unicornstealer | f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e

Analysis

max time kernel
148s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08/05/2022, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe
Size

3.4MB
MD5

43099e8aa1fc1a891f0e0d3901722d83
SHA1

e700821c5443b93c79b790aa4a87306bf1837fc6
SHA256

f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e
SHA512

1b9ba53653dc310722095f921a9593edd37c460f0a52836f43f15c8cd6685c2b3fb0a7856fe09f02382bca60ed4ebfc2fe525da64985df68ec0daa033ee6bf02

Score

10^/10

unicornstealer stealer

Malware Config

Signatures

UnicornStealer
UnicornStealer is a modular infostealer written in C++.
stealer unicornstealer

Unicorn Stealer Payload 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/4300-141-0x0000000005270000-0x000000000537C000-memory.dmp	unicorn

Executes dropped EXE 1 IoCs

pid	Process
1168	openvpn-gui.exe

Loads dropped DLL 2 IoCs

pid	Process
1168	openvpn-gui.exe
1168	openvpn-gui.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe
1168	openvpn-gui.exe
4300	extrac32.exe
4300	extrac32.exe
4300	extrac32.exe
4300	extrac32.exe
4300	extrac32.exe
4300	extrac32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4300	extrac32.exe
4300	extrac32.exe
4300	extrac32.exe
4300	extrac32.exe
4300	extrac32.exe
4300	extrac32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe
1168	openvpn-gui.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82
PID 920 wrote to memory of 4728	920	f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe	82

C:\Users\Admin\AppData\Local\Temp\f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe
"C:\Users\Admin\AppData\Local\Temp\f0aa61702b6bf58598bd2d325ee289810914fe26fe7f634e0dad8b3ad3c1a04e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\SysWOW64\tracert.exe
  "C:\Windows\system32\tracert.exe"
  2⤵
  PID:4728
- - C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\openvpn-gui.exe
    "C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\openvpn-gui.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1168
  - - C:\Windows\SysWOW64\extrac32.exe
      "C:\Windows\system32\extrac32.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:4300
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1004
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:5080
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1012
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1128
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe"
        5⤵
        
        PID:1752
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\system32\notepad.exe"
        5⤵
        
        PID:968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\libcrypto-1_1.dll

Filesize
3.3MB

MD5
f2b1412c63ab313adbef1d480583ea37

SHA1
d02b5032d725c104b3eafb476dad23f9958755ae

SHA256
29c062ee6df61733f00c39c3290c58a33c1eea61b5fbf2a8560b57b5b689440b

SHA512
2daf692dbbaa6d60a439c86a95e65f2e47d7df2f57a71ccddf0728bd7d481915550996e3f68dffdeaa0ee813206b5b1ef76febcd47f26ad0fde77162c3859df3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\libcrypto-1_1.dll

Filesize
3.3MB

MD5
f2b1412c63ab313adbef1d480583ea37

SHA1
d02b5032d725c104b3eafb476dad23f9958755ae

SHA256
29c062ee6df61733f00c39c3290c58a33c1eea61b5fbf2a8560b57b5b689440b

SHA512
2daf692dbbaa6d60a439c86a95e65f2e47d7df2f57a71ccddf0728bd7d481915550996e3f68dffdeaa0ee813206b5b1ef76febcd47f26ad0fde77162c3859df3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\libcrypto-1_1.dll

Filesize
3.3MB

MD5
f2b1412c63ab313adbef1d480583ea37

SHA1
d02b5032d725c104b3eafb476dad23f9958755ae

SHA256
29c062ee6df61733f00c39c3290c58a33c1eea61b5fbf2a8560b57b5b689440b

SHA512
2daf692dbbaa6d60a439c86a95e65f2e47d7df2f57a71ccddf0728bd7d481915550996e3f68dffdeaa0ee813206b5b1ef76febcd47f26ad0fde77162c3859df3

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\openvpn-gui.exe

Filesize
630KB

MD5
7215c1b9693b1394aaa7c86dcd741ad7

SHA1
290dda9a0f85cf5f119cb726e4f5d86696672bbc

SHA256
1d2914c04b213029550eba1e0c0b40e36a32b443a76efc9c2f779e8b9448bdd5

SHA512
e79b8a8ffbf75a17ab8b16752d3da68be9c6f7c50fedf4a6049da2393ff8b1b43e1f9cd9b9bfdc06c8b62764031d959962cfc11898bd81bf22a9970d6c63b945

Download Submit
memory/920-131-0x00000000028A0000-0x00000000028A6000-memory.dmp

Filesize
24KB

Download
memory/968-156-0x00007FFF1B3D0000-0x00007FFF1B5C5000-memory.dmp

Filesize
2.0MB

Download
memory/968-155-0x0000000000720000-0x0000000000727000-memory.dmp

Filesize
28KB

Download
memory/1168-139-0x00000000006A0000-0x00000000006A9000-memory.dmp

Filesize
36KB

Download
memory/1168-137-0x0000000001040000-0x00000000013AC000-memory.dmp

Filesize
3.4MB

Download
memory/4300-140-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/4300-141-0x0000000005270000-0x000000000537C000-memory.dmp

Filesize
1.0MB

Download
memory/4300-142-0x00007FFF1B3D0000-0x00007FFF1B5C5000-memory.dmp

Filesize
2.0MB

Download
memory/4300-153-0x0000000005276000-0x0000000005286000-memory.dmp

Filesize
64KB

Download