yunsip | f3b3b33d4450e130838dd3248e4bd71cc1ac68b3576704b476ef63d092b3ea74

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 05:04

Target

f3b3b33d4450e130838dd3248e4bd71cc1ac68b3576704b476ef63d092b3ea74.dll
Size

1.0MB
MD5

ce6f0a991d30a2c05bb5b2a3f7d7e8f3
SHA1

1e46492dfef8032cab5c78178113113d61d14ee7
SHA256

f3b3b33d4450e130838dd3248e4bd71cc1ac68b3576704b476ef63d092b3ea74
SHA512

7e10fca01de13aa3dee8d6bf42ecf9e4a95f9dc79910c5fd923b563b3b9a4c01edcb276cac8d0068b1974ae6b64fc72af7194252be61089db6584b71eaeddc61
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYq:o6RI1Fo/wT3cJYYYYYYYYYYYYq

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2660 wrote to memory of 2832	2660	rundll32.exe	rundll32.exe
PID 2660 wrote to memory of 2832	2660	rundll32.exe	rundll32.exe
PID 2660 wrote to memory of 2832	2660	rundll32.exe	rundll32.exe
PID 2660 wrote to memory of 2832	2660	rundll32.exe	rundll32.exe
PID 2660 wrote to memory of 2832	2660	rundll32.exe	rundll32.exe
PID 2660 wrote to memory of 2832	2660	rundll32.exe	rundll32.exe
PID 2660 wrote to memory of 2832	2660	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3b3b33d4450e130838dd3248e4bd71cc1ac68b3576704b476ef63d092b3ea74.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3b3b33d4450e130838dd3248e4bd71cc1ac68b3576704b476ef63d092b3ea74.dll,#1
  2⤵
  PID:2832