URL:

https://url.us.m.mimecastprotect.com/s/kHMoC827DYSP89wolInfxcy0DjM?domain=click.securedvisit.com

Full analysis: https://app.any.run/tasks/378b1170-47eb-478f-a903-97bf2580e388
Verdict: Malicious activity
Threats:

Sneaky 2FA is an Adversary-in-the-Middle (AiTM) phishing kit targeting Microsoft 365 accounts. Distributed as a Phishing-as-a-Service (PhaaS) through a Telegram bot, this malware bypasses two-factor authentication (2FA) to steal credentials and session cookies, posing a significant threat to individuals and organizations.

Malware Trends Tracker     >>>
Analysis date: April 11, 2025, 18:49:22
OS: Ubuntu 22.04.2
Tags:
phishing
sneaky2fa
Indicators:
MD5:

AF8187301C5D4B781BB3ABC9F5DC0AC3

SHA1:

E01325808C3C7AEB0B86561D65FD3B97B699EC9E

SHA256:

055158DB96D375DB4507EDC8BF3C560D95661D3B6017140168925D7D7413F814

SSDEEP:

3:N8UjmTSCeoKmdXaeSKi0cLPFOLWsUTXQLK:2Ujweo9dXaNKFcLPFOLUTOK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • systemd-resolved (PID: 445)

  • SUSPICIOUS

    • Reads passwd file

      • dumpe2fs (PID: 39518)
      • dumpe2fs (PID: 39511)

    • Executes commands using command-line interpreter

      • sudo (PID: 39489)
      • firefox (PID: 39490)

    • Check the Environment Variables Related to System Identification (os-release)

      • snapctl (PID: 39538)
      • snapctl (PID: 39543)
      • firefox (PID: 39490)
      • snapctl (PID: 39576)
      • snapctl (PID: 39581)

  • INFO

    • Checks timezone

      • dumpe2fs (PID: 39518)
      • dumpe2fs (PID: 39511)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
400
Monitored processes
182
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start dash no specs sudo no specs firefox locale-check no specs snap-seccomp no specs snap-confine no specs dumpe2fs no specs snap-update-ns no specs dumpe2fs no specs snap-update-ns no specs date no specs chmod no specs bash no specs md5sum no specs cat no specs bash no specs md5sum no specs cat no specs grep no specs snapctl no specs snapctl no specs mkdir no specs realpath no specs realpath no specs xdg-user-dirs-update no specs bash no specs realpath no specs bash no specs realpath no specs bash no specs realpath no specs bash no specs realpath no specs bash no specs realpath no specs bash no specs realpath no specs bash no specs realpath no specs bash no specs ln no specs realpath no specs mkdir no specs ln no specs rm no specs ln no specs firefox no specs snapctl no specs snapctl no specs glxtest no specs snap no specs firefox no specs firefox no specs systemd-timedated no specs firefox no specs firefox no specs bash no specs dbus-send no specs cut no specs dbus-daemon no specs snap no specs dash no specs dash no specs dash no specs dash no specs basename no specs dash no specs dash no specs readlink no specs dash no specs grep no specs cut no specs dash no specs dash no specs dash no specs dash no specs dash no specs dash no specs dash no specs tr no specs dash no specs tr no specs mawk no specs cut no specs basename no specs dash no specs dash no specs readlink no specs grep no specs cut no specs dash no specs firefox no specs firefox no specs bash no specs dbus-send no specs cut no specs dash no specs dash no specs dash no specs dash no specs basename no specs dash no specs dash no specs readlink no specs dash no specs grep no specs cut no specs dash no specs dash no specs dash no specs dash no specs dash no specs dash no specs dash no specs tr no specs dash no specs tr no specs mawk no specs cut no specs basename no specs dash no specs dash no specs readlink no specs grep no specs cut no specs dash no specs systemctl no specs firefox no specs firefox no specs firefox no specs firefox no specs firefox no specs systemctl no specs firefox no specs firefox no specs systemctl no specs firefox no specs firefox no specs bash no specs dbus-send no specs cut no specs dash no specs dash no specs dash no specs dash no specs basename no specs dash no specs dash no specs readlink no specs dash no specs grep no specs cut no specs dash no specs dash no specs dash no specs dash no specs dash no specs tr no specs dash no specs tr no specs dash no specs mawk no specs cut no specs dash no specs basename no specs dash no specs dash no specs readlink no specs grep no specs cut no specs dash no specs firefox no specs firefox no specs firefox no specs firefox no specs firefox no specs firefox no specs #PHISHING systemd-resolved firefox no specs firefox no specs firefox no specs firefox no specs

Process information

PID
CMD
Path
Indicators
Parent process
445/lib/systemd/systemd-resolved/usr/lib/systemd/systemd-resolved
systemd
User:
systemd-resolve
Integrity Level:
UNKNOWN
39488/bin/sh -c "DISPLAY=:0 sudo -iu user firefox https://url\.us\.m\.mimecastprotect\.com/s/kHMoC827DYSP89wolInfxcy0DjM?domain=click\.securedvisit\.com "/usr/bin/dashany-guest-agent
User:
root
Integrity Level:
UNKNOWN
39489sudo -iu user firefox https://url.us.m.mimecastprotect.com/s/kHMoC827DYSP89wolInfxcy0DjM?domain=click.securedvisit.com/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
39490/snap/firefox/3358/usr/lib/firefox/firefox https://url.us.m.mimecastprotect.com/s/kHMoC827DYSP89wolInfxcy0DjM?domain=click.securedvisit.com/snap/firefox/3358/usr/lib/firefox/firefox
sudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
39491/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkfirefox
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
39502/snap/snapd/20290/usr/lib/snapd/snap-seccomp version-info/snap/snapd/20290/usr/lib/snapd/snap-seccompfirefox
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
39510/snap/snapd/20290/usr/lib/snapd/snap-confine --base core22 snap.firefox.firefox /usr/lib/snapd/snap-exec firefox https://url.us.m.mimecastprotect.com/s/kHMoC827DYSP89wolInfxcy0DjM?domain=click.securedvisit.com/snap/snapd/20290/usr/lib/snapd/snap-confinefirefox
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
39511dumpe2fs -h /dev/sda3/usr/sbin/dumpe2fsudisksd
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
39512snap-update-ns --from-snap-confine firefox/snap/snapd/20290/usr/lib/snapd/snap-update-nsfirefox
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
39518dumpe2fs -h /dev/sda3/usr/sbin/dumpe2fsudisksd
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
93
DNS requests
115
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
91.189.91.49:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
39490
firefox
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
39490
firefox
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
39490
firefox
POST
200
2.17.190.73:80
http://ocsp.digicert.com/
unknown
whitelisted
39490
firefox
POST
200
2.17.190.73:80
http://ocsp.digicert.com/
unknown
whitelisted
39490
firefox
POST
200
23.32.238.82:80
http://r10.o.lencr.org/
unknown
whitelisted
39490
firefox
POST
200
216.58.212.131:80
http://o.pki.goog/s/wr3/cgo
unknown
whitelisted
39490
firefox
POST
200
216.58.212.131:80
http://o.pki.goog/we2
unknown
whitelisted
39490
firefox
POST
200
23.32.238.82:80
http://r10.o.lencr.org/
unknown
whitelisted
39490
firefox
POST
200
23.32.238.27:80
http://r11.o.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
484
avahi-daemon
224.0.0.251:5353
unknown
91.189.91.49:80
connectivity-check.ubuntu.com
Canonical Group Limited
US
whitelisted
37.19.194.81:443
odrs.gnome.org
Datacamp Limited
DE
whitelisted
1178
snap-store
37.19.194.81:443
odrs.gnome.org
Datacamp Limited
DE
whitelisted
512
snapd
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
39490
firefox
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
39490
firefox
205.139.111.12:443
url.us.m.mimecastprotect.com
MIMECAST
US
whitelisted
39490
firefox
34.36.137.203:443
contile.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
whitelisted
39490
firefox
34.160.144.191:443
content-signature-2.cdn.mozilla.net
GOOGLE
US
whitelisted
39490
firefox
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 91.189.91.49
  • 2620:2d:4000:1::97
whitelisted
google.com
  • 142.250.184.238
  • 2a00:1450:4001:831::200e
whitelisted
odrs.gnome.org
  • 37.19.194.81
  • 2a02:6ea0:c700::11
whitelisted
api.snapcraft.io
  • 185.125.188.55
  • 2620:2d:4000:1010::42
whitelisted
url.us.m.mimecastprotect.com
  • 205.139.111.12
whitelisted
detectportal.firefox.com
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.36.137.203
whitelisted
spocs.getpocket.com
  • 34.36.137.203
whitelisted
example.org
  • 23.215.0.132
  • 2600:1406:bc00:17::6007:810d
whitelisted
ipv4only.arpa
  • 192.0.0.170
whitelisted

Threats

PID
Process
Class
Message
39490
firefox
Not Suspicious Traffic
INFO [ANY.RUN] Firebase Web App Development Platform (firebaseio .com)
39490
firefox
Not Suspicious Traffic
INFO [ANY.RUN] Firebase Web App Development Platform (firebaseio .com)
39490
firefox
Not Suspicious Traffic
INFO [ANY.RUN] Firebase Web App Development Platform (firebaseio .com)
39490
firefox
Not Suspicious Traffic
INFO [ANY.RUN] Firebase Web App Development Platform (firebaseio .com)
39490
firefox
Not Suspicious Traffic
INFO [ANY.RUN] Firebase Web App Development Platform (firebaseio .com)
39490
firefox
Not Suspicious Traffic
INFO [ANY.RUN] Firebase Web App Development Platform (firebaseio .com)
39490
firefox
Not Suspicious Traffic
INFO [ANY.RUN] Firebase Web App Development Platform (firebaseio .com)
39490
firefox
Not Suspicious Traffic
INFO [ANY.RUN] Firebase Web App Development Platform (firebaseio .com)
445
systemd-resolved
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspicious redirect to Wikipedia (hrefwiki)
445
systemd-resolved
Possible Social Engineering Attempted
PHISHING [ANY.RUN] Suspicious redirect to Wikipedia (hrefwiki)
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://url.us.m.mimecastprotect.com/s/kHMoC827DYSP89wolInfxcy0DjM?domain=click.securedvisit.com