unicornstealer | 0dfbfd5ffc2407580afee569af088ba1d0f5d44ac8fc4a4bb18b4481adf8a087

Analysis

max time kernel
8s
max time network
163s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 03:53

Target

0d89aea9f518ca7f10c8953c8d96e0f3.dll
Size

3.6MB
MD5

0d89aea9f518ca7f10c8953c8d96e0f3
SHA1

1a1833e2ddf136b6d87105765111e98566241da4
SHA256

0dfbfd5ffc2407580afee569af088ba1d0f5d44ac8fc4a4bb18b4481adf8a087
SHA512

c28e3afa4b2099089f323089ac9bba17390ee0f6ee5c04caccb6cdd0a5df0429aae71e1898733be14dfd5b54134289771b9a2794879e1c44dcf1631505616b69
SSDEEP

49152:wtiEM3qSat9+rZufjlxnyqxSgF8CP4rhDTF+2huh:wtT4ZurlL8CP4rh1+gu

Score

10^/10

UnicornStealer
UnicornStealer is a modular infostealer written in C++.
stealer unicornstealer

Unicorn Stealer payload 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/2740-37-0x0000000016400000-0x0000000016545000-memory.dmp	unicorn
behavioral1/memory/2076-39-0x0000000000400000-0x0000000000532000-memory.dmp	unicorn

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
792	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 792	2844	rundll32.exe	28
PID 2844 wrote to memory of 792	2844	rundll32.exe	28
PID 2844 wrote to memory of 792	2844	rundll32.exe	28
PID 2844 wrote to memory of 792	2844	rundll32.exe	28
PID 2844 wrote to memory of 792	2844	rundll32.exe	28
PID 2844 wrote to memory of 792	2844	rundll32.exe	28
PID 2844 wrote to memory of 792	2844	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d89aea9f518ca7f10c8953c8d96e0f3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d89aea9f518ca7f10c8953c8d96e0f3.dll,#1
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:792
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    PID:2740
  - - C:\Windows\SysWOW64\dllhost.exe
      "C:\Windows\system32\dllhost.exe"
      4⤵
      PID:2076

memory/792-0-0x00000000020C0000-0x0000000002483000-memory.dmp

Filesize
3.8MB

Download
memory/792-1-0x00000000020C0000-0x0000000002483000-memory.dmp

Filesize
3.8MB

Download
memory/792-2-0x00000000020C0000-0x0000000002483000-memory.dmp

Filesize
3.8MB

Download
memory/792-3-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/792-5-0x00000000020C0000-0x0000000002483000-memory.dmp

Filesize
3.8MB

Download
memory/792-7-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/2076-39-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2076-40-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/2740-4-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/2740-35-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/2740-38-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/2740-37-0x0000000016400000-0x0000000016545000-memory.dmp

Filesize
1.3MB

Download