File name:

Security alert_ new or unusual X login.eml

Full analysis: https://app.any.run/tasks/18ee7209-716f-4079-8d2d-e8e517be37c1
Verdict: Malicious activity
Analysis date: April 09, 2024, 13:11:46
OS: Ubuntu 22.04.2
Tags:
spam
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with CRLF line terminators
MD5:

DCCBE40B2CA745045A0D8458D10788FB

SHA1:

328726D030A7B077D84CA6AC0BBA38E1B1B5C8C4

SHA256:

18AED834DFAAF50ED61F5693927E3D899411602593C433B3D63023837847ACEE

SSDEEP:

768:ll/vRsIAq1vHfzX9LhpulAwKCfCXHCCsJrs3:llR33ZElAwKBXHsJrs3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads /proc/mounts (likely used to find writable filesystems)

      • thunderbird (PID: 9295)

    • Checks DMI information (probably VM detection)

      • systemd-hostnamed (PID: 9286)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
391
Monitored processes
169
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start sh no specs sudo no specs nautilus no specs locale-check no specs systemd-hostnamed no specs nautilus no specs thunderbird no specs which no specs thunderbird no specs glxtest no specs lsb_release no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs systemctl no specs gvfsd-http no specs thunderbird no specs chrome no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs chrome no specs chrome_crashpad_handler no specs chrome_crashpad_handler no specs chrome no specs chrome_crashpad_handler no specs chrome no specs chrome no specs nacl_helper no specs chrome no specs chrome no specs nacl_helper no specs chrome no specs exe no specs chrome no specs chrome no specs chrome no specs xdg-settings no specs dbus-send no specs which no specs dash no specs basename no specs dash no specs which no specs readlink no specs dash no specs grep no specs cut no specs dash no specs xdg-mime no specs dbus-send no specs which no specs dash no specs dash no specs awk no specs cut no specs basename no specs dash no specs which no specs readlink no specs grep no specs cut no specs dash no specs dash no specs xdg-mime no specs dbus-send no specs which no specs dash no specs dash no specs awk no specs cut no specs basename no specs chrome no specs dash no specs grep no specs cut no specs dash no specs which no specs readlink no specs chrome no specs chrome no specs chrome no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs thunderbird no specs chrome no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs chrome no specs chrome_crashpad_handler no specs chrome no specs chrome no specs chrome no specs chrome_crashpad_handler no specs chrome_crashpad_handler no specs nacl_helper no specs nacl_helper no specs chrome no specs chrome no specs chrome no specs exe no specs chrome no specs chrome no specs chrome no specs xdg-settings no specs dbus-send no specs which no specs dash no specs basename no specs dash no specs which no specs readlink no specs grep no specs cut no specs dash no specs dash no specs xdg-mime no specs dbus-send no specs which no specs dash no specs dash no specs awk no specs cut no specs basename no specs dash no specs which no specs readlink no specs dash no specs grep no specs cut no specs dash no specs xdg-mime no specs dbus-send no specs which no specs dash no specs dash no specs awk no specs cut no specs basename no specs dash no specs grep no specs cut no specs dash no specs which no specs readlink no specs chrome no specs chrome no specs chrome no specs chrome no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs

Process information

PID
CMD
Path
Indicators
Parent process
9267/bin/sh -c "DISPLAY=:0 sudo -iu user nautilus \"/tmp/Security alert_ new or unusual X login\.eml\" "/bin/shany-guest-agent
User:
user
Integrity Level:
UNKNOWN
9268sudo -iu user nautilus "/tmp/Security alert_ new or unusual X login\.eml"/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
9269nautilus "/tmp/Security alert_ new or unusual X login\.eml"/usr/bin/nautilussudo
User:
user
Integrity Level:
UNKNOWN
9270/usr/bin/locale-check C.UTF-8/usr/bin/locale-checknautilus
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
9286/lib/systemd/systemd-hostnamed/lib/systemd/systemd-hostnamedsystemd
User:
root
Integrity Level:
UNKNOWN
Exit code:
9428
9294nautilus "/tmp/Security alert_ new or unusual X login\.eml"/usr/bin/nautilusnautilus
User:
user
Integrity Level:
UNKNOWN
Exit code:
496
9295/usr/lib/thunderbird/thunderbird "/tmp/Security alert_ new or unusual X login\.eml"/usr/lib/thunderbird/thunderbirdnautilus
User:
user
Integrity Level:
UNKNOWN
9297/bin/sh /usr/bin/which /usr/bin/thunderbird/usr/bin/whichthunderbird
User:
user
Integrity Level:
UNKNOWN
Exit code:
496
9298/usr/lib/thunderbird/thunderbird "/tmp/Security alert_ new or unusual X login\.eml"/usr/lib/thunderbird/thunderbirdthunderbird
User:
user
Integrity Level:
UNKNOWN
Exit code:
496
9303/usr/lib/thunderbird/glxtest -f 12/usr/lib/thunderbird/glxtestthunderbird
User:
user
Integrity Level:
UNKNOWN
Exit code:
496
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
9269nautilus/home/user/.local/share/nautilus/tags/meta.db-wal
MD5:
SHA256:
9269nautilus/home/user/.local/share/nautilus/tags/meta.db-shm
MD5:
SHA256:
9269nautilus/home/user/.local/share/nautilus/tags/.meta.isrunning
MD5:
SHA256:
9295thunderbird/home/user/.thunderbird/Crash Reports/InstallTime20231024181440
MD5:
SHA256:
9295thunderbird/tmp/thunderbird/.parentlock
MD5:
SHA256:
9295thunderbird/home/user/.thunderbird/wc8fiu1l.default-release/times.json
MD5:
SHA256:
9295thunderbird/home/user/.thunderbird/41vhp3kl.default/times.json
MD5:
SHA256:
9295thunderbird/home/user/.thunderbird/installs.ini
MD5:
SHA256:
9295thunderbird/home/user/.thunderbird/profiles.ini
MD5:
SHA256:
9295thunderbird/home/user/.thunderbird/wc8fiu1l.default-release/.parentlock
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
29
DNS requests
41
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
212.102.56.179:443
Datacamp Limited
DE
unknown
224.0.0.251:5353
unknown
156.146.33.141:443
Datacamp Limited
DE
unknown
108.138.36.76:443
services.addons.thunderbird.net
AMAZON-02
US
unknown
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.58:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
239.255.255.250:1900
unknown
172.217.18.3:443
clientservices.googleapis.com
GOOGLE
US
unknown
74.125.71.84:443
accounts.google.com
GOOGLE
US
unknown

DNS requests

Domain
IP
Reputation
238.100.168.192.in-addr.arpa
unknown
services.addons.thunderbird.net
  • 108.138.36.76
  • 108.138.36.129
  • 108.138.36.6
  • 108.138.36.25
  • 2600:9000:237d:5400:c:19e4:9800:93a1
  • 2600:9000:237d:5e00:c:19e4:9800:93a1
  • 2600:9000:237d:7000:c:19e4:9800:93a1
  • 2600:9000:237d:3400:c:19e4:9800:93a1
  • 2600:9000:237d:ea00:c:19e4:9800:93a1
  • 2600:9000:237d:200:c:19e4:9800:93a1
  • 2600:9000:237d:1a00:c:19e4:9800:93a1
  • 2600:9000:237d:8e00:c:19e4:9800:93a1
whitelisted
api.snapcraft.io
  • 185.125.188.55
  • 185.125.188.54
  • 185.125.188.59
  • 185.125.188.58
unknown
clientservices.googleapis.com
  • 172.217.18.3
whitelisted
accounts.google.com
  • 74.125.71.84
shared
gcc02.safelinks.protection.outlook.com
  • 104.47.65.28
  • 104.47.64.28
whitelisted
twitter.com
  • 104.244.42.129
whitelisted
abs-0.twimg.com
  • 104.244.43.131
whitelisted
abs.twimg.com
  • 152.199.21.141
whitelisted
abs-zero.twimg.com
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Security alert_ new or unusual X login.eml