yunsip | 9a638957b18e9926af8a567ac878b64da2335b80e16a8b00ee15c8a4645e4bc1

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 14:34

Target

b92a0087c97e47e57f121503e2c7efb0_NEAS.dll
Size

654KB
MD5

b92a0087c97e47e57f121503e2c7efb0
SHA1

da8640ce4dc8f6baa77ae52a75d8b205652fe193
SHA256

9a638957b18e9926af8a567ac878b64da2335b80e16a8b00ee15c8a4645e4bc1
SHA512

39a3fe80522002ccd4432337cad8c2e2b8ea493d720a141f2979ac2a6eac21855b0423eef1f85b7c13aab8f9b65c5a8886ea3309f8dd12f37a515d52c42ea994
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYf:o6RI1Fo/wT3cJYYYYYYYYYYYYf

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2684	2492	rundll32.exe	28
PID 2492 wrote to memory of 2684	2492	rundll32.exe	28
PID 2492 wrote to memory of 2684	2492	rundll32.exe	28
PID 2492 wrote to memory of 2684	2492	rundll32.exe	28
PID 2492 wrote to memory of 2684	2492	rundll32.exe	28
PID 2492 wrote to memory of 2684	2492	rundll32.exe	28
PID 2492 wrote to memory of 2684	2492	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b92a0087c97e47e57f121503e2c7efb0_NEAS.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b92a0087c97e47e57f121503e2c7efb0_NEAS.dll,#1
  2⤵
  PID:2684