unicornstealer | 4689527f10d148468069ee575d34716c[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

4689527f10d148468069ee575d34716c.zip
Size

618KB
MD5

ac4fc7b1a92cb5d0c18447c41f9a31f3
SHA1

4e3d348320e822e2c795062e8ac6cd9e8730a4a6
SHA256

50af05d0c4f75364b311da2e741fa40c0848a72b40df10dc92b1a4d247f75b10
SHA512

953158dc78646ccc4be9c5b5ddf85de0a67e7a668638024ef7ae6ccda77ccc95427e7dcf517a215306c742e53cee2e29d3cf2a7ea7f91ba23733054e0e9d02c8
SSDEEP

12288:PGM0Nbo5/qqGqyX22/EZgXp+PcqZfStbJrYlj5iOhu+Qe6popX1Kvk8vBx:OM0NW/qXqw22/E+Z+PcN1rY3bQMpFKvF

Score

10^/10

stealer unicornstealer

Malware Config

Signatures

Unicorn Stealer payload 1 IoCs

stealer

resource	yara_rule
static1/unpack001/d292e7388d4cd59fc1fc5efe2e933e453bbbe53a29503a5c6447849afd6f3c09	unicorn

Unicornstealer family
unicornstealer

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/d292e7388d4cd59fc1fc5efe2e933e453bbbe53a29503a5c6447849afd6f3c09

Files

4689527f10d148468069ee575d34716c.zip
.zip

Password: infected
d292e7388d4cd59fc1fc5efe2e933e453bbbe53a29503a5c6447849afd6f3c09
.exe windows:6 windows x86 arch:x86

Password: infected

bdf1cab1845d3b5344585c5428062993

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

VirtualFree
ExpandEnvironmentStringsW
TerminateProcess
SetFileTime
LeaveCriticalSection
UnmapViewOfFile
OpenProcess
CreateToolhelp32Snapshot
Sleep
Process32NextW
FlushViewOfFile
Process32FirstW
CreateThread
SetFilePointerEx
GetFileSize
SystemTimeToFileTime
GetSystemTime
CreateFileMappingW
MapViewOfFile
LocalAlloc
InitializeCriticalSection
SetEndOfFile
lstrcpyA
GetModuleHandleA
GetLastError
GlobalLock
GlobalUnlock
lstrcmpiA
K32GetModuleFileNameExW
WideCharToMultiByte
GetVolumeInformationA
lstrcatA
GetTempPathA
GetUserDefaultLCID
lstrcatW
GetProcAddress
TerminateThread
EnterCriticalSection
SetNamedPipeHandleState
WaitNamedPipeA
CreateNamedPipeA
WriteFileEx
DisconnectNamedPipe
CreateEventW
CreateFileA
SetEvent
WaitForSingleObjectEx
ReadFileEx
GetOverlappedResult
lstrcpynA
ConnectNamedPipe
ReadProcessMemory
ExitThread
AddVectoredExceptionHandler
SetUnhandledExceptionFilter
LocalFree
ExitProcess
GetCurrentDirectoryW
SetCurrentDirectoryW
MultiByteToWideChar
GetFileAttributesExW
FindFirstFileExW
GetCommandLineW
GetCommandLineA
ReadFile
lstrcmpA
lstrlenA
lstrcmpW
lstrcmpiW
lstrcpyW
FindClose
VirtualAlloc
lstrlenW
FindNextFileW
FindFirstFileW
MoveFileW
QueryPerformanceCounter
GetTempFileNameW
CopyFileW
CreateProcessW
RtlUnwind
FormatMessageA
MoveFileExA
VerifyVersionInfoA
GetSystemDirectoryA
QueryPerformanceFrequency
VerSetConditionMask
SleepEx
GetTickCount
CloseHandle
GlobalFree
DeleteFileW
GlobalAlloc
GetSystemDirectoryW
CreateFileW
WaitForSingleObject
GetTempPathW
WriteFile
CreateEventA
WaitForMultipleObjects
LoadLibraryA
GetEnvironmentVariableA
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
GetLocalTime
InitializeSListHead
GetCurrentProcessId
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
HeapSize
WriteConsoleW
GetModuleFileNameW
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
GetStringTypeW
GetProcessHeap
GetFileSizeEx
GetFullPathNameW
GetTimeZoneInformation
FlushFileBuffers
GetModuleHandleExW
VirtualQuery
GetModuleHandleW
RaiseException
DecodePointer
DeleteCriticalSection
IsDebuggerPresent
UnhandledExceptionFilter
GetCurrentProcess
IsProcessorFeaturePresent
GetFileType
GetDriveTypeW
GetFileInformationByHandle
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
HeapAlloc
HeapFree
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetSystemTimeAsFileTime
FreeLibrary
LoadLibraryExW
CompareStringW
LCMapStringW
GetStdHandle
GetStartupInfoW
SetLastError
GetCurrentThreadId
HeapReAlloc
SetStdHandle
GetConsoleCP
GetConsoleMode
ReadConsoleW
EncodePointer

user32

GetMessageW
DefWindowProcW
TranslateMessage
CloseClipboard
wsprintfW
wsprintfA
CreateWindowExA
OpenClipboard
SendMessageA
GetClipboardData
EmptyClipboard
SetTimer
GetWindowTextW
ToUnicode
SetWindowsHookExW
GetForegroundWindow
CallNextHookEx
GetKeyState
GetCursorPos
SetClipboardData
DispatchMessageW
RegisterClassExA
SetClipboardViewer
ReleaseDC
GetWindowThreadProcessId
SetProcessDPIAware
GetWindowRect
GetDC

gdi32

GetStockObject
GetCurrentObject
DeleteObject
GetObjectW
DeleteDC
CreateCompatibleDC
CreateDIBSection
SelectObject
BitBlt

shell32

CommandLineToArgvW

secur32

GetUserNameExW
InitSecurityInterfaceA

winhttp

WinHttpQueryDataAvailable
WinHttpConnect
WinHttpSendRequest
WinHttpCloseHandle
WinHttpOpenRequest
WinHttpReadData
WinHttpOpen
WinHttpReceiveResponse

msvcrt

memset
memmove
vsprintf_s
_vscprintf
vprintf
memcmp
memchr
strstr
memcpy

shlwapi

StrChrW
StrStrIW
PathFileExistsW

gdiplus

GdipAlloc
GdipCreateBitmapFromHBITMAP
GdipDisposeImage
GdipFree
GdipGetImageEncodersSize
GdipSaveImageToFile
GdipGetImageEncoders
GdiplusStartup
GdipCloneImage

advapi32

CryptReleaseContext
CryptGenRandom
CryptAcquireContextA
CryptDestroyKey
CryptExportKey
CryptEncrypt
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptImportKey
CryptGetHashParam

bcrypt

BCryptDuplicateHash
BCryptImportKeyPair
BCryptImportKey
BCryptEncrypt
BCryptSetProperty
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider
BCryptCreateHash
BCryptHashData
BCryptDestroyHash
BCryptFinishHash
BCryptGenRandom
BCryptDestroyKey

ws2_32

gethostname
ioctlsocket
select
__WSAFDIsSet
WSAIoctl
WSASetLastError
setsockopt
ntohs
getsockopt
getsockname
getpeername
bind
WSAGetLastError
WSAWaitForMultipleEvents
WSASetEvent
WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
WSACleanup
inet_ntoa
inet_addr
htons
recv
connect
socket
send
WSAStartup
gethostbyname
closesocket

crypt32

CryptStringToBinaryA
CryptBinaryToStringA
CryptDecodeObject

Exports

Exports

curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_init
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape
curl_easy_upkeep
curl_escape
curl_formadd
curl_formfree
curl_formget
curl_free
curl_getdate
curl_getenv
curl_global_cleanup
curl_global_init
curl_global_init_mem
curl_global_sslset
curl_maprintf
curl_mfprintf
curl_mime_addpart
curl_mime_data
curl_mime_data_cb
curl_mime_encoder
curl_mime_filedata
curl_mime_filename
curl_mime_free
curl_mime_headers
curl_mime_init
curl_mime_name
curl_mime_subparts
curl_mime_type
curl_mprintf
curl_msnprintf
curl_msprintf
curl_multi_add_handle
curl_multi_assign
curl_multi_cleanup
curl_multi_fdset
curl_multi_info_read
curl_multi_init
curl_multi_perform
curl_multi_poll
curl_multi_remove_handle
curl_multi_setopt
curl_multi_socket
curl_multi_socket_action
curl_multi_socket_all
curl_multi_strerror
curl_multi_timeout
curl_multi_wait
curl_multi_wakeup
curl_mvaprintf
curl_mvfprintf
curl_mvprintf
curl_mvsnprintf
curl_mvsprintf
curl_share_cleanup
curl_share_init
curl_share_setopt
curl_share_strerror
curl_slist_append
curl_slist_free_all
curl_strequal
curl_strnequal
curl_unescape
curl_url
curl_url_cleanup
curl_url_dup
curl_url_get
curl_url_set

Sections

.text
Size: 672KB - Virtual size: 672KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 108KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 404KB - Virtual size: 404KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

bdf1cab1845d3b5344585c5428062993

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

secur32

winhttp

msvcrt

shlwapi

gdiplus

advapi32

bcrypt

ws2_32

crypt32

Exports

Exports

Sections

.text Size: 672KB - Virtual size: 672KB

.rdata Size: 108KB - Virtual size: 108KB

.data Size: 404KB - Virtual size: 404KB

.reloc Size: 24KB - Virtual size: 24KB

.text
Size: 672KB - Virtual size: 672KB

.rdata
Size: 108KB - Virtual size: 108KB

.data
Size: 404KB - Virtual size: 404KB

.reloc
Size: 24KB - Virtual size: 24KB