MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 018f85786e3cbf158c1a9d44c0d82bdd8d86958e7f8eb9e8dc74e3293f42c068. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkTortilla

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	018f85786e3cbf158c1a9d44c0d82bdd8d86958e7f8eb9e8dc74e3293f42c068
SHA3-384 hash:	e87e554bb9cf6f5728b6dd8cae3a71bac5925111da451ceee0a052f41404dceff1b8f64239b3c697324658cc94da8a90
SHA1 hash:	b7cf8356908d2b810bc9fab4db66561fb9e0c5a9
MD5 hash:	5906aa141749598b45851583aaefa182
humanhash:	minnesota-october-pizza-quiet
File name:	DHL INVOICE-04885.exe
Download:	download sample
Signature	DarkTortilla Create hunting rule
File size:	1'865'728 bytes
First seen:	2026-03-08 07:03:34 UTC
Last seen:	2026-03-08 07:49:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'843 x AgentTesla, 19'775 x Formbook, 12'297 x SnakeKeylogger)
ssdeep	24576:3ExD/kqGR8SlTxV0/eS9BrVXqI+6RO2XHyu:3Pvz9W/pVaInMs
Threatray	282 similar samples on MalwareBazaar
TLSH	T11785F00163D85F68F47F57349875086197F2BC03EE22DFCDB2895DAA2D31B81899A723
TrID	73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	DarkTortilla DHL exe

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

DHL INVOICE-04885.exe

Verdict:

No threats detected

Analysis date:

2026-03-08 07:08:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/49f7bf27-7d93-4568-ad70-a733126b244e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/56615/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.81675724.UNOFFICIAL

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69ad1f7de41a5a099930d3db

Tags:

dotnet virus smtp

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 crypt loki masquerade obfuscated obfuscated reconnaissance unsafe vbnet

Link:

https://www.filescan.io/uploads/69ad1f6f97feb4afd674373a/reports/8c1d495a-3703-460d-835d-7060d1282342/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/018f85786e3cbf158c1a9d44c0d82bdd8d86958e7f8eb9e8dc74e3293f42c068

Verdict:

Malicious

File Type:

exe x32

Link:

https://opentip.kaspersky.com/018f85786e3cbf158c1a9d44c0d82bdd8d86958e7f8eb9e8dc74e3293f42c068/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/4cdb6add-9be7-446c-8901-d0ba9cbcee3d

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1880163

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Yara detected MSIL Injector

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/018f85786e3cbf158c1a9d44c0d82bdd8d86958e7f8eb9e8dc74e3293f42c068

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86

Link:

https://app.malva.re/file/5906aa141749598b45851583aaefa182

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/018f85786e3cbf158c1a9d44c0d82bdd8d86958e7f8eb9e8dc74e3293f42c068/

Threat name:

Win32.Ransomware.Loki

Status:

Malicious

First seen:

2026-03-06 16:50:40 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aghyk6dohs7rlda2tvcmbwbl3wgynfmop6hlt2g4otrssp2cybua._file

Verdict:

malicious

Label(s):

purecrypter

phantomstealer

DarkTortilla

904a3d70be9fccbd1d04cdc90d20e430351f16696d3ba2e14400f31f2437c133

DarkTortilla

9cbffe3435e4218fbfebedbbc72a2e587098bdd9eb4a4b3014a38d1d9869817b

DarkTortilla

cfd11ba39c99b6dfa239f8ae1611f2300af5a6cb6ccc01bea56780a6664ed7d4

DarkTortilla

e29a7d60a1683cfbf810324b90d65edf87399f593b613a7edd933f574830d905

DarkTortilla

+ 272 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/260308-hv2t2aav7n/

Behaviour

System Location Discovery: System Language Discovery

.NET Reactor proctector

Unpacked files

SH256 hash:

018f85786e3cbf158c1a9d44c0d82bdd8d86958e7f8eb9e8dc74e3293f42c068

MD5 hash:

5906aa141749598b45851583aaefa182

SHA1 hash:

b7cf8356908d2b810bc9fab4db66561fb9e0c5a9

Link:

https://www.unpac.me/results/86385c2d-a6ab-4c63-b7c1-9233801f7d28/

SH256 hash:

c47ada3392dd20199b6d259e6afa093674a2a829051ddf30b38dd34d1fcebd29

MD5 hash:

2c8ba1fe8e140fc5c280a79b47372139

SHA1 hash:

ed2d31b2b3bd622d3c3b65d4117007145a28d81d

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/86385c2d-a6ab-4c63-b7c1-9233801f7d28/

Parent samples :

1439e036d8b04775d5462e7dbbb6e0b90e7668545f7ca5dae2aac74e84b184aa
3fedec832e464055478f1f221aa42fe894b227f168c59bb5ba9e8f2eefdd53cb
238441c6a05dd55e6cee3b33c991a8d91302c9e687e4607f2b33ca74dc850ea5
9992e4177343a1227f6a60f77f6556f5df92b30ce35b5521ee4156bb4fabb844
95a769c7e3b0b372e3e4d9534127d61fdeef9186ccc99ed88cba00423178da29
3246fdc5c32e6b265880c004ebee3d7aa2d9bcb0c01874c03616e2b736f9e825
018f85786e3cbf158c1a9d44c0d82bdd8d86958e7f8eb9e8dc74e3293f42c068
de4146aee4fd1bf6fc685015022b9931ca6eead9d42d440df166e15d521742ae

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/018f85786e3cbf158c1a9d44c0d82bdd8d86958e7f8eb9e8dc74e3293f42c068

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/56615/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample