Overview
overview
4Static
static
1torguard-v...onnect
ubuntu-22.04-amd64
1torguard-v...penvpn
ubuntu-24.04-amd64
1torguard-v...-local
ubuntu-24.04-amd64
1torguard-v...l_5_42
ubuntu-22.04-amd64
1torguard-v...l_5_57
ubuntu-22.04-amd64
1torguard-v...rguard
ubuntu-24.04-amd64
4torguard-v...rapper
ubuntu-18.04-amd64
1torguard-v...rapper
debian-9-armhf
1torguard-v...rapper
debian-9-mips
1torguard-v...rapper
debian-9-mipsel
1torguard-v...script
ubuntu-18.04-amd64
3torguard-v...script
debian-9-armhf
3torguard-v...script
debian-9-mips
3torguard-v...script
debian-9-mipsel
3torguard-v...-amd64
ubuntu-22.04-amd64
3torguard-v...g.html
windows7-x64
3torguard-v...g.html
windows10-2004-x64
4torguard-v...e.so.5
ubuntu-22.04-amd64
1torguard-v...s.so.5
ubuntu-20.04-amd64
1torguard-v...i.so.5
ubuntu-24.04-amd64
1torguard-v...k.so.5
ubuntu-22.04-amd64
1torguard-v...l.so.5
ubuntu-24.04-amd64
1torguard-v...k.so.5
ubuntu-22.04-amd64
1torguard-v...2.so.5
ubuntu-24.04-amd64
1torguard-v...2.so.5
ubuntu-24.04-amd64
1torguard-v...g.so.5
ubuntu-22.04-amd64
1torguard-v...s.so.5
ubuntu-24.04-amd64
1torguard-v...s.so.5
ubuntu-22.04-amd64
1torguard-v...a.so.5
ubuntu-20.04-amd64
1torguard-v...o.so.1
ubuntu-24.04-amd64
1torguard-v...l.so.1
ubuntu-22.04-amd64
1torguard-v...d.so.8
ubuntu-22.04-amd64
1Analysis
-
max time kernel
122s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
28/03/2025, 13:48
Static task
static1
Behavioral task
behavioral1
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/openconnect
Resource
ubuntu2204-amd64-20250307-en
ubuntu-22.04-amd64
Behavioral task
behavioral2
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/openvpn
Resource
ubuntu2404-amd64-20250307-en
ubuntu-24.04-amd64
Behavioral task
behavioral3
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/ss-local
Resource
ubuntu2404-amd64-20250307-en
ubuntu-24.04-amd64
Behavioral task
behavioral4
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/stunnel_5_42
Resource
ubuntu2204-amd64-20250307-en
ubuntu-22.04-amd64
Behavioral task
behavioral5
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/stunnel_5_57
Resource
ubuntu2204-amd64-20250307-en
ubuntu-22.04-amd64
Behavioral task
behavioral6
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/torguard
Resource
ubuntu2404-amd64-20250307-en
ubuntu-24.04-amd64
Behavioral task
behavioral7
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/torguard-wrapper
Resource
ubuntu1804-amd64-20240729-en
ubuntu-18.04-amd64
Behavioral task
behavioral8
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/torguard-wrapper
Resource
debian9-armhf-20240611-en
debian-9-armhf
Behavioral task
behavioral9
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/torguard-wrapper
Resource
debian9-mipsbe-20240611-en
debian-9-mips
Behavioral task
behavioral10
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/torguard-wrapper
Resource
debian9-mipsel-20240418-en
debian-9-mipsel
Behavioral task
behavioral11
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/vpnc-script
Resource
ubuntu1804-amd64-20240611-en
ubuntu-18.04-amd64
Behavioral task
behavioral12
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/vpnc-script
Resource
debian9-armhf-20240611-en
debian-9-armhf
Behavioral task
behavioral13
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/vpnc-script
Resource
debian9-mipsbe-20240611-en
debian-9-mips
Behavioral task
behavioral14
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/vpnc-script
Resource
debian9-mipsel-20240418-en
debian-9-mipsel
Behavioral task
behavioral15
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/wstunnel-7_9_2-linux-amd64
Resource
ubuntu2204-amd64-20250307-en
ubuntu-22.04-amd64
Behavioral task
behavioral16
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/doc/offline_warning.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral17
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/doc/offline_warning.html
Resource
win10v2004-20250314-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libQt5Core.so.5
Resource
ubuntu2204-amd64-20250307-en
ubuntu-22.04-amd64
Behavioral task
behavioral19
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libQt5DBus.so.5
Resource
ubuntu2004-amd64-20240508-en
ubuntu-20.04-amd64
Behavioral task
behavioral20
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libQt5Gui.so.5
Resource
ubuntu2404-amd64-20250307-en
ubuntu-24.04-amd64
Behavioral task
behavioral21
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libQt5Network.so.5
Resource
ubuntu2204-amd64-20250307-en
ubuntu-22.04-amd64
Behavioral task
behavioral22
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libQt5Qml.so.5
Resource
ubuntu2404-amd64-20250307-en
ubuntu-24.04-amd64
Behavioral task
behavioral23
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libQt5Quick.so.5
Resource
ubuntu2204-amd64-20250307-en
ubuntu-22.04-amd64
Behavioral task
behavioral24
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libQt5QuickControls2.so.5
Resource
ubuntu2404-amd64-20250307-en
ubuntu-24.04-amd64
Behavioral task
behavioral25
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libQt5QuickTemplates2.so.5
Resource
ubuntu2404-amd64-20250307-en
ubuntu-24.04-amd64
Behavioral task
behavioral26
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libQt5Svg.so.5
Resource
ubuntu2204-amd64-20250307-en
ubuntu-22.04-amd64
Behavioral task
behavioral27
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libQt5WebSockets.so.5
Resource
ubuntu2404-amd64-20250307-en
ubuntu-24.04-amd64
Behavioral task
behavioral28
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libQt5Widgets.so.5
Resource
ubuntu2204-amd64-20250307-en
ubuntu-22.04-amd64
Behavioral task
behavioral29
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libQt5XcbQpa.so.5
Resource
ubuntu2004-amd64-20240729-en
ubuntu-20.04-amd64
Behavioral task
behavioral30
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libcrypto.so.1
Resource
ubuntu2404-amd64-20250307-en
ubuntu-24.04-amd64
Behavioral task
behavioral31
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libssl.so.1
Resource
ubuntu2204-amd64-20250307-en
ubuntu-22.04-amd64
Behavioral task
behavioral32
Sample
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/lib/libunbound.so.8
Resource
ubuntu2204-amd64-20250307-en
ubuntu-22.04-amd64
General
-
Target
torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/doc/offline_warning.html
-
Size
924B
-
MD5
3e72c14436d399576bfb253eabb7ca90
-
SHA1
35eadbe2008a7b754b85dfad7e791c9d698caede
-
SHA256
84256a738a5e2e7d60b9275a2981c491ded1921e2fee329156393d162cd1b34b
-
SHA512
ca2bdaf7e9a4f473744116171042428d70a45824af213edc7aa6a8d4714dcf9ebc9d7cfc450b64d215d9d0326c331b849bc3abf0b92050db11f34949a302a42e
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{727E90F1-0BDB-11F0-969B-D60C98DC526F} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f272fc549f3433449e3ab3fa85fd3792000000000200000000001066000000010000200000000101b026d8a1881a3e87929d0e637878aea76b8d476da938ca98933725c6b424000000000e8000000002000020000000807ff9c25999e382e793ff3c8e29ed884c7ccdbcebb527e5f8d49520e2ea14839000000095a597b0a8fa36a487630af9e4ad2ad9641aa5ecfc616bf2a13b7695f0fe321132a720a20971ec61e95cf3cd0dfa937dc88e9c0073b38b6649312942a59849a4667cf97d7aa37b57da5e461c3730797f7562ea0a54cb3f4132fc4240fa8402a4f27d2e154179ee20566a1f9373f0f2c7b65a3d1a16bee59ad692e7f62bad9c11642926340a5c028a0f3a89a91bb90072400000004df51aa04d4c26b0e0812cca61155068173f5f146fa5749ff8ecbfb410a289dd7d2e827d6b6bb55d5643a655350f73cb2f8ddfd7fa241689062fb80f28d25b01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90e30747e89fdb01 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449331647" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f272fc549f3433449e3ab3fa85fd3792000000000200000000001066000000010000200000003c0feeacdba1979cf0effb465ff1aa8a3ddf5fdd8f6ffbf80e8802fbfcd04d69000000000e80000000020000200000009a168764da50d933e92f922e5104e55d2b391cdbdaf514eff928b5b434dba32720000000775e8bb76bed07d3d32d0305e3d39141370126fdc627cb8992002049e5dc4e1840000000dec0ca6fb2a4e8ab268ca0f6f17fed1d83fc37761a20e06171577419c2863a809ea1a57854afee54ecb9d2cd80467c5209a8e826a1facd1820a5affd434b8c04 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2184 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2184 iexplore.exe 2184 iexplore.exe 2828 IEXPLORE.EXE 2828 IEXPLORE.EXE 2828 IEXPLORE.EXE 2828 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2184 wrote to memory of 2828 2184 iexplore.exe 30 PID 2184 wrote to memory of 2828 2184 iexplore.exe 30 PID 2184 wrote to memory of 2828 2184 iexplore.exe 30 PID 2184 wrote to memory of 2828 2184 iexplore.exe 30
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch\opt\torguard\doc\offline_warning.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2184 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2828
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5215584a190e1c24ff87edff64c9c581c
SHA1503ee285ef6d2ac91350a6efbbe055e5ebdc75fd
SHA256a24207eb6ddd0340f11e00056d0343da2bd7adb421b9fdbecadf3a934aff1372
SHA512f1e98eb6b4e9fc770df8bfeec7460c8e1039458d92fabf6f2acd5fda42def1117d7555e04b1b0ed1e4efbbab3c3ddb6f20946f90574b97bd6cfa6b260971cfe2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD54c88f875f99588c9f149096a28de530d
SHA109d77b6c09ed3cf95e8fbafb9c47a571feb6e96b
SHA25604dc74323c8d52da76d4d58f9c1eb170850b05937473f717a338d5115c040e5c
SHA5121b3cf2356b9333cb2430e05aae640711965a447d928ba6dbfabb837d9915d21d77dd85ea2795162a9b377aad9e5ccc8ad8ae68c1f74338c31be7c75a085ef104
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
183KB
MD5109cab5505f5e065b63d01361467a83b
SHA14ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc