MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e4e0247476003c3efef81eba6fdc6c98876d15ae4fd81994a2a58c598c2011d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkTortilla


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash: 0e4e0247476003c3efef81eba6fdc6c98876d15ae4fd81994a2a58c598c2011d
SHA3-384 hash: c7ac55c7e4b56f3925c9b62d767e7ff9c86d32cd20b510ab253f5cb7f2b6b5c87c9008f6d044b070f7352c933fc1f5b9
SHA1 hash: c3c5f2b383a4b4a6ee335a3b5bb9de182cb3cc82
MD5 hash: d245eadb186f026bc1bc70fd0e2273ac
humanhash: twelve-emma-lactose-robin
File name:MV.CORNELIA.M_VESSEL_INFORMATION.exe
Download: download sample
Signature DarkTortilla
File size:1'213'440 bytes
First seen:2026-07-14 03:15:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'116 x AgentTesla, 20'118 x Formbook, 12'357 x SnakeKeylogger)
ssdeep 12288:qi2amT2CPpHAP/iGc1ZOM+FhWF2hekxpp4y98G1R12Vg5CkCThajRxBV:G/2UxAPqGcv/+Duyx4K0kYa9xB
Threatray 56 similar samples on MalwareBazaar
TLSH T14F45E12549466536DB3D0A74C2D6749C13F0FDF39292E71A2EE870FCDB727A4A9D2082
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 926d69b2696dd628 (3 x DarkTortilla)
Reporter threatcat_ch
Tags:DarkTortilla exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
150
Origin country :
CH CH
Vendor Threat Intelligence
Verdict:
Malicious
Score:
91.7%
Tags:
trojan micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated packed vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-07-13T23:32:00Z UTC
Last seen:
2026-07-16T01:23:00Z UTC
Hits:
~1000
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
DarkTortilla, FormBook
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected FormBook
Yara detected MSIL Injector
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1941922 Sample: MV.CORNELIA.M_VESSEL_INFORM... Startdate: 14/07/2026 Architecture: WINDOWS Score: 100 32 casamigosescape.com 2->32 34 alb-1pfcgefh3w5c0845wfa8hll8s.cn-beijing.volcuseralb.com 2->34 36 4 other IPs or domains 2->36 44 Suricata IDS alerts for network traffic 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 8 other signatures 2->50 10 MV.CORNELIA.M_VESSEL_INFORMATION.exe 2 2->10         started        signatures3 process4 signatures5 62 Writes to foreign memory regions 10->62 64 Injects a PE file into a foreign processes 10->64 13 AddInProcess32.exe 10->13         started        16 WerFault.exe 22 16 10->16         started        process6 signatures7 66 Modifies the context of a thread in another process (thread injection) 13->66 68 Maps a DLL or memory area into another process 13->68 70 Queues an APC in another process (thread injection) 13->70 72 3 other signatures 13->72 18 GCiqSdQ4.exe 13->18 injected process8 signatures9 42 Binary is likely a compiled AutoIt script file 18->42 21 unregmp2.exe 13 18->21         started        process10 signatures11 52 Tries to steal Mail credentials (via file / registry access) 21->52 54 Tries to harvest and steal browser information (history, passwords, etc) 21->54 56 Modifies the context of a thread in another process (thread injection) 21->56 58 3 other signatures 21->58 24 6z4lQP56AdT6L.exe 21->24 injected 28 firefox.exe 21->28         started        30 chrome.exe 21->30         started        process12 dnsIp13 38 alb-1pfcgefh3w5c0845wfa8hll8s.cn-beijing.volcuseralb.com 115.191.4.233, 49706, 49707, 49708 VOLCANO-ENGINEBeijingVolcanoEngineTechnologyCoLtdCN China 24->38 40 casamigosescape.com 15.197.225.128, 49710, 49712, 49713 AMAZON-02-AmazoncomIncUS Canada 24->40 60 Binary is likely a compiled AutoIt script file 24->60 signatures14
Verdict:
.NET Reflective Loader
YARA:
8 match(es)
Tags:
.Net .Net Obfuscator .Net Reactor .NET Reflective Loader Crypter Executable Loader Malicious Managed .NET PDB Path PE (Portable Executable) PE File Layout Reflective Loader Payload SOS: 0.38 SOS: 0.85 Win 32 Exe x86
Threat name:
Win32.Backdoor.FormBook
Status:
Malicious
First seen:
2026-07-14 02:31:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Result
Malware family:
formbook
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
.NET Reactor proctector
Family: Formbook
Formbook payload
Unpacked files
SH256 hash:
0e4e0247476003c3efef81eba6fdc6c98876d15ae4fd81994a2a58c598c2011d
MD5 hash:
d245eadb186f026bc1bc70fd0e2273ac
SHA1 hash:
c3c5f2b383a4b4a6ee335a3b5bb9de182cb3cc82
SH256 hash:
499970cacbd87446fe0de13a298d7d738865b719259e64b18a7d713454fc6ecc
MD5 hash:
95a58e6aebfe0399fef2f160037f7cbc
SHA1 hash:
207cb6d554db5f7c7e561703618c40019e8c05d3
SH256 hash:
0560dc3341dfec3c62eb46b34f35a49aadefcf32c998278d5a30217ef3a0ea9b
MD5 hash:
54cc82f466f7bf3e13d5cc2921758beb
SHA1 hash:
579fbd3c06299322c8d54f79473230b684b123d8
SH256 hash:
0a17fd43cedc74a89d2ba5078cfa9bc8fe1c8557f49ef1e3415d68b57aaa5b59
MD5 hash:
03fe84c8fd2f0af1e75acc8ca52c2f86
SHA1 hash:
b162f1706513fd595585acebbee54321e8773333
SH256 hash:
285aa3b8ef35e8950132aac993f39915a5fdb821fe70d9ab9ed2ddb8d730d0bf
MD5 hash:
da4e2c8378551fbacba852813c5a3cd4
SHA1 hash:
2ba8a60219860983b9b233f410639627785af5eb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkTortilla

Executable exe 0e4e0247476003c3efef81eba6fdc6c98876d15ae4fd81994a2a58c598c2011d

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments