File name:

2018-12-10-Dridex-retrieved-by-Ursnif-infected-host.exe

Full analysis: https://app.any.run/tasks/7e7ace2d-bc4b-487d-b233-6e15648a0aa2
Verdict: Malicious activity
Threats:

Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.

Malware Trends Tracker     >>>
Analysis date: March 25, 2025, 02:37:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
raspberryrobin
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

E159316A115E42AFBE6BF21690C114EF

SHA1:

95E7CDC62C7169E9AC58F9B342C7155EA654F19A

SHA256:

E4BC2949A2DFC6FA3D00401C5816EAFD35DA6A9DC9AB5504535255287EDB461C

SSDEEP:

6144:J9+bFc+O875/HbWpzAoabkFJl5OTeVDRWBItct+EpanA:J9+Jc+O8oVl5CoWBWs+U6A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • RASPBERRYROBIN has been detected (YARA)

      • svchost.exe (PID: 6620)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • 2018-12-10-Dridex-retrieved-by-Ursnif-infected-host.exe (PID: 4688)

    • Identifying current user with WHOAMI command

      • svchost.exe (PID: 6620)

    • Starts NET.EXE for network exploration

      • svchost.exe (PID: 6620)

    • Searches for installed software

      • svchost.exe (PID: 6620)

  • INFO

    • Reads the computer name

      • 2018-12-10-Dridex-retrieved-by-Ursnif-infected-host.exe (PID: 4688)

    • Process checks whether UAC notifications are on

      • 2018-12-10-Dridex-retrieved-by-Ursnif-infected-host.exe (PID: 4688)

    • Checks supported languages

      • 2018-12-10-Dridex-retrieved-by-Ursnif-infected-host.exe (PID: 4688)

    • The sample compiled with english language support

      • 2018-12-10-Dridex-retrieved-by-Ursnif-infected-host.exe (PID: 4688)

    • Reads the machine GUID from the registry

      • 2018-12-10-Dridex-retrieved-by-Ursnif-infected-host.exe (PID: 4688)

    • Checks proxy server information

      • svchost.exe (PID: 6620)
      • slui.exe (PID: 6108)

    • Reads the software policy settings

      • slui.exe (PID: 6108)
      • slui.exe (PID: 4932)

    • Reads security settings of Internet Explorer

      • svchost.exe (PID: 6620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2004:07:24 14:14:59+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 102400
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x1b51
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 6.3.9600.17415
ProductVersionNumber: 6.3.9600.17415
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporatio
FileDescription: Belgian Keyboard Layout
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName: kbdbe (3.13)
LegalCopyright: © Microsoft Corporation. All rights reserv
OriginalFileName: kbdbe.dll
ProductName: Microsoft® Windows® Operating S
ProductVersion: 6.1.7600.1638
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
9
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2018-12-10-dridex-retrieved-by-ursnif-infected-host.exe no specs #RASPBERRYROBIN svchost.exe sppextcomobj.exe no specs slui.exe whoami.exe no specs conhost.exe no specs net.exe no specs conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
4408C:\WINDOWS\system32\whoami.exe /allC:\Windows\SysWOW64\whoami.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
whoami - displays logged on user information
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\whoami.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
4688"C:\Users\admin\AppData\Local\Temp\2018-12-10-Dridex-retrieved-by-Ursnif-infected-host.exe" C:\Users\admin\AppData\Local\Temp\2018-12-10-Dridex-retrieved-by-Ursnif-infected-host.exeexplorer.exe
User:
admin
Company:
Microsoft Corporatio
Integrity Level:
MEDIUM
Description:
Belgian Keyboard Layout
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\appdata\local\temp\2018-12-10-dridex-retrieved-by-ursnif-infected-host.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4756\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4932"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4988C:\WINDOWS\system32\net.exe viewC:\Windows\SysWOW64\net.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
6028\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exewhoami.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6108C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6620C:\WINDOWS\system32\svchost.exe "C:\Users\admin\AppData\Local\Temp\2018-12-10-Dridex-retrieved-by-Ursnif-infected-host.exe"C:\Windows\SysWOW64\svchost.exe
2018-12-10-Dridex-retrieved-by-Ursnif-infected-host.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sechost.dll
7148C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
Total events
10 687
Read events
10 684
Write events
3
Delete events
0

Modification events

(PID) Process:(6620) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6620) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6620) svchost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
0
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
6620svchost.exeC:\Users\admin\AppData\Local\Temp\OVC7D6.tmptext
MD5:46ED8955B55EF2FE721CD9F4D9DC92B9
SHA256:57C962A0605FA1F6189375C8ECE2E72EA2A266BF8DF33D122F4556B060138661
6620svchost.exeC:\Users\admin\AppData\Local\Temp\MC875.tmptext
MD5:7133E8820C91DA936F72796563D34F25
SHA256:2218F46AE869D866784058155133A5ED9A741FBB738C6881BE381343D8430041
6620svchost.exeC:\Users\admin\AppData\Local\Temp\EdC7D7.tmptext
MD5:A960681B2AFDB18ADA1C447B22994108
SHA256:23B192F54E804602AA1061819B5459F07F67CE5FE95C0B5E2BB5695C96514C12
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
31
DNS requests
11
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2112
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6620
svchost.exe
174.34.253.11:443
ENT-KM2
US
unknown
4932
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6108
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6620
svchost.exe
185.16.41.247:443
Valid Technology L.p.
GB
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.238
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 52.182.143.214
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
  • 2603:1030:800:5::bfee:a08d
whitelisted
171.39.242.20.in-addr.arpa
unknown
d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2018-12-10-Dridex-retrieved-by-Ursnif-infected-host.exe