MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09b46ee5dfe774f84ff6a056441f1a0e579a24970e5e61ab47b1e9885551b946. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09b46ee5dfe774f84ff6a056441f1a0e579a24970e5e61ab47b1e9885551b946
SHA3-384 hash: 4bfe7b7d66d0fca6d237f5cc2c0a84b7f38d0eda551985dd45015a796a7d82d1e98e2c4fcb34a547371ac14bb9b5a1ae
SHA1 hash: 0995fe48edeb7f615aa3261b8879ac242ec52c2b
MD5 hash: f5422e01952798c9f1a984e7b5c00658
humanhash: mango-ack-two-juliet
File name:RFQ_With Payment Details -ULTRA CARE.exe
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:706'048 bytes
First seen:2023-04-28 14:54:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:M9Jg8ZbVIAWrUuKiG1BWjZ1Yen/XYPKPN4JwtRKcyZULFfEgaokVqxX:M/H6+oDjn/XYPqBYmxKVqx
TLSH T1AEE4D01B26C5E4ACF73DD17282747D4823BDDBE6375207966E22B6E01D232C4AF4A1D2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ_With Payment Details -ULTRA CARE.exe
Verdict:
Malicious activity
Analysis date:
2023-04-28 14:57:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/561f5405-79dc-4c65-aba5-39578f13fa47

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/385477/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66633869.14636.25509.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Running batch commands
Launching a process
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/644bde491facab193c66a000/reports/ee5a14bd-c6b8-464f-b091-dbc1eaa87366/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/09b46ee5dfe774f84ff6a056441f1a0e579a24970e5e61ab47b1e9885551b946
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9693c913-b7a3-4561-a574-822df1a4724d
Result
Threat name:
AgentTesla, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1223109
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AgentTesla
Yara detected DarkTortilla Crypter
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 856058 Sample: RFQ_With_Payment_Details_-U... Startdate: 28/04/2023 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Antivirus detection for dropped file 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 9 other signatures 2->48 7 RFQ_With_Payment_Details_-ULTRA_CARE.exe 3 2->7         started        process3 dnsIp4 40 192.168.2.1 unknown unknown 7->40 32 RFQ_With_Payment_D...-ULTRA_CARE.exe.log, ASCII 7->32 dropped 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->52 12 cmd.exe 1 7->12         started        15 cmd.exe 3 7->15         started        file5 signatures6 process7 file8 54 Uses ping.exe to sleep 12->54 56 Uses ping.exe to check the status of other devices and networks 12->56 18 reg.exe 1 1 12->18         started        21 PING.EXE 1 12->21         started        24 conhost.exe 12->24         started        34 C:\Users\user\AppData\Local\34435jj.exe, PE32 15->34 dropped 36 C:\Users\user\...\34435jj.exe:Zone.Identifier, ASCII 15->36 dropped 26 conhost.exe 15->26         started        28 PING.EXE 1 15->28         started        30 PING.EXE 1 15->30         started        signatures9 process10 dnsIp11 50 Creates an undocumented autostart registry key 18->50 38 127.0.0.1 unknown unknown 21->38 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09b46ee5dfe774f84ff6a056441f1a0e579a24970e5e61ab47b1e9885551b946/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2023-04-24 23:44:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
24 of 37 (64.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bg2g5zo7452pqt7wubleihy2bzlzujexbzpgdk2hwhuyqvkrxfda._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/230428-saffeaeg56/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
1cf929a43f087d6fb9cbfdced5b368ce7436e3c8cdacb9c34a3aea5a6893c35e
MD5 hash:
b8ec056c97756691579be4d5b60dc908
SHA1 hash:
e865e4de5238a9db9ce0a3b5a367916dbfa05987
Link:
https://www.unpac.me/results/5b9a95ef-94a3-43fa-8527-037c7e042066/
SH256 hash:
6d32c3566a8799637f4260dd3968a64e043bce3216d495a5352d48e0b93e3c1c
MD5 hash:
6d07ab69052754cc4b3f386d5bfdcf7f
SHA1 hash:
640abd76ffe7a37c0be8a9a24b38b6942525795a
Detections:
AgentTeslaXorStringsNet
Create hunting rule
Link:
https://www.unpac.me/results/5b9a95ef-94a3-43fa-8527-037c7e042066/
Parent samples :
09b46ee5dfe774f84ff6a056441f1a0e579a24970e5e61ab47b1e9885551b946
9f20125e93f217448a2a774a8470196dc28c401fdb2a2efb77455b392483eb9e
8782056d9091e507124a6a17d8b3063f8f5d9dee912c70bbaf3f7b62783d388d
e1096e70a136c8e8b4a1a54512f69abc0e0f042aacf5aa023a8f4b17ca8c8a6f
c426bd013529f036cb9b8e57b416629c8bec3622248d6ef0b171fa7ff7caaf33
SH256 hash:
09b46ee5dfe774f84ff6a056441f1a0e579a24970e5e61ab47b1e9885551b946
MD5 hash:
f5422e01952798c9f1a984e7b5c00658
SHA1 hash:
0995fe48edeb7f615aa3261b8879ac242ec52c2b
Link:
https://www.unpac.me/results/5b9a95ef-94a3-43fa-8527-037c7e042066/
Malware family:
AgentTesla.v4
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/09b46ee5dfe7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09b46ee5dfe774f84ff6a056441f1a0e579a24970e5e61ab47b1e9885551b946

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkTortilla

Executable exe 09b46ee5dfe774f84ff6a056441f1a0e579a24970e5e61ab47b1e9885551b946

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/385477/

Comments