yunsip | 621fcdc2d7d7fddde3f2206d7c856cc23ff5440e8e10f16f4f00c1f29514e6cf

Analysis

max time kernel
19s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 03:22

Target

5d34e5ac8913333b897e7e956eb240f0N.dll
Size

1.0MB
MD5

5d34e5ac8913333b897e7e956eb240f0
SHA1

05f20ab60b860fdcdf0c0cb4b536379cf56d6cc3
SHA256

621fcdc2d7d7fddde3f2206d7c856cc23ff5440e8e10f16f4f00c1f29514e6cf
SHA512

523a7f8f1318af518297a8044aa6bb019ed88cd9da12fb2bc117299c9185ab6815379fd459d1276e1a700d6c535a01bbe73a2b2f031c3423ff5492b61ae98d34
SSDEEP

6144:o6C5AXbMn7UI1FoV2gwTBlrIckPJYYYYYYYYYYYYq:o6RI1Fo/wT3cJYYYYYYYYYYYYq

Score

10^/10

Yunsip
Remote backdoor which communicates with a C2 server to receive commands.
trojan banker yunsip

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 3060	3024	rundll32.exe	30
PID 3024 wrote to memory of 3060	3024	rundll32.exe	30
PID 3024 wrote to memory of 3060	3024	rundll32.exe	30
PID 3024 wrote to memory of 3060	3024	rundll32.exe	30
PID 3024 wrote to memory of 3060	3024	rundll32.exe	30
PID 3024 wrote to memory of 3060	3024	rundll32.exe	30
PID 3024 wrote to memory of 3060	3024	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d34e5ac8913333b897e7e956eb240f0N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d34e5ac8913333b897e7e956eb240f0N.dll,#1
  2⤵
  PID:3060