MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39870c2eddf623cc813c0dc103b567a171bae82ba12c39772ca7064cd134b895. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39870c2eddf623cc813c0dc103b567a171bae82ba12c39772ca7064cd134b895
SHA3-384 hash: 1e4110333b4646bb0446108e3d334a8f5d7c1c78fd8f2a12cb8ebc0c3c603cda09197d2d8b223c5e32f60d067064ba28
SHA1 hash: 19e2d487d28d6c8b2f1c01e7950fa028e1864f1e
MD5 hash: 3e1addce70b29934018089965733a491
humanhash: hamper-alabama-snake-arkansas
File name:3e1addce70b29934018089965733a491
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:552'448 bytes
First seen:2023-09-02 02:00:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbUNaKgb5Og8y2FVfMui8c:U2G/nvxW3Ww0tUsKg0pFzij
Threatray 2'571 similar samples on MalwareBazaar
TLSH T16EC4E101BEC195B2D6711D325A29AB20283D7D301F24DFDF63E45A6E9A311C0EB35BA7
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter zbetcheckin
Tags:32 DarkTortilla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
350
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3e1addce70b29934018089965733a491
Verdict:
Malicious activity
Analysis date:
2023-09-02 02:03:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0731417f-cafe-46d1-b0b6-1571344a111f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445721/
Detection(s):
SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lolbin lolbin netsh overlay packed packed powershell replace setupapi shdocvw shell32 wscript
Link:
https://www.filescan.io/uploads/64f2975f4578d9c35eff29c9/reports/50c32b23-9762-4711-9c1f-a6b9660332a7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/39870c2eddf623cc813c0dc103b567a171bae82ba12c39772ca7064cd134b895
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/285263a3-d9a3-4b92-b6eb-89fc393a25e9
Result
Threat name:
DarkTortilla, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1302017
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops PE files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1302017 Sample: 07Jbs6nzVb.exe Startdate: 02/09/2023 Architecture: WINDOWS Score: 100 96 Snort IDS alert for network traffic 2->96 98 Found malware configuration 2->98 100 Malicious sample detected (through community Yara rule) 2->100 102 9 other signatures 2->102 11 07Jbs6nzVb.exe 12 2->11         started        15 Tel.exe 2->15         started        process3 dnsIp4 70 C:\Users\user\AppData\Local\Temp\U&U.exe, PE32 11->70 dropped 72 C:\Users\user\AppData\Local\Temp\UuU.bat, DOS 11->72 dropped 136 Uses cmd line tools excessively to alter registry or file data 11->136 18 cmd.exe 3 2 11->18         started        21 reg.exe 11->21         started        23 conhost.exe 11->23         started        84 www.logpasta.com 15->84 86 logpasta.com 15->86 138 Writes to foreign memory regions 15->138 140 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->140 142 Injects a PE file into a foreign processes 15->142 25 InstallUtil.exe 15->25         started        file5 signatures6 process7 signatures8 104 Suspicious powershell command line found 18->104 106 Wscript starts Powershell (via cmd or directly) 18->106 108 Uses cmd line tools excessively to alter registry or file data 18->108 110 Adds a directory exclusion to Windows Defender 18->110 27 wscript.exe 1 18->27         started        30 conhost.exe 18->30         started        112 Creates an undocumented autostart registry key 21->112 114 Tries to harvest and steal browser information (history, passwords, etc) 25->114 116 Tries to steal Crypto Currency Wallets 25->116 process9 signatures10 132 Wscript starts Powershell (via cmd or directly) 27->132 134 Windows Scripting host queries suspicious COM object (likely to drop second stage) 27->134 32 cmd.exe 1 27->32         started        process11 signatures12 88 Suspicious powershell command line found 32->88 90 Wscript starts Powershell (via cmd or directly) 32->90 92 Uses cmd line tools excessively to alter registry or file data 32->92 94 Adds a directory exclusion to Windows Defender 32->94 35 U&U.exe 32->35         started        40 powershell.exe 7 32->40         started        42 powershell.exe 18 32->42         started        44 4 other processes 32->44 process13 dnsIp14 74 logpasta.com 188.166.57.133, 443, 49702, 49717 DIGITALOCEAN-ASNUS Netherlands 35->74 76 www.logpasta.com 35->76 68 C:\Users\user\AppData\Roaming\...\Tel.exe, PE32 35->68 dropped 118 Multi AV Scanner detection for dropped file 35->118 120 Drops PE files to the startup folder 35->120 122 Hides that the sample has been downloaded from the Internet (zone.identifier) 35->122 46 Tel.exe 35->46         started        50 cmd.exe 35->50         started        124 Uses cmd line tools excessively to alter registry or file data 40->124 126 Uses netsh to modify the Windows network and firewall settings 40->126 128 Modifies the windows firewall 40->128 130 Found many strings related to Crypto-Wallets (likely being stolen) 42->130 52 cmd.exe 1 42->52         started        54 cmd.exe 42->54         started        56 netsh.exe 3 42->56         started        58 2 other processes 42->58 file15 signatures16 process17 dnsIp18 80 www.logpasta.com 46->80 82 logpasta.com 46->82 152 Writes to foreign memory regions 46->152 154 Hides that the sample has been downloaded from the Internet (zone.identifier) 46->154 156 Injects a PE file into a foreign processes 46->156 60 InstallUtil.exe 46->60         started        158 Uses cmd line tools excessively to alter registry or file data 50->158 64 WMIC.exe 1 52->64         started        66 WMIC.exe 54->66         started        signatures19 process20 dnsIp21 78 80.92.205.102, 11542, 49743, 49744 HELIOSNET-ASRU Russian Federation 60->78 144 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 60->144 146 Found many strings related to Crypto-Wallets (likely being stolen) 60->146 148 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 60->148 150 Tries to steal Crypto Currency Wallets 60->150 signatures22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39870c2eddf623cc813c0dc103b567a171bae82ba12c39772ca7064cd134b895/
Threat name:
Win32.Trojan.Rasftuby
Create hunting rule
Status:
Malicious
First seen:
2023-08-30 19:57:38 UTC
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hgdqylw56yr4zaj4bxaqhnlhufy3v2bluewds5zmu4dezujuxckq._file
Verdict:
malicious
Similar samples:
23ee526e580c811c5c75fbec313bc74b601952acaa0bd80b3771021b44545205
DarkTortilla
2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b
DarkTortilla
59e478ee01656fef4ad1d331fd2f5c793a8e9b0052eb8251b551956a6ac85096
DarkTortilla
714c5eb4cd05c58cc1f3f3e542a74e5f34c6e563973ca88b849ff068a6fbd5c4
DarkTortilla
74e0489792824c57aadf42a39d8dcd098dd84635982cadd1bf60b4d0dcfabd64
DarkTortilla
8169cd35ac84069d5e1e101dc22a6e9cb2fcaffa0c357972ad5fbbd5c3d7c8e0
DarkTortilla
a1a3d07b7d2a764011affbede324e5f01590697e110a1c934d21c3627d3d1484
DarkTortilla
cd349d60bec07656d19b9c1c515ea91bf0b8479119efee85b695003e41016cb0
DarkTortilla
d7d04993065997840875f4a00e43a1eb2fd0b5dd84a0dd3497e6c967f87c4007
DarkTortilla
+ 2'561 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline botnet:vnesh evasion infostealer persistence spyware
Link:
https://tria.ge/reports/230902-cfjr1saf41/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Modifies WinLogon for persistence
RedLine
Malware Config
C2 Extraction:
80.92.205.102:11542
Unpacked files
SH256 hash:
39870c2eddf623cc813c0dc103b567a171bae82ba12c39772ca7064cd134b895
MD5 hash:
3e1addce70b29934018089965733a491
SHA1 hash:
19e2d487d28d6c8b2f1c01e7950fa028e1864f1e
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/b0a80b36-c866-44e3-ba9f-bab3ba5d7162/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/39870c2eddf6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39870c2eddf623cc813c0dc103b567a171bae82ba12c39772ca7064cd134b895

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:win_xorist_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xorist.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkTortilla

Executable exe 39870c2eddf623cc813c0dc103b567a171bae82ba12c39772ca7064cd134b895

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2708914/
Cape
Cape
https://www.capesandbox.com/analysis/445721/

Comments


Avatar
zbet commented on 2023-09-02 02:00:45 UTC

url : hxxp://193.233.255.9/lend/Clic.exe