Malware analysis GNBot Crack - Baseult - Kopie.zip Malicious activity

Add for printing

File name:	GNBot Crack - Baseult - Kopie.zip
Full analysis:	https://app.any.run/tasks/0cc80e1c-dd3a-43b4-97a5-827bebfeb8f3
Verdict:	Malicious activity
Analysis date:	May 26, 2024, 19:20:58
OS:	Ubuntu 22.04.2
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	32A9BC239201E46EB511799D103961AD
SHA1:	F6599CC36BA64C9FE5067E9AD98587682405322E
SHA256:	8AFDC1B6143369A53236873DBFE4234F797BC900054AF1EDB29CFEF984466C53
SSDEEP:	393216:QixDDJ4zV16PaanzoAAjIa5pWRNtL0b19zkP:VDqzV1Kaahb3Yb194P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Checks DMI information (probably VM detection)
  - systemd-hostnamed (PID: 6841)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2020:02:02 11:28:08
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	GNBot Crack - Baseult/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

498

Monitored processes

283

Malicious processes

0

Suspicious processes

0

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
6192	/bin/sh -c "DISPLAY=:0 sudo -iu user file-roller \"/home/user/Desktop/GNBot Crack - Baseult - Kopie\.zip\" "	/bin/sh	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 6644
6193	sudo -iu user file-roller "/home/user/Desktop/GNBot Crack - Baseult - Kopie\.zip"	/usr/bin/sudo	—	sh
User: root Integrity Level: UNKNOWN Exit code: 6647
6194	file-roller "/home/user/Desktop/GNBot Crack - Baseult - Kopie\.zip"	/usr/bin/file-roller	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 6644
6195	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	file-roller
User: user Integrity Level: UNKNOWN Exit code: 0
6209	/usr/lib/p7zip/7z l -slt -bd -y -- "/home/user/Desktop/GNBot Crack - Baseult - Kopie\.zip"	/usr/lib/p7zip/7z	—	file-roller
User: user Integrity Level: UNKNOWN Exit code: 482
6211	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 482
6212	systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service	/usr/bin/systemctl	—	snapd
User: root Integrity Level: UNKNOWN Exit code: 482
6215	/snap/firefox/3358/usr/lib/firefox/firefox	/snap/firefox/3358/usr/lib/firefox/firefox		gnome-shell
User: user Integrity Level: UNKNOWN Exit code: 482
6227	/snap/snapd/20290/usr/lib/snapd/snap-seccomp version-info	/snap/snapd/20290/usr/lib/snapd/snap-seccomp	—	firefox
User: user Integrity Level: UNKNOWN Exit code: 482
6233	/snap/snapd/20290/usr/lib/snapd/snap-confine --base core22 snap.firefox.firefox /usr/lib/snapd/snap-exec firefox	/snap/snapd/20290/usr/lib/snapd/snap-confine	—	firefox
User: user Integrity Level: UNKNOWN

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

PID	Process	Filename		Type
6194	file-roller	/home/user/.local/share/recently-used.xbel.D2GHO2		—
		MD5:—	SHA256:—
6215	firefox	/run/snapd/lock/firefox.lock		—
		MD5:—	SHA256:—
6215	firefox	/sys/fs/bpf/snap/snap_firefox_firefox		—
		MD5:—	SHA256:—
6215	firefox	/run/snapd/ns/snap.firefox.fstab		—
		MD5:—	SHA256:—
6215	firefox	/README.md		—
		MD5:—	SHA256:—
6215	firefox	/copyright		—
		MD5:—	SHA256:—
6235	5	/ld-linux-x86-64.so.2		—
		MD5:—	SHA256:—
6235	5	/libBrokenLocale.so.1		—
		MD5:—	SHA256:—
6235	5	/libacl.so.1.1.2301		—
		MD5:—	SHA256:—
6235	5	/libanl.so.1		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

23

TCP/UDP connections

66

DNS requests

76

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.96:80	http://connectivity-check.ubuntu.com/	unknown	—	—	unknown
6215	firefox	POST	200	23.46.63.123:80	http://r3.o.lencr.org/	unknown	—	—	unknown
6215	firefox	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	unknown
6215	firefox	POST	200	23.46.63.123:80	http://r3.o.lencr.org/	unknown	—	—	unknown
6215	firefox	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	unknown	—	—	unknown
6215	firefox	POST	—	23.46.63.123:80	http://r3.o.lencr.org/	unknown	—	—	unknown
6215	firefox	POST	—	23.46.63.131:80	http://r3.o.lencr.org/	unknown	—	—	unknown
6215	firefox	POST	200	142.250.185.163:80	http://o.pki.goog/wr2	unknown	—	—	unknown
6215	firefox	POST	—	23.46.63.123:80	http://r3.o.lencr.org/	unknown	—	—	unknown
6215	firefox	POST	200	142.250.185.163:80	http://o.pki.goog/wr2	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	91.189.91.96:80	—	Canonical Group Limited	US	unknown
—	—	212.102.56.179:443	—	Datacamp Limited	DE	unknown
—	—	91.189.91.97:80	—	Canonical Group Limited	US	unknown
470	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	195.181.175.41:443	—	Datacamp Limited	DE	unknown
—	—	185.125.188.59:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
—	—	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	unknown
6215	firefox	142.250.186.138:443	safebrowsing.googleapis.com	—	—	whitelisted
6215	firefox	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
6215	firefox	34.149.100.209:443	firefox.settings.services.mozilla.com	GOOGLE	US	unknown

DNS requests

Domain	IP	Reputation
141.100.168.192.in-addr.arpa	—	unknown
api.snapcraft.io	185.125.188.59 185.125.188.55 185.125.188.54 185.125.188.58	unknown
detectportal.firefox.com	34.107.221.82 2600:1901:0:38d7::	whitelisted
contile.services.mozilla.com	34.117.188.166	whitelisted
spocs.getpocket.com	34.117.188.166	shared
example.org	93.184.215.14 2606:2800:21f:cb07:6820:80da:af6b:8b2c	whitelisted
ipv4only.arpa	192.0.0.170 192.0.0.171	whitelisted
prod.ads.prod.webservices.mozgcp.net	—	unknown
r3.o.lencr.org	23.46.63.123 23.46.63.131 2a02:26f0:2100::215:6d20 2a02:26f0:2100::215:6d11	shared
www.youtube.com	142.250.185.142 172.217.23.110 216.58.206.46 142.250.186.110 142.250.186.174 142.250.184.206 142.250.185.110 216.58.212.142 142.250.185.78 142.250.74.206 142.250.186.142 142.250.185.174 172.217.16.206 172.217.18.14 216.58.206.78 216.58.212.174 2a00:1450:4001:803::200e 2a00:1450:4001:802::200e 2a00:1450:4001:830::200e 2a00:1450:4001:80b::200e	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

GNBot Crack - Baseult - Kopie.zip

32A9BC239201E46EB511799D103961AD

F6599CC36BA64C9FE5067E9AD98587682405322E

8AFDC1B6143369A53236873DBFE4234F797BC900054AF1EDB29CFEF984466C53

393216:QixDDJ4zV16PaanzoAAjIa5pWRNtL0b19zkP:VDqzV1Kaahb3Yb194P

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Checks DMI information (probably VM detection)

INFO

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings