yunsip | b4f6ca17a7df0330fb7a32a801517d869219f46971728fffe13d14b8e17c227d

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 03:01

Target

b4f6ca17a7df0330fb7a32a801517d869219f46971728fffe13d14b8e17c227d.dll
Size

618KB
MD5

332e5a75003dafdbef26c79b0a69501a
SHA1

8174aa666f6ff53a8bd7c84d44704a27a3a36a0a
SHA256

b4f6ca17a7df0330fb7a32a801517d869219f46971728fffe13d14b8e17c227d
SHA512

783a0e1398a7e35bd89853be53b448d8fecac0fb8127cceb781b55ba55575838972beedc1f9bf6092a293f2e75b59372e34f9ae7fa286199bb5dba2a247ed85d
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYz:o6RI1Fo/wT3cJYYYYYYYYYYYYz

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2344	2724	rundll32.exe	28
PID 2724 wrote to memory of 2344	2724	rundll32.exe	28
PID 2724 wrote to memory of 2344	2724	rundll32.exe	28
PID 2724 wrote to memory of 2344	2724	rundll32.exe	28
PID 2724 wrote to memory of 2344	2724	rundll32.exe	28
PID 2724 wrote to memory of 2344	2724	rundll32.exe	28
PID 2724 wrote to memory of 2344	2724	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4f6ca17a7df0330fb7a32a801517d869219f46971728fffe13d14b8e17c227d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4f6ca17a7df0330fb7a32a801517d869219f46971728fffe13d14b8e17c227d.dll,#1
  2⤵
  PID:2344