suspicious user account and file in my system

pra838 — Thu, 27 Oct 2022 04:18:09 GMT

Is this BOT or not ?

# cat /etc/passwd | grep trapsanalyzer1
trapsanalyzer1:x:993:990::/home/trapsanalyzer1:/usr/sbin/nologin

# chage -l trapsanalyzer1
Last password change                                    : Jul 13, 2020
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : -1
Maximum number of days between password change          : -1
Number of days of warning before password expires       : -1

# userdel -r trapsanalyzer1
userdel: user trapsanalyzer1 is currently used by process 1137

]# ps -ef | grep 1137
trapsan+ 1137   744 0 Sep25 ?        00:00:00 /opt/traps/analyzerd/analyzerd 17 19 21
root     26328 25808 0 22:20 pts/0    00:00:00 grep --color=auto 1137

File :analyzerd

# cd /opt/traps/analyzerd/
# ll
total 1972
-r-xr-xr-x. 1 root root 2018616 Jul 13 2020 analyzerd

# stat analyzerd
File: ‘analyzerd’
Size: 2018616         Blocks: 3944       IO Block: 4096   regular file
Device: fd01h/64769d    Inode: 509439873   Links: 1
Access: (0555/-r-xr-xr-x) Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-10-19 22:10:58.555360195 +0530
Modify: 2020-07-13 10:38:39.431252769 +0530
Change: 2020-07-13 10:39:04.990251201 +0530
Birth: -

So , This is virustotal hash of analyzd file.

0f762101141fae2791a810d99e69ec28358acef9c6491f79e9d13941c22ac4de

https://www.virustotal.com/graph/embed/g341095e131824f508d1d0cb150bc7da3ebddab77a09a46f98c5221ac813b602b

Is this is not a BOT and no need to take action to remove this?

Re: suspicious user account and file in my system

kiwi — Thu, 27 Oct 2022 08:06:24 GMT

Hi @pra838 ,

I believe a user trapsanalyzer1 is normal and created by Cortex XDR endpoint protection (or previously traps).

When a file needs to be analyzed it will give the task to "analyzerd". The job of it is to analyze the file and return a verdict.

Hope this helps,

-Kiwi.

Re: suspicious user account and file in my system

pra838 — Thu, 27 Oct 2022 15:05:38 GMT

Thank You So much ...!💪

But what is the connection established to UK IPs.

And what is about Virustotal and VTGraphs.

Do you have any idea about it?

0f762101141fae2791a810d99e69ec28358acef9c6491f79e9d13941c22ac4de

https://www.virustotal.com/graph/embed/g341095e131824f508d1d0cb150bc7da3ebddab77a09a46f98c5221ac813b...

topic Re: suspicious user account and file in my system in General Topics

suspicious user account and file in my system

Re: suspicious user account and file in my system

Re: suspicious user account and file in my system