File name: usbgrab.exe
Full analysis: https://app.any.run/tasks/b919fb1d-8a0b-4e32-982a-852c0a100da9
Verdict: Malicious activity
Threats:

Stealers are a category of malware built to gain unauthorized access to a user's data and exfiltrate it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords or cryptocurrency. Stealers can also spy on their targets by logging keystrokes and taking screenshots. They are distributed mainly through phishing campaigns.

Analysis date: December 03, 2023, 02:42:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5: 3828D62F23A6FF5A2FFDB98877846E1B
SHA1: 354FEEF438F4EDD3D1B1C74A482AF4BF2DF4B492
SHA256: E03879E5BFC2A5008A45023F87809208076B4A9BBC612195D3B2085684EC55EC
SSDEEP: 98304:pSEsM6PEh8sdkycwbA+oXt5WfNEJm59NZDpNtXIjZx8tqzj83zQztZGyShq+0IGX:FO2qj8RydhVge

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore have been distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • usbgrab.exe (PID: 844)
    • Steals credentials

      • usbgrab.exe (PID: 844)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Checks supported languages

      • usbgrab.exe (PID: 844)
    • Reads the computer name

      • usbgrab.exe (PID: 844)
    • Create files in a temporary directory

      • usbgrab.exe (PID: 844)
    • Manual execution by a user

      • explorer.exe (PID: 3264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (49.3)
.exe | Win64 Executable (generic) (32.7)
.dll | Win32 Dynamic Link Library (generic) (7.8)
.exe | Win32 Executable (generic) (5.3)
.exe | Generic Win/DOS Executable (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, No line numbers, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 2.36
CodeSize: 2333696
InitializedDataSize: 4033536
UninitializedDataSize: 179712
EntryPoint: 0x14c0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows command line
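To reproduce the Indicators and EXIF fields above on your own copy of a sample, here is an added example (not part of the ANY.RUN report): it hashes the bytes, compares them with the report's values, and parses the COFF and PE32 optional header with the standard library. `build_sample_header` constructs a bare header carrying the report's field values so the parser can be exercised offline; it is not the usbgrab.exe binary and does not hash to it. The toolchain remark in `triage_notes` is a heuristic, not something the report states.

```python
"""Triage helpers: verify a sample against the report's hashes and read the PE
header fields that the EXIF block summarises. Standard library only."""
import hashlib
import struct

# Hash values copied from the report's Indicators section.
REPORT_HASHES = {
    "md5": "3828D62F23A6FF5A2FFDB98877846E1B",
    "sha1": "354FEEF438F4EDD3D1B1C74A482AF4BF2DF4B492",
    "sha256": "E03879E5BFC2A5008A45023F87809208076B4A9BBC612195D3B2085684EC55EC",
}

# IMAGE_FILE_* characteristics flags and subsystem codes from the PE/COFF spec.
EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED = 0x0002, 0x0004
LARGE_ADDRESS_AWARE, MACHINE_32BIT = 0x0020, 0x0100
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows command line"}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 in the upper-case hex form the report uses."""
    return {n: hashlib.new(n, data).hexdigest().upper() for n in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, expected: dict = REPORT_HASHES) -> bool:
    """True only if every hash in `expected` matches; one mismatch means a different file."""
    actual = file_hashes(data)
    return all(actual[n] == v.upper() for n, v in expected.items())


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF header and the PE32 optional header fields shown under EXIF."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsect, timestamp, _sym, _nsym, _optsz, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (0x10b) handled here; 0x20b is PE32+")
    code, init, uninit, entry = struct.unpack_from("<IIII", data, opt + 4)
    os_maj, os_min, img_maj, img_min, ss_maj, ss_min = struct.unpack_from("<HHHHHH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": machine,
        "timestamp": timestamp,
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": code, "init_data_size": init, "uninit_data_size": uninit,
        "entry_point": entry,
        "os_version": f"{os_maj}.{os_min}", "image_version": f"{img_maj}.{img_min}",
        "subsystem_version": f"{ss_maj}.{ss_min}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "large_address_aware": bool(chars & LARGE_ADDRESS_AWARE),
        "line_numbers_stripped": bool(chars & LINE_NUMS_STRIPPED),
    }


def triage_notes(info: dict) -> list:
    """Analyst remarks derived from the header; the linker remark is a heuristic."""
    notes = []
    if info["timestamp"] == 0:
        notes.append("build timestamp zeroed: compile time stripped or reproducible build")
    if info["linker_version"].startswith("2."):
        notes.append("linker 2.x looks like GNU binutils ld (MinGW-style build), not MSVC link.exe (heuristic)")
    if info["subsystem"] == "Windows command line":
        notes.append("console subsystem: a console window appears on launch unless the program hides it")
    return notes


def build_sample_header() -> bytes:
    """Constructed stand-in (not the real sample): a bare PE32 header holding the
    values from the report's EXIF block, so the parser can be run offline."""
    e_lfanew = 0x40
    buf = bytearray(e_lfanew + 4 + 20 + 224)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    chars = EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LARGE_ADDRESS_AWARE | MACHINE_32BIT
    struct.pack_into("<HHIIIHH", buf, coff, 0x14C, 0, 0, 0, 0, 224, chars)
    opt = coff + 20
    struct.pack_into("<HBB", buf, opt, 0x10B, 2, 36)                      # PE32, linker 2.36
    struct.pack_into("<IIII", buf, opt + 4, 2333696, 4033536, 179712, 0x14C0)
    struct.pack_into("<HHHHHH", buf, opt + 40, 6, 1, 1, 0, 6, 1)          # OS 6.1, image 1.0, subsys 6.1
    struct.pack_into("<H", buf, opt + 68, 3)                               # Windows command line
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_header()
    print("matches report hashes:", matches_report(sample))
    hdr = parse_pe_header(sample)
    for k, v in hdr.items():
        print(f"{k}: {v:#x}" if k == "entry_point" else f"{k}: {v}")
    for note in triage_notes(hdr):
        print("-", note)
```

Run it against a real file by replacing `sample` with `open(path, "rb").read()`; a zeroed TimeStamp, as in this report, removes the usual compile-time pivot, so lean on the hashes and the SSDEEP value for clustering instead.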
All screenshots are available in the full report
Total processes: 41
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

explorer.exe (PID 3264) -> usbgrab.exe (PID 844). The interactive graph is only in the full report.

Process information

PID: 844
CMD: "C:\Users\admin\AppData\Local\Temp\usbgrab.exe"
Path: C:\Users\admin\AppData\Local\Temp\usbgrab.exe
Indicators: malicious (see the behaviour indicators above)
Parent process: explorer.exe (PID 3264)
User: admin
Integrity Level: MEDIUM
Exit code: 2
Modules (images loaded):
  c:\users\admin\appdata\local\temp\usbgrab.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\winmm.dll
  c:\windows\system32\user32.dll

PID: 3264
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Indicators: none
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 3221225547 (0xC000004B)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images loaded):
  c:\windows\explorer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
Total events: 175 (read 175, write 0, delete 0)

Modification events: no data

Executable files: 0
Suspicious files: 46
Text files: 0
Unknown types: 0

Dropped files (10 of the 46 suspicious files are listed; all written by PID 844, usbgrab.exe; type: binary)

C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.387h
  MD5: 17140A2309CFDE5E4C1BDF8DCA63D16E
  SHA256: EFA55CA7A3E1B30E9802A1E624F7584A244E670DD62AB553FD85BCE58557C135
C:\Users\admin\Documents\Outlook Files\honey@pot.com.387h
  MD5: C36DE0C23BB0458B622CEC7C246FDF4A
  SHA256: E51B2ECF676079C0E28C12C1CA43A17A53A1D59CC04E2152179F869599A36A3D
C:\Users\admin\AppData\Local\Temp\lyrfremanwwawumrphnjm1426195784
  MD5: 52E51471E9281235323F633CD0DEA56C
  SHA256: 147F3137B387FE4FBE3215B7864568404580A799D031009FE9C718F4C2EF87D0
C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\New-SqliteConnection.387h
  MD5: 9310FA29305033E13AC95BDEB38471DE
  SHA256: E49D13E1DA3291AB357DD688FA8532474EB5A67C1A7992430359B3796C8D2FBC
C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.387h
  MD5: C87694827C37043AD45D9B384D41D4A2
  SHA256: 27C82ABA42E182D25760448C85E32DECBC97F8DB344CF07B7A56EFBAF0A59EBF
C:\Users\admin\Documents\Outlook Files\Outlook.387h
  MD5: D124993F220B62FE519121591B18EF11
  SHA256: C2B1B9D13222BC9878CD7F6B022CFC832C484F9A25275E0910C4B8DF57FC7ACD
C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.387h
  MD5: 4857859288E2D21C40EA73D20E3AF3FA
  SHA256: 4DAED6380E636E4663F16CFE8799B6411639462DCC7590C4D5D6FA3DDAC79946
C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\PSSQLite.387h
  MD5: 0C56B8A2C8FC0C30B7285C56FC3023E1
  SHA256: D245FFECEAA9FE12B71E0D2C0D7155D6261EB0AB32CF678B5D471D2D8F85143E
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.387h
  MD5: B9D5CA205D68A1A140CB5D7A7F794071
  SHA256: 3CB39D9B6183F7F3DD5AF9BA25DDB0939ACE93727094F528420FBDC910B0053E
C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\Invoke-SqliteQuery.387h
  MD5: 08153F5D5FFF22EA13E4B1CD0FECFC89
  SHA256: CE8F4A88C41FBC0AC43CC09B294CA05EE4B43D6A5E0ACF2292DF124A7A4974F4

Nine of the ten listed files sit under the user's Documents tree and carry the suffix .387h on the name of an existing document (OneNote notebooks, Outlook data files, a PowerShell module); the tenth is an oddly named file in %TEMP%. The table records only the written paths, not whether the originals were copied or renamed in place, so that distinction has to be checked on a host.
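A hunt for the artefact pattern in that table, as an added example that is not ANY.RUN's code: it derives the dominant suffix from the listed paths and walks a directory tree for files carrying it, recording for each hit whether the un-suffixed original still sits beside it (a copy under a new name) or is gone (a rename in place). The directory tree it builds for the demonstration is constructed and is not from the report.

```python
"""Hunt a profile tree for files carrying the suffix seen in the report's dropped-file list."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Paths written by PID 844 as listed in the report's "Dropped files" table.
REPORT_DROPPED = [
    r"C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.387h",
    r"C:\Users\admin\Documents\Outlook Files\honey@pot.com.387h",
    r"C:\Users\admin\AppData\Local\Temp\lyrfremanwwawumrphnjm1426195784",
    r"C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\New-SqliteConnection.387h",
    r"C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.387h",
    r"C:\Users\admin\Documents\Outlook Files\Outlook.387h",
    r"C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.387h",
    r"C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\PSSQLite.387h",
    r"C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.387h",
    r"C:\Users\admin\Documents\PowerShell\Modules\PSSQLite\1.1.0\Invoke-SqliteQuery.387h",
]


def dominant_suffix(paths, min_share=0.5):
    """Most common extension among the paths, if it covers at least min_share of
    them; this is the string the hunt keys on. Backslashes are normalised so the
    split works on any host OS."""
    exts = Counter(os.path.splitext(p.replace("\\", "/"))[1].lower() for p in paths)
    ext, count = exts.most_common(1)[0]
    return ext if ext and count / len(paths) >= min_share else None


def hunt(root, suffix):
    """Walk `root` and return every file ending in `suffix`, noting whether the
    name without the suffix still exists in the same directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffix):
                continue
            original = name[: -len(suffix)]
            full = Path(dirpath) / name
            hits.append({
                "path": str(full),
                "original_name": original,
                "original_present": (Path(dirpath) / original).exists(),
                "size": full.stat().st_size,
            })
    return sorted(hits, key=lambda h: h["path"])


def make_constructed_tree():
    """Constructed sample profile (not from the report): one suffixed file whose
    original is gone, one whose original was kept beside it, and a clean file."""
    root = tempfile.mkdtemp(prefix="hunt_")
    outlook = Path(root) / "Documents" / "Outlook Files"
    outlook.mkdir(parents=True)
    (outlook / "Outlook.387h").write_bytes(b"\x00" * 64)                   # original missing
    (outlook / "Outlook Data File - test.pst").write_bytes(b"!BDN")        # original kept
    (outlook / "Outlook Data File - test.pst.387h").write_bytes(b"\x00" * 16)
    (Path(root) / "Documents" / "notes.txt").write_text("clean")
    return root


if __name__ == "__main__":
    suffix = dominant_suffix(REPORT_DROPPED)
    print("hunting for suffix:", suffix)
    for hit in hunt(make_constructed_tree(), suffix):
        state = "copy (original kept)" if hit["original_present"] else "renamed (original gone)"
        print(f'{hit["path"]}  {hit["size"]} bytes  {state}')
```

On a live host, point `hunt` at the user profile root (for example `C:\Users`) rather than the temp tree; the "original gone" case is the one that warrants pulling the file for comparison against the report's hashes.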
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      Destination            Reputation   Note
1080  svchost.exe  224.0.0.252:5355       unknown      LLMNR multicast
4     System       192.168.100.255:137    whitelisted  NetBIOS name service broadcast
4     System       192.168.100.255:138    whitelisted  NetBIOS datagram broadcast
2588  svchost.exe  239.255.255.250:1900   whitelisted  SSDP multicast

The Domain, ASN and CN columns are empty for all four rows. None of these connections belongs to usbgrab.exe (PID 844); they are Windows name-resolution and discovery broadcasts from System and svchost.exe, i.e. background noise. Together with 0 HTTP and 0 DNS requests, the run shows no exfiltration channel. A process that exited with code 2 after writing 46 files may simply not have reached its network stage, so treat C2 as unobserved in this run rather than absent.

DNS requests: no data

Threats: no threats detected

Debug info: none