MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054
SHA3-384 hash: a74c38320be1cab8cc77dfb3761cc941fc8afadb908aba58f6a53af715eb5bed5ae57a9672088774a60bc5a2366c7766
SHA1 hash: 4584c353187b691886181004a298d27f7cd2fd48
MD5 hash: f045f14774538a2c0685deab324116d4
humanhash: wisconsin-zulu-emma-washington
File name:doc.20251115095-NJHF ELECTRONICA.pdf(56KB).com
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:660'992 bytes
First seen:2025-11-25 00:49:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:pWZ0Lpr9YtQZZzdCJvkx4uDsBVzlaDSNd7GPbv1b9iTQgm2CayWnlRR7:9dZZzdCJvkYzllNkPbdb9tV2CUl
Threatray 57 similar samples on MalwareBazaar
TLSH T136E4AD2823E85A08F5FF5B39697415140BF1FC26DA32DA2E6E5650DE0EA5F80DD60733
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054.exe
Verdict:
Malicious activity
Analysis date:
2025-11-24 20:05:12 UTC
Tags:
netreactor loader
Link:
https://app.any.run/tasks/961aadc1-fde6-46f8-8149-1cd45dad75ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41398/
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6924ba77587b4206e7f28f44
Tags:
micro virus remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Restart of the analyzed sample
Creating a file
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt masquerade obfuscated obfuscated packed unsafe vbnet
Link:
https://www.filescan.io/uploads/6924fd561b3279b9ed0cc0a3/reports/0d4588d9-7ebf-4df6-9e77-088e70f37d24/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-24T14:36:00Z UTC
Last seen:
2025-11-26T19:27:00Z UTC
Hits:
~10000
Detections:
Trojan.APosT.UDP.C&C PDM:Exploit.Win32.Generic HEUR:Trojan.MSIL.APosT.gen Trojan.MSIL.Inject.sb Trojan.MSIL.Inject.c VHO:Trojan.MSIL.Crypt.gen Trojan-Downloader.Win32.PsDownload.sb PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C Trojan.MSIL.Inject.b HackTool.ReconScan.TCP.ServerRequest
Link:
https://opentip.kaspersky.com/326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054/results?tab=lookup
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2d28668b-07a2-4b12-af7e-0874e961afd1
Result
Threat name:
DarkCloud, DarkTortilla, Quasar, Remcos,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1820236
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office process drops PE file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Notepad Making Network Connection
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected DarkTortilla Crypter
Yara detected Powershell download and execute
Yara detected Quasar RAT
Yara detected Remcos RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1820236 Sample: doc.20251115095-NJHF ELECTR... Startdate: 25/11/2025 Architecture: WINDOWS Score: 100 101 rency.ydns.eu 2->101 103 code1.ydns.eu 2->103 105 5 other IPs or domains 2->105 127 Suricata IDS alerts for network traffic 2->127 129 Found malware configuration 2->129 131 Malicious sample detected (through community Yara rule) 2->131 133 27 other signatures 2->133 14 doc.20251115095-NJHF ELECTRONICA.pdf(56KB).com.exe 3 2->14         started        18 fishwife.exe 2->18         started        20 Notepadbook.exe 2->20         started        22 2 other processes 2->22 signatures3 process4 file5 99 doc.20251115095-NJ...f(56KB).com.exe.log, ASCII 14->99 dropped 169 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->169 171 Injects a PE file into a foreign processes 14->171 24 doc.20251115095-NJHF ELECTRONICA.pdf(56KB).com.exe 1 14->24         started        173 Multi AV Scanner detection for dropped file 18->173 27 fishwife.exe 18->27         started        29 Notepadbook.exe 20->29         started        31 System.exe 22->31         started        33 System.exe 22->33         started        signatures6 process7 signatures8 139 Encrypted powershell cmdline option found 24->139 35 powershell.exe 15 20 24->35         started        process9 dnsIp10 107 igw.myfirewall.org 91.92.242.93, 49720, 49721, 80 THEZONEBG Bulgaria 35->107 91 C:\Users\user\AppData\Roaming\WORDS.exe, PE32 35->91 dropped 93 C:\Users\user\AppData\...\POWERPOINT.exe, PE32 35->93 dropped 95 C:\Users\user\AppData\Roaming95OTEPAD.exe, PE32 35->95 dropped 97 C:\Users\user\AppData\RoamingXCEL.exe, PE32 35->97 dropped 135 Potential dropper URLs found in powershell memory 35->135 137 Powershell drops PE file 35->137 40 POWERPOINT.exe 3 35->40         started        43 WORDS.exe 3 35->43         started        45 NOTEPAD.exe 3 35->45         started        47 2 other processes 35->47 file11 signatures12 process13 signatures14 141 Multi AV Scanner detection for dropped file 40->141 143 Hides that the sample has been downloaded from the Internet (zone.identifier) 40->143 145 Injects a PE file into a foreign processes 40->145 147 Unusual module load detection (module proxying) 40->147 49 POWERPOINT.exe 40->49         started        149 Uses schtasks.exe or at.exe to add and modify task schedules 43->149 53 WORDS.exe 43->53         started        55 NOTEPAD.exe 45->55         started        151 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 47->151 153 Office process drops PE file 47->153 58 EXCEL.exe 47->58         started        process15 dnsIp16 81 C:\Users\user\AppData\Roaming\...\System.exe, PE32 49->81 dropped 83 C:\Users\user\AppData\Local\...\install.vbs, data 49->83 dropped 115 Creates multiple autostart registry keys 49->115 60 wscript.exe 49->60         started        85 C:\Users\user\AppData\...85otepadbook.exe, PE32 53->85 dropped 117 Hides that the sample has been downloaded from the Internet (zone.identifier) 53->117 63 Notepadbook.exe 53->63         started        65 schtasks.exe 53->65         started        109 showip.net 162.55.60.2, 49723, 80 ACPCA United States 55->109 87 C:\Users\user\AppData\...\fishwife.exe, PE32 55->87 dropped 119 System process connects to network (likely due to code injection or exploit) 55->119 121 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 55->121 123 Tries to steal Mail credentials (via file / registry access) 55->123 125 Tries to harvest and steal browser information (history, passwords, etc) 55->125 111 code1.ydns.eu 128.0.1.9, 59013 M247GB Romania 58->111 113 twart.myfirewall.org 91.92.241.145, 2404, 49726, 49727 THEZONEBG Bulgaria 58->113 89 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 58->89 dropped file17 signatures18 process19 signatures20 159 Windows Scripting host queries suspicious COM object (likely to drop second stage) 60->159 67 cmd.exe 60->67         started        161 Multi AV Scanner detection for dropped file 63->161 163 Hides that the sample has been downloaded from the Internet (zone.identifier) 63->163 165 Injects a PE file into a foreign processes 63->165 69 Notepadbook.exe 63->69         started        71 conhost.exe 65->71         started        process21 process22 73 System.exe 67->73         started        76 conhost.exe 67->76         started        signatures23 155 Hides that the sample has been downloaded from the Internet (zone.identifier) 73->155 157 Injects a PE file into a foreign processes 73->157 78 System.exe 73->78         started        process24 signatures25 167 Installs a global keyboard hook 78->167
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/f045f14774538a2c0685deab324116d4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054/
Verdict:
Malicious
Threat:
Family.QUASAR
Link:
https://tip.neiki.dev/file/326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-11-24 18:29:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gjvq5mwn2a5dvmr5qn3ueitwsjc3fo7grg5cfblcop2puem3gbka._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
Similar samples:
58c5dfa4020903964d305f0bd6caee651f3e29bc311f5191378641a66eaba4de
DarkTortilla
7eb16b0b45dab6d07f6b00b20923751acc5313db25c978ee5f5c42317479af3b
DarkTortilla
cb29310b5e68fa5f5c4aab781924807aea4f10e1d40164892cbf8651abf7bfd7
DarkTortilla
dbb01cca36d9593010e54589aca147accf107a297d9863773b58f45ca8e1ec20
DarkTortilla
+ 47 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:quasar family:remcos family:xworm botnet:exec botnet:spain2 collection defense_evasion discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251125-a669wsep5s/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Obfuscated Files or Information: Command Obfuscation
.NET Reactor proctector
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Downloads MZ/PE file
Detect Xworm Payload
Quasar RAT
Quasar family
Quasar payload
Remcos
Remcos family
Xworm
Xworm family
Malware Config
C2 Extraction:
rency.ydns.eu:59013
wqo9.firewall-gateway.de:59013
code1.ydns.eu:59013
rency.ydns.eu:2404
wqo9.firewall-gateway.de:4045
code1.ydns.eu:9302
twart.myfirewall.org:9792
rency.ydns.eu:5287
wqo9.firewall-gateway.de:8841
code1.ydns.eu:5287
wqo9.firewall-gateway.de:9792
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e6234989-b6de-4c49-ae4e-c5bb759de3ca
Unpacked files
SH256 hash:
326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054
MD5 hash:
f045f14774538a2c0685deab324116d4
SHA1 hash:
4584c353187b691886181004a298d27f7cd2fd48
Link:
https://www.unpac.me/results/4dc2c26c-e4f4-4cc1-ade3-16a0138af5d1/
SH256 hash:
7d1cc6c6774669872f14a75de73e3e785ef6d063a0c4c817d147e2078d77a61a
MD5 hash:
8445f7f856e34e9303600d717579a6c6
SHA1 hash:
28a54b1d1f14812e3c5fe68cf779c9117c098091
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/4dc2c26c-e4f4-4cc1-ade3-16a0138af5d1/
Parent samples :
3cf22298d51538e4c37de996647c085369b9760381ee876225897ea56ca049b9
326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054
c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb
e344fe526e15e7a798d965e12fa66bbae99c620e2bac85cea2cf39da91e1c2a9
cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073
f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c
SH256 hash:
70b91717938eb88deebc96929dde2c02527d62b0fc4aaa0e53e07deeb6f59cf5
MD5 hash:
00029a998e895a7c1a93b8119362c508
SHA1 hash:
5d268d619b7eed0b2cbbfe0d6e534d24454b8d02
Link:
https://www.unpac.me/results/4dc2c26c-e4f4-4cc1-ade3-16a0138af5d1/
SH256 hash:
222b04688d1e2030192b188f099ecfd52bd7af6b986ac93e141a80f2766da879
MD5 hash:
c71e17acab65a4dd054c78c0481c7674
SHA1 hash:
63b0d563f15ab5b92c337ef37d741004623d0f62
Link:
https://www.unpac.me/results/4dc2c26c-e4f4-4cc1-ade3-16a0138af5d1/
SH256 hash:
2673d470353413edfb567ff7479395dc52824db6469520ebe8d91dbca2bccac2
MD5 hash:
e5be1fdba36d5032726313afe4c7dd63
SHA1 hash:
c65ebe77906cec3bcb5e805a327f1aa823be57ca
Link:
https://www.unpac.me/results/4dc2c26c-e4f4-4cc1-ade3-16a0138af5d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkTortilla

Executable exe 326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/41398/

Comments