MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51e3e006da49bddcdfaeceb3ada3b0401abc6e1536098caf85d3897a9e3e48e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: DarkTortilla
Vendor detections: 14

SHA256 hash: 51e3e006da49bddcdfaeceb3ada3b0401abc6e1536098caf85d3897a9e3e48e4
SHA3-384 hash: 4d76cbab8f470ce95f5fa5449e88cad7b520dbfe995983b406d0bee226c0c16ddb6aaf6841a7abeda0c8569bd41fc31d
SHA1 hash: 11758c6808e531b111b91997c67cb15a1e443032
MD5 hash: e63bc44fbf3dd02c91262e309fb4d0eb
humanhash: oranges-west-september-oven
File name: INV_POSON896.exe
Signature: DarkTortilla
File size: 1'026'048 bytes
First seen: 2026-07-02 12:03:51 UTC
Last seen: 2026-07-02 12:20:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (49'079 x AgentTesla, 20'051 x Formbook, 12'353 x SnakeKeylogger)
ssdeep: 12288:Bi1pq0ebB5kODVKaZuCgHebdfS+Rw5j1ypmr0WEErUPBO9l+mbA02:EjefksxDZsv1PrLEjPPmMl
TLSH: T12B25F1216E873B46C52E4BB4C121488863F0CA435357EB9F3FFC10E56EA2FE9D912596
TrID: 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
      4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: threatcat_ch
Tags: DarkTortilla exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 148
Origin country: CH

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: _51e3e006da49bddcdfaeceb3ada3b0401abc6e1536098caf85d3897a9e3e48e4.exe
Verdict: Malicious activity
Analysis date: 2026-07-02 12:08:17 UTC
Tags: netreactor

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a system process

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: formbook obfuscated obfuscated vbnet

Verdict: Malicious
File Type: exe x32
First seen: 2026-07-02T07:56:00Z UTC
Last seen: 2026-07-02T09:00:00Z UTC
Hits: ~100
Result
Threat name: PureCrypter, DarkTortilla, ResolverRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected MSIL Injector
Yara detected ResolverRAT
Behaviour
Verdict: inconclusive
YARA: 11 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.85 Win 32 Exe x86

Threat name: Win32.Trojan.Sonbokli
Status: Malicious
First seen: 2026-07-02 12:04:36 UTC
File Type: PE (.Net Exe)
Extracted files: 30
AV detection: 16 of 24 (66.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
.NET Reactor protector
Unpacked files

SHA256 hash: 51e3e006da49bddcdfaeceb3ada3b0401abc6e1536098caf85d3897a9e3e48e4
MD5 hash: e63bc44fbf3dd02c91262e309fb4d0eb
SHA1 hash: 11758c6808e531b111b91997c67cb15a1e443032

SHA256 hash: a61833673c20df4fdf93c39091fb162a14a21f629096e0e69e54ad97430a0d15
MD5 hash: 011b230b55c6289054e28c639b135e3c
SHA1 hash: 51a29da09f17b7c084b937b6a25d2be5fec1a427

SHA256 hash: 03aa779297ddd61cd4257b708b7e3f7647a3390dc1e20543843ef65f00387aec
MD5 hash: 96cc846d0cc71d47a13130b75e526b10
SHA1 hash: 82c345b7bb4c6207b77f13f189ce6f2f21c83918

SHA256 hash: b2a66e9864f81c2800a5afef4bfd1faf7c910e5a43ea2eb9dbb15c8ab6ffc633
MD5 hash: f0a13fb422cdb1f3ce667df897b5045b
SHA1 hash: 9b6566603e3a292482788924a83a1d94a9cd4627

SHA256 hash: d23b2d9f7ced2d68963549e761d9e9c1429edaa8b9731166bf327e7027d46fca
MD5 hash: e5a58448249eac04228becb34e1b9f10
SHA1 hash: acdd173e7748014a5de72fef722b176ef1917b2e

SHA256 hash: d3035b19288274b832c14fba8860b6fe7e57d98744281b0a6d4aeff8ca030ed9
MD5 hash: 1225230d88c7c943afbe5adee1124af1
SHA1 hash: be3d0e5dc07255a48f6c1e99da19bf0a7ac138b7

SHA256 hash: a309017db41f600fad4bc20032d71acc33dddde5606caf23576d2cfa4a7740bf
MD5 hash: 35519d4da7ddcc4d53d06a043f8824ce
SHA1 hash: d64aed63d381323d1e9d823495fc3a97c424613c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Signature: DarkTortilla
File: Executable exe 51e3e006da49bddcdfaeceb3ada3b0401abc6e1536098caf85d3897a9e3e48e4 (this sample)
Delivery method: Distributed via e-mail attachment

Comments