MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 425bdcae8624fd13ca4d75eeb557e781bb96d329856d5d5dca13b619756950de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkTortilla

Vendor detections: 18

Intelligence 18 IOCs YARA 4 File information Comments

SHA256 hash:	425bdcae8624fd13ca4d75eeb557e781bb96d329856d5d5dca13b619756950de
SHA3-384 hash:	73d41128dddf92d8ecb296eaad0a73a11888779e7ba494833560024f3119abf7291cf5b6dfb9182a90de5b115cddc49d
SHA1 hash:	c99d22d9d6fb3fd4f02e286fdb25115f37833150
MD5 hash:	ced3a2114df1ff503e14cbc0a2eacb13
humanhash:	coffee-neptune-enemy-two
File name:	425bdcae8624fd13ca4d75eeb557e781bb96d329856d5d5dca13b619756950de
Download:	download sample
Signature	DarkTortilla Create hunting rule
File size:	1'119'232 bytes
First seen:	2025-10-14 14:48:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'859 x AgentTesla, 19'786 x Formbook, 12'305 x SnakeKeylogger)
ssdeep	12288:bQqZBJ5nnpLBBJyMGQYMdH6oxpRAWFo6OBmBaWh2MUNoZVr6crHO2LQweMLA/YVj:bQYyMXYoa0boF+5ZhpIyCv9QT
Threatray	848 similar samples on MalwareBazaar
TLSH	T18F35B6342AEAA109F17BBF745BE074969ABFBEA33F03905D145423C64723940DEE153A
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	23-95-62-27 DarkTortilla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

425bdcae8624fd13ca4d75eeb557e781bb96d329856d5d5dca13b619756950de

Verdict:

Suspicious activity

Analysis date:

2025-10-14 14:55:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2852bf9b-f75c-44cf-9305-afb2a23a6574

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/32750/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ee62dc97a16d00a8d9e42f

Tags:

virus shell msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Running batch commands

Launching a process

Creating a file

Creating a file in the %AppData% directory

Creating a process from a recently created file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger lolbin obfuscated obfuscated obfuscated remote snake vbnet

Link:

https://www.filescan.io/uploads/68ee63184f3013c55e4d7df3/reports/917b2f1f-3637-4735-ad79-372d359c2d53/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/425bdcae8624fd13ca4d75eeb557e781bb96d329856d5d5dca13b619756950de

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-01T07:36:00Z UTC

Last seen:

2025-10-14T12:26:00Z UTC

Hits:

~100

Detections:

PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.BPLogger.gen

Link:

https://opentip.kaspersky.com/425bdcae8624fd13ca4d75eeb557e781bb96d329856d5d5dca13b619756950de/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/1112a1d5-9913-43eb-bb48-984469aa12be

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/425bdcae8624fd13ca4d75eeb557e781bb96d329856d5d5dca13b619756950de

Verdict:

inconclusive

YARA:

11 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.45 Win 32 Exe x86

Link:

https://app.malva.re/file/ced3a2114df1ff503e14cbc0a2eacb13

Detection:

avemaria

Link:

https://mwdb.cert.pl/sample/425bdcae8624fd13ca4d75eeb557e781bb96d329856d5d5dca13b619756950de/

Verdict:

Malicious

Threat:

Family.DARKTORTILLA

Link:

https://tip.neiki.dev/file/425bdcae8624fd13ca4d75eeb557e781bb96d329856d5d5dca13b619756950de

Threat name:

Win32.Backdoor.Warzone

Status:

Malicious

First seen:

2025-08-01 13:20:50 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 36 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ijn5zluget6rhssnoxxlkv7hqg5znuzjqvwv2xokco3bs5ljkdpa._file

Verdict:

malicious

Label(s):

avemaria

DarkTortilla

4c0f9f12462d7e4296e0d590eb153f39bf83795c4ca805924b9d690cfb51fead

DarkTortilla

4c3b6893fa601ddbd5c625e1841582c57bc4a1273993c43472d9a9b45b218c19

DarkTortilla

5b91df85affd5ae567a565e3dca83bc8a014acddcf7bd743782b7b6cb2f93754

DarkTortilla

74e572bc38bba5ae10cb950fb8002199c50479a1e7ad3e5f7f8b8507eb506c8d

DarkTortilla

90c579c57ac202ad7230581299a82c3aba896fc61673efdb0e64fbd719a237f8

DarkTortilla

98f2b2581ee9388560dbedfbea2822f51ff98db2a7d180dc170326a755c8bffd

DarkTortilla

ca434fc22c9d646c7553432c66382e194c4eaeb09ee1015244eae33f176f1ca0

DarkTortilla

error

DarkTortilla

+ 838 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:darktortilla family:warzonerat crypter discovery infostealer loader persistence rat

Link:

https://tria.ge/reports/251014-r69hpahs2f/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Warzone RAT payload

Darktortilla

Darktortilla family

Detects Darktortilla crypter.

WarzoneRat, AveMaria

Warzonerat family

Malware Config

C2 Extraction:

23.95.62.27:5050

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0b490865-df8f-4840-bb84-c00be270dddc

Unpacked files

SH256 hash:

425bdcae8624fd13ca4d75eeb557e781bb96d329856d5d5dca13b619756950de

MD5 hash:

ced3a2114df1ff503e14cbc0a2eacb13

SHA1 hash:

c99d22d9d6fb3fd4f02e286fdb25115f37833150

Link:

https://www.unpac.me/results/2f0a05db-a96e-495f-a593-fd471cf1763c/

SH256 hash:

cc84d00146e74fdb25e4981e44565564d3a8d326a8bba0bb5d0083bd918e15ac

MD5 hash:

3471b38c7f0af0a8fe69b99cd13e3bb2

SHA1 hash:

040a96c1a80aae94154834a544e3b64a234f5fb0

Link:

https://www.unpac.me/results/2f0a05db-a96e-495f-a593-fd471cf1763c/

SH256 hash:

f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36

MD5 hash:

6c72218c48cd68cbcb654675053a0abb

SHA1 hash:

12207fa32070f99683648d87b44410e5d3cdf2de

Link:

https://www.unpac.me/results/2f0a05db-a96e-495f-a593-fd471cf1763c/

SH256 hash:

477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52

MD5 hash:

16a9ddc4b32981114fe4f069a4353105

SHA1 hash:

bf73849f57c150f9e2199c61427f631be2dfa595

Link:

https://www.unpac.me/results/2f0a05db-a96e-495f-a593-fd471cf1763c/

SH256 hash:

b93bebd7f42919ccf2f07d84da350fd77d111485ed44391cbca6af70b50036bf

MD5 hash:

f78e095892191a48f2848f8372f65a87

SHA1 hash:

0fbad02a10028e049498ba8b11f49ac82c4214ae

Link:

https://www.unpac.me/results/2f0a05db-a96e-495f-a593-fd471cf1763c/

SH256 hash:

f55ca5741d27cb3afeafab713e5b7a774b09564c5eab8a8f7ba7a163dde03efd

MD5 hash:

0cf8f0d2b27b39862abdc2d13a915da0

SHA1 hash:

5bdd5759bc35c2b6526553993d0826ae990e4062

Detections:

win_ave_maria_g0

win_ave_maria_auto

Warzone

potential_termserv_dll_replacement

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM

MALWARE_Win_AveMaria

MALWARE_Win_WarzoneRAT

Link:

https://www.unpac.me/results/2f0a05db-a96e-495f-a593-fd471cf1763c/

Parent samples :

f55ca5741d27cb3afeafab713e5b7a774b09564c5eab8a8f7ba7a163dde03efd
425bdcae8624fd13ca4d75eeb557e781bb96d329856d5d5dca13b619756950de

SH256 hash:

da4cb91d96214c7134a9e8799fdf241bd6b8103eecd4efb1b8c228ca3c8e7e91

MD5 hash:

9a06e083cd0531927dcd616b9b601ffa

SHA1 hash:

9584f7e1c8ab7be5900762abcaedf20cb92e4ae7

Link:

https://www.unpac.me/results/2f0a05db-a96e-495f-a593-fd471cf1763c/

SH256 hash:

2cb5b8fbcd0994c8371837858c1f6dfe8e0de017e86437c7aee38d710209f10a

MD5 hash:

4f5880d558000b383fbb6efb21100997

SHA1 hash:

d2ceb9140d797b0f4db46a0a02c274e4fe89f349

Link:

https://www.unpac.me/results/2f0a05db-a96e-495f-a593-fd471cf1763c/

Malware family:

Warzone

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/425bdcae8624/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/425bdcae8624fd13ca4d75eeb557e781bb96d329856d5d5dca13b619756950de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/32750/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample