File name: .redtail

Full analysis: https://app.any.run/tasks/6dcf570e-df95-4cf2-ab23-71bcfbab069e
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Analysis date: June 29, 2024, 15:24:55
OS: Ubuntu 22.04.2
Tags:
miner
redtails
user
Indicators:
MIME: application/x-sharedlib
File info: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), statically linked, no section header
MD5: 07DB7C34621453DB287722245085C5B4
SHA1: 9D4F2640B89C148E70953D49EB6D7D1867C182D2
SHA256: AB897157FDEF11B267E986EF286FD44A699E3699A458D90994E020619653D2CD
SSDEEP: 49152:8rp/g+ezhxfndt+1H5PdNpwT9Z5BJqiSk/DHtPaqBBCMNGOfDX879DVxCT5SRMVh:OpY+khxf7cZFNW9BJqPk/7tyqBlNGOfJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • MINER has been detected (SURICATA)

      • 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o (PID: 13017)
    • Connects to the CnC server

      • 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o (PID: 13017)
  • SUSPICIOUS

    • Checks DMI information (probably VM detection)

      • systemd-hostnamed (PID: 12953)
      • 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o (PID: 13016)
      • udevadm (PID: 13026)
    • Executes commands using command-line interpreter

      • gnome-terminal-server (PID: 12971)
      • 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o (PID: 13017)
      • update-notifier (PID: 13054)
      • apt (PID: 13092)
      • dpkg-preconfigure (PID: 13149)
      • apt (PID: 13188)
      • cron (PID: 13268)
    • Reads /proc/mounts (likely used to find writable filesystems)

      • 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o (PID: 13016)
      • check-new-release-gtk (PID: 13056)
    • Manipulating modules (likely to execute programs on system boot)

      • modprobe (PID: 13025)
    • Connects to unusual port

      • 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o (PID: 13017)
    • Modifies Cron jobs

      • sh (PID: 13019)
    • Potential Corporate Privacy Violation

      • 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o (PID: 13017)
    • Creates or rewrites file in the "bin" folder

      • dpkg (PID: 13164)
    • Executes the "rm" command to delete files or directories

      • dpkg (PID: 13164)
      • update-motd-updates-available (PID: 13194)
    • Crypto Currency Mining Activity Detected

      • 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o (PID: 13017)
    • Changes time attribute to hide new files or make changes to the existing one

      • sh (PID: 13192)
    • Checks the user who created the process

      • cron (PID: 13268)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.o | ELF Executable and Linkable format (generic) (100)

EXIF

EXE

CPUArchitecture: 64 bit
CPUByteOrder: Little endian
ObjectFileType: Shared object file
CPUType: AMD x86-64
No data.
All screenshots are available in the full report
Total processes: 370
Monitored processes: 154
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Processes in the graph, in order of appearance (entries the sandbox flagged with indicators are marked; every other entry carried no indicators):

sh, sudo, nautilus, locale-check, systemd-hostnamed, systemctl, systemctl, systemctl, systemctl, gnome-terminal, gnome-terminal.real, gnome-terminal-server, bash, lesspipe, basename, dash, dircolors, dirname, systemctl, systemctl, bash, bash, ls, bash, bash, file, 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o, 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o [flagged: #MINER], sh, sh, crontab, dash, crontab, sh, modprobe, iptables, udevadm, sh, sh, sh, which, sh, which, 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o, update-notifier, sh, check-new-release-gtk [flagged], dpkg, dpkg, lsb_release, lsb_release, lsb_release, lsb_release, bash, command-not-found, snap, apt, dpkg, sudo, sudo, apt, dpkg, dpkg, sh, snap, http, sh, snap, sh, snap, http [flagged], sh, dpkg-preconfigure, locale, sh, stty, sh, stty, sh, perl, whiptail, apt-extracttemplates, dpkg, dpkg, dpkg, dpkg, dpkg, dpkg, dpkg-split, dpkg-deb, dpkg-deb, dpkg-deb, tar, dpkg-deb, dpkg-deb, dpkg-deb, rm, dpkg, mailcap.postinst, update-mime, desktop-file-utils.postinst, update-desktop-database, hicolor-icon-theme.postinst, which, which, gtk-update-icon-cache, man-db.postinst, mandb, dpkg, dpkg, dpkg, apt, sh, test, echo, sh, touch, update-motd-updates-available, apt-config, dpkg, apt-config, dpkg, apt-config, dpkg, apt-config, dpkg, apt-config, dpkg, find, mktemp, apt-check, dirname, dpkg, dpkg, tracker-extract-3, bash, lesspipe, basename, dash, dirname, dircolors, htop, dpkg, dpkg, dpkg, dpkg, dpkg, mv, chmod, rm, sh, snap, cron, sh

Process information

Columns: PID, CMD, Path, Indicators, Parent process (the Indicators column is empty for every row shown).

PID 12936
  CMD: /bin/sh -c "DISPLAY=:0 sudo -iu user nautilus /home/user/Desktop/6dcf570e-df95-4cf2-ab23-71bcfbab069e\.o "
  Path: /bin/sh
  Parent process: any-guest-agent
  User: user
  Integrity Level: UNKNOWN

PID 12937
  CMD: sudo -iu user nautilus /home/user/Desktop/6dcf570e-df95-4cf2-ab23-71bcfbab069e.o
  Path: /usr/bin/sudo
  Parent process: sh
  User: user
  Integrity Level: UNKNOWN

PID 12938
  CMD: nautilus /home/user/Desktop/6dcf570e-df95-4cf2-ab23-71bcfbab069e.o
  Path: /usr/bin/nautilus
  Parent process: sudo
  User: user
  Integrity Level: UNKNOWN

PID 12939
  CMD: /usr/bin/locale-check C.UTF-8
  Path: /usr/bin/locale-check
  Parent process: nautilus
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0

PID 12953
  CMD: /lib/systemd/systemd-hostnamed
  Path: /lib/systemd/systemd-hostnamed
  Parent process: systemd
  User: root
  Integrity Level: UNKNOWN
  Exit code: 1195

PID 12959
  CMD: systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
  Path: /usr/bin/systemctl
  Parent process: snapd
  User: root
  Integrity Level: UNKNOWN
  Exit code: 482

PID 12960
  CMD: systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
  Path: /usr/bin/systemctl
  Parent process: snapd
  User: root
  Integrity Level: UNKNOWN
  Exit code: 482

PID 12962
  CMD: systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
  Path: /usr/bin/systemctl
  Parent process: snapd
  User: root
  Integrity Level: UNKNOWN
  Exit code: 482

PID 12963
  CMD: systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
  Path: /usr/bin/systemctl
  Parent process: snapd
  User: root
  Integrity Level: UNKNOWN
  Exit code: 482

PID 12964
  CMD: /usr/bin/python3 /usr/bin/gnome-terminal
  Path: /usr/bin/gnome-terminal
  Parent process: gnome-shell
  User: user
  Integrity Level: UNKNOWN
  Exit code: 213
Executable files: 0
Suspicious files: 35
Text files: 74
Unknown types: 0

Dropped files

PID | Process | Filename | Type (the MD5 and SHA256 fields are empty for every file listed)
13149 | dpkg-preconfigure | /var/cache/debconf/config.dat | text
13149 | dpkg-preconfigure | /var/cache/debconf/templates.dat | text
13056 | check-new-release-gtk | /tmp/#6029334 (deleted) | text
13056 | check-new-release-gtk | /tmp/#6029335 (deleted) | text
13056 | check-new-release-gtk | /tmp/#6029359 (deleted) | text
13056 | check-new-release-gtk | /tmp/#6029364 (deleted) | text
13056 | check-new-release-gtk | /tmp/#6029378 (deleted) | text
13056 | check-new-release-gtk | /tmp/#6029379 (deleted) | text
13056 | check-new-release-gtk | /home/user/.cache/update-manager-core/meta-release-lts | text
13088 | apt | /tmp/#6029334 (deleted) | text
HTTP(S) requests: 3
TCP/UDP connections: 25
DNS requests: 24
Threats: 10

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation (cells the report leaves empty are omitted from the rows below).

13147 | http | GET | 200 | 185.125.190.83:80 | http://archive.ubuntu.com/ubuntu/pool/main/h/htop/htop_3.0.5-7build2_amd64.deb | unknown | unknown
(no PID/process listed) | GET | 204 | 91.189.91.98:80 | http://connectivity-check.ubuntu.com/ | unknown | unknown
473 | NetworkManager | GET | 204 | 91.189.91.98:80 | http://connectivity-check.ubuntu.com/ | unknown | unknown

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation (cells the report leaves empty are omitted from the rows below).

470 | avahi-daemon | 224.0.0.251:5353 | unknown
(no PID/process listed) | 91.189.91.98:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | unknown
(no PID/process listed) | 185.125.190.97:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | unknown
(no PID/process listed) | 195.181.170.19:443 | odrs.gnome.org | Datacamp Limited | DE | unknown
485 | snapd | 185.125.188.55:443 | api.snapcraft.io | Canonical Group Limited | GB | malicious
485 | snapd | 185.125.188.54:443 | api.snapcraft.io | Canonical Group Limited | GB | unknown
485 | snapd | 185.125.188.59:443 | api.snapcraft.io | Canonical Group Limited | GB | unknown
13017 | 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o | 95.215.19.53:853 | (no domain) | ab stract | FI | unknown
13017 | 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o | 1.1.1.1:853 | (no domain) | CLOUDFLARENET | malicious
13017 | 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o | 217.160.70.42:853 | (no domain) | IONOS SE | DE | unknown

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 91.189.91.98
  • 185.125.190.98
  • 185.125.190.18
  • 185.125.190.48
  • 185.125.190.49
  • 185.125.190.96
  • 185.125.190.97
  • 91.189.91.49
  • 91.189.91.48
  • 91.189.91.96
  • 185.125.190.17
  • 91.189.91.97
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::23
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::2b
  • 2001:67c:1562::23
  • 2620:2d:4000:1::2a
  • 2001:67c:1562::24
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::97
  • 2620:2d:4002:1::198
  • 2620:2d:4002:1::197
unknown
odrs.gnome.org
  • 195.181.170.19
  • 156.146.33.15
  • 195.181.175.40
  • 212.102.56.179
  • 212.102.56.182
  • 156.146.33.140
  • 195.181.175.15
  • 156.146.33.138
  • 2a02:6ea0:c700::22
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::10
  • 2a02:6ea0:c700::17
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::101
unknown
api.snapcraft.io
  • 185.125.188.55
  • 185.125.188.54
  • 185.125.188.59
  • 185.125.188.58
unknown
44.100.168.192.in-addr.arpa
unknown
proxies.internetshadow.org
  • 194.59.30.110
  • 92.118.39.120
  • 93.123.39.174
  • 164.215.103.47
unknown
changelogs.ubuntu.com
  • 91.189.91.48
  • 185.125.190.18
  • 185.125.190.17
  • 91.189.91.49
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::2a
unknown
_http._tcp.archive.ubuntu.com
unknown
archive.ubuntu.com
  • 185.125.190.83
  • 185.125.190.81
  • 91.189.91.81
  • 91.189.91.83
  • 91.189.91.82
  • 185.125.190.82
  • 2620:2d:4000:1::102
  • 2620:2d:4000:1::101
  • 2620:2d:4002:1::103
  • 2620:2d:4002:1::102
  • 2620:2d:4000:1::103
  • 2620:2d:4002:1::101
unknown

Threats

PID | Process | Class | Message
13017 | 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o | Misc Attack | ET COMPROMISED Known Compromised or Hostile Host Traffic group 7
13017 | 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 38
13017 | 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o | Misc Attack | ET 3CORESec Poor Reputation IP group 6
13017 | 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o | Crypto Currency Mining Activity Detected | MINER [ANY.RUN] CoinMiner Agent CnC Initial Connection
13017 | 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
13017 | 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 14
13017 | 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o | Misc Attack | ET 3CORESec Poor Reputation IP group 12
13017 | 6dcf570e-df95-4cf2-ab23-71bcfbab069e.o | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
13147 | http | Not Suspicious Traffic | ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
No debug info