unicornstealer | b4cba8d6da42a2cf40009b50502f7eeeb4ef601f0dafb7c2ee6aa9d4e2629755

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/01/2023, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4cba8d6da42a2cf40009b50502f7eeeb4ef601f0dafb7c2ee6aa9d4e2629755.dll
Size

3.6MB
MD5

a92d5ac95942035396dda8baead2b5de
SHA1

42d657eb9486bd777838e2add24b4cfc1598ba4c
SHA256

b4cba8d6da42a2cf40009b50502f7eeeb4ef601f0dafb7c2ee6aa9d4e2629755
SHA512

3635355a4d1b564970b7e2038e49126635f6d24ef81ac172871c6220ca5770bd136283a3385366293edb21b45c104529ea6dc2193e392152ab51f05bcb32611e
SSDEEP

49152:YjapCJeS7PSQvZkJg7kKKvMg98P+ilzue089HH/f:VpuD6zvMgCPVb06

Score

10^/10

unicornstealer spyware stealer

Malware Config

Signatures

UnicornStealer
UnicornStealer is a modular infostealer written in C++.
stealer unicornstealer

Unicorn Stealer payload 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/1964-62-0x0000000015D90000-0x0000000015EDD000-memory.dmp	unicorn
behavioral1/memory/1388-73-0x0000000000400000-0x000000000053A000-memory.dmp	unicorn
behavioral1/memory/1388-74-0x0000000000400000-0x000000000053A000-memory.dmp	unicorn

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1764	rundll32.exe
1964	svchost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1964	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1388	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1764	2016	rundll32.exe	27
PID 2016 wrote to memory of 1764	2016	rundll32.exe	27
PID 2016 wrote to memory of 1764	2016	rundll32.exe	27
PID 2016 wrote to memory of 1764	2016	rundll32.exe	27
PID 2016 wrote to memory of 1764	2016	rundll32.exe	27
PID 2016 wrote to memory of 1764	2016	rundll32.exe	27
PID 2016 wrote to memory of 1764	2016	rundll32.exe	27
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1764 wrote to memory of 1964	1764	rundll32.exe	28
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29
PID 1964 wrote to memory of 1388	1964	svchost.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4cba8d6da42a2cf40009b50502f7eeeb4ef601f0dafb7c2ee6aa9d4e2629755.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4cba8d6da42a2cf40009b50502f7eeeb4ef601f0dafb7c2ee6aa9d4e2629755.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\system32\dllhost.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

T1090

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Connection Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-74-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/1388-73-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/1388-67-0x0000000000100000-0x0000000000108000-memory.dmp

Filesize
32KB

Download
memory/1388-66-0x0000000076D70000-0x0000000076F19000-memory.dmp

Filesize
1.7MB

Download
memory/1764-58-0x0000000000000000-0x00000000023E3650-memory.dmp

Filesize
35.9MB

Download
memory/1764-60-0x0000000000000000-0x00000000023E3650-memory.dmp

Filesize
35.9MB

Download
memory/1764-56-0x00000000020B0000-0x000000000245D000-memory.dmp

Filesize
3.7MB

Download
memory/1764-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1964-61-0x0000000000180000-0x0000000000188000-memory.dmp

Filesize
32KB

Download
memory/1964-62-0x0000000015D90000-0x0000000015EDD000-memory.dmp

Filesize
1.3MB

Download
memory/1964-63-0x0000000076D70000-0x0000000076F19000-memory.dmp

Filesize
1.7MB

Download
memory/1964-64-0x0000000015D97000-0x0000000015DA7000-memory.dmp

Filesize
64KB

Download
memory/1964-72-0x0000000015D97000-0x0000000015DA7000-memory.dmp

Filesize
64KB

Download