File name: Phish3Case1.eml
Full analysis: https://app.any.run/tasks/a37b3fb0-50fa-436c-a19e-94b594ddc3a6
Verdict: Malicious activity
Analysis date: April 26, 2025, 07:34:43
OS: Ubuntu 22.04.2
MIME: message/rfc822
File info: RFC 822 mail, ASCII text, with CRLF line terminators
MD5: F146914471A98343106CE815DAD4C608
SHA1: FFEC7C522A275B1E3D3FCD18D3D92D13904B90B9
SHA256: 3890CA772588B7B88B94CBE9A6BBB4147CEA9EF5FF054EB8086B4E88762E9DEB
SSDEEP: 384:FgD6w/iIdD61db2owYHzybyhbDnRAb2owYHzyvyVJ0PiJyJe2z/:Fg2p1zy/zyPPSip

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Check the Environment Variables Related to System Identification (os-release)

      • python3.10 (PID: 39519): this is /usr/bin/lsb_release -idrc, launched by thunderbird (see the process table)
      • thunderbird (PID: 39493)
    • Reads profile file

      • thunderbird (PID: 39493)
    • Reads passwd file

      • thunderbird (PID: 39493)
      • glxtest (PID: 39501): Thunderbird's graphics (GLX) probe helper
    • Executes commands using command-line interpreter

      • sudo (PID: 39492): the sandbox's own launcher (sudo -iu user thunderbird /tmp/Phish3Case1.eml), not something started by the message
    • Reads /proc/mounts (likely used to find writable filesystems)

      • thunderbird (PID: 39493)
  • INFO

    • Checks timezone

      • thunderbird (PID: 39493)
      • python3.10 (PID: 39519)

Every hit above belongs to Thunderbird starting up under the sandbox launcher (PIDs 39491 to 39519 all descend from any-guest-agent via dash and sudo); none of them is attributable to the contents of Phish3Case1.eml, which was only opened in the mail client.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
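The behavioral signatures above describe Thunderbird, not the message: a sandbox that merely renders an .eml sees client startup noise unless links are clicked or attachments are opened. The static triage an analyst runs alongside such a report (verify the file hashes, compare From / Return-Path / Reply-To domains, pull URLs and flag anchor text that points somewhere else, hash attachments and check for a PE header or a double extension) is shown below as an added example. It is not part of the ANY.RUN report, and because the page does not reproduce Phish3Case1.eml, the message in SAMPLE is constructed for the demonstration; the domain comparison uses a last-two-labels approximation rather than the Public Suffix List.

```python
"""Offline .eml triage to complement a sandbox run (added example, not report output)."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Any, Dict, List
from urllib.parse import urlparse

# Constructed sample, NOT the real Phish3Case1.eml: ASCII, CRLF line endings
# (matching the report's file info), one HTML part, one base64 attachment.
SAMPLE = (
    b"Return-Path: <bounce@mailer.example.net>\r\n"
    b"Received: from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.org\r\n"
    b"From: \"IT Support\" <helpdesk@example.org>\r\n"
    b"Reply-To: reset-team@example.net\r\n"
    b"To: user@example.org\r\n"
    b"Subject: Password expires today\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b"<p>Reset at <a href=\"http://example.net/reset\">https://portal.example.org</a></p>\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream; name=\"invoice.pdf.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=\"invoice.pdf.exe\"\r\n"
    b"\r\n"
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"  # 'MZ' header
    b"--b1--\r\n"
)

_URL_RE = re.compile(r'https?://[^\s"<>]+')
_ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 of the raw file, upper-case as the report prints them."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256")}


def _domain(addr: str) -> str:
    # Assumption: registrable domain == last two labels (no Public Suffix List).
    host = addr.rpartition("@")[2].lower()
    return ".".join(host.split(".")[-2:])


def header_findings(msg: EmailMessage) -> List[str]:
    """Flag envelope/reply addresses whose domain differs from the visible sender."""
    findings: List[str] = []
    sender = parseaddr(str(msg.get("From", "")))[1]
    for hdr in ("Return-Path", "Reply-To"):
        other = parseaddr(str(msg.get(hdr, "")))[1]
        if other and _domain(other) != _domain(sender):
            findings.append(f"{hdr} domain {_domain(other)} differs from From domain {_domain(sender)}")
    if not msg.get_all("Received"):
        findings.append("no Received headers: message never transited a mail server")
    return findings


def link_findings(msg: EmailMessage) -> Dict[str, List[str]]:
    """Collect URLs from text parts; flag anchors whose shown URL host != href host."""
    urls: List[str] = []
    findings: List[str] = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        urls.extend(_URL_RE.findall(body))
        for href, text in _ANCHOR_RE.findall(body):
            shown = _URL_RE.search(text)
            if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
                findings.append(f"link text shows {urlparse(shown.group()).hostname} "
                                f"but points to {urlparse(href).hostname}")
    return {"urls": sorted(set(urls)), "findings": findings}


def attachment_findings(msg: EmailMessage) -> List[Dict[str, Any]]:
    """Hash every attachment and note PE headers and double extensions."""
    out: List[Dict[str, Any]] = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        out.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest().upper(),
            "pe_header": data[:2] == b"MZ",
            "double_extension": name.count(".") > 1
            and name.lower().endswith((".exe", ".scr", ".js", ".vbs", ".lnk")),
        })
    return out


def triage(data: bytes) -> Dict[str, Any]:
    """Static summary of one .eml: hashes, sender, URLs, attachments, findings."""
    msg = email.message_from_bytes(data, policy=policy.default)
    links = link_findings(msg)
    return {
        "hashes": file_hashes(data),
        "subject": str(msg.get("Subject", "")),
        "from": parseaddr(str(msg.get("From", "")))[1],
        "urls": links["urls"],
        "attachments": attachment_findings(msg),
        "findings": header_findings(msg) + links["findings"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

On a real sample, `triage(open("Phish3Case1.eml", "rb").read())` gives the hashes to compare against the MD5/SHA1/SHA256 at the top of the report, plus the URLs and attachment hashes that a render-only sandbox run never exercises; those are what to detonate or look up next.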

TRiD

.eml | E-Mail message (Var. 5) (100)
No data.
All screenshots are available in the full report
Total processes: 231
Monitored processes: 11
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Process chain as drawn in the report ("no specs" is the report's label for a process with no signature hits; parent links taken from the process table below):

any-guest-agent
└─ dash (39491, no specs)
   └─ sudo (39492, no specs)
      └─ thunderbird (39493)
         ├─ locale-check (39494, no specs)
         ├─ dash (39495, no specs)
         ├─ thunderbird (39496, no specs)
         ├─ glxtest (39501, no specs)
         └─ python3.10 (39519, no specs)
snapd
   └─ systemctl (no specs; the graph shows three, the table lists 39559 and 39560)

Process information

Integrity level is reported as UNKNOWN for every process (Linux guest); all exit codes are 0. The Indicators column is empty for every row.

PID    Command line                                                                                          Path                               Parent           User
39491  /bin/sh -c "DISPLAY=:0 sudo -iu user thunderbird /tmp/Phish3Case1\.eml "                              /usr/bin/dash                      any-guest-agent  user
39492  sudo -iu user thunderbird /tmp/Phish3Case1.eml                                                        /usr/bin/sudo                      dash             root
39493  /usr/lib/thunderbird/thunderbird /tmp/Phish3Case1.eml                                                 /usr/lib/thunderbird/thunderbird   sudo             user
39494  /usr/bin/locale-check C.UTF-8                                                                         /usr/bin/locale-check              thunderbird      user
39495  /bin/sh /usr/bin/which /usr/bin/thunderbird                                                           /usr/bin/dash                      thunderbird      user
39496  /usr/lib/thunderbird/thunderbird /tmp/Phish3Case1.eml                                                 /usr/lib/thunderbird/thunderbird   thunderbird      user
39501  /usr/lib/thunderbird/glxtest -f 12                                                                    /usr/lib/thunderbird/glxtest       thunderbird      user
39519  /usr/bin/python3 -Es /usr/bin/lsb_release -idrc                                                       /usr/bin/python3.10                thunderbird      user
39559  systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service  /usr/bin/systemctl                 snapd            root
39560  systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service  /usr/bin/systemctl                 snapd            root
Executable files: 2
Suspicious files: 94
Text files: 15
Unknown types: 1

Dropped files

The MD5 and SHA256 columns are empty for every row in the report excerpt. All entries are Thunderbird profile and cache files written on first launch.

PID    Process      Filename                                                                    Type
39501  glxtest      /home/user/.cache/mesa_shader_cache/index                                   binary
39493  thunderbird  /home/user/.thunderbird/Crash Reports/InstallTime20231024181440             text
39493  thunderbird  /home/user/.thunderbird/y2tr9dtd.default-release/times.json                 binary
39493  thunderbird  /home/user/.thunderbird/6nxiehmk.default/times.json                         binary
39493  thunderbird  /home/user/.thunderbird/installs.ini                                        text
39493  thunderbird  /home/user/.thunderbird/profiles.ini                                        text
39493  thunderbird  /home/user/.thunderbird/y2tr9dtd.default-release/compatibility.ini          text
39493  thunderbird  /home/user/.thunderbird/y2tr9dtd.default-release/cookies.sqlite-journal (deleted)  binary
39493  thunderbird  /home/user/.thunderbird/y2tr9dtd.default-release/pkcs11.txt                 text
39493  thunderbird  /home/user/.thunderbird/y2tr9dtd.default-release/cert9.db-journal (deleted)  binary
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 16
DNS requests: 15
Threats: 0

HTTP requests

No PID or process is attributed to either request in the report. Both are the Ubuntu/NetworkManager captive-portal connectivity probe (an HTTP 204 from connectivity-check.ubuntu.com is the expected "online" answer) and are unrelated to the message.

PID  Process  Method  HTTP Code  IP                  URL                                    CN       Type  Size  Reputation
-    -        GET     204        185.125.190.49:80   http://connectivity-check.ubuntu.com/  unknown  -     -     whitelisted
-    -        GET     204        185.125.190.49:80   http://connectivity-check.ubuntu.com/  unknown  -     -     whitelisted

Connections

PID    Process       IP                    Domain                                ASN                      CN  Reputation
-      -             185.125.190.49:80     connectivity-check.ubuntu.com         Canonical Group Limited  GB  whitelisted
484    avahi-daemon  224.0.0.251:5353      -                                     -                        -   unknown
-      -             195.181.175.41:443    odrs.gnome.org                        Datacamp Limited         DE  whitelisted
512    snapd         185.125.188.55:443    api.snapcraft.io                      Canonical Group Limited  GB  whitelisted
512    snapd         185.125.188.59:443    api.snapcraft.io                      Canonical Group Limited  GB  whitelisted
39493  thunderbird   3.167.227.56:443      services.addons.thunderbird.net       -                        US  whitelisted
39493  thunderbird   104.26.2.27:443       thunderbird-settings.thunderbird.net  -                        -   whitelisted

Nothing here is driven by the .eml. 224.0.0.251:5353 is the mDNS multicast group used by avahi-daemon; odrs.gnome.org is the GNOME Software ratings service; api.snapcraft.io is snapd's store API; the two Thunderbird destinations are its add-on blocklist and remote-settings endpoints contacted on startup. No connection to a domain or IP taken from the message body was recorded.

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 185.125.190.49
  • 185.125.190.48
  • 185.125.190.98
  • 185.125.190.97
  • 91.189.91.98
  • 91.189.91.97
  • 185.125.190.96
  • 91.189.91.48
  • 91.189.91.49
  • 185.125.190.17
  • 185.125.190.18
  • 91.189.91.96
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::96
  • 2620:2d:4002:1::198
  • 2620:2d:4000:1::22
  • 2001:67c:1562::24
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::23
  • 2620:2d:4002:1::196
  • 2001:67c:1562::23
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::97
  • 2620:2d:4002:1::197
whitelisted
google.com
  • 142.250.184.206
  • 2a00:1450:4001:830::200e
whitelisted
odrs.gnome.org
  • 195.181.175.41
  • 169.150.255.180
  • 212.102.56.179
  • 37.19.194.81
  • 207.211.211.26
  • 195.181.170.19
  • 169.150.255.184
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::19
whitelisted
api.snapcraft.io
  • 185.125.188.55
  • 185.125.188.58
  • 185.125.188.59
  • 185.125.188.54
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::344
  • 2620:2d:4000:1010::6d
  • 2620:2d:4000:1010::42
whitelisted
services.addons.thunderbird.net
  • 3.167.227.56
  • 3.167.227.19
  • 3.167.227.14
  • 3.167.227.80
  • 2600:9000:27e6:9a00:c:19e4:9800:93a1
  • 2600:9000:27e6:2400:c:19e4:9800:93a1
  • 2600:9000:27e6:2200:c:19e4:9800:93a1
  • 2600:9000:27e6:f400:c:19e4:9800:93a1
  • 2600:9000:27e6:4000:c:19e4:9800:93a1
  • 2600:9000:27e6:ac00:c:19e4:9800:93a1
  • 2600:9000:27e6:d800:c:19e4:9800:93a1
  • 2600:9000:27e6:6a00:c:19e4:9800:93a1
whitelisted
7.100.168.192.in-addr.arpa
unknown
thunderbird-settings.thunderbird.net
  • 104.26.2.27
  • 104.26.3.27
  • 172.67.74.82
  • 2606:4700:20::681a:31b
  • 2606:4700:20::ac43:4a52
  • 2606:4700:20::681a:21b
whitelisted

Threats

No threats detected
No debug info