File name:

newbing

Full analysis: https://app.any.run/tasks/61129f24-96ab-4bfb-8425-4a1a520a540e
Verdict: Malicious activity
Analysis date: April 04, 2023, 07:07:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

10BDBF0990E7A403F710EA3E3636A3B3

SHA1:

838B44394870F48D4225DABE71C3B841DB745D55

SHA256:

4DACA38854BA0A471D25250F106122FF81B8BBDA2B19569A9E0B6E7F56187746

SSDEEP:

196608:6Ig/24EmPXDHoTDphRQeUpg176jBxxeqURusMcz:w/24PsDRVMg1OVnVtg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • newbing.exe (PID: 3544)

    • Create files in the Startup directory

      • newbing.exe (PID: 3544)

    • Steals credentials from Web Browsers

      • newbing.exe (PID: 3544)

    • Modifies files in the Chrome extension folder

      • newbing.exe (PID: 3544)

    • Actions looks like stealing of personal data

      • newbing.exe (PID: 3544)

  • SUSPICIOUS

    • Application launched itself

      • newbing.exe (PID: 3376)

    • Loads Python modules

      • newbing.exe (PID: 3544)

    • Reads browser cookies

      • newbing.exe (PID: 3544)

    • Executes as Windows Service

      • SearchIndexer.exe (PID: 3484)

    • Executable content was dropped or overwritten

      • newbing.exe (PID: 3376)

  • INFO

    • Checks supported languages

      • newbing.exe (PID: 3376)
      • newbing.exe (PID: 3544)

    • Reads the computer name

      • newbing.exe (PID: 3376)
      • newbing.exe (PID: 3544)

    • The process checks LSA protection

      • newbing.exe (PID: 3544)
      • SearchIndexer.exe (PID: 3484)

    • Reads the machine GUID from the registry

      • newbing.exe (PID: 3544)

    • Creates files in the program directory

      • SearchIndexer.exe (PID: 3484)
      • newbing.exe (PID: 3544)

    • Create files in a temporary directory

      • newbing.exe (PID: 3544)
      • newbing.exe (PID: 3376)

    • Creates files or folders in the user directory

      • newbing.exe (PID: 3544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0xa430
UninitializedDataSize: -
InitializedDataSize: 308224
CodeSize: 151552
LinkerVersion: 14.34
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2023:03:09 03:31:02+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 09-Mar-2023 03:31:02

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 09-Mar-2023 03:31:02
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00024E72
0x00025000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.65117
.rdata
0x00026000
0x0000DD2C
0x0000DE00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.12435
.data
0x00034000
0x0000F8D4
0x00000C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.89596
.rsrc
0x00044000
0x0003A8C0
0x0003AA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.67761
.reloc
0x0007F000
0x00001E08
0x00002000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.50814

Resources

Title
Entropy
Size
Codepage
Language
Type
0
2.16096
20
Latin 1 / Western European
UNKNOWN
RT_GROUP_ICON
1
5.2849
1433
Latin 1 / Western European
UNKNOWN
RT_MANIFEST

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
USER32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start newbing.exe newbing.exe searchindexer.exe no specs newbing.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2824"C:\Users\admin\AppData\Local\Temp\newbing.exe" C:\Users\admin\AppData\Local\Temp\newbing.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\newbing.exe
c:\windows\system32\ntdll.dll
3376"C:\Users\admin\AppData\Local\Temp\newbing.exe" C:\Users\admin\AppData\Local\Temp\newbing.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\newbing.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
3484C:\Windows\system32\SearchIndexer.exe /EmbeddingC:\Windows\System32\SearchIndexer.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Indexer
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchindexer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3544"C:\Users\admin\AppData\Local\Temp\newbing.exe" C:\Users\admin\AppData\Local\Temp\newbing.exe
newbing.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\newbing.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sechost.dll
Total events
1 680
Read events
1 640
Write events
34
Delete events
6

Modification events

(PID) Process:(3484) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation:delete valueName:000003f5
Value:
0100000086153BB81B0C00000300000000000000
(PID) Process:(3484) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation:delete valueName:000003eb
Value:
01000000486E3BB81B0C00000300000000000000
(PID) Process:(3484) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation:delete valueName:00000bdc
Value:
01000000906F3BB81B0C00000300000000000000
(PID) Process:(3484) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gathering Manager
Operation:writeName:UseSystemTemp
Value:
0
(PID) Process:(3484) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex
Operation:writeName:SystemLcid
Value:
1033
(PID) Process:(3484) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\0
Operation:writeName:CrawlControl
Value:
0
(PID) Process:(3484) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\1
Operation:writeName:CrawlControl
Value:
0
(PID) Process:(3484) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\2
Operation:writeName:CrawlControl
Value:
0
(PID) Process:(3484) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\3
Operation:writeName:CrawlControl
Value:
0
(PID) Process:(3484) SearchIndexer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\StartPages\5
Operation:writeName:CrawlControl
Value:
0
Executable files
126
Suspicious files
6 274
Text files
68
Unknown types
232

Dropped files

PID
Process
Filename
Type
3376newbing.exeC:\Users\admin\AppData\Local\Temp\_MEI33762\Crypto\Cipher\_ARC4.pydexecutable
MD5:90BBA093C80EE77B90638B209B0F6876
SHA256:ED3B5ED1734B132C82BF4947B0BAC8FE5AF8CBBB0E1547AEABF4323A681813CD
3376newbing.exeC:\Users\admin\AppData\Local\Temp\_MEI33762\Crypto\Cipher\_Salsa20.pydexecutable
MD5:8783820B4CB08ACFCE562717CE108857
SHA256:D63292E4063D1149D2A535AF6C2BC35FF9D347DA3C8A016ADEA1463248EDD193
3376newbing.exeC:\Users\admin\AppData\Local\Temp\_MEI33762\Crypto\Cipher\_raw_arc2.pydexecutable
MD5:85AD30B80FDF81FBCE87DFA187D41ED9
SHA256:7BCF25EA46C571B259610EC4C25B852666860CB9447E22FBF5916D922D28034B
3376newbing.exeC:\Users\admin\AppData\Local\Temp\_MEI33762\Crypto\Cipher\_pkcs1_decode.pydexecutable
MD5:848100E196E58F940871856374CB9F1D
SHA256:98AC6F4FE3BD2580FD3573068888BC77C6144243BEF509866EA19067F6D993B2
3376newbing.exeC:\Users\admin\AppData\Local\Temp\_MEI33762\Crypto\Cipher\_raw_aesni.pydexecutable
MD5:7AB011ACE570B0B4CB84EB0320BA063A
SHA256:6FA9E5467E44922BE1BAC7EDB023B68B242DDF0AE40C1B0B4574A73BA0A70B39
3376newbing.exeC:\Users\admin\AppData\Local\Temp\_MEI33762\Crypto\Cipher\_raw_cbc.pydexecutable
MD5:B2A7AB01312F66E88132EE08E7AB27F0
SHA256:9C44C477C8EBC0716E57786D9A1C4EBC5290789FAB76D7B90B671A5818F9999C
3376newbing.exeC:\Users\admin\AppData\Local\Temp\_MEI33762\Crypto\Cipher\_raw_ecb.pydexecutable
MD5:21FC7C7B8EB0B12924795F093768E9E4
SHA256:9DE33F7E2EC083679FC158EF890FA5F896C9635BB769C8DC628489A135A891F3
3376newbing.exeC:\Users\admin\AppData\Local\Temp\_MEI33762\Crypto\Cipher\_raw_des.pydexecutable
MD5:146BB294BDBB2F1C9651FCE02EA8A7E9
SHA256:F156C58370C810F8A309A4950E9151F422E7A19BAF164EF1481D46C961A8C6AF
3376newbing.exeC:\Users\admin\AppData\Local\Temp\_MEI33762\Crypto\Cipher\_raw_ctr.pydexecutable
MD5:F0680F6CCBE367F0C2B79FB3B7F7929D
SHA256:A6710CE74236221EAC7C38068BFB9DB413379F51B50AEB0635C88CDCD8F12E7B
3376newbing.exeC:\Users\admin\AppData\Local\Temp\_MEI33762\Crypto\Cipher\_raw_ocb.pydexecutable
MD5:B11354BFA5C2E81C0175589760073475
SHA256:611EEC3E89160E949499558764C0C8C4702B8CD8DDB1AF49775C1DF5FCA4B155
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
newbing