unicornstealer | 29c062ee6df61733f00c39c3290c58a33c1eea61b5fbf2a8560b57b5b689440b

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220414-en
submitted
02/05/2022, 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29c062ee6df61733f00c39c3290c58a33c1eea61b5fbf2a8560b57b5b689440b.dll
Size

3.3MB
MD5

f2b1412c63ab313adbef1d480583ea37
SHA1

d02b5032d725c104b3eafb476dad23f9958755ae
SHA256

29c062ee6df61733f00c39c3290c58a33c1eea61b5fbf2a8560b57b5b689440b
SHA512

2daf692dbbaa6d60a439c86a95e65f2e47d7df2f57a71ccddf0728bd7d481915550996e3f68dffdeaa0ee813206b5b1ef76febcd47f26ad0fde77162c3859df3

Score

10^/10

unicornstealer spyware stealer

Malware Config

Signatures

UnicornStealer
UnicornStealer is a modular infostealer written in C++.
stealer unicornstealer

Unicorn Stealer Payload 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/796-61-0x0000000005330000-0x000000000543C000-memory.dmp	unicorn
behavioral1/memory/1684-75-0x0000000000400000-0x00000000004FA000-memory.dmp	unicorn

Blocklisted process makes network request 12 IoCs

flow	pid	Process
11	1684	cmd.exe
14	1684	cmd.exe
15	1684	cmd.exe
16	1684	cmd.exe
17	1684	cmd.exe
20	1684	cmd.exe
21	1684	cmd.exe
22	1684	cmd.exe
23	1684	cmd.exe
24	1684	cmd.exe
25	1684	cmd.exe
26	1684	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rundll32.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
1896	rundll32.exe
796	extrac32.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe
1684	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
796	extrac32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1896	rundll32.exe
1684	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1896	1660	rundll32.exe	28
PID 1660 wrote to memory of 1896	1660	rundll32.exe	28
PID 1660 wrote to memory of 1896	1660	rundll32.exe	28
PID 1660 wrote to memory of 1896	1660	rundll32.exe	28
PID 1660 wrote to memory of 1896	1660	rundll32.exe	28
PID 1660 wrote to memory of 1896	1660	rundll32.exe	28
PID 1660 wrote to memory of 1896	1660	rundll32.exe	28
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 1896 wrote to memory of 796	1896	rundll32.exe	29
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31
PID 796 wrote to memory of 1684	796	extrac32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\29c062ee6df61733f00c39c3290c58a33c1eea61b5fbf2a8560b57b5b689440b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\29c062ee6df61733f00c39c3290c58a33c1eea61b5fbf2a8560b57b5b689440b.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\extrac32.exe
    "C:\Windows\system32\extrac32.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Blocklisted process makes network request
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

T1090

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Connection Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
c49adb5ea87cb1546605261d8a1944fd

SHA1
91dbb905fa903fa04e2c2728cfad9d9eda6dba09

SHA256
50a678594efe92e7fc02a01f4e84cf63e2e17a556e8137531eea6f39da4de740

SHA512
e6ba4c6fb76a3e62749568228dcfccb73d63a1c0a84f13fd4d0e4ed55fbd17ea30ffcc1bfbc8f357057fb75213d75bd1ba98fe5030dfc1fef6073de99445c715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f894fa4639f79bb994fecc8b0943cff

SHA1
5c24eb7b5bfe88bfba0ba0ae51acd290eae5923c

SHA256
87ebc4965f9d666ba89c650d5873bcfd53ee33544d311ccd8b8da8c19410ef0e

SHA512
9c5ece52d732f2bd36b2d4eed6662da64197270553f52bf4d28e86e1f5e6b8b4b154d704092bc89b897ef0142151b62130de034067e3122264539ab11f1a7004

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
4e59257230fd7982accbfe8368230464

SHA1
8b12fbb120abfc8fe572f9905759ea13c0560eef

SHA256
f8bfba4c90642e4674ad59c60c5b0ac7b695ea6d97cbfa046110df66647ee324

SHA512
1be1c3492daf8be683d15b007486adce5879da74071816b147bb94deaf42ae58d4c11bb3f3e6ced1c0fe93f4b3d9cb8820375de085364767ceeb82dd765202f5

Download Submit
memory/796-63-0x0000000005336000-0x0000000005346000-memory.dmp

Filesize
64KB

Download
memory/796-60-0x0000000001D00000-0x0000000001D35000-memory.dmp

Filesize
212KB

Download
memory/796-61-0x0000000005330000-0x000000000543C000-memory.dmp

Filesize
1.0MB

Download
memory/796-62-0x0000000077C30000-0x0000000077DD9000-memory.dmp

Filesize
1.7MB

Download
memory/1684-65-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1684-66-0x0000000077C30000-0x0000000077DD9000-memory.dmp

Filesize
1.7MB

Download
memory/1684-75-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/1896-58-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/1896-56-0x0000000002010000-0x000000000237C000-memory.dmp

Filesize
3.4MB

Download
memory/1896-55-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download