File name: | Nicodrip.exe |
Full analysis: | https://app.any.run/tasks/c8bdee5c-3102-4a31-948f-d0eb93262e2f |
Verdict: | Malicious activity |
Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
Analysis date: | October 05, 2022, 04:23:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (console) Intel 80386, for MS Windows |
MD5: | 1634DF0E4D01E84264DA6DEC107717FB |
SHA1: | 6F6FB1EF1BAEF04881472D25E7A682CBE11226BE |
SHA256: | A919CBE6302C31ACCB9793250291D9697ADAA469FA63BA8D3A091AF8FA61365C |
SSDEEP: | 49152:P5Osl8XjAuK708sYhCZzOopmdLP9uW45uRlyEKmw1uSGKLbSOcvOeBFVWe:PQXjvKoK2yopYLPAt5uRhbwgoLOOcmkD |
Extension | Type |
---|---|
.dll | Win32 Dynamic Link Library (generic) (43.5) |
.exe | Win32 Executable (generic) (29.8) |
.exe | Generic Win/DOS Executable (13.2) |
.exe | DOS Executable Generic (13.2) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date: | 2097-Aug-14 23:34:58 |
Detected languages: | |
FileDescription: | - |
FileVersion: | 0.0.0.0 |
InternalName: | Implosions.exe |
LegalCopyright: | - |
OriginalFilename: | Implosions.exe |
ProductVersion: | 0.0.0.0 |
Assembly Version: | 0.0.0.0 |
e_magic: | MZ |
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 7 |
TimeDateStamp: | 2097-Aug-14 23:34:58 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
| | 8192 | 98304 | 41918 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.97198 |
(#2) | 106496 | 1246 | 581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.58932 |
(#3) | 114688 | 12 | 15 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 3.77356 |
.imports | 122880 | 8192 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.14864 |
.rsrc | 131072 | 8192 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.73391 |
.themida | 139264 | 5324800 | 0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.boot | 5464064 | 3033600 | 3033256 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.96357 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.14148 | 596 | UNKNOWN | UNKNOWN | RT_VERSION |
1 (#2) | 5.00112 | 490 | UNKNOWN | English - United States | RT_MANIFEST |
kernel32.dll |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
868 | "C:\Users\admin\AppData\Local\Temp\Nicodrip.exe" | C:\Users\admin\AppData\Local\Temp\Nicodrip.exe | | Explorer.EXE |
User: | admin |
Integrity Level: | MEDIUM |
Description: | |
Exit code: | 0 |
Version: | 0.0.0.0 |
RedLine (PID) Process: | (868) Nicodrip.exe |
Strings:
US (153) Environment UNKNOWN . 1 cmyredmyit_cmyardmys my as21 \ Local State LocalPrefs.json Host Port : User Pass MANGO %USEWanaLifeRPROFILE%\AppDaWanaLifeta\LWanaLifeocal WanaLife Def Win String.Replace String.Remove windows-1251 AES Microsoft Primitive Provider ChainingModeGCM AuthTagLength ChainingMode ObjectLength KeyDataBlob BCrypt.BCryptImportKey() failed with status code:{0} BCrypt.BCryptGetProperty() (get size) failed with status code:{0} BCrypt.BCryptGetProperty() failed with status code:{0} - http:// / | Yandex\YaAddon 0.tcp.ngrok.io:11252 Test123ND , asf *wallet* Armory \Armory *.wallet Atomic \atomic * ibnejdfjmmkpcnlpebklmnkoeoihofec Tronlink jbdaocneiiinmjbjlgalhcelgbejmnid NiftyWallet nkbihfbeogaeaoehlefnkodbefgpgknn Metamask afbcbjpbpfadlkmhmclhkeeodmamcflc MathWallet hnfanknocfeofbddgcijnmhnfnkdnaad Coinbase fhbohimaelbohpjbbldcngcnapndodjp BinanceChain odbfpeeihdkbihmopkbjmoonfanlbfcl BraveWallet hpglfhgfnhbgpjdenjgmdgoeiappafln GuardaWallet blnieiiffboillknjnepogjhkgnoapac EqualWallet cjelfplplebdjjenllpjcblmjkfcffne JaxxxLiberty fihkakfobkmkjojpchpfgcmhfjnmnfpi BitAppWallet kncchdigobghenbbaddojjnnaogfppfj iWallet amkmjjmmflddogmhpjloimipbofnfjih Wombat UnknownExtension _ Local Extension Settings Coinomi \Coinomi Profile_ Tel egram.exe \Telegram Desktop\tdata -*.lo--g 1*.1l1d1b String Replace System.UI File.IO *.json string.Replace Guarda \Guarda %USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng File.Write Handler npvo* %USERPstring.ReplaceROFILE%\Apstring.ReplacepData\Locastring.Replacel ToString ( UNIQUE " Width Height CopyFromScreen kernel32 user32.dll GetConsoleWindow ShowWindow SELECT * FROM Win32_Processor Name NumberOfCores root\CIMV2 SELECT * FROM Win32_VideoController AdapterRAM ROWindowsServiceOT\SecurityCenteWindowsServicer2 ROWindowsServiceOT\SecurWindowsServiceityCenter AntqueiresivirusProdqueiresuct AntqueiresiSpyqueiresWareProdqueiresuct FiqueiresrewallProqueiresduct WindowsService SELECT * FROM queires SOFTWARE\WOW6432Node\Clients\StartMenuInternet SOFTWARE\Clients\StartMenuInternet shell\open\command Unknown Version SELECT * FROM Win32_DiskDrive SerialNumber ' ExecutablePath [ ] 0 Mb or 0 SELECT * FROM Win32_OperatingSystem TotalVisibleMemorySize {0} MB or {1} x32 x64 x86 SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName CSDVersion Unknown _[
Botnet: | Test123ND |
C2 (1): | 0.tcp.ngrok.io:11252 |
(PID) Process: | (868) Nicodrip.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: | 0 |
(PID) Process: | (868) Nicodrip.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: | 0 |
(PID) Process: | (868) Nicodrip.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: | |
(PID) Process: | (868) Nicodrip.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: | |
(PID) Process: | (868) Nicodrip.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: | 1048576 |
(PID) Process: | (868) Nicodrip.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: | %windir%\tracing |
(PID) Process: | (868) Nicodrip.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: | 0 |
(PID) Process: | (868) Nicodrip.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: | 0 |
(PID) Process: | (868) Nicodrip.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: | |
(PID) Process: | (868) Nicodrip.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASMANCS |
Operation: | write | Name: | ConsoleTracingMask |
Value: | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
868 | Nicodrip.exe | C:\Users\admin\AppData\Local\Temp\tmpC51D.tmp | sqlite | D02907BE1C995E1E51571EEDB82FA281 | 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD |
868 | Nicodrip.exe | C:\Users\admin\AppData\Local\Temp\tmpC545.tmp | sqlite | 8BB736AB1E4300EF81B27CDBF26D78B0 | 7059AEA2275152A5390580485A2180143879F721C88A4CB0D7702A832751A952 |
868 | Nicodrip.exe | C:\Users\admin\AppData\Local\Temp\tmpC4F8.tmp | sqlite | B8E63E7225C9F4E0A81371F29D6456D8 | 35A6919CE60EA8E0A44934F8B267BDE2C5A063C2E32F22D34724F168C43150C8 |
868 | Nicodrip.exe | C:\Users\admin\AppData\Local\Temp\tmpC531.tmp | sqlite | D02907BE1C995E1E51571EEDB82FA281 | 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD |
868 | Nicodrip.exe | C:\Users\admin\AppData\Local\Temp\tmpC51B.tmp | sqlite | D02907BE1C995E1E51571EEDB82FA281 | 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD |
868 | Nicodrip.exe | C:\Users\admin\AppData\Local\Temp\tmpC51C.tmp | sqlite | D02907BE1C995E1E51571EEDB82FA281 | 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD |
868 | Nicodrip.exe | C:\Users\admin\AppData\Local\Temp\tmpC533.tmp | sqlite | D02907BE1C995E1E51571EEDB82FA281 | 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD |
868 | Nicodrip.exe | C:\Users\admin\AppData\Local\Temp\tmpC52F.tmp | sqlite | D02907BE1C995E1E51571EEDB82FA281 | 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD |
868 | Nicodrip.exe | C:\Users\admin\AppData\Local\Temp\tmpC50B.tmp | sqlite | D02907BE1C995E1E51571EEDB82FA281 | 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD |
868 | Nicodrip.exe | C:\Users\admin\AppData\Local\Temp\tmpC51E.tmp | sqlite | D02907BE1C995E1E51571EEDB82FA281 | 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
868 | Nicodrip.exe | POST | 200 | 3.22.30.40:11252 | http://0.tcp.ngrok.io:11252/ | US | text | 147 b | malicious |
868 | Nicodrip.exe | POST | 200 | 3.22.30.40:11252 | http://0.tcp.ngrok.io:11252/ | US | text | 261 b | malicious |
868 | Nicodrip.exe | POST | 200 | 3.22.30.40:11252 | http://0.tcp.ngrok.io:11252/ | US | text | 4.64 Kb | malicious |
868 | Nicodrip.exe | POST | 200 | 3.22.30.40:11252 | http://0.tcp.ngrok.io:11252/ | US | text | 212 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
868 | Nicodrip.exe | 172.67.75.172:443 | api.ip.sb | CLOUDFLARENET | US | suspicious |
868 | Nicodrip.exe | 3.22.30.40:11252 | 0.tcp.ngrok.io | AMAZON-02 | US | malicious |
Domain | IP | Reputation |
---|---|---|
0.tcp.ngrok.io | | shared |
api.ip.sb | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET INFO DNS Query to a *.ngrok domain (ngrok.io) |
868 | Nicodrip.exe | A Network Trojan was detected | AV TROJAN RedLine Stealer Config Download |
868 | Nicodrip.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |