File name:

RV_ ACCIÓN DE TUTELA N° 50.001.40.88.002.2024.00002 00.eml

Full analysis: https://app.any.run/tasks/bcaabadc-43cb-4799-a348-c93a057b5607
Verdict: Malicious activity
Analysis date: July 25, 2024, 14:52:41
OS: Ubuntu 22.04.2
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with very long lines (857), with CRLF line terminators
MD5:

603D7CE480F561146FC46FA513323845

SHA1:

3FC52CC87BAC9E2575361CD9C8609EAA3BD98BBE

SHA256:

108B6135A5385A2DA973147C3796502738B155908E18F908ADAB8C3CC70C7514

SSDEEP:

49152:/DZZhz0G4EZYYvJpIb07ATxGjqL5c6WwxSqp3y6DWOYP5xjnA/PMgJW:r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Checks DMI information (probably VM detection)

      • systemd-hostnamed (PID: 13438)

    • Executes commands using command-line interpreter

      • thunderbird (PID: 13341)

    • Reads /proc/mounts (likely used to find writable filesystems)

      • thunderbird (PID: 12930)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
360
Monitored processes
147
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
sh no specs file no specs sh no specs sudo no specs thunderbird locale-check no specs which no specs thunderbird no specs glxtest no specs lsb_release no specs gvfsd-http no specs thunderbird no specs chrome readlink no specs dirname no specs mkdir no specs cat no specs cat no specs chrome no specs chrome_crashpad_handler no specs chrome_crashpad_handler no specs chrome_crashpad_handler no specs chrome no specs chrome no specs chrome no specs nacl_helper no specs nacl_helper no specs chrome no specs chrome no specs chrome no specs chrome chrome no specs chrome no specs chrome no specs xdg-settings no specs dbus-send no specs which no specs dash no specs basename no specs dash no specs grep no specs cut no specs dash no specs which no specs readlink no specs dash no specs xdg-mime no specs dbus-send no specs which no specs dash no specs dash no specs awk no specs cut no specs basename no specs dash no specs which no specs readlink no specs dash no specs grep no specs cut no specs dash no specs xdg-mime no specs dbus-send no specs which no specs dash no specs awk no specs cut no specs dash no specs basename no specs dash no specs grep no specs cut no specs dash no specs which no specs readlink no specs thunderbird no specs chrome no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs chrome no specs chrome_crashpad_handler no specs chrome_crashpad_handler no specs chrome no specs chrome_crashpad_handler no specs chrome no specs chrome no specs chrome no specs nacl_helper no specs nacl_helper no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs systemctl no specs systemctl no specs tracker-extract-3 no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs thunderbird no specs chrome no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs chrome no specs chrome_crashpad_handler no specs chrome no specs chrome_crashpad_handler no specs chrome no specs chrome no specs chrome_crashpad_handler no specs nacl_helper no specs nacl_helper no specs chrome no specs chrome no specs chrome no specs chrome no specs tracker-extract-3 no specs xdg-open no specs dbus-send no specs which no specs gio no specs gio no specs gio no specs file-roller no specs gvfsd-network no specs systemd-hostnamed no specs gvfsd-smb-browse gvfsd-dnssd no specs tracker-extract-3 no specs

Process information

PID
CMD
Path
Indicators
Parent process
12926sh -c "file --mime-type \"/tmp/RV_ ACCIÓN DE TUTELA N° 50\.001\.40\.88\.002\.2024\.00002 00\.eml\""/bin/shany-guest-agent
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
12927file --mime-type "/tmp/RV_ ACCIÓN DE TUTELA N° 50\.001\.40\.88\.002\.2024\.00002 00\.eml"/usr/bin/filesh
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
12928/bin/sh -c "DISPLAY=:0 sudo -iu user thunderbird \"/tmp/RV_ ACCIÓN DE TUTELA N° 50\.001\.40\.88\.002\.2024\.00002 00\.eml\" "/bin/shany-guest-agent
User:
user
Integrity Level:
UNKNOWN
12929sudo -iu user thunderbird "/tmp/RV_ ACCIÓN DE TUTELA N° 50\.001\.40\.88\.002\.2024\.00002 00\.eml"/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
12930/usr/lib/thunderbird/thunderbird "/tmp/RV_ ACCIÓN DE TUTELA N° 50\.001\.40\.88\.002\.2024\.00002 00\.eml"/usr/lib/thunderbird/thunderbird
sudo
User:
user
Integrity Level:
UNKNOWN
12931/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkthunderbird
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
12932/bin/sh /usr/bin/which /usr/bin/thunderbird/usr/bin/whichthunderbird
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
12933/usr/lib/thunderbird/thunderbird "/tmp/RV_ ACCIÓN DE TUTELA N° 50\.001\.40\.88\.002\.2024\.00002 00\.eml"/usr/lib/thunderbird/thunderbirdthunderbird
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
12938/usr/lib/thunderbird/glxtest -f 12/usr/lib/thunderbird/glxtestthunderbird
User:
user
Integrity Level:
UNKNOWN
Exit code:
482
12956/usr/bin/python3 -Es /usr/bin/lsb_release -idrc/usr/bin/lsb_releasethunderbird
User:
user
Integrity Level:
UNKNOWN
Exit code:
482
Executable files
1
Suspicious files
139
Text files
21
Unknown types
15

Dropped files

PID
Process
Filename
Type
13045chrome/home/user/.config/google-chrome/ShaderCache/data_3vxd
MD5:
SHA256:
13045chrome/home/user/.config/google-chrome/ShaderCache/data_2vxd
MD5:
SHA256:
13045chrome/home/user/.config/google-chrome/ShaderCache/data_0vxd
MD5:
SHA256:
13045chrome/home/user/.config/google-chrome/Default/GPUCache/data_3vxd
MD5:
SHA256:
13045chrome/home/user/.config/google-chrome/Default/GPUCache/data_2vxd
MD5:
SHA256:
13045chrome/home/user/.config/google-chrome/Default/GPUCache/data_0vxd
MD5:
SHA256:
13045chrome/home/user/.config/google-chrome/Default/DawnCache/data_3vxd
MD5:
SHA256:
13045chrome/home/user/.config/google-chrome/Default/DawnCache/data_2vxd
MD5:
SHA256:
13045chrome/home/user/.config/google-chrome/Default/DawnCache/data_0vxd
MD5:
SHA256:
12938glxtest/home/user/.cache/mesa_shader_cache/indexkoa
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
41
DNS requests
40
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
91.189.91.49:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
470
avahi-daemon
224.0.0.251:5353
unknown
185.125.190.49:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
unknown
91.189.91.49:80
connectivity-check.ubuntu.com
Canonical Group Limited
US
unknown
156.146.33.138:443
odrs.gnome.org
Datacamp Limited
DE
unknown
12930
thunderbird
13.224.189.75:443
services.addons.thunderbird.net
AMAZON-02
US
unknown
13089
chrome
142.250.186.163:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
13089
chrome
64.233.166.84:443
accounts.google.com
GOOGLE
US
unknown
13089
chrome
142.250.74.206:443
docs.google.com
whitelisted
13045
chrome
239.255.255.250:1900
whitelisted
13089
chrome
216.58.206.74:443
safebrowsingohttpgateway.googleapis.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 185.125.190.49
  • 91.189.91.97
  • 91.189.91.98
  • 185.125.190.97
  • 91.189.91.49
  • 185.125.190.18
  • 185.125.190.48
  • 185.125.190.96
  • 185.125.190.17
  • 91.189.91.96
  • 91.189.91.48
  • 185.125.190.98
  • 2001:67c:1562::23
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::2b
  • 2620:2d:4002:1::198
  • 2001:67c:1562::24
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::97
  • 2620:2d:4002:1::197
whitelisted
google.com
  • 142.250.186.78
  • 2a00:1450:4001:82b::200e
whitelisted
odrs.gnome.org
  • 156.146.33.138
  • 195.181.175.16
  • 156.146.33.14
  • 156.146.33.140
  • 212.102.56.179
  • 195.181.170.19
  • 212.102.56.181
  • 195.181.175.40
  • 2a02:6ea0:c700::22
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::10
  • 2a02:6ea0:c700::17
  • 2a02:6ea0:c700::21
  • 195.181.170.18
  • 156.146.33.137
  • 156.146.33.15
whitelisted
47.100.168.192.in-addr.arpa
unknown
services.addons.thunderbird.net
  • 13.224.189.75
  • 13.224.189.117
  • 13.224.189.48
  • 13.224.189.107
  • 2600:9000:20eb:ce00:c:19e4:9800:93a1
  • 2600:9000:20eb:2a00:c:19e4:9800:93a1
  • 2600:9000:20eb:5800:c:19e4:9800:93a1
  • 2600:9000:20eb:f200:c:19e4:9800:93a1
  • 2600:9000:20eb:6200:c:19e4:9800:93a1
  • 2600:9000:20eb:3e00:c:19e4:9800:93a1
  • 2600:9000:20eb:a600:c:19e4:9800:93a1
  • 2600:9000:20eb:cc00:c:19e4:9800:93a1
whitelisted
clientservices.googleapis.com
  • 142.250.186.163
whitelisted
accounts.google.com
  • 64.233.166.84
whitelisted
docs.google.com
  • 142.250.74.206
shared
safebrowsingohttpgateway.googleapis.com
  • 216.58.206.74
  • 142.250.186.74
  • 142.250.186.106
  • 142.250.184.202
  • 142.250.181.234
  • 142.250.184.234
  • 142.250.185.234
  • 142.250.74.202
  • 142.250.186.42
  • 142.250.186.138
  • 172.217.16.202
  • 142.250.185.202
  • 142.250.185.138
  • 172.217.18.10
  • 142.250.186.170
  • 216.58.212.170
whitelisted
drive.usercontent.google.com
  • 142.250.185.65
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
RV_ ACCIÓN DE TUTELA N° 50.001.40.88.002.2024.00002 00.eml