MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54a49d9771307f97f1cdcdb468e4a38adebe3f42678a3ad178feab614f2b5bee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkTortilla


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash: 54a49d9771307f97f1cdcdb468e4a38adebe3f42678a3ad178feab614f2b5bee
SHA3-384 hash: 7db585b882dba150e3906d13468d59e14cb635931c2698dc5fa0b923b0a4c9913613b0afdac319db5f4a7157a4ac3cd6
SHA1 hash: 9cc8f27638469624545219535b75351e93cbec2c
MD5 hash: a3d3d4bf23539d99f124c2afc6484ad6
humanhash: georgia-timing-bulldog-nitrogen
File name:Dolphin 06_Q88 V6 (Oil and Chemical)_02Jul2026.exe
Download: download sample
Signature DarkTortilla
File size:1'106'432 bytes
First seen:2026-07-13 06:06:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'116 x AgentTesla, 20'118 x Formbook, 12'357 x SnakeKeylogger)
ssdeep 24576:hNwUS2UxAPqGcv/+Duyx46QoDPHD/Sfn:hN7+qPRcvEFQoDP8
Threatray 29 similar samples on MalwareBazaar
TLSH T16D35F0259DCB5A14CB3D4A78C1A6189823F0D613C32BE76F3EF9A1F48F96B856D17042
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:DarkTortilla exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
195
Origin country :
CH CH
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Tags:
trojan micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Launching a process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated packed vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-07-13T02:29:00Z UTC
Last seen:
2026-07-15T04:38:00Z UTC
Hits:
~1000
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
DarkTortilla
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected MSIL Injector
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1941334 Sample: Dolphin 06_Q88 V6 (Oil and ... Startdate: 13/07/2026 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected MSIL Injector 2->42 44 Yara detected DarkTortilla Crypter 2->44 46 5 other signatures 2->46 7 Dolphin 06_Q88 V6 (Oil and Chemical)_02Jul2026.exe 3 2->7         started        process3 file4 32 Dolphin 06_Q88 V6 ...)_02Jul2026.exe.log, ASCII 7->32 dropped 10 cmd.exe 3 7->10         started        14 cmd.exe 1 7->14         started        process5 file6 34 C:\Users\user\AppData\Roaming\Pdf.exe, PE32 10->34 dropped 48 Uses ping.exe to sleep 10->48 16 Pdf.exe 2 10->16         started        19 conhost.exe 10->19         started        21 PING.EXE 1 10->21         started        23 PING.EXE 1 10->23         started        50 Uses ping.exe to check the status of other devices and networks 14->50 25 PING.EXE 1 14->25         started        28 conhost.exe 14->28         started        30 reg.exe 1 1 14->30         started        signatures7 process8 dnsIp9 38 Multi AV Scanner detection for dropped file 16->38 36 127.0.0.1 unknown unknown 25->36 signatures10
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Threat name:
Win32.Trojan.MsilHrcls
Status:
Malicious
First seen:
2026-07-13 05:26:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Adds Run key to start application
.NET Reactor proctector
Executes dropped EXE
Unpacked files
SH256 hash:
54a49d9771307f97f1cdcdb468e4a38adebe3f42678a3ad178feab614f2b5bee
MD5 hash:
a3d3d4bf23539d99f124c2afc6484ad6
SHA1 hash:
9cc8f27638469624545219535b75351e93cbec2c
SH256 hash:
0560dc3341dfec3c62eb46b34f35a49aadefcf32c998278d5a30217ef3a0ea9b
MD5 hash:
54cc82f466f7bf3e13d5cc2921758beb
SHA1 hash:
579fbd3c06299322c8d54f79473230b684b123d8
SH256 hash:
0a17fd43cedc74a89d2ba5078cfa9bc8fe1c8557f49ef1e3415d68b57aaa5b59
MD5 hash:
03fe84c8fd2f0af1e75acc8ca52c2f86
SHA1 hash:
b162f1706513fd595585acebbee54321e8773333
SH256 hash:
961b103dab92ad48cd2cee250f89a57e7b3dbf202bd68049e2419f69ed8b8fdf
MD5 hash:
54e8511cc2054599b82ddd519e37a3c0
SHA1 hash:
25784b502faf98c49e9002d3f5d3c3db9f17d7f8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkTortilla

Executable exe 54a49d9771307f97f1cdcdb468e4a38adebe3f42678a3ad178feab614f2b5bee

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments