yunsip | 549be199dacea388e24a53f37425d717e716f9de25aea62779082e2de46e088e

Analysis

max time kernel
91s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 22:18

Target

549be199dacea388e24a53f37425d717e716f9de25aea62779082e2de46e088e.dll
Size

621KB
MD5

51bd2d9bc1d36e029b79b0191fe89664
SHA1

ee7f090b125139f22cd1adb652450ed370318445
SHA256

549be199dacea388e24a53f37425d717e716f9de25aea62779082e2de46e088e
SHA512

93eda230ab35fb2263c3a3e5f020fbfc879f386c576d5edbfc5e51e1b74fa9491f8a0594b08c5620cb32416c339e6a9639a053ebd813b02ae5a6a5ca45ca697e
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYZ:o6RI1Fo/wT3cJYYYYYYYYYYYYZ

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 1676	4792	rundll32.exe	82
PID 4792 wrote to memory of 1676	4792	rundll32.exe	82
PID 4792 wrote to memory of 1676	4792	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\549be199dacea388e24a53f37425d717e716f9de25aea62779082e2de46e088e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\549be199dacea388e24a53f37425d717e716f9de25aea62779082e2de46e088e.dll,#1
  2⤵
  PID:1676