File name:

anydesk_6.3.0-1_amd64.deb

Full analysis: https://app.any.run/tasks/80b3f43d-73cc-4469-9447-42bcaf8291ba
Verdict: Malicious activity
Analysis date: February 08, 2024, 14:11:38
OS: Ubuntu 22.04.2
MIME: application/vnd.debian.binary-package
File info: Debian binary package (format 2.0), with control.tar.gz, data compression gz
MD5:

53E85FB2D683E03DC020EF230EEDA2C9

SHA1:

1A7EE551BDA6452B86DACCADE97471F842127450

SHA256:

30F6E44CEA28428D1CB645055FAE72CF166F63318E0C94F2C12D18A3614CE30C

SSDEEP:

98304:IOdG1/3D42QSQLTpHtjdckPQOL2e3fOld2cT89FnXXPUKjAxSWfkdkybeVh5xywT:b/qcKj/+X1m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads network configuration

      • anydesk (PID: 7520)
      • anydesk (PID: 7580)

    • Executes commands using command-line interpreter

      • anydesk (PID: 7523)
      • gnome-terminal-server (PID: 7551)
      • anydesk (PID: 7583)

    • Gets active network interfaces

      • anydesk (PID: 7520)
      • anydesk (PID: 7580)

    • Executes the "rm" command to delete files or directories

      • dpkg (PID: 7451)

    • Creates or rewrites file in the "bin" folder

      • dpkg (PID: 7451)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.deb | Debian Linux Package (77.4)
.ar | ar archive (22.5)

EXIF

EXE

CreateDate: 2023:08:03 14:29:28+02:00
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
268
Monitored processes
48
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start sh no specs sudo no specs sudo no specs locale-check no specs dpkg no specs dpkg-split no specs dpkg-deb no specs dpkg-deb no specs dpkg-deb no specs tar no specs preinst no specs bash no specs ls no specs awk no specs awk no specs systemctl no specs dpkg-deb no specs dpkg-deb no specs dpkg-deb no specs rm no specs hicolor-icon-theme.postinst no specs which no specs which no specs gtk-update-icon-cache no specs desktop-file-utils.postinst no specs update-desktop-database no specs anydesk no specs anydesk no specs anydesk no specs sh no specs lsb_release no specs gnome-terminal no specs gnome-terminal.real no specs gnome-terminal-server no specs bash no specs lesspipe no specs basename no specs dash no specs dircolors no specs dirname no specs anydesk no specs anydesk no specs anydesk no specs sh no specs lsb_release no specs anydesk no specs sh no specs run-parts no specs

Process information

PID
CMD
Path
Indicators
Parent process
7447/bin/sh -c "DISPLAY=:0 sudo -iu user sudo dpkg -i \"/tmp/anydesk_6\.3\.0-1_amd64\.deb\" " /bin/shany-guest-agent
User:
user
Integrity Level:
UNKNOWN
Exit code:
7451
7448sudo -iu user sudo dpkg -i /tmp/anydesk_6.3.0-1_amd64.deb /usr/bin/sudosh
User:
user
Integrity Level:
UNKNOWN
Exit code:
209
7449sudo dpkg -i /tmp/anydesk_6.3.0-1_amd64.deb /usr/bin/sudosudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
7462
7450/usr/bin/locale-check C.UTF-8 /usr/bin/locale-checksudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
1214
7451dpkg -i /tmp/anydesk_6.3.0-1_amd64.deb /usr/bin/dpkgsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
7462
7452dpkg-split -Qao /var/lib/dpkg/reassemble.deb /tmp/anydesk_6.3.0-1_amd64.deb /usr/bin/dpkg-splitdpkg
User:
root
Integrity Level:
UNKNOWN
Exit code:
1214
7453dpkg-deb --control /tmp/anydesk_6.3.0-1_amd64.deb /var/lib/dpkg/tmp.ci /usr/bin/dpkg-debdpkg
User:
root
Integrity Level:
UNKNOWN
Exit code:
1214
7454dpkg-deb --control /tmp/anydesk_6.3.0-1_amd64.deb /var/lib/dpkg/tmp.ci /usr/bin/dpkg-debdpkg-deb
User:
root
Integrity Level:
UNKNOWN
Exit code:
1214
7455dpkg-deb --control /tmp/anydesk_6.3.0-1_amd64.deb /var/lib/dpkg/tmp.ci /usr/bin/dpkg-debdpkg-deb
User:
root
Integrity Level:
UNKNOWN
Exit code:
1214
7456tar -x -f - --warning=no-timestamp /usr/bin/tardpkg-deb
User:
root
Integrity Level:
UNKNOWN
Exit code:
1214
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
7451dpkg/var/lib/dpkg/updates/tmp.i
MD5:
SHA256:
7451dpkg/var/lib/dpkg/triggers/Lock
MD5:
SHA256:
7451dpkg/var/log/dpkg.log
MD5:
SHA256:
7456tar/var/lib/dpkg/tmp.ci/control
MD5:
SHA256:
7456tar/var/lib/dpkg/tmp.ci/md5sums
MD5:
SHA256:
7456tar/var/lib/dpkg/tmp.ci/prerm
MD5:
SHA256:
7456tar/var/lib/dpkg/tmp.ci/postrm
MD5:
SHA256:
7456tar/var/lib/dpkg/tmp.ci/preinst
MD5:
SHA256:
7456tar/var/lib/dpkg/tmp.ci/postinst
MD5:
SHA256:
7451dpkg/usr/share/pixmaps/anydesk.png.dpkg-new
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
75
DNS requests
17
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
185.125.190.17:80
http://connectivity-check.ubuntu.com/
unknown
unknown
GET
204
91.189.91.97:80
http://connectivity-check.ubuntu.com/
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.125.190.17:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
unknown
91.189.91.49:80
connectivity-check.ubuntu.com
Canonical Group Limited
US
unknown
212.102.56.179:443
Datacamp Limited
DE
unknown
224.0.0.251:5353
unknown
156.146.33.141:443
Datacamp Limited
DE
unknown
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
185.125.188.55:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
239.255.102.18:50001
unknown
49.12.130.237:443
boot.net.anydesk.com
Hetzner Online GmbH
DE
unknown
239.255.102.18:50003
unknown

DNS requests

Domain
IP
Reputation
177.100.168.192.in-addr.arpa
unknown
api.snapcraft.io
  • 185.125.188.59
  • 185.125.188.58
  • 185.125.188.55
  • 185.125.188.54
unknown
boot.net.anydesk.com
  • 49.12.130.237
unknown
relay-a94e7ea4.net.anydesk.com
  • 208.115.231.166
unknown
connectivity-check.ubuntu.com
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::97
  • 2620:2d:4002:1::197
  • 2001:67c:1562::24
  • 2001:67c:1562::23
  • 2620:2d:4000:1::98
  • 2620:2d:4002:1::196
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::2b
  • 91.189.91.97
  • 91.189.91.49
  • 185.125.190.98
  • 91.189.91.48
  • 185.125.190.48
  • 91.189.91.96
  • 185.125.190.96
  • 185.125.190.17
  • 91.189.91.98
  • 185.125.190.18
  • 185.125.190.49
  • 185.125.190.97
unknown

Threats

PID
Process
Class
Message
Misc activity
ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
anydesk_6.3.0-1_amd64.deb