Try VMRay Platform
Malicious
Classifications

Virus

Threat Names

KawaiiUnicorn

Dynamic Analysis Report

Created on 2024-08-01T15:30:17+00:00

Kawaii-Unicorn.exe

Windows Exe (x86-32)
...

Remarks (1/1)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "16 minutes, 12 seconds" to "1 second" to reveal dormant functionality.

Filters:
File Name Category Type Verdict Actions
C:\Users\OqXZRaykm\Desktop\Kawaii-Unicorn.exe Sample File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 bc8ed73cc27fba29d082b9b85e99775f Copy to Clipboard
SHA1 f5b74fcd861cd8bac24f1d7f43897459c9810ba9 Copy to Clipboard
SHA256 3bf4b24335d22062415115fcc53aa923aab5a47b07de631db8963699678e499d Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuE7AW:fbHowZUtbPJjcf20rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
File Reputation Information
»
Verdict
Malicious
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
kawaii-unicorn.exe 1 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 1 0x020B0000 0x0215FFFF Marked Executable False 32-bit - False
...
buffer 1 0x020B0000 0x020B9FFF First Execution False 32-bit 0x020B5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-183.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 95aed1a8478c04877d72441b71ecc5c4 Copy to Clipboard
SHA1 c4ccc3abbc2a2d9f42366ac5e3dad50fd764053e Copy to Clipboard
SHA256 4ab314335c6a8b9c2bf7f01385fdf6f749e0318d5eb4fd5d8c2a1de23e389dee Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuSkYc39SAuM7AL:fb3owZUtbPJjcfW0rtkY24AuM Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-36048.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 3643650c74252b5e84ad4ccf4e240b76 Copy to Clipboard
SHA1 73627fc29838fadadafeb36554159277883d9e43 Copy to Clipboard
SHA256 d40b70604d1726df6b2c90675a28218a8761c29cd578cf4f81474a066218d3bc Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIponJHexVuU0Yc3wSAuK7AW:fb3owZUtbPJjcf20zT0Y2jAuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-50206.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 c281b6e715e06cd808d195a29cab58de Copy to Clipboard
SHA1 ce0cd3b0b3ac8d43ff1df44b799903960fd0c5ba Copy to Clipboard
SHA256 6f6cfcb7468cb70dd960ae51fd903c813b84eb5fe2b121172717984df48134d5 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuSkYc3zSAuK7AW:fb3owZUtbPJjcfW0rtkY22AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-50206.exe 51 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 51 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
...
buffer 51 0x004D0000 0x004DFFFF First Execution False 32-bit 0x004D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-34283.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 3d6cd51add6a30ba4ced949708abcf75 Copy to Clipboard
SHA1 c52c8d24f86cc36b7565469d5bea2b38a6a85e9f Copy to Clipboard
SHA256 d8253168ca826d79f7f4f0023f477b2e98456c1f7128295b59e2358eaaf026f8 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/iChvvIpwnJHexVuSkYc39SAuK7AW:fb3owZUtbPJjcfE0rtkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-34283.exe 82 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 82 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 82 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-23257.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 5b24a9699b475a4db21ed41616a452ca Copy to Clipboard
SHA1 2ffb9b4274d63bbe982f880d2873f5824af021ca Copy to Clipboard
SHA256 f2bafdfd06b11299457cf905142932c5e932a8eb2407905651eed5aec1bbd705 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuSkPc39SAuK7AW:fb3owZUtbPJjcfW0rtkP24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-23257.exe 66 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 66 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
...
buffer 66 0x004D0000 0x004DFFFF First Execution False 32-bit 0x004D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-61101.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 639c22f64c4249905f99aa726f6b67b1 Copy to Clipboard
SHA1 e2c7e96ab9ec3f64a68bd9101230a9c22e7a7e17 Copy to Clipboard
SHA256 e23808d8e782af74ccbf39f36f66025da1272456da024cb310f0d86e6578c4b2 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuSkYc39SAuM7AW:fb3owZUtbPJjcfW0rtkY24AuM Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-61101.exe 20 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 20 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 20 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-30812.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 ea8d26ab17786723aa7452c9d9bf0d2d Copy to Clipboard
SHA1 d5338ecfcefc3fe89a2c15e811cb1165d5d34ded Copy to Clipboard
SHA256 220a8a1736657a5b1616dedd1c41d8f85cf36a9ab6c2806278ec27e144b0dfbe Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUfYf3R9AuE7AW:fb3owZUtbPJjcf20rTfYPfAuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-33308.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 54068253e5d76cdef5011e2381c1153d Copy to Clipboard
SHA1 8c90f968014be5880bbdd96eeb088be391fea6d0 Copy to Clipboard
SHA256 2c8bf7b27099ec2a95309d9ee52774e7de9a0a98ba5715631e768d1d63399ab1 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuUkYc33STuK7AW:fb3owZUtbPJjcfW0rTkY2CTuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-30351.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 9406a6cf59c5b02a2de8b6c6137910bc Copy to Clipboard
SHA1 c6df1cddba5e572eb2101c48c5af48a7aee31f12 Copy to Clipboard
SHA256 3ff599cde8e1322369edf0974cfa1217387b2f8f89e2c862d0226149fa0744ad Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuSkYc39SAuKHAW:fb3owZUtbPJjcfW0rtkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-30351.exe 36 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 36 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 36 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-32837.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 3f205e24f5d14d1cb142cd11c2edeb67 Copy to Clipboard
SHA1 044b344dbfa09ff93eb3bbf8dc400e7227ef938f Copy to Clipboard
SHA256 fe6cae8c06e56354b530026c8dbc5494249fa353bbbc3bb6f67fbc6311da5c21 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChkvIpwnJHexVuSkYc39SAuK7AW:fb3owZUtbPJjcfN0rtkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-36864.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 fd88ecd05543529efae65f358b53ed10 Copy to Clipboard
SHA1 5b1028bcf75d098d8aeac1a10c5202c75efc94ad Copy to Clipboard
SHA256 58541c2e254815a7bc7a1e668b1edc648825c9fc9d3bf65db2a689bfa448698b Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUfYc3RSAuE7Az:fb3owZUtbPJjcf20rTfY2EAuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-36864.exe 49 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 49 0x005C0000 0x005CFFFF Marked Executable False 32-bit - False
...
buffer 49 0x005C0000 0x005CFFFF First Execution False 32-bit 0x005C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-62317.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 09d3650b265370fa3e0d2a5638a0fefa Copy to Clipboard
SHA1 2a2c33eecf9c9c6d3e3e8a54b5752590796cba05 Copy to Clipboard
SHA256 611932d5fab24fb7b080c4b55ad31d695d629ca105874ebf1e9f5f4be7a58167 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbykPztjcf8/EChvPIponJHexVuUkYc39SAuK7AW:fb3owZUtFPJjcf20zTkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-62317.exe 92 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 92 0x00590000 0x005BFFFF Marked Executable False 32-bit - False
...
buffer 92 0x00590000 0x005BFFFF Content Changed False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-50222.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 965721eec56f48b56e67b66fa90f94f5 Copy to Clipboard
SHA1 35f632ca9efac63469f3b219477e6e2a8b88c286 Copy to Clipboard
SHA256 85cb84de01dd8fbc3019bd516586d0430ba1717f4b31c9f409ba0c902ef2363b Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUfYc3R9AuE7AW:fb3owZUtbPJjcf20rTfY2fAuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-50222.exe 34 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 34 0x006B0000 0x006BFFFF Marked Executable False 32-bit - False
...
buffer 34 0x006B0000 0x006BFFFF First Execution False 32-bit 0x006B5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-11779.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 2a14050b638b3d53658545a61af751a8 Copy to Clipboard
SHA1 5825713373a5ea22875765111fb0a2e7fc7ae870 Copy to Clipboard
SHA256 8e853a7835ddbdb93851abc082b4706f2ea171d6a3b930431ac09f8555876eee Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztUcf8/EChvvIpwnJHexVuUkYc39SAuK7AW:fb3owZUtbPJUcfW0rTkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-11779.exe 70 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 70 0x006A0000 0x006AFFFF Marked Executable False 32-bit - False
...
buffer 70 0x006A0000 0x006AFFFF First Execution False 32-bit 0x006A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-48636.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 e0fdc995b7b6f527d2bed1f998daa0a9 Copy to Clipboard
SHA1 2cb83b925af353d8efd92cbd78c42ac4067a6735 Copy to Clipboard
SHA256 8bb3d54d25d5e8b6a85ef29ca1377eb0c308a26b70fc05792bc7b7ea94e0cc38 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbylPztjcf8/EChvvIpwnJHexVuUkYc39SAuK7AW:fb3owZUtkPJjcfW0rTkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-48636.exe 21 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 21 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 21 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-59261.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 271ed2e3391c00fc0eec370bb7382bc0 Copy to Clipboard
SHA1 259eeca60655b6f090b2220fa582b21f37675b7e Copy to Clipboard
SHA256 ac990ecc2937397227971f3893c6b41c1996a64c4bdcab626f85d81428257e70 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUfYc3RSAuE7Ay:fb3owZUtbPJjcf20rTfY2EAuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-33432.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 8429487a067419ad08e1dd3eae71a391 Copy to Clipboard
SHA1 bbcdf34c296bf454d94262c82c46b36af766d14c Copy to Clipboard
SHA256 2297d9ce1a49e966c449ad194115e1a206376eac564b6de57d824255a5ee7eff Copy to Clipboard
SSDeep 3072:fbAUogId1H5UtbyCPztjcf8/EChvPIpwnJHexVuqmYc39SWuE7AW:fbHoNZUtbPJjcf20rVmY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-20961.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 c861b88300cc6079c338c0da121a20ba Copy to Clipboard
SHA1 3b86dbcb4142a2bf2aaeee9f3427c0dd935abb42 Copy to Clipboard
SHA256 f5344d03038a5e271e32d906477be141b4f4b8ea3fd92a7a5043e9c296418b23 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyEPztjcf8/EChvPIpwnJHexVuUfYc3RSAuE7AW:fb3owZUtJPJjcf20rTfY2EAuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-20961.exe 64 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 64 0x005C0000 0x005CFFFF Marked Executable False 32-bit - False
...
buffer 64 0x005C0000 0x005CFFFF First Execution False 32-bit 0x005C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-26311.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 fdf1a7bc4a216f57dfc03bab9b53cef2 Copy to Clipboard
SHA1 33db3e36d8881119d9068ebee450d326bbdd117c Copy to Clipboard
SHA256 f651e3f397762ab35980e10d909cd5d4ec899f04c296255cee6b690798abca4e Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EC9vPIponJHexVuUkYc39SAuK7AW:fb3owZUtbPJjcfK0zTkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-26311.exe 58 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 58 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 58 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-45432.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 677815c06f9e3d831918a9987ae3d68f Copy to Clipboard
SHA1 d1a07fab61c1173275c8c29582fe0bbb5dea0557 Copy to Clipboard
SHA256 9c2509b22098d6de1bb3b54df147209ff85755c7b7a9d64b758e1531b71068db Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIponJHexVuUkYc3wSAuK7AW:fb3owZUtbPJjcf20zTkY2jAuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-45432.exe 27 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 27 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
...
buffer 27 0x004D0000 0x004DFFFF First Execution False 32-bit 0x004D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-48638.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 2f7f571f2cacdb02c117e6444d19ef29 Copy to Clipboard
SHA1 bafa412df4ad4be1223fa2a51a34c0e0b62c5c6b Copy to Clipboard
SHA256 2e782b050e1eb12dc4502e29f5988d1c7972ca487a14d63cbbe001431423e099 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuMmYc39fWuE7AW:fbHowZUtbPJjcf20rbmY2hWuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-48638.exe 67 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 67 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 67 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-3867.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 d2dd8f2eda8658e1d5f066356c8a4fca Copy to Clipboard
SHA1 ff4ba9ccf41492f9108eacdb1a7cd08e01bbbdd2 Copy to Clipboard
SHA256 92f8280d9bdaf746a5693a98301dc194fbe9f336b32e302b42c1a0cde48a3ca5 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuUkYc39SAuM7AW:fb3owZUtbPJjcfW0rTkY24AuM Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-3867.exe 88 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 88 0x005A0000 0x005AFFFF Marked Executable False 32-bit - False
...
buffer 88 0x005A0000 0x005AFFFF Content Changed False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-15591.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 09fa1c11a65fdafd2964065ecd54fa41 Copy to Clipboard
SHA1 d45b7ce7ff4c27a3fa63f2b43744957d2c41f07a Copy to Clipboard
SHA256 eba57896ee0f147d41a7a3fd41114e0762f5cc2be3d65979b811bce54b276000 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPzqjcf8/EChvPIpwnJHexVuUmYc39fWuE7AW:fbHowZUtbPOjcf20rTmY2hWuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-15591.exe 83 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 83 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 83 0x004C0000 0x004CFFFF Content Changed False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-47645.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 b94ecebb82074aa119ebc165a3091fc9 Copy to Clipboard
SHA1 e3e23ceb5d3b89c087b30ea59be2dbf052d14140 Copy to Clipboard
SHA256 253aeb8614c29356ccec71ce43f7ae07a52b6c08e8825b739f91e77e145d7d15 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUfYc3RSAuE7Av:fb3owZUtbPJjcf20rTfY2EAuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-47645.exe 81 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 81 0x020B0000 0x020DFFFF Marked Executable False 32-bit - False
...
buffer 81 0x020B0000 0x020B9FFF Marked Executable False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-49068.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 c4762bac2e5442dfc856da0452fe25c0 Copy to Clipboard
SHA1 79ce5f48885a871ca4a6dfdabecea3440250ad34 Copy to Clipboard
SHA256 8f3ae403b8fb15a4d2011adfdac5a334359d5d0ebcaf21561b41874a8382fdc4 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnrHexouUkYc39cWuE7AW:fbHowZUtbPJjcf201CkY2WWuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-64568.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 4321f14a7ae3a8f9da1722e112fad0bc Copy to Clipboard
SHA1 7b3dac74897c7605d3134fa7743c5c0d0d288b78 Copy to Clipboard
SHA256 79ef1b7e2f61b94cb56390ccde7317a20283e8bb0729635a85abc0a989c5f01e Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8//ChvPIpwnJHexVuUkYc39SAuK7Am:fb3owZUtbPJjcfr0rTkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-34306.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 fae575b47a68b29e5fa41ae24be340ec Copy to Clipboard
SHA1 5565b480b709b1f96181772b7f790df5e482516f Copy to Clipboard
SHA256 34ec5825b8d030a63f60e0767fa431b1a524f02b76a775fe415c54b3f32c6d77 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIponJHexVuU3Yc39SAuK7AW:fb3owZUtbPJjcf20zT3Y24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-42638.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 4fb9c8f0e4dee0b99bb42a29b3dcd262 Copy to Clipboard
SHA1 bf9e75b6a6e36b4a4dd41e5eea83376b0cce487a Copy to Clipboard
SHA256 67b241b6057800ec9165ad07051534083c8a2289589c8fa219d7e0b10cece054 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUmYc3DSWnE7AW:fbHowZUtbPJjcf20rTmY2mWnE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-50424.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 8189b5a26f0945a4d3af3b35cabd2bfb Copy to Clipboard
SHA1 0290d9f1a1b8ab10dbe27cf5ef7ea7ab510f13f4 Copy to Clipboard
SHA256 f661d6b6c397dd646ca1ac7fff82312ae86591b482a157b3507803573727f91b Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPzfjcf8/EChvPIpwnJHexVuUmYc39fWuE7AW:fbHowZUtbPbjcf20rTmY2hWuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-50424.exe 32 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 32 0x00590000 0x0059FFFF Marked Executable False 32-bit - False
...
buffer 32 0x00590000 0x0059FFFF First Execution False 32-bit 0x00595318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-4490.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 6892ccb7794f61e2134a8dfa124e9bb0 Copy to Clipboard
SHA1 de88f1bd3f801022ae346359a1bba7fec0e714dd Copy to Clipboard
SHA256 dbad1eeca19763baa5217b0b7a7b2a21af377849201bbf70139657504d91a234 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHDxVuUfYc39SAuE7Af:fb3owZUtbPJjcf20mTfY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (1)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-4490.exe 95 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-29451.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 14acbc8337ab09a1b8b936f96af4a6e0 Copy to Clipboard
SHA1 2a45ba92ca40615feb1bffe47a39785edc7172cc Copy to Clipboard
SHA256 855d7b42689d7eb590571e5390d519879a4b292be3e5bdf8c5a746b443e8bcdd Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuSkYc39SAuK7AW:fb3owZUtbPJjcfW0rtkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-29451.exe 9 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 9 0x020A0000 0x020AFFFF Marked Executable False 32-bit - False
...
buffer 9 0x020A0000 0x020AFFFF First Execution False 32-bit 0x020A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-35061.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 2eadc8e17bc0e9a68f17ae3bcea09988 Copy to Clipboard
SHA1 53d07606c28cc0ac2f2c8dd2de46a8a9b5c2f485 Copy to Clipboard
SHA256 ce686f4c110ec4d6eb7adfed034ce2353f671b5611c5ec019d8749f6ceffe5b0 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVu1mYc39fWuE7AW:fbHowZUtbPJjcf20rimY2hWuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-35061.exe 17 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 17 0x004C0000 0x004DFFFF Marked Executable False 32-bit - False
...
buffer 17 0x004C0000 0x004C9FFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-37186.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 b75046c2aa4c694cc6ebdd0f84b27076 Copy to Clipboard
SHA1 4e021e63dbd0fc3b350a592979e2c5d35c9e6c05 Copy to Clipboard
SHA256 394e6848d23b2866b41316a36e8ebb254c4ff8a677594210e65550fded48a05c Copy to Clipboard
SSDeep 3072:fbAUogIeIH5UtbyCPztjcf8/EChvPIpwnJHexVuUmYc39fWuE7AW:fbHoHZUtbPJjcf20rTmY2hWuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-37186.exe 50 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 50 0x004C0000 0x004EFFFF Marked Executable False 32-bit - False
...
buffer 50 0x004C0000 0x004C9FFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-34596.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 a48ee1e060acafa04defcd057baf558a Copy to Clipboard
SHA1 2ae97e18e6d90c3332d7edc92e3f2e969d04109f Copy to Clipboard
SHA256 ad08c4f20ba1a2e92f8a0951d1792dbcaa3548c55bf05d72b2209ca1c1f2cb4f Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIponJHexVuUkYc39SLuK7AW:fb3owZUtbPJjcf20zTkY24LuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-34596.exe 72 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 72 0x00590000 0x005CFFFF Marked Executable False 32-bit - False
...
buffer 72 0x00590000 0x00599FFF First Execution False 32-bit 0x00595318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-43392.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 f2ead88962329916a9c43acd3eeb2dfa Copy to Clipboard
SHA1 757bade4be580ae0c7a0b15ac9ad7bdae73b4a11 Copy to Clipboard
SHA256 cc72758558832441644c0df4032f808ab5363ce028df120a65cde8a8cd812f34 Copy to Clipboard
SSDeep 3072:fbAiogIdIH5UtbyCPztjcf8/EChvPIponJHexVuUkYc39SAuK7AW:fbFowZUtbPJjcf20zTkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-43392.exe 43 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 43 0x00590000 0x0059FFFF Marked Executable False 32-bit - False
...
buffer 43 0x00590000 0x0059FFFF First Execution False 32-bit 0x00595318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-50210.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 3bd621fcfbf8938713818ed9b20cea95 Copy to Clipboard
SHA1 f1c109878885a99f4b8a3cbf072e8a0caea129e8 Copy to Clipboard
SHA256 41b69364214d5f73b10af42a1e8676b8240431770221822df6156f77aa83ff99 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuUkYc39SAuK7AC:fb3owZUtbPJjcfW0rTkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-50210.exe 53 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 53 0x005D0000 0x005DFFFF Marked Executable False 32-bit - False
...
buffer 53 0x005D0000 0x005DFFFF First Execution False 32-bit 0x005D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-63547.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 007a5527eb09015f158d56ce22a14bab Copy to Clipboard
SHA1 e6065d901f29f0930813aa977bed6e59c67d41cd Copy to Clipboard
SHA256 5ecc7525ae5a5687fa49df7c69db817c4e43015cbedc082dad5006a2c7b27270 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuUkYc39STuK7AW:fb3owZUtbPJjcfW0rTkY24TuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-63547.exe 35 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 35 0x020A0000 0x020AFFFF Marked Executable False 32-bit - False
...
buffer 35 0x020A0000 0x020AFFFF First Execution False 32-bit 0x020A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-57162.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 56b95980893491b85d9b287b6c2106f0 Copy to Clipboard
SHA1 fa2093da624db1b14e9f98e8c35218b2c1e68e67 Copy to Clipboard
SHA256 33a6984397b838103fda963e90b595c002ad7e808bb97f195e473890dda2ca02 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIponJHexVuUkYc39SAuK7AW:fb3owZUtbPJjcf20zTkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-57162.exe 15 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 15 0x004D0000 0x004FFFFF Marked Executable False 32-bit - False
...
buffer 15 0x004D0000 0x004FFFFF First Execution False 32-bit 0x004D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-37106.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 8e3e9486acea3f33c1f50f4a1e0e81d4 Copy to Clipboard
SHA1 cbcb5e6775851fc4ff2f2c7437cdf9789b2649a4 Copy to Clipboard
SHA256 63b9a36104806e0d58be0b3385142e1e5beabf5fef1344998c1b875f7b863f5b Copy to Clipboard
SSDeep 3072:fbAUogvdIH5UtbyCPztjcf8/EChvPIpwnJHexouUkYc39SWuE7AW:fbHojZUtbPJjcf20rCkY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-37106.exe 63 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 63 0x005A0000 0x005AFFFF Marked Executable False 32-bit - False
...
buffer 63 0x005A0000 0x005AFFFF First Execution False 32-bit 0x005A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-41311.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 cb24d550f886cfce3535e0d81c5fbdec Copy to Clipboard
SHA1 8ec31cda1776fc3c4519f703e340f72ee8260771 Copy to Clipboard
SHA256 ef05a39a9ab8c4e8ae92daac94ca581d024755cafa08b3bab03b3d83b70587de Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUMYc39SAuE7AW:fb3owZUtbPJjcf20rTMY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-41311.exe 38 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 38 0x00590000 0x0059FFFF Marked Executable False 32-bit - False
...
buffer 38 0x00590000 0x0059FFFF First Execution False 32-bit 0x00595318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-36039.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 d13ed917de8b5f4c653fa24713d1fc2f Copy to Clipboard
SHA1 c188621dbb4fc85ee962d0896542e38e7f795350 Copy to Clipboard
SHA256 6cc653861f141cdd6782f492855729c7349a47e46de746bcc363a4aaccd7624e Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuIkYc39SAuE7AP:fbHowZUtbPJjcf20rfkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-36039.exe 85 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 85 0x005A0000 0x005AFFFF Marked Executable False 32-bit - False
...
buffer 85 0x005A0000 0x005AFFFF Content Changed False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-64220.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 b055852ea697529f593f95788909aca3 Copy to Clipboard
SHA1 e649ebb459143634d255d680c146f6c6e8c91cc5 Copy to Clipboard
SHA256 02a8f0792e02abf7bf1442a8fe698dde64a90a8266dab4c5d04d494e26d28b87 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAu97An:fb3owZUtbPJjcf20rTkY24Au9 Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-64220.exe 60 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 60 0x005A0000 0x005AFFFF Marked Executable False 32-bit - False
...
buffer 60 0x005A0000 0x005AFFFF First Execution False 32-bit 0x005A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-2545.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 afe0cd661fdd2cefb85f02ca0c8683d4 Copy to Clipboard
SHA1 2f94e7fc6693ef0174b00f6da9aeb57b27207564 Copy to Clipboard
SHA256 5d3677eb8d14fe5347ae5ac7e355b54916dc7d6cc35fa5b0bafcb6e525235db8 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChEPIpwnJHexVuUfYc39SAuE7AW:fb3owZUtbPJjcft0rTfY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-2545.exe 54 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 54 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
...
buffer 54 0x004D0000 0x004DFFFF First Execution False 32-bit 0x004D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-4031.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 206a566441dbd27caffcd3e218ac448c Copy to Clipboard
SHA1 3c87fed74ee554f74a7d5e0e0dba2f7177832868 Copy to Clipboard
SHA256 923a528e5f6bce8998829af63ab55b81a49b46f178991ea24048bd6886a524aa Copy to Clipboard
SSDeep 3072:fbAEogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUmYc39SWuE7AW:fbXowZUtbPJjcf20rTmY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-4031.exe 62 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 62 0x020B0000 0x020FFFFF Marked Executable False 32-bit - False
...
buffer 62 0x020B0000 0x020FFFFF First Execution False 32-bit 0x020B5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-24860.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 459e9e2c6f8c3ab3acb3085ad12c3d6d Copy to Clipboard
SHA1 76cc8804f496fb9cf3d832d200e6f6f825c8ccbf Copy to Clipboard
SHA256 e57f84fd974e5dacc91fb27983145e1905e282f7accfc8fa32a70b1190adb7cf Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexouHkYc39SWuE7AW:fbHowZUtbPJjcf20rtkY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-29034.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 286ef1dceb69e134921992a7ed8c3b3c Copy to Clipboard
SHA1 ad23aece917dc07f06b621bfc6be64361b514f38 Copy to Clipboard
SHA256 4d38134e9901887fce92061618f6e105041e736fb4927767b52bfbfa4372deed Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnrHexouUkYc39SWuE7AW:fbHowZUtbPJjcf201CkY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-29034.exe 29 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 29 0x005A0000 0x005AFFFF Marked Executable False 32-bit - False
...
buffer 29 0x005A0000 0x005AFFFF First Execution False 32-bit 0x005A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-1002.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 7d3f08bd7650140be1e272146eccfce3 Copy to Clipboard
SHA1 72ee277e8c0b1c9f0fe36c89f7627ac51b7ccf84 Copy to Clipboard
SHA256 f0886b0dd2fad1b83798509bda52e12c8b713764053fce2638dc63a9580fb846 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUmYc39SduE7AW:fbHowZUtbPJjcf20rTmY24duE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-1002.exe 77 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 77 0x005A0000 0x005BFFFF Marked Executable False 32-bit - False
...
buffer 77 0x005A0000 0x005BFFFF First Execution False 32-bit 0x005A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-51023.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 2d6464f811b2991d655d124048274f7e Copy to Clipboard
SHA1 f58f2c56cd6942422813a386243d6d0ca460fa74 Copy to Clipboard
SHA256 0f165d24ac2ca5e8e5a245ff28d7a59f67c44f2d6634920ec8ad527a4f42d650 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUmYc39fWuE7AW:fbHowZUtbPJjcf20rTmY2hWuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-51023.exe 10 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 10 0x00590000 0x0059FFFF Marked Executable False 32-bit - False
...
buffer 10 0x00590000 0x0059FFFF First Execution False 32-bit 0x00595318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-21999.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 93e594ae86dd72e3bd05363973659324 Copy to Clipboard
SHA1 e71d55ef15a8e1d48903f5b072e5bdaf418f29ac Copy to Clipboard
SHA256 76ef843bb12d7c163af9e96480b61915e6acecbf869899a98ade430d20f13a85 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuUkYc39SAuK7AW:fb3owZUtbPJjcfW0rTkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-21999.exe 6 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 6 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
...
buffer 6 0x004D0000 0x004DFFFF First Execution False 32-bit 0x004D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-39045.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 631349b1d442b50c124aa30d94d455f5 Copy to Clipboard
SHA1 eac04e3cc8c8281f4b19c94fc7991f0388289569 Copy to Clipboard
SHA256 ced8a7128506c8629c97c2af385398b42448d2a5b1b0104292396f6cdc00cb7f Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVWUkYc39SAuK7AW:fb3owZUtbPJjcf20rrkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-39045.exe 75 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 75 0x00590000 0x0059FFFF Marked Executable False 32-bit - False
...
buffer 75 0x00590000 0x0059FFFF Content Changed False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-32676.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 77f5161e4f7e49f1e909fbf1682595fe Copy to Clipboard
SHA1 8b9bc534a30d1505e17e8f33120547b39afd4657 Copy to Clipboard
SHA256 03781bc493f43d36f78188f994c4a743066fefb4d1a09981dbdc82a296828e6d Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc/9SAuE7An:fb3owZUtbPJjcf20rTkYe4AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-32676.exe 45 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 45 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
...
buffer 45 0x004D0000 0x004DFFFF First Execution False 32-bit 0x004D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-60479.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 bd44766721d9e5dc4e41f6adac5a24be Copy to Clipboard
SHA1 402fbb92169fe766f1792f058d26da30f0fe6798 Copy to Clipboard
SHA256 d3a32bbdb3193b26790b2c63ef3f82f55d0f95bc9629e73ba61d8cae63e2992f Copy to Clipboard
SSDeep 3072:f9A6ogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuE7AW:f9towZUtbPJjcf20rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-54568.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 136aae00687d2405360fd050be41b6f8 Copy to Clipboard
SHA1 f443c2fe78677b06995a8c6c3ae74564b8aee024 Copy to Clipboard
SHA256 f4dcb138053d449a89376b7dade29058a96ad4f2491b992522e34580ffcd5e4f Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPkpwnJHexVuUmYc39SWuE7AW:fbHowZUtbPJjcf2orTmY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (1)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-54568.exe 93 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-8421.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 4425156f5eb9c0e0a0790434af98dd42 Copy to Clipboard
SHA1 643096c1da90da8117f7686539b0391316bbd2f0 Copy to Clipboard
SHA256 af00afee474e0fd3747f2dd5edf5c91a2296cce8869ce614038cec0c253a8151 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChuPIpwnJHexVuUkYc39SAuE7An:fb3owZUtbPJjcf70rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-8421.exe 30 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 30 0x005D0000 0x005DFFFF Marked Executable False 32-bit - False
...
buffer 30 0x005D0000 0x005DFFFF First Execution False 32-bit 0x005D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-20429.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 004d1819ac6d4c4a69d18ce2db932f6b Copy to Clipboard
SHA1 24e01e737358ba18699946c85ebce234c7ddb934 Copy to Clipboard
SHA256 58e310f1482e66e05ad2830ac8edecaa4ed1642410b0e0e36a48f971683e5a24 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHNxVuUkYc39SAuK7AW:fb3owZUtbPJjcf204TkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-20429.exe 59 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 59 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
...
buffer 59 0x004D0000 0x004DFFFF First Execution False 32-bit 0x004D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-29494.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 188d529a47fb7ea11a1b59c9c7e8afe2 Copy to Clipboard
SHA1 2362dd5d11cfc89b30447993b0fca6c2a1a53d80 Copy to Clipboard
SHA256 6cd4d406a189b77d55eeb82a635eb1dbcb4f38994d1fa99b2b5f6e4d21fb9f2a Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUmYc39SWuE3AW:fbHowZUtbPJjcf20rTmY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-29494.exe 48 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 48 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 48 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-31495.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 284b27d5ee90c1a016423709a55a3453 Copy to Clipboard
SHA1 4435b260d68e1f6df82130c8d2bf069a015ed9c5 Copy to Clipboard
SHA256 b9e6710e654930a91b3a0ac9f31875c48685a65f8e389f7a7f3ec413e0b8c989 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/ECFvPIpwnJHexVuUfYc39SAuE7AW:fb3owZUtbPJjcfq0rTfY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (2)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-31495.exe 89 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 89 0x020B0000 0x020EFFFF Marked Executable False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-17496.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 135e5863ffd480fe33ba9bd1cdc0bc18 Copy to Clipboard
SHA1 2e18e5704b4401bd6872e9ec43c7574f3cf70754 Copy to Clipboard
SHA256 0268d4c1be27787f8e43104189d40e57e5b456737df1f65fc7f4b0d69c665b71 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUmYG39SWuE7AW:fbHowZUtbPJjcf20rTmYE4WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-23193.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 5a7b9c5c0ed51c43c0fe59019c40be7f Copy to Clipboard
SHA1 013e79ef599fd56ae0c7ae2ac94a621ace66e6dd Copy to Clipboard
SHA256 1d9b3789bd3479b320a210d26bffd1e90989b3cd6e47c83b591872dfa884b56e Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUfYc39SAuk7AW:fb3owZUtbPJjcf20rTfY24Auk Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-22151.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 a909c40a3419822ff3b2dc16ff06e510 Copy to Clipboard
SHA1 2223319aa93cad935769422cbfdf11c635c79b0c Copy to Clipboard
SHA256 662cc7ab688898372fa1ae4075b8e6042c197a0adac271e9f9e2a900c067d17a Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpNnJHexVuUkYc39SAuE7An:fb3owZUtbPJjcf206TkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (1)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-22151.exe 94 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-9934.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 240a7c4a5b2e04bba672d50c65fa4d26 Copy to Clipboard
SHA1 1e0e62dc472c00010a98a554d0cfe97d570aa118 Copy to Clipboard
SHA256 3328d693c28632607d48dcc0a929ce6a3eada450203b34a149201509217a0520 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvP3pwnJHexVuUkYc3dSWuE7AW:fbHowZUtbPJjcf2ZrTkY2YWuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-40756.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 b450640890d23c79a88d69b0f2226271 Copy to Clipboard
SHA1 c2ff3937397ae2b220071d2787dacbb42a99643e Copy to Clipboard
SHA256 17340533a1df92fff7e5552ef9e228fc11067747014afedbaa72a73ba1843b3f Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SBuE7An:fb3owZUtbPJjcf20rTkY24BuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-40756.exe 78 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 78 0x00560000 0x0056FFFF Marked Executable False 32-bit - False
...
buffer 78 0x00560000 0x0056FFFF First Execution False 32-bit 0x00565318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-11015.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 630f22c74a50a5a19d04dcf157f99261 Copy to Clipboard
SHA1 cb5ca14a83dd56ae50ee1e087185a3c87bb52042 Copy to Clipboard
SHA256 7e99e495e17a0eda4022cda949ec32f51e72de49bcb67f302eb272efeb6f89ef Copy to Clipboard
SSDeep 3072:fbASogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuESAN:fblowZUtbPJjcf20rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-11015.exe 76 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 76 0x005B0000 0x0062FFFF Marked Executable False 32-bit - False
...
buffer 76 0x005B0000 0x0062FFFF Content Changed False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-1075.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 c3b0e6421a5d1fa222dc7aa0c8b5fefa Copy to Clipboard
SHA1 ca2b3a2e7e04d0118dc28416f9f716e811bf5759 Copy to Clipboard
SHA256 f163f8abdff796611227b0aa9f616f1f09ac6c05c290da2d403d6b268c9b250a Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUfYc3RSAuE7AW:fb3owZUtbPJjcf20rTfY2EAuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-1075.exe 14 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 14 0x00510000 0x0051FFFF Marked Executable False 32-bit - False
...
buffer 14 0x00510000 0x0051FFFF First Execution False 32-bit 0x00515318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-57664.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 49fd85f3f0ab766b0bc2f8c77528c4ab Copy to Clipboard
SHA1 f900a4590cd796dda798e04a37dbeab046471e62 Copy to Clipboard
SHA256 88c607f7ff92d5fc02857bcce2910b002dd8c5328fccade0a6810e1a8d0fc03f Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUfYc39SAuEkAW:fb3owZUtbPJjcf20rTfY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-57664.exe 69 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 69 0x004D0000 0x0051FFFF Marked Executable False 32-bit - False
...
buffer 69 0x004D0000 0x0051FFFF First Execution False 32-bit 0x004D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-14755.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 dc7f1a48901f114c39dcc9d119498417 Copy to Clipboard
SHA1 69b51dc66a2b8c41c20c98e9e3fc2bff8c9b29e4 Copy to Clipboard
SHA256 79b42a9cdeaf972b9116c3d2778afacf1ba380ab415e832afb83c27c53355444 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuIkYc3QSAuE7AN:fbHowZUtbPJjcf20rfkY2DAuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-49205.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 6340ffc889ad70933ca2645ae97c3de9 Copy to Clipboard
SHA1 5eb1230da7b80111bf5403c67c0d3f9419b0740f Copy to Clipboard
SHA256 686e64eee45fc7ff3e94600d0563ed5deb89b41283ec5f4c2f11bfc256b7032a Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHAxVuUkYc39SAuESAN:fbHowZUtbPJjcf20tTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-49205.exe 44 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 44 0x020A0000 0x020AFFFF Marked Executable False 32-bit - False
...
buffer 44 0x020A0000 0x020AFFFF First Execution False 32-bit 0x020A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-61.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 49182d88a540fc3f5808172b343be0c7 Copy to Clipboard
SHA1 638331ce7bd9a3b8d5aeaca30fde241e477b21b7 Copy to Clipboard
SHA256 38dc724f0593cecd24cca547a1d4bd5bbe81ef1f3a69a0e76a7ee1b95403a972 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc3ASAuESAN:fbHowZUtbPJjcf20rTkY2TAuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-61.exe 28 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 28 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 28 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-14785.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 36a416ff5e76d54f0bc919f717ac530c Copy to Clipboard
SHA1 2a911d74626ab4c1b79bb036a25fd8a7a4f4b970 Copy to Clipboard
SHA256 1e248ce7786b1360ab34ec932287f10ef3d4ded5a6e44644cec12b220c425c35 Copy to Clipboard
SSDeep 3072:fbAUogId1H5UtbyCPztjcf8/EChvPIpwnJHexVuUmYc39SWuE7AW:fbHoNZUtbPJjcf20rTmY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (4)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-14785.exe 19 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 19 0x00590000 0x0059FFFF Marked Executable False 32-bit - False
...
buffer 19 0x00590000 0x0059FFFF First Execution False 32-bit 0x00595318 False
...
unicorn-14785.exe 19 0x00400000 0x00474FFF Final Dump False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-22535.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 f5d60d6617570d57e4bf5201927b3b4d Copy to Clipboard
SHA1 82d38600c77d7a0d71c38052a2aab4f4581d9cc7 Copy to Clipboard
SHA256 5bb1c8d05b6ced5fa73877c622b3920e10f06704861e6365b40e8bc8b84c1172 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexV+UkYc39SAuESAN:fbHowZUtbPJjcf20rDkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-26074.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 307b38464c815005cf25c7ef2ca250aa Copy to Clipboard
SHA1 3077976c70acfb7bb36d517b1642a09342051499 Copy to Clipboard
SHA256 879f62dc6df84f9d8eafa52867e0a7f23a97eacfab0169d92a9f8df5ce9f1e1c Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUmYc3DSWuE7AW:fbHowZUtbPJjcf20rTmY2mWuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-26074.exe 33 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 33 0x005C0000 0x0063FFFF Marked Executable False 32-bit - False
...
buffer 33 0x005C0000 0x005C9FFF First Execution False 32-bit 0x005C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-12573.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 1e513aed6e440cdac6fe366e0d2596ed Copy to Clipboard
SHA1 36cfd8200bd824b4a85984f4608dcedacaedda62 Copy to Clipboard
SHA256 0df9bb987582b687650f02473c5a532026f98c5404a48c9fbda7fd50bb5d04ac Copy to Clipboard
SSDeep 3072:fbAkogIYIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuK7AW:fb3oVZUtbPJjcf20rTkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-12573.exe 42 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 42 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
...
buffer 42 0x004D0000 0x004DFFFF First Execution False 32-bit 0x004D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-24797.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 f75cf3bbeb7280a504be0e097090a726 Copy to Clipboard
SHA1 519aee71033c65efd50b5ee4f6d76eb6d7902500 Copy to Clipboard
SHA256 880596d0efa39d56646257149b2692b6b65f6e438876b3cf6d28ed44fdc06eec Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8//ChvPIpwnJHexVuUkYc39SAuK7AW:fb3owZUtbPJjcfr0rTkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-24797.exe 22 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 22 0x00590000 0x005DFFFF Marked Executable False 32-bit - False
...
buffer 22 0x00590000 0x00599FFF First Execution False 32-bit 0x00595318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-59443.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 8e21f1ed1202896723ab52a84a727960 Copy to Clipboard
SHA1 469025a2704adc4fe0e6523a163a153bcad0b2ff Copy to Clipboard
SHA256 4c6fd23b9bd3a5da91fcdb4fef72cfd77166010e0afc108fba543b44462c3cc0 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHDxVuUfYc39SAuE7AW:fb3owZUtbPJjcf20mTfY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-59443.exe 23 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 23 0x005A0000 0x005AFFFF Marked Executable False 32-bit - False
...
buffer 23 0x005A0000 0x005AFFFF First Execution False 32-bit 0x005A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-23076.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 7a214e1eb5b2f32b62290748a79a97c9 Copy to Clipboard
SHA1 8d0535a9346c3caa95de12b3e479af894af73796 Copy to Clipboard
SHA256 947888c055fdc1092f49871d2f9c8973b554e93db17cea9093236794ce5944ff Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexouUkY939SWuE7AW:fbHowZUtbPJjcf20rCkYZ4WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-23076.exe 47 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 47 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 47 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-15335.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 126861d6157b64019376e9687eeacaa4 Copy to Clipboard
SHA1 87dd5926a7ffdeb9bec38e4c87c49cb90356bde2 Copy to Clipboard
SHA256 a8234265a9b42fafd6db085ab55cffe12c5310f14842fb8aaf72ddfb95c0c60d Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuESAN:fbHowZUtbPJjcf20rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (4)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-15335.exe 11 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 11 0x004D0000 0x0051FFFF Marked Executable False 32-bit - False
...
buffer 11 0x004D0000 0x0051FFFF First Execution False 32-bit 0x004D5318 False
...
unicorn-15335.exe 11 0x00400000 0x00474FFF Final Dump False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-60201.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 c9729a5c5d99b01d870a2bd59863de04 Copy to Clipboard
SHA1 17e7c0c112ec0a54291666c4d120aa0a61d25138 Copy to Clipboard
SHA256 b896be21062af69800df4e12ff722f0261632e195a878c53e806ae95194b2f3f Copy to Clipboard
SSDeep 3072:fbA6ogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuE7AW:fbtowZUtbPJjcf20rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-60201.exe 24 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 24 0x005A0000 0x005CFFFF Marked Executable False 32-bit - False
...
buffer 24 0x005A0000 0x005CFFFF First Execution False 32-bit 0x005A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-14432.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 cfba396a3faea84c5ff8fbe0e6a4353c Copy to Clipboard
SHA1 46a67241715a4b8ed473ab9ce82993e6206fa47f Copy to Clipboard
SHA256 4724dca237b32db392f7cdf932b9adad1a6932982a24ebfd7b555fc2a270aeac Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVvUkYc39SAuE7AW:fb3owZUtbPJjcf20rYkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-14432.exe 39 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 39 0x005A0000 0x005BFFFF Marked Executable False 32-bit - False
...
buffer 39 0x005A0000 0x005A9FFF First Execution False 32-bit 0x005A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-7945.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 35d20f1b568206f74005f78592b0a49d Copy to Clipboard
SHA1 1cb613d8b0d2442da9f2c86f961f671c613295b3 Copy to Clipboard
SHA256 43047dae80fded33b0d857877a87d60bd0519351659a4f6360fa19a848b2c532 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUfYc39SAuE7AW:fb3owZUtbPJjcf20rTfY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-7945.exe 8 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 8 0x005D0000 0x005DFFFF Marked Executable False 32-bit - False
...
buffer 8 0x005D0000 0x005DFFFF First Execution False 32-bit 0x005D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-34718.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 e1a1b54376736a4d230631d9aba09a92 Copy to Clipboard
SHA1 2fc458f3f5082936f7c4297f72d8607f553fa52b Copy to Clipboard
SHA256 227d2a216a681cf802239ad9793a1eac0ada50413796b1f626d154359d448ab5 Copy to Clipboard
SSDeep 3072:fbEUogIdIH5UtbyCPztjcf8/0ChvPIpwnJHexVuUkYc39SAuE7AW:fb7owZUtbPJjcfG0rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-34718.exe 68 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 68 0x00590000 0x005DFFFF Marked Executable False 32-bit - False
...
buffer 68 0x00590000 0x00599FFF First Execution False 32-bit 0x00595318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-46820.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 42c9e54a8725a7ff6a758dd988b7f20a Copy to Clipboard
SHA1 6a53494a78f0eff3d212cfca976e70cb63f96d82 Copy to Clipboard
SHA256 fd1ff99cfba4d53b74635939b090ee871c05f57f304b07aa187367fe90012d8d Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztGcf8/EChvPIpwnJHexVuUkYc39SAuE7AW:fb3owZUtbPJGcf20rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-46820.exe 86 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 86 0x006A0000 0x006AFFFF Marked Executable False 32-bit - False
...
buffer 86 0x006A0000 0x006AFFFF Content Changed False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-30329.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 9a6299dcafef3f7f0cf46424cb6c838b Copy to Clipboard
SHA1 35745e5b7b9d9cbe24a3d44d08994cb33117c5fc Copy to Clipboard
SHA256 de69c39161d24de3697516f128a35f7362d24d4da64111a3d4b08b1904d4f481 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuE7A5:fbHowZUtbPJjcf20rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-45209.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 bda3a539c2ab68ca3a315c8105496eab Copy to Clipboard
SHA1 2765462454d7f1c3381c6b7db1b5a4833007e1f8 Copy to Clipboard
SHA256 183807f12c2dd439b3f084a582ff197ed48332035e5e18c020e63087628fa011 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtkyCPztjcf8/EChvPIpwnJHexVuUkYc39SWuE7AW:fbHowZUtWPJjcf20rTkY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-45209.exe 90 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 90 0x004E0000 0x004EFFFF Marked Executable False 32-bit - False
...
buffer 90 0x004E0000 0x004EFFFF Content Changed False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-21549.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 27d9e7cf35486ab1070fd6f7c8bdde1f Copy to Clipboard
SHA1 5a77c95dce973207bba9de30b7527a95ee0bd127 Copy to Clipboard
SHA256 864cc3b7fdb0a38269e82517b96398ef3576b908b7f04308f85080982f1ccc74 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39S6uE7AW:fb3owZUtbPJjcf20rTkY246uE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-21549.exe 71 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 71 0x00590000 0x0059FFFF Marked Executable False 32-bit - False
...
buffer 71 0x00590000 0x0059FFFF First Execution False 32-bit 0x00595318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-18783.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 12d43a4ec38ec325fe029a138bf9d88d Copy to Clipboard
SHA1 6d0af0332f38a05584edf8a5e0f2005dc5bf69c8 Copy to Clipboard
SHA256 1884634808dd89ba39b25e7ede717b55c8dd2891320d98c2e6ef009721e8d9e3 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5btbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuE7AN:fbHowZbtbPJjcf20rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-18783.exe 31 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 31 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
...
buffer 31 0x004D0000 0x004DFFFF First Execution False 32-bit 0x004D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-44670.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 b6c33f04552f7869b31abfc72349818b Copy to Clipboard
SHA1 d43d679d179a18aab8b07b8f5b693688410c8a57 Copy to Clipboard
SHA256 e02ba62f357552d72203d51eed9d41d8ba85c892a1e215251498536d109cc095 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SWuE7AE:fbHowZUtbPJjcf20rTkY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-44670.exe 41 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 41 0x005A0000 0x005AFFFF Marked Executable False 32-bit - False
...
buffer 41 0x005A0000 0x005AFFFF First Execution False 32-bit 0x005A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-21580.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 0d200f8a3978f4f264824324e1123fe7 Copy to Clipboard
SHA1 fb46d19389d0c6856384af7e5d8c1e3ad1087b57 Copy to Clipboard
SHA256 fd24bf1156fe71222183a17d9a2d527abfadd8dc6d6f79e0c31795be3877ec96 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc3CSWuE7AW:fbHowZUtbPJjcf20rTkY2NWuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-56237.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 460cef3787ace4e27567833e0b2aa8ba Copy to Clipboard
SHA1 5f2610ac322e86ffadd3e3b9a9cb3b7b6fb8e717 Copy to Clipboard
SHA256 17d327bd7b058a8f7cbadcd9c47ac1a0dd9e26f01699cade293bb5b5541a8d08 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/0ChvPIpwnJHexVuUfYc39SAuE7AW:fbHowZUtbPJjcfG0rTfY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-56237.exe 52 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 52 0x005B0000 0x005BFFFF Marked Executable False 32-bit - False
...
buffer 52 0x005B0000 0x005BFFFF First Execution False 32-bit 0x005B5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-60706.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 d3ac92f57b1797d54a7282d6c3668bde Copy to Clipboard
SHA1 759c388ca2aebcc7ee5a0524cdab13f40cdacbc3 Copy to Clipboard
SHA256 1f80ab3757eeb1ee93b9f5544a97ccf14a99ce0fef063e6e2851965c99b388c0 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexouUkYc39SWuE7AW:fbHowZUtbPJjcf20rCkY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (4)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-60706.exe 12 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 12 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
...
buffer 12 0x004D0000 0x004DFFFF First Execution False 32-bit 0x004D5318 False
...
unicorn-60706.exe 12 0x00400000 0x00474FFF Final Dump False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-38432.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 39dddbca16aa76a5fda30b6d4b2bf9b5 Copy to Clipboard
SHA1 94dab55904bd58f4ca1d437db0f790b003d8dd0a Copy to Clipboard
SHA256 52c78235c114a2b76215a5ea28fdbfac0d9648b1549ffb5cc1484eb1a8e4e819 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuRkYc39SAuE7AN:fbHowZUtbPJjcf20rKkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-38432.exe 65 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 65 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 65 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-15193.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 5fff66507bb6c260a1d24ce740be2e42 Copy to Clipboard
SHA1 9f5bb4dc197429d65b4a67024da77654cdf1ff34 Copy to Clipboard
SHA256 41d968de7e7ed80930197032d23670f6c2a371ef1b6170a6cc5df7aa9ae9c3b6 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuHkYc39SWuE7AW:fbHowZUtbPJjcf20rokY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-15193.exe 57 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 57 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
...
buffer 57 0x004D0000 0x004DFFFF First Execution False 32-bit 0x004D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-25264.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 2d0c727da1a70a9f8bfa6c1f9fbc1ab2 Copy to Clipboard
SHA1 90c491a318a3c3aaf063e52cbed0daaae25628e4 Copy to Clipboard
SHA256 7fc3cebf8816cde1971e534c60236295fd56cfbd91a47266939dc4fd52369de2 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UbbyCPztjcf8/EChQPIpwnJHexVuUkYc39SAuE7AW:fbHowZUbbPJjcfh0rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-53104.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 83a0be8f75fadf3a4a8f4a003a94f538 Copy to Clipboard
SHA1 a5f02dfb358473951e6a04c62ad6ccc1d0d467c0 Copy to Clipboard
SHA256 7187005fa2740d2c3d3b0378ed67badce8209b77f9a55c899bc5ba56737fd3e8 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/0ChvPIpwnJHexVuUkYc39SAu/7AW:fbHowZUtbPJjcfG0rTkY24Au/ Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-7332.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 fe851b798a82d4b3c2fc75287dfbd2dc Copy to Clipboard
SHA1 2ff355ebee6c9c6703fcf9737104600da38eff82 Copy to Clipboard
SHA256 57b185b5842d034ad0302bef34002cb654c1c18fa4210104c2777bab352a8d2c Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuE7An:fb3owZUtbPJjcf20rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-7332.exe 16 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 16 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 16 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-33386.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 5611700a8f8fbbe0a92bf5ceb816fa52 Copy to Clipboard
SHA1 5ef4cdee3fd8c3698bfa9dc3c1f4817ca2a7936e Copy to Clipboard
SHA256 7858d85bded4a8d45ed52a8b5b74b9dc79c2ed3eb4a161f39063d2c8ad86cd66 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc3pSAuE7AN:fbHowZUtbPJjcf20rTkY2cAuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-33386.exe 46 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 46 0x004F0000 0x004FFFFF Marked Executable False 32-bit - False
...
buffer 46 0x004F0000 0x004FFFFF First Execution False 32-bit 0x004F5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-50030.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 e6c5f25cbc129d51642107bb4fd97317 Copy to Clipboard
SHA1 d54422a3345c838c1767219a52707a76ccb4a72c Copy to Clipboard
SHA256 ba4546fcdf35d2feafddc23d6bca13b02b6a29bd3dcb6eb8602bdaedd1fb105c Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/0ChvPIpwnJHexVuUkYc39OAuE7AW:fbHowZUtbPJjcfG0rTkY2cAuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-50030.exe 37 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 37 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 37 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-35211.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 719f5eae66f139d0232efc7145e38da4 Copy to Clipboard
SHA1 1880a7dde4154df0b31dbb184d6afbfa976bbb6d Copy to Clipboard
SHA256 12ab4936683d49728a2a3980381e2c8a4dd5437becf28abd648f5d0bd3e028b4 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUmYc39SWuE7AW:fbHowZUtbPJjcf20rTmY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-35211.exe 7 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 7 0x005A0000 0x005AFFFF Marked Executable False 32-bit - False
...
buffer 7 0x005A0000 0x005AFFFF First Execution False 32-bit 0x005A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-48133.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 f7c605d9fa794871f188c50ba6567b66 Copy to Clipboard
SHA1 b7f4aada8b8b9c65b333fedc4021b386798bf146 Copy to Clipboard
SHA256 522320f2812714cd1230246230f7740c3834b559269c77579ab06472080a3142 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUQYc39SAuE7AW:fb3owZUtbPJjcf20rTQY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-48133.exe 55 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 55 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
...
buffer 55 0x004D0000 0x004DFFFF First Execution False 32-bit 0x004D5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-36274.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 4cb7a45dad363ddb0dca3a2435f05fc9 Copy to Clipboard
SHA1 88bf28716d01714372c2f23d347a5809609678ef Copy to Clipboard
SHA256 04695b3c187027997f2c5f1086faac843ab9f6fac14b2aff907b682c3d39a4ec Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuIkYc39SAuE7AN:fbHowZUtbPJjcf20rfkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-36274.exe 18 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 18 0x00590000 0x0059FFFF Marked Executable False 32-bit - False
...
buffer 18 0x00590000 0x0059FFFF First Execution False 32-bit 0x00595318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-59546.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 02b338705a0acb235430ef868ccf8753 Copy to Clipboard
SHA1 7949093c746fc58c1a8491a3ce8ec765d9259cd6 Copy to Clipboard
SHA256 18d305c776e3247b6b92776afd9812cbccb266c5d27b07e4284d64075118e74d Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc3dSWuE7AW:fbHowZUtbPJjcf20rTkY2YWuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (4)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-59546.exe 26 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 26 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 26 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
...
unicorn-59546.exe 26 0x00400000 0x00474FFF Final Dump False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-40441.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 a986b04f49db0f170a86f6c915bf9328 Copy to Clipboard
SHA1 82702f117a53fd4d5ea9e25f01f5269828d0363b Copy to Clipboard
SHA256 1ba878c5752f0fd84f14b7c0795faac6b4b2be034788df47d5fecfa575f84ab5 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwFJHexVuUkYc39SAuE7AN:fbHowZUtbPJjcf20pTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-40441.exe 80 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 80 0x00560000 0x0056FFFF Marked Executable False 32-bit - False
...
buffer 80 0x00560000 0x0056FFFF Content Changed False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-15242.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 e61755e1d1224120395837c8425b450c Copy to Clipboard
SHA1 1318cf7373bf267a584aec61fc44f03ffd17b0ba Copy to Clipboard
SHA256 455d1497511e25999b915eb8f24bd469f6243045a4a196080d9f52aebc09a364 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtKyCPztjcf8/0ChvPIpwnJHexVuUkYc39SAuE7AW:fbHowZUtMPJjcfG0rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-15242.exe 84 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 84 0x020A0000 0x020AFFFF Marked Executable False 32-bit - False
...
buffer 84 0x020A0000 0x020AFFFF First Execution False 32-bit 0x020A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-44780.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 9dc5300e5e2fb4eebdbced34b9783aa9 Copy to Clipboard
SHA1 dbb0191120eafc37e9d33b22856f86c24502f519 Copy to Clipboard
SHA256 b5b65d1cea76feae7f994ff81d0607fcaf97874974c20e4853eb0d2ebd1d1d1c Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuK7AW:fb3owZUtbPJjcf20rTkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-44780.exe 3 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 3 0x00590000 0x0059FFFF Marked Executable False 32-bit - False
...
buffer 3 0x00590000 0x0059FFFF First Execution False 32-bit 0x00595318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-65522.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 07db939653758a86ccaf8470a5573796 Copy to Clipboard
SHA1 cde766dd1ceedde23788e0811e2ee45d867d3eb7 Copy to Clipboard
SHA256 2a63eff4943c902acc0134f84a366ca83c56fd7bd67728e7a9ed6f8fc28049db Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/0ChvPIpwnJHexVuUkYc39SAuE7AW:fbHowZUtbPJjcfG0rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-65522.exe 13 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 13 0x005C0000 0x005CFFFF Marked Executable False 32-bit - False
...
buffer 13 0x005C0000 0x005CFFFF First Execution False 32-bit 0x005C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-23559.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 cbbe4320c420d55d57d87c6a6be5d7e1 Copy to Clipboard
SHA1 08e81a55e2e663e29e04815eaefc4068a27c51d9 Copy to Clipboard
SHA256 2e95acc5c9193f046a1d5115987e3730e0826ada3ba8c7d5ddb1e53585480ddd Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SPuE7AW:fbHowZUtbPJjcf20rTkY24PuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-23559.exe 56 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 56 0x00590000 0x0059FFFF Marked Executable False 32-bit - False
...
buffer 56 0x00590000 0x0059FFFF First Execution False 32-bit 0x00595318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-7893.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 13cf0f93f89943abff8e56f72a6e165c Copy to Clipboard
SHA1 99ef94d3c40b97208b215f50079ebfb8e3df9bfb Copy to Clipboard
SHA256 bedf163e98fe4d32c67740422421216557686edc6272a0dc689e48e62c91a010 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UbbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuE7AW:fbHowZUbbPJjcf20rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-7893.exe 25 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 25 0x020A0000 0x020CFFFF Marked Executable False 32-bit - False
...
buffer 25 0x020A0000 0x020A9FFF First Execution False 32-bit 0x020A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-25995.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 ca0c38fa45ad65b3861024ea59442696 Copy to Clipboard
SHA1 05ea2de76a92ee8ea41d5ffdae7259b89b54b2ea Copy to Clipboard
SHA256 3fd2aa5859048abc91ea74f1409d16f050e55c5c540f509ecd3d27d5bb8fea84 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SiuE7AW:fbHowZUtbPJjcf20rTkY24iuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (2)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-25995.exe 91 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 91 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-3989.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 5e28ecf036d728632a28b9f0915b447f Copy to Clipboard
SHA1 754c572c1b2917a39a77945732d462399c2df08e Copy to Clipboard
SHA256 4a80535124b8e174f02092af4ae6e0ade865b5e3e22cb5177076406b12d83496 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYU39SAuE7AW:fbHowZUtbPJjcf20rTkYu4AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-3989.exe 74 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 74 0x020A0000 0x020AFFFF Marked Executable False 32-bit - False
...
buffer 74 0x020A0000 0x020AFFFF First Execution False 32-bit 0x020A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-38283.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 0f3f3e2ff2b4d1fa0a4c1bb00f7c348c Copy to Clipboard
SHA1 c2f60beac96045c6106cd0d896b83d3f129f93ac Copy to Clipboard
SHA256 522214d37a7f88f94cdba89a976639b73751b51b309d47319d008509f167fdf0 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexyuUkYc39SAuE7AW:fbHowZUtbPJjcf20r8kY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-38283.exe 40 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 40 0x005A0000 0x005BFFFF Marked Executable False 32-bit - False
...
buffer 40 0x005A0000 0x005BFFFF First Execution False 32-bit 0x005A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-32917.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 34a7544e6f5f439768c1263d7547b7f1 Copy to Clipboard
SHA1 90348d09f8739cf46fa6dfd76ccc0ba2fa6b2bb5 Copy to Clipboard
SHA256 686a56ac2c771ea939ff6e9e8199ba02953e9f93d26e78e4158fced99c347272 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuE7AW:fb3owZUtbPJjcf20rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-32917.exe 2 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 2 0x004C0000 0x004EFFFF Marked Executable False 32-bit - False
...
buffer 2 0x004C0000 0x004EFFFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-6413.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 3877a560bee196544810907fe63d5b9c Copy to Clipboard
SHA1 9e272aab3d51ba696b2816c40e3bc0cef9839fae Copy to Clipboard
SHA256 d45cad9ddeed5478c68f566a3bbecd639c410408a491613f9a0af4b6479a7c9f Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuE7AN:fbHowZUtbPJjcf20rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-6413.exe 5 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 5 0x00590000 0x0059FFFF Marked Executable False 32-bit - False
...
buffer 5 0x00590000 0x0059FFFF First Execution False 32-bit 0x00595318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-40757.exe Dropped File Binary
Malicious
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 c238033e64f08fbdbf2f8173dd1961bf Copy to Clipboard
SHA1 9f4f1834fdcafbf0efc115d58547cb3172c21236 Copy to Clipboard
SHA256 99d2769997f241e1e0051a27ffa852ce6a0aab4286d84cf94d2f6c596566517a Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SWuE7AW:fbHowZUtbPJjcf20rTkY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-40757.exe 4 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 4 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
...
buffer 4 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-29747.exe Dropped File Binary
Clean
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 7cde8d6f9f7f2a73254fd4a1ccb40d37 Copy to Clipboard
SHA1 629c748127bd585ebf0e55c81807fff50757eb7b Copy to Clipboard
SHA256 bcef8b9151867ffd6dbae1df2329e744c69259395628efdf87eba0c8d8ad6f8f Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbylPztjcf8/EChvvIpwnJHexVuUkYc39SAuM7AW:fb3owZUtkPJjcfW0rTkY24AuM Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-48888.exe Dropped File Binary
Clean
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 85f410f0507498db46e88c83a501d7f8 Copy to Clipboard
SHA1 b100312a0a3dcf7e279131ed0116c079e2aefcea Copy to Clipboard
SHA256 728a5e5e76678b7df7fb23dfbb6a678e6f845f7a39755f6d253dcbfe598c6a2e Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbylPztjcf8/EChvvIpwnJHexVuUkYc39PAuK7AW:fb3owZUtkPJjcfW0rTkY2dAuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-48888.exe 87 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 87 0x020A0000 0x0215FFFF Marked Executable False 32-bit - False
...
buffer 87 0x020A0000 0x0215FFFF Content Changed False 32-bit - False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-56784.exe Dropped File Binary
Clean
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 b35d05aaec74fdafeeb815bf1e397f9d Copy to Clipboard
SHA1 8e1dd528decd5590d345ef282a1de48136030fbc Copy to Clipboard
SHA256 8c7f4c94808e4bc1f8578cebe14b0d81077d4ac7cc378ebefaa95e9aeaf809ce Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVu1mYc39fWuR7AW:fbHowZUtbPJjcf20rimY2hWuR Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-40951.exe Dropped File Binary
Clean
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 3a66dc6cbdc9473d91c796b25c2a17cf Copy to Clipboard
SHA1 2b7a059f010c7c9d09e1808df4e754bfca13e368 Copy to Clipboard
SHA256 ce612e014f73d90adaf4d00ecfa6a9aaa71a8d072a564c84cafbb39ce4c8f6c4 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHDxVuUfYc39S6uE7AW:fb3owZUtbPJjcf20mTfY246uE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-51014.exe Dropped File Binary
Clean
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 a064bac7a40f8e5e3ad645d8c702bcd7 Copy to Clipboard
SHA1 073b9ebed6cfa38cb432fcda771be37097fd39d6 Copy to Clipboard
SHA256 9319a06a12120202b6d490f7338c24ff527badcf222a9c05369b0fceccb2eb06 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/fChvvIpwnJHexVuUkYc39SAuK7AW:fb3owZUtbPJjcfD0rTkY24AuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-57342.exe Dropped File Binary
Clean
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 5a3b0ba995547dd17940c9d8a36888ad Copy to Clipboard
SHA1 ce4434b01174771ecbcd6c42b447eb6dd08954cd Copy to Clipboard
SHA256 c3e78864104720930a5bdd0d983cf6bf0e24da951f303c1eb35ef84eccfb5568 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUmYc3rfWuE7AW:fbHowZUtbPJjcf20rTmY2rWuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-50692.exe Dropped File Binary
Clean
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 b7d5cabbdfe0aaf2a04799a3011a325c Copy to Clipboard
SHA1 91b47349bce157bd9cd1cf102b0b2de344df4773 Copy to Clipboard
SHA256 8674411b8bc417d3a5d8b3c946aaf661c87d398da982d8b128f8f6fa1165ad6d Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/qChvPIpwnJHexVuUkYc39OAuE7AW:fbHowZUtbPJjcf80rTkY2cAuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-57329.exe Dropped File Binary
Clean
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 1922f9a75a14e74782dedc75b0c82952 Copy to Clipboard
SHA1 feb4c91c2bee400a9beb77f2a30cf10254ae35d4 Copy to Clipboard
SHA256 079a876c12898fda76cb7cc92f0859c932c870dbedcc9c2bc7dd560f7ddc00cc Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SIuK7AW:fb3owZUtbPJjcf20rTkY24IuK Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-64431.exe Dropped File Binary
Clean
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 a00643aa815075ad0da11f466e203777 Copy to Clipboard
SHA1 cae2278869d8f946c6e14fe947f487036174d768 Copy to Clipboard
SHA256 1cc00bc6296ff68d3cc6635bdfe365ced632706c1f2d4cb5d802e93cf37e1b6f Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexouUkYc39SWuE7AW:fbHowZUtbPJjcf20rCkY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-51968.exe Dropped File Binary
Clean
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 c8b5d0bbf2f81c55a2264f7f07d105b3 Copy to Clipboard
SHA1 3505b7c7603787db543a41e31e20380545fd6b24 Copy to Clipboard
SHA256 8e99785ddbe435ee9f9bd9cde880c36919a09404001d3fb1d617e5794dc9256c Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc3ZSAuESAN:fbHowZUtbPJjcf20rTkY2sAuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-51968.exe 61 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 61 0x005A0000 0x005AFFFF Marked Executable False 32-bit - False
...
buffer 61 0x005A0000 0x005AFFFF First Execution False 32-bit 0x005A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-50325.exe Dropped File Binary
Clean
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 c491e9941f8e782da1af269f283080c9 Copy to Clipboard
SHA1 f47c30bb7231331b24e07da69c99ad2afea17a6a Copy to Clipboard
SHA256 14fbfc9b60879960a4c109c2f42603abdf4ba50772788b6e012820bbb6ec0803 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexouUkYc39SWuE7Ab:fbHowZUtbPJjcf20rCkY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-50325.exe 79 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 79 0x005A0000 0x005AFFFF Marked Executable False 32-bit - False
...
buffer 79 0x005A0000 0x005AFFFF First Execution False 32-bit 0x005A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-25677.exe Dropped File Binary
Clean
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 519f428f6a2ee7d40c4bdcdace9cda71 Copy to Clipboard
SHA1 4a3116b77017598b5271cdfc1924586d1d162ad2 Copy to Clipboard
SHA256 8261694d455c3ad753ee71f7604fe7f47e086b5ca80bb18bfc2095a76c9d1253 Copy to Clipboard
SSDeep 3072:fbAUogIdIH5UtbyGPztjcf8/EChvPIpwnJHexVuUkYc39SWuE7AW:fbHowZUtvPJjcf20rTkY24WuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
»
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-25677.exe 73 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
...
buffer 73 0x006A0000 0x006CFFFF Marked Executable False 32-bit - False
...
buffer 73 0x006A0000 0x006A9FFF First Execution False 32-bit 0x006A5318 False
...
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-42288.exe Dropped File Binary
Clean
...
»
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 c53caacb66161c6b3da313952db2f567 Copy to Clipboard
SHA1 64e35b797cbb576f82e57b412bbf3d14d62b26fc Copy to Clipboard
SHA256 94bab98da5d79df31f30de3bb423e058ef6d0fb1d9c74e70f96a183b6102a3c1 Copy to Clipboard
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuE7AK:fb3owZUtbPJjcf20rTkY24AuE Copy to Clipboard
ImpHash 5d6cad172c5535e4b6b6bbd246571621 Copy to Clipboard
PE Information
»
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
»
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
»
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
»
MSVBVM60.DLL (67)
»
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
»
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus
5/5
...
C:\Users\OqXZRaykm\Desktop\Unicorn-11159.exe Dropped File Empty
Clean
...
  • Actions
»
Also Known As C:\Users\OqXZRaykm\Desktop\Unicorn-13655.exe (Dropped File, Accessed File)
C:\Users\OqXZRaykm\Desktop\Unicorn-20620.exe (Dropped File, Accessed File)
C:\Users\OqXZRaykm\Desktop\Unicorn-44586.exe (Dropped File, Accessed File)
C:\Users\OqXZRaykm\Desktop\Unicorn-46520.exe (Dropped File, Accessed File)
C:\Users\OqXZRaykm\Desktop\Unicorn-57799.exe (Dropped File, Accessed File)
C:\Users\OqXZRaykm\Desktop\Unicorn-8969.exe (Dropped File, Accessed File)
MIME Type application/x-empty
File Size 0 Bytes (not extracted)
MD5 d41d8cd98f00b204e9800998ecf8427e Copy to Clipboard
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Copy to Clipboard
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Copy to Clipboard
SSDeep 3:: Copy to Clipboard
ImpHash -
VMRay - Analyzer - www.vmray.com
Legal Note - Privacy Policy
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting \"security.fileuri.strict_origin_policy\".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    

     Exit-Icon
    

    

     

      WHOIS Domain Information
     

     

      

       
        Domain Name
       
       
       
      

      

       
        WHOIS Response
       
       
        

       		
      

     

    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image