MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3197bbcbf5856ae6299d8fa7da4c4313d75f01713739c2e49eaf716372f17edf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkTortilla

Vendor detections: 18

Intelligence 18 IOCs YARA 7 File information Comments

SHA256 hash:	3197bbcbf5856ae6299d8fa7da4c4313d75f01713739c2e49eaf716372f17edf
SHA3-384 hash:	3100bea4cdb5a8959bcfdbae3fbbf2a8b0643b0bac500ab138eed6c25c3bf8f951399fbefbf94d1a59c071cb88e6d506
SHA1 hash:	91f7ec07f77a08f4a68005eec41d9be71c2075bd
MD5 hash:	c3b4b99d56e31b6d1f2192a415a1c7de
humanhash:	colorado-harry-spaghetti-alabama
File name:	Cuenta por Pagar Cliente BBVA_______________________pdf.exe
Download:	download sample
Signature	DarkTortilla Create hunting rule
File size:	1'608'192 bytes
First seen:	2025-09-27 13:16:31 UTC
Last seen:	2025-10-09 14:59:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:NUhHgw0AifmdMo8s74iDRo5UIe0b4KT4yHH67SM4XIuioH/:MHPieX8sESuBe0iSM4vD
Threatray	7 similar samples on MalwareBazaar
TLSH	T16B75643CEEC83236E5B7967AC9F505CABE517843366A5C0E449B03860D53F97BE8211E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	BBVA DarkTortilla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Cuenta por Pagar Cliente BBVA_______________________pdf.exe

Verdict:

Suspicious activity

Analysis date:

2025-09-27 13:17:44 UTC

Tags:

netreactor auto-reg

Link:

https://app.any.run/tasks/d27b5a00-f759-4b52-a30e-acd90905a79a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/29270/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68d7e3c0fb8bc5050e4f1be0

Tags:

underscore micro shell spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64 masquerade obfuscated obfuscated vbnet

Link:

https://www.filescan.io/uploads/68d7e3bfc564c8e81d08f6e6/reports/24af1165-5cf4-403f-a39b-69a12a47c346/overview

Verdict:

Malicious

Labled as:

Trojan.MSIL.Basic.8

Link:

https://www.hybrid-analysis.com/sample/3197bbcbf5856ae6299d8fa7da4c4313d75f01713739c2e49eaf716372f17edf

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-25T14:09:00Z UTC

Last seen:

2025-09-25T14:09:00Z UTC

Hits:

~1000

Detections:

Trojan.Win32.Mucc.sb Trojan.MSIL.Inject.b Trojan.MSIL.Crypt.sb VHO:Trojan-PSW.MSIL.DarkCloud.gen PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Inject.gen Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Inject.c HEUR:Trojan.MSIL.Crypt.gen Backdoor.MSIL.XWorm.b

Link:

https://opentip.kaspersky.com/3197bbcbf5856ae6299d8fa7da4c4313d75f01713739c2e49eaf716372f17edf/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/4c32d7ca-2e36-4e02-92a9-3a2ceaa84ae1

Result

Threat name:

DarkTortilla, XWorm

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1785209

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3197bbcbf5856ae6299d8fa7da4c4313d75f01713739c2e49eaf716372f17edf

Verdict:

inconclusive

YARA:

11 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86

Link:

https://app.malva.re/file/c3b4b99d56e31b6d1f2192a415a1c7de

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3197bbcbf5856ae6299d8fa7da4c4313d75f01713739c2e49eaf716372f17edf/

Verdict:

Malicious

Threat:

Family.DARKTORTILLA

Link:

https://tip.neiki.dev/file/3197bbcbf5856ae6299d8fa7da4c4313d75f01713739c2e49eaf716372f17edf

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2025-09-25 18:13:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ggl3xs7vqvvomkm5r6t5utcdcplv6alrg444fze6v5ywg4xrp3pq._file

Verdict:

malicious

Label(s):

xworm

DarkTortilla

6f0918d85cc9f27d09b3100b357e115a4cd35a492cc901f95d9a9cd07e1d4f9f

DarkTortilla

8989c105f6a548982cbf744de60417d0d3137e2559335e43ba0ea1355b93b163

DarkTortilla

error

DarkTortilla

Result

Malware family:

darktortilla

Score:

10/10

Tags:

family:darktortilla crypter discovery loader persistence

Link:

https://tria.ge/reports/250927-qh5zxscq9t/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Adds Run key to start application

.NET Reactor proctector

Executes dropped EXE

Darktortilla

Darktortilla family

Detects Darktortilla crypter.

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/736884d8-1480-47f0-be50-bb05304aeadd

Unpacked files

SH256 hash:

3197bbcbf5856ae6299d8fa7da4c4313d75f01713739c2e49eaf716372f17edf

MD5 hash:

c3b4b99d56e31b6d1f2192a415a1c7de

SHA1 hash:

91f7ec07f77a08f4a68005eec41d9be71c2075bd

Link:

https://www.unpac.me/results/d7158705-d221-44a1-a4ed-c71554fe3c5e/

SH256 hash:

15b30c685ad4a24667cc2571b7ea1ba82bcacbba508cca1ae80fee1e88ebc0a7

MD5 hash:

09d093f888bad789c47bbe1aebf68213

SHA1 hash:

105721fd549aa4b557e4c887d238cdfd8836deae

Detections:

win_xworm_a0

win_xworm_w0

win_xworm_bytestring

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/d7158705-d221-44a1-a4ed-c71554fe3c5e/

SH256 hash:

8e9a295434bf88eb2d537c44014c06bafcbf0a3d5043e5a6bb358b0bdced8af7

MD5 hash:

22ecaf55ed1e83953500c5406fbbd585

SHA1 hash:

5ff72e328bc76dbf3015d1d5665e93213c7aa3f2

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/d7158705-d221-44a1-a4ed-c71554fe3c5e/

Parent samples :

3197bbcbf5856ae6299d8fa7da4c4313d75f01713739c2e49eaf716372f17edf
1c93aaea38aac617c9d793e3925d2c4ea2715efc8bdae12a1ad057814311d866
49a17b967390741280c340edab37bf1426dc96a72dcb8298deadfc850a3b394a

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3197bbcbf585/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3197bbcbf5856ae6299d8fa7da4c4313d75f01713739c2e49eaf716372f17edf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/29270/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample