File name: usbgrab.exe

Full analysis: https://app.any.run/tasks/b919fb1d-8a0b-4e32-982a-852c0a100da9
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: December 03, 2023, 02:42:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5: 3828D62F23A6FF5A2FFDB98877846E1B
SHA1: 354FEEF438F4EDD3D1B1C74A482AF4BF2DF4B492
SHA256: E03879E5BFC2A5008A45023F87809208076B4A9BBC612195D3B2085684EC55EC
SSDEEP: 98304:pSEsM6PEh8sdkycwbA+oXt5WfNEJm59NZDpNtXIjZx8tqzj83zQztZGyShq+0IGX:FO2qj8RydhVge

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials

      • usbgrab.exe (PID: 844)
    • Actions look like stealing of personal data

      • usbgrab.exe (PID: 844)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Create files in a temporary directory

      • usbgrab.exe (PID: 844)
    • Checks supported languages

      • usbgrab.exe (PID: 844)
    • Reads the computer name

      • usbgrab.exe (PID: 844)
    • Manual execution by a user

      • explorer.exe (PID: 3264)
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (49.3)
.exe | Win64 Executable (generic) (32.7)
.dll | Win32 Dynamic Link Library (generic) (7.8)
.exe | Win32 Executable (generic) (5.3)
.exe | Generic Win/DOS Executable (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, No line numbers, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 2.36
CodeSize: 2333696
InitializedDataSize: 4033536
UninitializedDataSize: 179712
EntryPoint: 0x14c0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows command line
No data.
Total processes: 41
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: usbgrab.exe, explorer.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
844 | "C:\Users\admin\AppData\Local\Temp\usbgrab.exe" | C:\Users\admin\AppData\Local\Temp\usbgrab.exe | | explorer.exe
3264 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | | explorer.exe

usbgrab.exe (PID 844)
User: admin
Integrity Level: MEDIUM
Exit code: 2
Modules (images):
c:\users\admin\appdata\local\temp\usbgrab.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll

explorer.exe (PID 3264)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 3221225547
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 175
Read events: 175
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 46
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
844 | usbgrab.exe | C:\Users\admin\AppData\Local\Temp\lyrfremanwwawumrphnjm1426195784 | binary | 52E51471E9281235323F633CD0DEA56C | 147F3137B387FE4FBE3215B7864568404580A799D031009FE9C718F4C2EF87D0
844 | usbgrab.exe | C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\Invoke-SqliteBulkCopy.387h | binary | D50D338F8C3CE491475D49312E9865DE | 928D0E876C053FA4E6F57380970D6C77C6711F24E3A1DAD2A56995083E6966EB
844 | usbgrab.exe | C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.387h | binary | B9D5CA205D68A1A140CB5D7A7F794071 | 3CB39D9B6183F7F3DD5AF9BA25DDB0939ACE93727094F528420FBDC910B0053E
844 | usbgrab.exe | C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\core\osx-x64\SQLite.Interop.387h | binary | 807BB248CF81D90A2F6EF935CEDF82D5 | BE35A2577C23C7CE53747BD91C8CE6AEAE22AD5BABD357D8892C313FCCEEE3D8
844 | usbgrab.exe | C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\Out-DataTable.387h | binary | 07E64DAFA8B407BA22033C0DC8C32FE7 | 4E390189E9D5751D4F4DB644584F7BED4475A484C591F06EE71B9D22C8D1DA7F
844 | usbgrab.exe | C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\Invoke-SqliteQuery.387h | binary | 08153F5D5FFF22EA13E4B1CD0FECFC89 | CE8F4A88C41FBC0AC43CC09B294CA05EE4B43D6A5E0ACF2292DF124A7A4974F4
844 | usbgrab.exe | C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\PSGetModuleInfo.387h | binary | 098A0ACCD15BE639B495BA05AF45A208 | EA8693B88E0E0E3384C08AD7914BED2EA5C78CBA698AFAB167FB945BD37ABA9D
844 | usbgrab.exe | C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\Update-Sqlite.387h | binary | FA513EE76036C6B829797510DF34F306 | 818784B83A2A16089E1389FD16A2BE15524F27095E171C12D7565E87242B31D4
844 | usbgrab.exe | C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\core\linux-x64\SQLite.Interop.387h | binary | BF34814E73F7775AC55799747DF401D9 | 0F1E7ECA71FB8540AA835F82AD1EC1389E9CEDB1069B83459B81186CC8D0A349
844 | usbgrab.exe | C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\core\osx-x64\System.Data.SQLite.387h | binary | AE2DC41A2730CA6E8E7599C72EE7AC3E | AC0A0D252849E97619593CC3D892331C3B4A686F16C38DA58898EAD0D7FE32A5
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted

None of these connections originate from usbgrab.exe (PID 844); all four are local multicast or broadcast traffic from system processes, and the Domain, ASN and CN columns are empty for every row.

DNS requests

No data

Threats

No threats detected
No debug info