Malware analysis Urget Contract Action.eml Malicious activity

Add for printing

File name:	Urget Contract Action.eml
Full analysis:	https://app.any.run/tasks/97534982-3c7f-4a47-93d0-bd3d8b53e219
Verdict:	Malicious activity
Analysis date:	April 14, 2025, 01:16:42
OS:	Ubuntu 22.04.2
Tags:	susp-attachments attachments attc-exe
MIME:	message/rfc822
File info:	SMTP mail, ASCII text, with CRLF line terminators
MD5:	048C02E929690BCB0A537D08E71F6B50
SHA1:	E35F34239708F1D2AC63DC88366DCB3686D0D1EB
SHA256:	C5FE32E5DE97A1C0FF01C7BCBC99D7086A485B6DF9AC7CDB37E906F6E1D01DA3
SSDEEP:	12288:G35ETPjPNu1JoTIIu4Q3H3KNgrYq/6lm2pNRs/P7IunP9m4QSmWveSI:PPDkreIItQqev/Qmofs/TdnPvPpeB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads profile file
  - thunderbird (PID: 40658)
- Reads passwd file
  - thunderbird (PID: 40658)
  - glxtest (PID: 40666)
- Check the Environment Variables Related to System Identification (os-release)
  - python3.10 (PID: 40684)
  - thunderbird (PID: 40658)
- Reads /proc/mounts (likely used to find writable filesystems)
  - thunderbird (PID: 40658)
- Executes commands using command-line interpreter
  - sudo (PID: 40657)
INFO
- Checks timezone
  - thunderbird (PID: 40658)
  - python3.10 (PID: 40684)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.eml	\|	E-Mail message (Var. 7) (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

233

Monitored processes

11

Malicious processes

0

Suspicious processes

1

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
40656	/bin/sh -c "DISPLAY=:0 sudo -iu user thunderbird \"/tmp/Urget Contract Action\.eml\" "	/usr/bin/dash	—	any-guest-agent
User: user Integrity Level: UNKNOWN
40657	sudo -iu user thunderbird "/tmp/Urget Contract Action\.eml"	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN
40658	/usr/lib/thunderbird/thunderbird "/tmp/Urget Contract Action\.eml"	/usr/lib/thunderbird/thunderbird		sudo
User: user Integrity Level: UNKNOWN
40659	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	thunderbird
User: user Integrity Level: UNKNOWN Exit code: 0
40660	/bin/sh /usr/bin/which /usr/bin/thunderbird	/usr/bin/dash	—	thunderbird
User: user Integrity Level: UNKNOWN Exit code: 0
40661	/usr/lib/thunderbird/thunderbird "/tmp/Urget Contract Action\.eml"	/usr/lib/thunderbird/thunderbird	—	thunderbird
User: user Integrity Level: UNKNOWN Exit code: 0
40666	/usr/lib/thunderbird/glxtest -f 12	/usr/lib/thunderbird/glxtest	—	thunderbird
User: user Integrity Level: UNKNOWN Exit code: 0
40684	/usr/bin/python3 -Es /usr/bin/lsb_release -idrc	/usr/bin/python3.10	—	thunderbird
User: user Integrity Level: UNKNOWN Exit code: 0
40774	/usr/sbin/cron -f -P	/usr/sbin/cron	—	cron
User: root Integrity Level: UNKNOWN Exit code: 0
40775	/bin/sh -c " cd / && run-parts --report /etc/cron\.hourly"	/usr/bin/dash	—	cron
User: root Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

2

Suspicious files

76

Text files

12

Unknown types

0

Dropped files

PID	Process	Filename		Type
40666	glxtest	/home/user/.cache/mesa_shader_cache/index		binary
		MD5:—	SHA256:—
40658	thunderbird	/home/user/.thunderbird/Crash Reports/InstallTime20231024181440		text
		MD5:—	SHA256:—
40658	thunderbird	/home/user/.thunderbird/4bjtc2yp.default-release/times.json		binary
		MD5:—	SHA256:—
40658	thunderbird	/home/user/.thunderbird/boiwima2.default/times.json		binary
		MD5:—	SHA256:—
40658	thunderbird	/home/user/.thunderbird/installs.ini		text
		MD5:—	SHA256:—
40658	thunderbird	/home/user/.thunderbird/profiles.ini		text
		MD5:—	SHA256:—
40658	thunderbird	/home/user/.thunderbird/4bjtc2yp.default-release/compatibility.ini		text
		MD5:—	SHA256:—
40658	thunderbird	/home/user/.thunderbird/4bjtc2yp.default-release/cookies.sqlite-journal (deleted)		binary
		MD5:—	SHA256:—
40658	thunderbird	/home/user/.thunderbird/4bjtc2yp.default-release/pkcs11.txt		text
		MD5:—	SHA256:—
40658	thunderbird	/home/user/.thunderbird/4bjtc2yp.default-release/cert9.db-journal (deleted)		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

1

TCP/UDP connections

12

DNS requests

11

Threats

0

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	185.125.190.17:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	185.125.190.96:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
—	—	185.125.190.17:80	connectivity-check.ubuntu.com	Canonical Group Limited	GB	whitelisted
40658	thunderbird	3.167.227.80:443	services.addons.thunderbird.net	—	US	whitelisted
40658	thunderbird	104.26.3.27:443	thunderbird-settings.thunderbird.net	—	—	whitelisted

DNS requests

Domain	IP	Reputation
connectivity-check.ubuntu.com	185.125.190.96 185.125.190.48 185.125.190.18 91.189.91.96 91.189.91.48 185.125.190.49 91.189.91.98 91.189.91.97 185.125.190.98 185.125.190.97 91.189.91.49 185.125.190.17 2620:2d:4000:1::97 2620:2d:4000:1::96 2620:2d:4002:1::196 2620:2d:4000:1::2a 2620:2d:4000:1::2b 2001:67c:1562::24 2620:2d:4000:1::23 2620:2d:4002:1::197 2001:67c:1562::23 2620:2d:4002:1::198 2620:2d:4000:1::22 2620:2d:4000:1::98	whitelisted
google.com	142.250.186.174 2a00:1450:4001:806::200e	whitelisted
services.addons.thunderbird.net	3.167.227.80 3.167.227.19 3.167.227.14 3.167.227.56 2600:9000:27e6:400:c:19e4:9800:93a1 2600:9000:27e6:a600:c:19e4:9800:93a1 2600:9000:27e6:7a00:c:19e4:9800:93a1 2600:9000:27e6:ca00:c:19e4:9800:93a1 2600:9000:27e6:8c00:c:19e4:9800:93a1 2600:9000:27e6:7800:c:19e4:9800:93a1 2600:9000:27e6:2e00:c:19e4:9800:93a1 2600:9000:27e6:3000:c:19e4:9800:93a1	whitelisted
14.100.168.192.in-addr.arpa	—	unknown
thunderbird-settings.thunderbird.net	104.26.3.27 104.26.2.27 172.67.74.82 2606:4700:20::681a:21b 2606:4700:20::681a:31b 2606:4700:20::ac43:4a52	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Urget Contract Action.eml

048C02E929690BCB0A537D08E71F6B50

E35F34239708F1D2AC63DC88366DCB3686D0D1EB

C5FE32E5DE97A1C0FF01C7BCBC99D7086A485B6DF9AC7CDB37E906F6E1D01DA3

12288:G35ETPjPNu1JoTIIu4Q3H3KNgrYq/6lm2pNRs/P7IunP9m4QSmWveSI:PPDkreIItQqev/Qmofs/TdnPvPpeB

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Reads profile file

Reads passwd file

Check the Environment Variables Related to System Identification (os-release)

Reads /proc/mounts (likely used to find writable filesystems)

Executes commands using command-line interpreter

INFO

Checks timezone

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings