unicornstealer | b4cba8d6da42a2cf40009b50502f7eeeb4ef601f0dafb7c2ee6aa9d4e2629755

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2023, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4cba8d6da42a2cf40009b50502f7eeeb4ef601f0dafb7c2ee6aa9d4e2629755.dll
Size

3.6MB
MD5

a92d5ac95942035396dda8baead2b5de
SHA1

42d657eb9486bd777838e2add24b4cfc1598ba4c
SHA256

b4cba8d6da42a2cf40009b50502f7eeeb4ef601f0dafb7c2ee6aa9d4e2629755
SHA512

3635355a4d1b564970b7e2038e49126635f6d24ef81ac172871c6220ca5770bd136283a3385366293edb21b45c104529ea6dc2193e392152ab51f05bcb32611e
SSDEEP

49152:YjapCJeS7PSQvZkJg7kKKvMg98P+ilzue089HH/f:VpuD6zvMgCPVb06

Score

10^/10

unicornstealer spyware stealer

Malware Config

Signatures

UnicornStealer
UnicornStealer is a modular infostealer written in C++.
stealer unicornstealer

Unicorn Stealer payload 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/1800-137-0x0000000016C00000-0x0000000016D4D000-memory.dmp	unicorn
behavioral2/memory/1468-148-0x0000000000400000-0x000000000053A000-memory.dmp	unicorn
behavioral2/memory/1468-149-0x0000000000400000-0x000000000053A000-memory.dmp	unicorn

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5036	rundll32.exe
1800	svchost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe
1468	dllhost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1800	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1468	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 5036	4328	rundll32.exe	82
PID 4328 wrote to memory of 5036	4328	rundll32.exe	82
PID 4328 wrote to memory of 5036	4328	rundll32.exe	82
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83
PID 5036 wrote to memory of 1800	5036	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4cba8d6da42a2cf40009b50502f7eeeb4ef601f0dafb7c2ee6aa9d4e2629755.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4cba8d6da42a2cf40009b50502f7eeeb4ef601f0dafb7c2ee6aa9d4e2629755.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1800
  - - C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\system32\dllhost.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

T1090

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Connection Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1468-149-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/1468-148-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/1468-142-0x0000000000F30000-0x0000000000F38000-memory.dmp

Filesize
32KB

Download
memory/1468-141-0x00007FFF3C5F0000-0x00007FFF3C7E5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-138-0x00007FFF3C5F0000-0x00007FFF3C7E5000-memory.dmp

Filesize
2.0MB

Download
memory/1800-139-0x0000000016C07000-0x0000000016C17000-memory.dmp

Filesize
64KB

Download
memory/1800-137-0x0000000016C00000-0x0000000016D4D000-memory.dmp

Filesize
1.3MB

Download
memory/1800-136-0x0000000002E60000-0x0000000002E68000-memory.dmp

Filesize
32KB

Download
memory/1800-147-0x0000000016C07000-0x0000000016C17000-memory.dmp

Filesize
64KB

Download
memory/5036-135-0x0000000002970000-0x000000000297A000-memory.dmp

Filesize
40KB

Download
memory/5036-133-0x00000000025B0000-0x000000000295D000-memory.dmp

Filesize
3.7MB

Download