yunsip | 4388805b3402136c142866119b46a132a5e29dd5c1b98c2140f7b216064be31d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 19:28

Target

20566f106f3d371c05a58d752af4ff80_NeikiAnalytics.dll
Size

490KB
MD5

20566f106f3d371c05a58d752af4ff80
SHA1

f26952209056fb6fdb2efd3fcf12268ce502d9da
SHA256

4388805b3402136c142866119b46a132a5e29dd5c1b98c2140f7b216064be31d
SHA512

00a1f8a55ae66876cd937af312e33a0be1391674970791f6d5c82710375907a751a924495263a889c67dd33b47aa20eee339b9c9566dadfe722ccd41a040d567
SSDEEP

3072:jDKpt9sSR0HUHPwZWLnWVfEAzV2IJIwTBftpmc+z+f3Q0G:jDgtfRQUHPw06MoV2nwTBlhm8e

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1952	1728	rundll32.exe	28
PID 1728 wrote to memory of 1952	1728	rundll32.exe	28
PID 1728 wrote to memory of 1952	1728	rundll32.exe	28
PID 1728 wrote to memory of 1952	1728	rundll32.exe	28
PID 1728 wrote to memory of 1952	1728	rundll32.exe	28
PID 1728 wrote to memory of 1952	1728	rundll32.exe	28
PID 1728 wrote to memory of 1952	1728	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\20566f106f3d371c05a58d752af4ff80_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\20566f106f3d371c05a58d752af4ff80_NeikiAnalytics.dll,#1
  2⤵
  PID:1952