analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Nicodrip.exe

Full analysis: https://app.any.run/tasks/c8bdee5c-3102-4a31-948f-d0eb93262e2f
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: October 05, 2022, 04:23:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
redline
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

1634DF0E4D01E84264DA6DEC107717FB

SHA1:

6F6FB1EF1BAEF04881472D25E7A682CBE11226BE

SHA256:

A919CBE6302C31ACCB9793250291D9697ADAA469FA63BA8D3A091AF8FA61365C

SSDEEP:

49152:P5Osl8XjAuK708sYhCZzOopmdLP9uW45uRlyEKmw1uSGKLbSOcvOeBFVWe:PQXjvKoK2yopYLPAt5uRhbwgoLOOcmkD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • REDLINE was detected

      • Nicodrip.exe (PID: 868)

    • REDLINE detected by memory dumps

      • Nicodrip.exe (PID: 868)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RedLine

(PID) Process(868) Nicodrip.exe
US (153)
Environment
UNKNOWN
.
1
cmyredmyit_cmyardmys
my
as21
\
Local State
LocalPrefs.json
Host
Port
:
User
Pass
MANGO
%USEWanaLifeRPROFILE%\AppDaWanaLifeta\LWanaLifeocal
WanaLife
Def
Win
String.Replace
String.Remove
windows-1251
AES
Microsoft Primitive Provider
ChainingModeGCM
AuthTagLength
ChainingMode
ObjectLength
KeyDataBlob
BCrypt.BCryptImportKey() failed with status code:{0}
BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
BCrypt.BCryptGetProperty() failed with status code:{0}
-
http://
/
|
Yandex\YaAddon
0.tcp.ngrok.io:11252
Test123ND
,
asf
*wallet*
Armory
\Armory
*.wallet
Atomic
\atomic
*
ibnejdfjmmkpcnlpebklmnkoeoihofec
Tronlink
jbdaocneiiinmjbjlgalhcelgbejmnid
NiftyWallet
nkbihfbeogaeaoehlefnkodbefgpgknn
Metamask
afbcbjpbpfadlkmhmclhkeeodmamcflc
MathWallet
hnfanknocfeofbddgcijnmhnfnkdnaad
Coinbase
fhbohimaelbohpjbbldcngcnapndodjp
BinanceChain
odbfpeeihdkbihmopkbjmoonfanlbfcl
BraveWallet
hpglfhgfnhbgpjdenjgmdgoeiappafln
GuardaWallet
blnieiiffboillknjnepogjhkgnoapac
EqualWallet
cjelfplplebdjjenllpjcblmjkfcffne
JaxxxLiberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi
BitAppWallet
kncchdigobghenbbaddojjnnaogfppfj
iWallet
amkmjjmmflddogmhpjloimipbofnfjih
Wombat
UnknownExtension
_
Local Extension Settings
Coinomi
\Coinomi
Profile_
Tel
egram.exe
\Telegram Desktop\tdata
-*.lo--g
1*.1l1d1b
String
Replace
System.UI
File.IO
*.json
string.Replace
Guarda
\Guarda
%USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng
File.Write
Handler
npvo*
%USERPstring.ReplaceROFILE%\Apstring.ReplacepData\Locastring.Replacel
ToString
(
UNIQUE
"
Width
Height
CopyFromScreen
kernel32
user32.dll
GetConsoleWindow
ShowWindow
SELECT * FROM Win32_Processor
Name
NumberOfCores
root\CIMV2
SELECT * FROM Win32_VideoController
AdapterRAM
ROWindowsServiceOT\SecurityCenteWindowsServicer2
ROWindowsServiceOT\SecurWindowsServiceityCenter
AntqueiresivirusProdqueiresuct
AntqueiresiSpyqueiresWareProdqueiresuct
FiqueiresrewallProqueiresduct
WindowsService
SELECT * FROM
queires
SOFTWARE\WOW6432Node\Clients\StartMenuInternet
SOFTWARE\Clients\StartMenuInternet
shell\open\command
Unknown Version
SELECT * FROM Win32_DiskDrive
SerialNumber
'
ExecutablePath
[
]
0 Mb or 0
SELECT * FROM Win32_OperatingSystem
TotalVisibleMemorySize
{0} MB or {1}
x32
x64
x86
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
CSDVersion
Unknown
_[
BotnetTest123ND
C2 (1)0.tcp.ngrok.io:11252
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 2097-Aug-14 23:34:58
Detected languages:
  • English - United States
FileDescription: -
FileVersion: 0.0.0.0
InternalName: Implosions.exe
LegalCopyright: -
OriginalFilename: Implosions.exe
ProductVersion: 0.0.0.0
Assembly Version: 0.0.0.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 7
TimeDateStamp: 2097-Aug-14 23:34:58
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
8192
98304
41918
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.97198
(#2)
106496
1246
581
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.58932
(#3)
114688
12
15
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
3.77356
.imports
122880
8192
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.14864
.rsrc
131072
8192
1536
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.73391
.themida
139264
5324800
0
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot
5464064
3033600
3033256
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.96357

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.14148
596
UNKNOWN
UNKNOWN
RT_VERSION
1 (#2)
5.00112
490
UNKNOWN
English - United States
RT_MANIFEST

Imports

kernel32.dll
mscoree.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #REDLINE nicodrip.exe

Process information

PID
CMD
Path
Indicators
Parent process
868"C:\Users\admin\AppData\Local\Temp\Nicodrip.exe" C:\Users\admin\AppData\Local\Temp\Nicodrip.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
RedLine
(PID) Process(868) Nicodrip.exe
US (153)
Environment
UNKNOWN
.
1
cmyredmyit_cmyardmys
my
as21
\
Local State
LocalPrefs.json
Host
Port
:
User
Pass
MANGO
%USEWanaLifeRPROFILE%\AppDaWanaLifeta\LWanaLifeocal
WanaLife
Def
Win
String.Replace
String.Remove
windows-1251
AES
Microsoft Primitive Provider
ChainingModeGCM
AuthTagLength
ChainingMode
ObjectLength
KeyDataBlob
BCrypt.BCryptImportKey() failed with status code:{0}
BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
BCrypt.BCryptGetProperty() failed with status code:{0}
-
http://
/
|
Yandex\YaAddon
0.tcp.ngrok.io:11252
Test123ND
,
asf
*wallet*
Armory
\Armory
*.wallet
Atomic
\atomic
*
ibnejdfjmmkpcnlpebklmnkoeoihofec
Tronlink
jbdaocneiiinmjbjlgalhcelgbejmnid
NiftyWallet
nkbihfbeogaeaoehlefnkodbefgpgknn
Metamask
afbcbjpbpfadlkmhmclhkeeodmamcflc
MathWallet
hnfanknocfeofbddgcijnmhnfnkdnaad
Coinbase
fhbohimaelbohpjbbldcngcnapndodjp
BinanceChain
odbfpeeihdkbihmopkbjmoonfanlbfcl
BraveWallet
hpglfhgfnhbgpjdenjgmdgoeiappafln
GuardaWallet
blnieiiffboillknjnepogjhkgnoapac
EqualWallet
cjelfplplebdjjenllpjcblmjkfcffne
JaxxxLiberty
fihkakfobkmkjojpchpfgcmhfjnmnfpi
BitAppWallet
kncchdigobghenbbaddojjnnaogfppfj
iWallet
amkmjjmmflddogmhpjloimipbofnfjih
Wombat
UnknownExtension
_
Local Extension Settings
Coinomi
\Coinomi
Profile_
Tel
egram.exe
\Telegram Desktop\tdata
-*.lo--g
1*.1l1d1b
String
Replace
System.UI
File.IO
*.json
string.Replace
Guarda
\Guarda
%USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng
File.Write
Handler
npvo*
%USERPstring.ReplaceROFILE%\Apstring.ReplacepData\Locastring.Replacel
ToString
(
UNIQUE
"
Width
Height
CopyFromScreen
kernel32
user32.dll
GetConsoleWindow
ShowWindow
SELECT * FROM Win32_Processor
Name
NumberOfCores
root\CIMV2
SELECT * FROM Win32_VideoController
AdapterRAM
ROWindowsServiceOT\SecurityCenteWindowsServicer2
ROWindowsServiceOT\SecurWindowsServiceityCenter
AntqueiresivirusProdqueiresuct
AntqueiresiSpyqueiresWareProdqueiresuct
FiqueiresrewallProqueiresduct
WindowsService
SELECT * FROM
queires
SOFTWARE\WOW6432Node\Clients\StartMenuInternet
SOFTWARE\Clients\StartMenuInternet
shell\open\command
Unknown Version
SELECT * FROM Win32_DiskDrive
SerialNumber
'
ExecutablePath
[
]
0 Mb or 0
SELECT * FROM Win32_OperatingSystem
TotalVisibleMemorySize
{0} MB or {1}
x32
x64
x86
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
CSDVersion
Unknown
_[
BotnetTest123ND
C2 (1)0.tcp.ngrok.io:11252
Total events
4 090
Read events
4 064
Write events
26
Delete events
0

Modification events

(PID) Process:(868) Nicodrip.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(868) Nicodrip.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(868) Nicodrip.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(868) Nicodrip.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(868) Nicodrip.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(868) Nicodrip.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(868) Nicodrip.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(868) Nicodrip.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(868) Nicodrip.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASMANCS
Operation:writeName:FileTracingMask
Value:
(PID) Process:(868) Nicodrip.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nicodrip_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
Executable files
0
Suspicious files
0
Text files
0
Unknown types
24

Dropped files

PID
Process
Filename
Type
868Nicodrip.exeC:\Users\admin\AppData\Local\Temp\tmpC51D.tmpsqlite
MD5:D02907BE1C995E1E51571EEDB82FA281
SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
868Nicodrip.exeC:\Users\admin\AppData\Local\Temp\tmpC545.tmpsqlite
MD5:8BB736AB1E4300EF81B27CDBF26D78B0
SHA256:7059AEA2275152A5390580485A2180143879F721C88A4CB0D7702A832751A952
868Nicodrip.exeC:\Users\admin\AppData\Local\Temp\tmpC4F8.tmpsqlite
MD5:B8E63E7225C9F4E0A81371F29D6456D8
SHA256:35A6919CE60EA8E0A44934F8B267BDE2C5A063C2E32F22D34724F168C43150C8
868Nicodrip.exeC:\Users\admin\AppData\Local\Temp\tmpC531.tmpsqlite
MD5:D02907BE1C995E1E51571EEDB82FA281
SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
868Nicodrip.exeC:\Users\admin\AppData\Local\Temp\tmpC51B.tmpsqlite
MD5:D02907BE1C995E1E51571EEDB82FA281
SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
868Nicodrip.exeC:\Users\admin\AppData\Local\Temp\tmpC51C.tmpsqlite
MD5:D02907BE1C995E1E51571EEDB82FA281
SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
868Nicodrip.exeC:\Users\admin\AppData\Local\Temp\tmpC533.tmpsqlite
MD5:D02907BE1C995E1E51571EEDB82FA281
SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
868Nicodrip.exeC:\Users\admin\AppData\Local\Temp\tmpC52F.tmpsqlite
MD5:D02907BE1C995E1E51571EEDB82FA281
SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
868Nicodrip.exeC:\Users\admin\AppData\Local\Temp\tmpC50B.tmpsqlite
MD5:D02907BE1C995E1E51571EEDB82FA281
SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
868Nicodrip.exeC:\Users\admin\AppData\Local\Temp\tmpC51E.tmpsqlite
MD5:D02907BE1C995E1E51571EEDB82FA281
SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
868
Nicodrip.exe
POST
200
3.22.30.40:11252
http://0.tcp.ngrok.io:11252/
US
text
147 b
malicious
868
Nicodrip.exe
POST
200
3.22.30.40:11252
http://0.tcp.ngrok.io:11252/
US
text
261 b
malicious
868
Nicodrip.exe
POST
200
3.22.30.40:11252
http://0.tcp.ngrok.io:11252/
US
text
4.64 Kb
malicious
868
Nicodrip.exe
POST
200
3.22.30.40:11252
http://0.tcp.ngrok.io:11252/
US
text
212 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
868
Nicodrip.exe
172.67.75.172:443
api.ip.sb
CLOUDFLARENET
US
suspicious
868
Nicodrip.exe
3.22.30.40:11252
0.tcp.ngrok.io
AMAZON-02
US
malicious

DNS requests

Domain
IP
Reputation
0.tcp.ngrok.io
  • 3.22.30.40
shared
api.ip.sb
  • 172.67.75.172
  • 104.26.13.31
  • 104.26.12.31
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET INFO DNS Query to a *.ngrok domain (ngrok.io)
868
Nicodrip.exe
A Network Trojan was detected
AV TROJAN RedLine Stealer Config Download
868
Nicodrip.exe
Generic Protocol Command Decode
SURICATA HTTP unable to match response to request
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Nicodrip.exe