File name: xmr_linux_amd64 (2)

Full analysis: https://app.any.run/tasks/9e9af702-9ee8-40be-b0c6-bab685cb3484
Verdict: Malicious activity
Threats:
Crypto mining malware is a resource-intensive threat that infiltrates computers in order to mine cryptocurrencies. It can be deployed either on an infected machine or on a compromised website; in both cases the miner consumes the device's computing power and its network bandwidth.

Analysis date: September 21, 2024, 19:27:48
OS: Ubuntu 22.04.2
Tags: evasion, github, miner
Indicators:
MIME: application/x-executable
File info: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
MD5: 2352FD3E33ED079446CAD48EE044DF18
SHA1: 2C1802E6F3EB067984245B0C23D2F093A93A42CC
SHA256: DBF22AADA7E9EFA11116411E1D6F18F6ECBB215D53E21D6F769E1869F4E8160B
SSDEEP: 98304:A9far34oOe/B9VHpBWV9aOhi92D61+p7Y0cUwH3Hi6KGEZsN69Uk4+hZSC7mYaLJ:z5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • MINER has been detected (SURICATA)
      • xmrig (PID: 13921)
  • SUSPICIOUS
    • Checks DMI information (probably VM detection)
      • xmrig (PID: 13921)
    • Modifies file or directory owner
      • sudo (PID: 13904)
    • Potential Corporate Privacy Violation
      • xmrig (PID: 13921)
    • Reads /proc/mounts (likely used to find writable filesystems)
      • xmrig (PID: 13921)
    • Checks for external IP
      • systemd-resolved (PID: 425)
      • xmr_linux_amd64 (2).o (PID: 13910)
    • Crypto Currency Mining Activity Detected
      • systemd-resolved (PID: 425)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD: .o | ELF Executable and Linkable format (generic) (49.8)

EXIF (EXE):
CPUArchitecture: 64 bit
CPUByteOrder: Little endian
ObjectFileType: Executable file
CPUType: AMD x86-64
Total processes: 230
Monitored processes: 14
Malicious processes: 1
Suspicious processes: 3

Behavior graph (process nodes, in the order shown):
start, sh (no specs), sudo (no specs), chown (no specs), chmod (no specs), sudo (no specs), systemctl (no specs), systemctl (no specs), xmr_linux_amd64 (2).o, locale-check (no specs), sudo (no specs), true (no specs), sudo (no specs), xmrig (#MINER), systemd-resolved

Process information

PID 425: /lib/systemd/systemd-resolved
  Path: /usr/lib/systemd/systemd-resolved
  Parent process: systemd
  User: systemd-resolve
  Integrity Level: UNKNOWN

PID 13903: /bin/sh -c "sudo chown user \"/tmp/xmr_linux_amd64 (2)\.o\" && chmod +x \"/tmp/xmr_linux_amd64 (2)\.o\" && DISPLAY=:0 sudo -iu user \"/tmp/xmr_linux_amd64 (2)\.o\" "
  Path: /bin/sh
  Parent process: any-guest-agent
  User: root
  Integrity Level: UNKNOWN

PID 13904: sudo chown user "/tmp/xmr_linux_amd64 (2)\.o"
  Path: /usr/bin/sudo
  Parent process: sh
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 13905: chown user "/tmp/xmr_linux_amd64 (2)\.o"
  Path: /usr/bin/chown
  Parent process: sudo
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 13906: chmod +x "/tmp/xmr_linux_amd64 (2)\.o"
  Path: /usr/bin/chmod
  Parent process: sh
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 13907: sudo -iu user "/tmp/xmr_linux_amd64 (2)\.o"
  Path: /usr/bin/sudo
  Parent process: sh
  User: root
  Integrity Level: UNKNOWN

PID 13908: systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
  Path: /usr/bin/systemctl
  Parent process: snapd
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 13909: systemctl --user --global is-enabled snap.snapd-desktop-integration.snapd-desktop-integration.service
  Path: /usr/bin/systemctl
  Parent process: snapd
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0

PID 13910: "/tmp/xmr_linux_amd64 (2)\.o"
  Path: /tmp/xmr_linux_amd64 (2).o
  Parent process: sudo
  User: user
  Integrity Level: UNKNOWN

PID 13911: /usr/bin/locale-check C.UTF-8
  Path: /usr/bin/locale-check
  Parent process: xmr_linux_amd64 (2).o
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0
Executable files: 0
Suspicious files: 3
Text files: 1
Unknown types: 0

Dropped files (PID | Process | Filename | Type)

13910 | xmr_linux_amd64 (2).o | /tmp/xmrig/xmrig.tar.gz | compressed
13910 | xmr_linux_amd64 (2).o | /tmp/xmrig/xmrig-6.21.3/SHA256SUMS | text
13910 | xmr_linux_amd64 (2).o | /tmp/xmrig/xmrig-6.21.3/xmrig | binary
13910 | xmr_linux_amd64 (2).o | /tmp/xmrig/xmrig-6.21.3/config.json | binary
HTTP(S) requests: 1
TCP/UDP connections: 17
DNS requests: 30
Threats: 8

HTTP requests

GET http://connectivity-check.ubuntu.com/ (91.189.91.48:80), HTTP 204, unknown, whitelisted

Connections (PID | Process | IP | Domain | ASN | CN | Reputation)

- | - | 91.189.91.48:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted
470 | avahi-daemon | 224.0.0.251:5353 | - | - | - | unknown
- | - | 185.125.190.98:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
- | - | 207.211.211.27:443 | odrs.gnome.org | - | US | whitelisted
- | - | 185.125.188.59:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
- | - | 185.125.188.54:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
- | - | 185.125.188.58:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
13910 | xmr_linux_amd64 (2).o | 104.26.12.205:443 | api.ipify.org | CLOUDFLARENET | US | shared
13910 | xmr_linux_amd64 (2).o | 172.67.131.146:443 | vmtracker.freechildporninthisserver.lol | CLOUDFLARENET | US | unknown
13910 | xmr_linux_amd64 (2).o | 140.82.121.4:443 | github.com | GITHUB | US | shared

DNS requests (Domain | Reputation)

connectivity-check.ubuntu.com | whitelisted
google.com | whitelisted
odrs.gnome.org | whitelisted
api.snapcraft.io | whitelisted
api.ipify.org | shared
vmtracker.freechildporninthisserver.lol | unknown
236.100.168.192.in-addr.arpa | unknown
github.com | shared
objects.githubusercontent.com | shared
raw.githubusercontent.com | shared

Threats (PID | Process | Class | Message)

425 | systemd-resolved | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
13910 | xmr_linux_amd64 (2).o | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
425 | systemd-resolved | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
425 | systemd-resolved | Crypto Currency Mining Activity Detected | ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com)
425 | systemd-resolved | Crypto Currency Mining Activity Detected | ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com)
425 | systemd-resolved | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
425 | systemd-resolved | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub

1 ETPRO signature available in the full report
No debug info