Verdict Malicious
Classifications Virus
Threat Names KawaiiUnicorn

Remarks (1/1)

(0x0200000E): The overall sleep time of all monitored processes was truncated from "16 minutes, 12 seconds" to "1 second" to reveal dormant functionality.

File Name Category Type Verdict
C:\Users\OqXZRaykm\Desktop\Kawaii-Unicorn.exe Sample File Binary Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.29 KB
MD5 bc8ed73cc27fba29d082b9b85e99775f
SHA1 f5b74fcd861cd8bac24f1d7f43897459c9810ba9
SHA256 3bf4b24335d22062415115fcc53aa923aab5a47b07de631db8963699678e499d
SSDeep 3072:fbAUogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUkYc39SAuE7AW:fbHowZUtbPJjcf20rTkY24AuE
ImpHash 5d6cad172c5535e4b6b6bbd246571621
File Reputation Information
Verdict Malicious
PE Information
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
MSVBVM60.DLL (67)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA
kawaii-unicorn.exe 1 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
buffer 1 0x020B0000 0x0215FFFF Marked Executable False 32-bit - False
buffer 1 0x020B0000 0x020B9FFF First Execution False 32-bit 0x020B5318 False
YARA Matches (1)
Rule Name Rule Description Classification Score
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-183.exe Dropped File Binary Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 95aed1a8478c04877d72441b71ecc5c4
SHA1 c4ccc3abbc2a2d9f42366ac5e3dad50fd764053e
SHA256 4ab314335c6a8b9c2bf7f01385fdf6f749e0318d5eb4fd5d8c2a1de23e389dee
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuSkYc39SAuM7AL:fb3owZUtbPJjcfW0rtkY24AuM
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information, Version Information (6), Sections (3) and Imports (1): identical to the sample file Kawaii-Unicorn.exe above.
YARA Matches (1)
Rule Name Rule Description Classification Score
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-36048.exe Dropped File Binary Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 3643650c74252b5e84ad4ccf4e240b76
SHA1 73627fc29838fadadafeb36554159277883d9e43
SHA256 d40b70604d1726df6b2c90675a28218a8761c29cd578cf4f81474a066218d3bc
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIponJHexVuU0Yc3wSAuK7AW:fb3owZUtbPJjcf20zT0Y2jAuK
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information, Version Information (6), Sections (3) and Imports (1): identical to the sample file Kawaii-Unicorn.exe above.
YARA Matches (1)
Rule Name Rule Description Classification Score
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-50206.exe Dropped File Binary Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 c281b6e715e06cd808d195a29cab58de
SHA1 ce0cd3b0b3ac8d43ff1df44b799903960fd0c5ba
SHA256 6f6cfcb7468cb70dd960ae51fd903c813b84eb5fe2b121172717984df48134d5
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuSkYc3zSAuK7AW:fb3owZUtbPJjcfW0rtkY22AuK
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information, Version Information (6), Sections (3) and Imports (1): identical to the sample file Kawaii-Unicorn.exe above.
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA
unicorn-50206.exe 51 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
buffer 51 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
buffer 51 0x004D0000 0x004DFFFF First Execution False 32-bit 0x004D5318 False
YARA Matches (1)
Rule Name Rule Description Classification Score
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-34283.exe Dropped File Binary Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 3d6cd51add6a30ba4ced949708abcf75
SHA1 c52c8d24f86cc36b7565469d5bea2b38a6a85e9f
SHA256 d8253168ca826d79f7f4f0023f477b2e98456c1f7128295b59e2358eaaf026f8
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/iChvvIpwnJHexVuSkYc39SAuK7AW:fb3owZUtbPJjcfE0rtkY24AuK
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information, Version Information (6), Sections (3) and Imports (1): identical to the sample file Kawaii-Unicorn.exe above.
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA
unicorn-34283.exe 82 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
buffer 82 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
buffer 82 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
YARA Matches (1)
Rule Name Rule Description Classification Score
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-23257.exe Dropped File Binary Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 5b24a9699b475a4db21ed41616a452ca
SHA1 2ffb9b4274d63bbe982f880d2873f5824af021ca
SHA256 f2bafdfd06b11299457cf905142932c5e932a8eb2407905651eed5aec1bbd705
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuSkPc39SAuK7AW:fb3owZUtbPJjcfW0rtkP24AuK
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information, Version Information (6), Sections (3) and Imports (1): identical to the sample file Kawaii-Unicorn.exe above.
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-23257.exe 66 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
buffer 66 0x004D0000 0x004DFFFF Marked Executable False 32-bit - False
buffer 66 0x004D0000 0x004DFFFF First Execution False 32-bit 0x004D5318 False
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-61101.exe Dropped File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 639c22f64c4249905f99aa726f6b67b1
SHA1 e2c7e96ab9ec3f64a68bd9101230a9c22e7a7e17
SHA256 e23808d8e782af74ccbf39f36f66025da1272456da024cb310f0d86e6578c4b2
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuSkYc39SAuM7AW:fb3owZUtbPJjcfW0rtkY24AuM
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
MSVBVM60.DLL (67)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-61101.exe 20 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
buffer 20 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
buffer 20 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-30812.exe Dropped File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 ea8d26ab17786723aa7452c9d9bf0d2d
SHA1 d5338ecfcefc3fe89a2c15e811cb1165d5d34ded
SHA256 220a8a1736657a5b1616dedd1c41d8f85cf36a9ab6c2806278ec27e144b0dfbe
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUfYf3R9AuE7AW:fb3owZUtbPJjcf20rTfYPfAuE
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
MSVBVM60.DLL (67)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-33308.exe Dropped File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 54068253e5d76cdef5011e2381c1153d
SHA1 8c90f968014be5880bbdd96eeb088be391fea6d0
SHA256 2c8bf7b27099ec2a95309d9ee52774e7de9a0a98ba5715631e768d1d63399ab1
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuUkYc33STuK7AW:fb3owZUtbPJjcfW0rTkY2CTuK
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
MSVBVM60.DLL (67)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-30351.exe Dropped File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 9406a6cf59c5b02a2de8b6c6137910bc
SHA1 c6df1cddba5e572eb2101c48c5af48a7aee31f12
SHA256 3ff599cde8e1322369edf0974cfa1217387b2f8f89e2c862d0226149fa0744ad
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvvIpwnJHexVuSkYc39SAuKHAW:fb3owZUtbPJjcfW0rtkY24AuK
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
MSVBVM60.DLL (67)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-30351.exe 36 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
buffer 36 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
buffer 36 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-32837.exe Dropped File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 3f205e24f5d14d1cb142cd11c2edeb67
SHA1 044b344dbfa09ff93eb3bbf8dc400e7227ef938f
SHA256 fe6cae8c06e56354b530026c8dbc5494249fa353bbbc3bb6f67fbc6311da5c21
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChkvIpwnJHexVuSkYc39SAuK7AW:fb3owZUtbPJjcfN0rtkY24AuK
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
MSVBVM60.DLL (67)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-36864.exe Dropped File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 fd88ecd05543529efae65f358b53ed10
SHA1 5b1028bcf75d098d8aeac1a10c5202c75efc94ad
SHA256 58541c2e254815a7bc7a1e668b1edc648825c9fc9d3bf65db2a689bfa448698b
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUfYc3RSAuE7Az:fb3owZUtbPJjcf20rTfY2EAuE
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
MSVBVM60.DLL (67)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-36864.exe 49 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
buffer 49 0x005C0000 0x005CFFFF Marked Executable False 32-bit - False
buffer 49 0x005C0000 0x005CFFFF First Execution False 32-bit 0x005C5318 False
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-62317.exe Dropped File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 09d3650b265370fa3e0d2a5638a0fefa
SHA1 2a2c33eecf9c9c6d3e3e8a54b5752590796cba05
SHA256 611932d5fab24fb7b080c4b55ad31d695d629ca105874ebf1e9f5f4be7a58167
SSDeep 3072:fbAkogIdIH5UtbykPztjcf8/EChvPIponJHexVuUkYc39SAuK7AW:fb3owZUtFPJjcf20zTkY24AuK
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
MSVBVM60.DLL (67)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-62317.exe 92 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
buffer 92 0x00590000 0x005BFFFF Marked Executable False 32-bit - False
buffer 92 0x00590000 0x005BFFFF Content Changed False 32-bit - False
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-50222.exe Dropped File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 965721eec56f48b56e67b66fa90f94f5
SHA1 35f632ca9efac63469f3b219477e6e2a8b88c286
SHA256 85cb84de01dd8fbc3019bd516586d0430ba1717f4b31c9f409ba0c902ef2363b
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUfYc3R9AuE7AW:fb3owZUtbPJjcf20rTfY2fAuE
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
MSVBVM60.DLL (67)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-50222.exe 34 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
buffer 34 0x006B0000 0x006BFFFF Marked Executable False 32-bit - False
buffer 34 0x006B0000 0x006BFFFF First Execution False 32-bit 0x006B5318 False
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-11779.exe Dropped File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 2a14050b638b3d53658545a61af751a8
SHA1 5825713373a5ea22875765111fb0a2e7fc7ae870
SHA256 8e853a7835ddbdb93851abc082b4706f2ea171d6a3b930431ac09f8555876eee
SSDeep 3072:fbAkogIdIH5UtbyCPztUcf8/EChvvIpwnJHexVuUkYc39SAuK7AW:fb3owZUtbPJUcfW0rTkY24AuK
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
MSVBVM60.DLL (67)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-11779.exe 70 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
buffer 70 0x006A0000 0x006AFFFF Marked Executable False 32-bit - False
buffer 70 0x006A0000 0x006AFFFF First Execution False 32-bit 0x006A5318 False
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-48636.exe Dropped File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 e0fdc995b7b6f527d2bed1f998daa0a9
SHA1 2cb83b925af353d8efd92cbd78c42ac4067a6735
SHA256 8bb3d54d25d5e8b6a85ef29ca1377eb0c308a26b70fc05792bc7b7ea94e0cc38
SSDeep 3072:fbAkogIdIH5UtbylPztjcf8/EChvvIpwnJHexVuUkYc39SAuK7AW:fb3owZUtkPJjcfW0rTkY24AuK
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
MSVBVM60.DLL (67)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
Memory Dumps (3)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
unicorn-48636.exe 21 0x00400000 0x00474FFF Relevant Image False 32-bit 0x004013D4 False
buffer 21 0x004C0000 0x004CFFFF Marked Executable False 32-bit - False
buffer 21 0x004C0000 0x004CFFFF First Execution False 32-bit 0x004C5318 False
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-59261.exe Dropped File Binary
Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 271ed2e3391c00fc0eec370bb7382bc0
SHA1 259eeca60655b6f090b2220fa582b21f37675b7e
SHA256 ac990ecc2937397227971f3893c6b41c1996a64c4bdcab626f85d81428257e70
SSDeep 3072:fbAkogIdIH5UtbyCPztjcf8/EChvPIpwnJHexVuUfYc3RSAuE7Ay:fb3owZUtbPJjcf20rTfY2EAuE
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
MSVBVM60.DLL (67)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-33432.exe Dropped File Binary Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 8429487a067419ad08e1dd3eae71a391
SHA1 bbcdf34c296bf454d94262c82c46b36af766d14c
SHA256 2297d9ce1a49e966c449ad194115e1a206376eac564b6de57d824255a5ee7eff
SSDeep 3072:fbAUogId1H5UtbyCPztjcf8/EChvPIpwnJHexVuqmYc39SWuE7AW:fbHoNZUtbPJjcf20rVmY24WuE
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 0.01
.rsrc 0x0042D000 0x000479F8 0x00048000 0x0002D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.46
Imports (1)
MSVBVM60.DLL (67)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CIcos - 0x00401000 0x0002B0CC 0x0002B0CC 0x00000000
_adj_fptan - 0x00401004 0x0002B0D0 0x0002B0D0 0x00000000
__vbaVarMove - 0x00401008 0x0002B0D4 0x0002B0D4 0x00000000
__vbaFreeVar - 0x0040100C 0x0002B0D8 0x0002B0D8 0x00000000
None 0x0000024C 0x00401010 0x0002B0DC 0x0002B0DC -
__vbaFreeVarList - 0x00401014 0x0002B0E0 0x0002B0E0 0x00000000
__vbaEnd - 0x00401018 0x0002B0E4 0x0002B0E4 0x00000000
_adj_fdiv_m64 - 0x0040101C 0x0002B0E8 0x0002B0E8 0x00000000
__vbaFreeObjList - 0x00401020 0x0002B0EC 0x0002B0EC 0x00000000
_adj_fprem1 - 0x00401024 0x0002B0F0 0x0002B0F0 0x00000000
__vbaStrCat - 0x00401028 0x0002B0F4 0x0002B0F4 0x00000000
__vbaSetSystemError - 0x0040102C 0x0002B0F8 0x0002B0F8 0x00000000
__vbaHresultCheckObj - 0x00401030 0x0002B0FC 0x0002B0FC 0x00000000
_adj_fdiv_m32 - 0x00401034 0x0002B100 0x0002B100 0x00000000
__vbaAryDestruct - 0x00401038 0x0002B104 0x0002B104 0x00000000
None 0x00000251 0x0040103C 0x0002B108 0x0002B108 -
None 0x00000252 0x00401040 0x0002B10C 0x0002B10C -
__vbaOnError - 0x00401044 0x0002B110 0x0002B110 0x00000000
__vbaObjSet - 0x00401048 0x0002B114 0x0002B114 0x00000000
_adj_fdiv_m16i - 0x0040104C 0x0002B118 0x0002B118 0x00000000
_adj_fdivr_m16i - 0x00401050 0x0002B11C 0x0002B11C 0x00000000
_CIsin - 0x00401054 0x0002B120 0x0002B120 0x00000000
__vbaChkstk - 0x00401058 0x0002B124 0x0002B124 0x00000000
__vbaFileClose - 0x0040105C 0x0002B128 0x0002B128 0x00000000
EVENT_SINK_AddRef - 0x00401060 0x0002B12C 0x0002B12C 0x00000000
__vbaGenerateBoundsError - 0x00401064 0x0002B130 0x0002B130 0x00000000
__vbaPutOwner3 - 0x00401068 0x0002B134 0x0002B134 0x00000000
DllFunctionCall - 0x0040106C 0x0002B138 0x0002B138 0x00000000
_adj_fpatan - 0x00401070 0x0002B13C 0x0002B13C 0x00000000
__vbaRedim - 0x00401074 0x0002B140 0x0002B140 0x00000000
__vbaStrR8 - 0x00401078 0x0002B144 0x0002B144 0x00000000
EVENT_SINK_Release - 0x0040107C 0x0002B148 0x0002B148 0x00000000
None 0x00000258 0x00401080 0x0002B14C 0x0002B14C -
__vbaUI1I2 - 0x00401084 0x0002B150 0x0002B150 0x00000000
_CIsqrt - 0x00401088 0x0002B154 0x0002B154 0x00000000
EVENT_SINK_QueryInterface - 0x0040108C 0x0002B158 0x0002B158 0x00000000
__vbaExceptHandler - 0x00401090 0x0002B15C 0x0002B15C 0x00000000
_adj_fprem - 0x00401094 0x0002B160 0x0002B160 0x00000000
_adj_fdivr_m64 - 0x00401098 0x0002B164 0x0002B164 0x00000000
__vbaFPException - 0x0040109C 0x0002B168 0x0002B168 0x00000000
__vbaGetOwner3 - 0x004010A0 0x0002B16C 0x0002B16C 0x00000000
__vbaUbound - 0x004010A4 0x0002B170 0x0002B170 0x00000000
__vbaStrVarVal - 0x004010A8 0x0002B174 0x0002B174 0x00000000
__vbaVarCat - 0x004010AC 0x0002B178 0x0002B178 0x00000000
_CIlog - 0x004010B0 0x0002B17C 0x0002B17C 0x00000000
__vbaErrorOverflow - 0x004010B4 0x0002B180 0x0002B180 0x00000000
__vbaFileOpen - 0x004010B8 0x0002B184 0x0002B184 0x00000000
__vbaNew2 - 0x004010BC 0x0002B188 0x0002B188 0x00000000
None 0x0000023A 0x004010C0 0x0002B18C 0x0002B18C -
__vbaR8Str - 0x004010C4 0x0002B190 0x0002B190 0x00000000
_adj_fdiv_m32i - 0x004010C8 0x0002B194 0x0002B194 0x00000000
_adj_fdivr_m32i - 0x004010CC 0x0002B198 0x0002B198 0x00000000
__vbaFreeStrList - 0x004010D0 0x0002B19C 0x0002B19C 0x00000000
_adj_fdivr_m32 - 0x004010D4 0x0002B1A0 0x0002B1A0 0x00000000
_adj_fdiv_r - 0x004010D8 0x0002B1A4 0x0002B1A4 0x00000000
None 0x00000064 0x004010DC 0x0002B1A8 0x0002B1A8 -
__vbaI4Var - 0x004010E0 0x0002B1AC 0x0002B1AC 0x00000000
__vbaVarMod - 0x004010E4 0x0002B1B0 0x0002B1B0 0x00000000
_CIatan - 0x004010E8 0x0002B1B4 0x0002B1B4 0x00000000
__vbaStrMove - 0x004010EC 0x0002B1B8 0x0002B1B8 0x00000000
_allmul - 0x004010F0 0x0002B1BC 0x0002B1BC 0x00000000
_CItan - 0x004010F4 0x0002B1C0 0x0002B1C0 0x00000000
__vbaFPInt - 0x004010F8 0x0002B1C4 0x0002B1C4 0x00000000
__vbaUI1Var - 0x004010FC 0x0002B1C8 0x0002B1C8 0x00000000
_CIexp - 0x00401100 0x0002B1CC 0x0002B1CC 0x00000000
__vbaFreeStr - 0x00401104 0x0002B1D0 0x0002B1D0 0x00000000
__vbaFreeObj - 0x00401108 0x0002B1D4 0x0002B1D4 0x00000000
YARA Matches (1)
Rule Name Rule Description Classification Score Actions
KawaiiUnicorn KawaiiUnicorn Virus 5/5
C:\Users\OqXZRaykm\Desktop\Unicorn-20961.exe Dropped File Binary Malicious
MIME Type application/vnd.microsoft.portable-executable
File Size 468.30 KB
MD5 c861b88300cc6079c338c0da121a20ba
SHA1 3b86dbcb4142a2bf2aaeee9f3427c0dd935abb42
SHA256 f5344d03038a5e271e32d906477be141b4f4b8ea3fd92a7a5043e9c296418b23
SSDeep 3072:fbAkogIdIH5UtbyEPztjcf8/EChvPIpwnJHexVuUfYc3RSAuE7AW:fb3owZUtJPJjcf20rTfY2EAuE
ImpHash 5d6cad172c5535e4b6b6bbd246571621
PE Information
Image Base 0x00400000
Entry Point 0x004013D4
Size Of Code 0x0002B000
Size Of Initialized Data 0x00049000
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2019-01-19 14:34 (UTC+1)
Version Information (6)
CompanyName UEFI
ProductName Kawaii-Unicorn
FileVersion 1.00
ProductVersion 1.00
InternalName Kawaii-Unicorn
OriginalFilename Kawaii-Unicorn.exe
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00401000 0x0002A5C4 0x00C3B000 0x00001000 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 4.85
.data 0x0042C000 0x00000A20 0x00001000 0x0002C000