yunsip | 9a638957b18e9926af8a567ac878b64da2335b80e16a8b00ee15c8a4645e4bc1

Analysis

max time kernel
133s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 14:34

Target

b92a0087c97e47e57f121503e2c7efb0_NEAS.dll
Size

654KB
MD5

b92a0087c97e47e57f121503e2c7efb0
SHA1

da8640ce4dc8f6baa77ae52a75d8b205652fe193
SHA256

9a638957b18e9926af8a567ac878b64da2335b80e16a8b00ee15c8a4645e4bc1
SHA512

39a3fe80522002ccd4432337cad8c2e2b8ea493d720a141f2979ac2a6eac21855b0423eef1f85b7c13aab8f9b65c5a8886ea3309f8dd12f37a515d52c42ea994
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYf:o6RI1Fo/wT3cJYYYYYYYYYYYYf

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 3468	2812	rundll32.exe	86
PID 2812 wrote to memory of 3468	2812	rundll32.exe	86
PID 2812 wrote to memory of 3468	2812	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b92a0087c97e47e57f121503e2c7efb0_NEAS.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b92a0087c97e47e57f121503e2c7efb0_NEAS.dll,#1
  2⤵
  PID:3468