File name:

Security alert_ new or unusual X login.eml

Full analysis: https://app.any.run/tasks/8b1cb7aa-3c63-4ac8-bbc3-d10f35a621e4
Verdict: Malicious activity
Analysis date: April 09, 2024, 13:28:23
OS: Ubuntu 22.04.2
Tags:
spam
Indicators:
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with CRLF line terminators
MD5:

DCCBE40B2CA745045A0D8458D10788FB

SHA1:

328726D030A7B077D84CA6AC0BBA38E1B1B5C8C4

SHA256:

18AED834DFAAF50ED61F5693927E3D899411602593C433B3D63023837847ACEE

SSDEEP:

768:ll/vRsIAq1vHfzX9LhpulAwKCfCXHCCsJrs3:llR33ZElAwKBXHsJrs3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Checks DMI information (probably VM detection)

      • systemd-hostnamed (PID: 9331)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
233
Monitored processes
11
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start sh no specs sudo no specs nautilus no specs locale-check no specs systemd-hostnamed no specs nautilus no specs thunderbird no specs which no specs thunderbird no specs glxtest no specs lsb_release no specs

Process information

PID
CMD
Path
Indicators
Parent process
9307/bin/sh -c "DISPLAY=:0 sudo -iu user nautilus \"/tmp/Security alert_ new or unusual X login\.eml\" "/bin/shany-guest-agent
User:
user
Integrity Level:
UNKNOWN
9308sudo -iu user nautilus "/tmp/Security alert_ new or unusual X login\.eml"/usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
9309nautilus "/tmp/Security alert_ new or unusual X login\.eml"/usr/bin/nautilussudo
User:
user
Integrity Level:
UNKNOWN
9310/usr/bin/locale-check C.UTF-8/usr/bin/locale-checknautilus
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
9331/lib/systemd/systemd-hostnamed/lib/systemd/systemd-hostnamedsystemd
User:
root
Integrity Level:
UNKNOWN
9338nautilus "/tmp/Security alert_ new or unusual X login\.eml"/usr/bin/nautilusnautilus
User:
user
Integrity Level:
UNKNOWN
Exit code:
496
9339/usr/lib/thunderbird/thunderbird "/tmp/Security alert_ new or unusual X login\.eml"/usr/lib/thunderbird/thunderbirdnautilus
User:
user
Integrity Level:
UNKNOWN
9341/bin/sh /usr/bin/which /usr/bin/thunderbird/usr/bin/whichthunderbird
User:
user
Integrity Level:
UNKNOWN
Exit code:
496
9342/usr/lib/thunderbird/thunderbird "/tmp/Security alert_ new or unusual X login\.eml"/usr/lib/thunderbird/thunderbirdthunderbird
User:
user
Integrity Level:
UNKNOWN
Exit code:
496
9347/usr/lib/thunderbird/glxtest -f 12/usr/lib/thunderbird/glxtestthunderbird
User:
user
Integrity Level:
UNKNOWN
Exit code:
496
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
9309nautilus/home/user/.local/share/nautilus/tags/meta.db-wal
MD5:
SHA256:
9309nautilus/home/user/.local/share/nautilus/tags/meta.db-shm
MD5:
SHA256:
9309nautilus/home/user/.local/share/nautilus/tags/.meta.isrunning
MD5:
SHA256:
9339thunderbird/home/user/.thunderbird/Crash Reports/InstallTime20231024181440
MD5:
SHA256:
9339thunderbird/tmp/thunderbird/.parentlock
MD5:
SHA256:
9339thunderbird/home/user/.thunderbird/s8bbvwlb.default-release/times.json
MD5:
SHA256:
9339thunderbird/home/user/.thunderbird/hvu18slo.default/times.json
MD5:
SHA256:
9339thunderbird/home/user/.thunderbird/installs.ini
MD5:
SHA256:
9339thunderbird/home/user/.thunderbird/profiles.ini
MD5:
SHA256:
9339thunderbird/home/user/.thunderbird/s8bbvwlb.default-release/.parentlock
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
13
DNS requests
7
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
212.102.56.178:443
Datacamp Limited
DE
unknown
224.0.0.251:5353
unknown
212.102.56.181:443
Datacamp Limited
DE
unknown
13.224.189.48:443
services.addons.thunderbird.net
AMAZON-02
US
unknown
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
unknown

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::22
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::2b
  • 2620:2d:4002:1::197
  • 2620:2d:4000:1::2a
  • 2001:67c:1562::23
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::23
  • 2001:67c:1562::24
  • 2620:2d:4000:1::97
  • 2620:2d:4002:1::196
unknown
83.100.168.192.in-addr.arpa
unknown
services.addons.thunderbird.net
  • 13.224.189.48
  • 13.224.189.107
  • 13.224.189.75
  • 13.224.189.117
  • 2600:9000:20eb:3400:c:19e4:9800:93a1
  • 2600:9000:20eb:9e00:c:19e4:9800:93a1
  • 2600:9000:20eb:8200:c:19e4:9800:93a1
  • 2600:9000:20eb:a000:c:19e4:9800:93a1
  • 2600:9000:20eb:7c00:c:19e4:9800:93a1
  • 2600:9000:20eb:a600:c:19e4:9800:93a1
  • 2600:9000:20eb:b800:c:19e4:9800:93a1
  • 2600:9000:20eb:c400:c:19e4:9800:93a1
whitelisted
api.snapcraft.io
  • 185.125.188.59
  • 185.125.188.54
  • 185.125.188.55
  • 185.125.188.58
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Security alert_ new or unusual X login.eml