MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 343ea56746b6f08c7eccbfbb9fe1a544952a9a933140c677179f4f8c7bb60b81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 343ea56746b6f08c7eccbfbb9fe1a544952a9a933140c677179f4f8c7bb60b81
SHA3-384 hash: 46f7ddf6d8aeade3453fce8369efe404eeb392cb93ca4b78a9de189c47f5603af76e6307991275584b00b6ba85a05ef1
SHA1 hash: 6f6914770748ad148154e1576d9c6fe6887f2290
MD5 hash: f5b93d3369d1ae23d6e150e75d2b6a80
humanhash: fillet-cold-lamp-aspen
File name:file
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:964'096 bytes
First seen:2024-08-09 08:46:55 UTC
Last seen:2025-03-05 08:29:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:pX8RkdnkRZOwECM98hfcunLIYCx28xur5GbYkpMalQBEnxSSraaoKZ2A:SRPRAqM98qCRCxnx7YpauBML
Threatray 146 similar samples on MalwareBazaar
TLSH T19C25120FADCB40F6C18B8B36C7B0159887B563B73171B3B646C822E09D726EF554A4E6
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter Bitsight
Tags:185-215-113-209 DarkTortilla exe


Avatar
Bitsight
url: http://185.215.113.16/inc/armadegon.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
396
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
https://shurll.com/2sHSc8
Verdict:
Malicious activity
Analysis date:
2024-08-09 01:40:14 UTC
Tags:
evasion privateloader stealer discord loader risepro stealc amadey botnet python metastealer mpress miner darktortilla vidar themida
Link:
https://app.any.run/tasks/25cd36e8-3d85-4e43-bef2-d9d1ce244fdb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.26827.29836.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b5d788b35234d5cc65c000
Tags:
Generic Stealth Trojan Heur
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated vbnet
Link:
https://www.filescan.io/uploads/66b5d78e9d37dfa04d268124/reports/eba6f48b-f9ec-4e7e-a1b5-f09257c754e4/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/343ea56746b6f08c7eccbfbb9fe1a544952a9a933140c677179f4f8c7bb60b81
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ea990543-6da7-41f2-80fa-4137ec6648aa
Result
Threat name:
Amadey, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1490494
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Yara detected Amadey
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1490494 Sample: file.exe Startdate: 09/08/2024 Architecture: WINDOWS Score: 100 44 api.garageserviceoperation.com 2->44 46 Found malware configuration 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected Amadey 2->50 52 8 other signatures 2->52 9 file.exe 3 2->9         started        13 ednfosi.exe 2 2->13         started        15 ednfosi.exe 2 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 40 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 9->40 dropped 54 Contains functionality to inject code into remote processes 9->54 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->56 58 Injects a PE file into a foreign processes 9->58 19 file.exe 5 9->19         started        22 ednfosi.exe 13->22         started        24 ednfosi.exe 15->24         started        26 ednfosi.exe 17->26         started        28 ednfosi.exe 17->28         started        signatures6 process7 file8 36 C:\Users\user\AppData\Local\...\ednfosi.exe, PE32 19->36 dropped 38 C:\Users\user\...\ednfosi.exe:Zone.Identifier, ASCII 19->38 dropped 30 ednfosi.exe 3 19->30         started        process9 signatures10 60 Multi AV Scanner detection for dropped file 30->60 62 Machine Learning detection for dropped file 30->62 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->64 66 Injects a PE file into a foreign processes 30->66 33 ednfosi.exe 12 30->33         started        process11 dnsIp12 42 api.garageserviceoperation.com 185.208.158.115, 49717, 49718, 49719 SIMPLECARRER2IT Switzerland 33->42
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/343ea56746b6f08c7eccbfbb9fe1a544952a9a933140c677179f4f8c7bb60b81
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/343ea56746b6f08c7eccbfbb9fe1a544952a9a933140c677179f4f8c7bb60b81/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-08-09 04:54:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gq7kkz2gw3yiy7wmx65z7ynfisksvgutgfamm5yxt5hyy65wboaq._file
Verdict:
malicious
Similar samples:
1526d5952d7956238a435ebb8737abdd40736309ffd533cdd21105ae9fd1ceef
DarkTortilla
343ea56746b6f08c7eccbfbb9fe1a544952a9a933140c677179f4f8c7bb60b81
DarkTortilla
3bb992b1519a83ed99725ee87607f874c7554303b9979f5e91651a1f3788e91b
DarkTortilla
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77
DarkTortilla
a67f6fa1fa32b492f08ae46e187a143d8b107863df119cdb0759b39446827a68
DarkTortilla
b1d5b1e480a5731caacc65609eaf069622f1129965819079aa09bc9d96dadde5
DarkTortilla
ea777a734ec0ae9add5cd13a2b7a4377e2338126bc0ab1689ebd9b4da11e615f
DarkTortilla
+ 136 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline family:stealc botnet:2da029 botnet:default botnet:fed3aa botnet:livetraffic credential_access defense_evasion discovery evasion execution infostealer spyware stealer trojan
Link:
https://tria.ge/reports/240809-k5dw3ayfpn/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Indirect Command Execution
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
RedLine
RedLine payload
Stealc
Malware Config
C2 Extraction:
http://api.garageserviceoperation.com
http://185.215.113.16
185.215.113.67:21405
http://185.215.113.17
20.52.165.210:39030
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bc2e21ec-c230-4b9d-b4cd-0f32f6e9a3c2
Unpacked files
SH256 hash:
56aaa2b9e53d69dd75c8d1247220d8ea97b1b7705796b2e2ddff34c7eea8adee
MD5 hash:
50f28d178452b2db4e1f466904e55c78
SHA1 hash:
d9a3246a570715d756a6c653b6818afb99ae39ec
Link:
https://www.unpac.me/results/d06db8e6-b5ba-4a70-a1ab-c3de0e680853/
SH256 hash:
0781f74db6c9ff7aa0c1e76dd0ebc4a9575fba6caca9aac9fb0131c5a73c84be
MD5 hash:
2c064163cda2f093cf6d20302481dff7
SHA1 hash:
cf948b10d999c369ef51972f86278a4f536d400d
Link:
https://www.unpac.me/results/d06db8e6-b5ba-4a70-a1ab-c3de0e680853/
SH256 hash:
2db82e9b91b1ccb1957b4e06ec49bfb0096e973213fc1786de1bbe3162f5df5a
MD5 hash:
27dea42a70bd7e948f1171ce873878a1
SHA1 hash:
b87051d51479c093cdf3e721acea4fd8b940b1e5
Link:
https://www.unpac.me/results/d06db8e6-b5ba-4a70-a1ab-c3de0e680853/
SH256 hash:
bdffc671d5d8bd4aa077bb205cd6adc906dfc9d044616b7de7d8cb77bd1e9590
MD5 hash:
0aefa458447fc76e7b5883574c7c151b
SHA1 hash:
6df9787ae33bd9e8e3d8d76386fde151e49d54a0
Detections:
win_amadey_auto
Create hunting rule
win_amadey
Create hunting rule
Link:
https://www.unpac.me/results/d06db8e6-b5ba-4a70-a1ab-c3de0e680853/
SH256 hash:
343ea56746b6f08c7eccbfbb9fe1a544952a9a933140c677179f4f8c7bb60b81
MD5 hash:
f5b93d3369d1ae23d6e150e75d2b6a80
SHA1 hash:
6f6914770748ad148154e1576d9c6fe6887f2290
Link:
https://www.unpac.me/results/d06db8e6-b5ba-4a70-a1ab-c3de0e680853/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/343ea56746b6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/343ea56746b6f08c7eccbfbb9fe1a544952a9a933140c677179f4f8c7bb60b81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkTortilla

Executable exe 343ea56746b6f08c7eccbfbb9fe1a544952a9a933140c677179f4f8c7bb60b81

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3097297/
  
URLhaus
https://urlhaus.abuse.ch/url/3097301/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments