1a828c7d13de59f9db34489ba5407bf2201181280aa6c6af1e4241982b0d1925

Analysis

max time kernel
149s
max time network
145s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20250307-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20250307-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
28/03/2025, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/torguard
Size

5.6MB
MD5

57fa17ccaaa72158bf5bfeb7d4ef846b
SHA1

32f68dcc78c330d9074477d2044afaba400c53ff
SHA256

7338245005544a16d2c4df4f21b0cbb3ced06e8083d762bc68773378bbafd6a8
SHA512

cea7b63ce5379cee8fa7798ccfc55279482756fac8095f214c7c284f97cf1df3b65e239a7f25c9da985beeaec76d8833891c607024d9965abab42df8604c2b3d
SSDEEP

49152:lqxoq0FrEiEWD5FdoR6aZRzb4Bc/HlCpKBH2jHnJvLNURCmrDAtkvcNWaL1KFyyz:5HZEqLdQ6aHzbhQJmR0sImeq5jHt

Score

4^/10

discovery

Malware Config

Signatures

Changes its process name 7 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	QXcbEventQueue	2524	torguard
Changes the process name, possibly in an attempt to hide itself	Qt bearer thread	2526	torguard
Changes the process name, possibly in an attempt to hide itself	QDBusConnectionManager	2527	torguard
Changes the process name, possibly in an attempt to hide itself	QNetworkAccessManager thread	2531	torguard
Changes the process name, possibly in an attempt to hide itself	Thread (pooled)	2532	torguard
Changes the process name, possibly in an attempt to hide itself	QQmlThread	2538	torguard
Changes the process name, possibly in an attempt to hide itself	QQmlThread	2539	torguard

Reads CPU attributes 1 TTPs 1 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	torguard

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/apparmor/parameters/enabled	dbus-daemon
File opened for reading	/sys/kernel/security/apparmor/features/dbus/mask	dbus-daemon

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/fd	torguard
File opened for reading	/proc/2522/cmdline	dbus-daemon
File opened for reading	/proc/sys/kernel/random/boot_id	torguard
File opened for reading	/proc/self/fd	dbus-launch
File opened for reading	/proc/sys/kernel/cap_last_cap	dbus-daemon
File opened for reading	/proc/filesystems	dbus-daemon
File opened for reading	/proc/self/fd	dbus-daemon
File opened for reading	/proc/mounts	dbus-daemon
File opened for reading	/proc/2537/status	dbus-daemon
File opened for reading	/proc/2537/attr/apparmor/current	dbus-daemon

/tmp/torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/torguard
/tmp/torguard-v4.8.29-build.286.1+g70e4e51-amd64-arch/opt/torguard/bin/torguard
1⤵
- Changes its process name
- Reads CPU attributes
- Reads runtime system information
PID:2522
- /usr/bin/uname
  /usr/bin/uname -srvmpio
  2⤵
  PID:2525
- /usr/bin/dbus-launch
  dbus-launch --autolaunch 36e6eb39a6fa405996e79cad2731865d --binary-syntax --close-stderr
  2⤵
  - Reads runtime system information
  PID:2533
- - /usr/bin/dbus-daemon
    /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2535

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.config/VPNetworkLLC/TorGuard.conf.lock

Filesize
115B

MD5
d73593c6f22df8b7f4724022a081204d

SHA1
90c4c94b54a0ceda26e7dbaddac1ab7f70ff13fb

SHA256
b0ec8a6d67b41e61aea14da572dae955870bb3b8505d60d1c14294b37c5d6f82

SHA512
e1d520aab009f3dd57e379cdbbf7c721093e1fd2985f2949155fac26854ece2b2abf48332193573b0074ab686fd1892d0db93a9b6f92da89501e88908a257720

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads