MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 565391cd94982bdde52488c8fb064f56ab456e3093bc3c5e5de5f86379d35c47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkTortilla

Vendor detections: 18

SHA256 hash: 565391cd94982bdde52488c8fb064f56ab456e3093bc3c5e5de5f86379d35c47
SHA3-384 hash: 21755592ade808d3d6278c0c5bd320dc2043ba50e0b77860425458a208d0b8c691cf413e801f88b7e49e75c7e4ca14c3
SHA1 hash: 657a32d18c39ad8beea3042d4cd5dd366bb91f2f
MD5 hash: ce33b626852ee1a8dde6a664f21f98e8
humanhash: oklahoma-ink-yellow-montana
File name: ORDEN ALN 00956093400_de Adobe 06-oct.pdf (78KB).exe
Signature: DarkTortilla
File size: 528'384 bytes
First seen: 2025-10-06 14:47:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 6144:OJE0lHJ2LM03sCP2J6O0IkTstNIYgav6a3iVY09smjEl/bj7Ab9S5nJnF:CeMcLPIDZtNItbVY09djuj0MTnF
TLSH: T147B48D1623EC6B54F1BEAB39943010044BF5F953E732DA9E3E6558EE1861F80DE62723
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: threatcat_ch
Tags: DarkTortilla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 98
Origin country: CH
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ORDEN ALN 00956093400_de Adobe 06-oct.pdf (78KB).exe
Verdict: Malicious activity
Analysis date: 2025-10-06 14:48:16 UTC
Tags: susp-powershell httpdebugger tool

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 92.5%
Tags: infosteal emotet

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Creating a process with a hidden window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: base64 obfuscated obfuscated packed vbnet

Verdict: Malicious
File Type: exe x32
First seen: 2025-10-06T09:18:00Z UTC
Last seen: 2025-10-08T13:23:00Z UTC
Hits: ~1000
Result
Threat name: DarkTortilla, Remcos
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph (ID 1789876; Sample: ORDEN ALN 00956093400_de Ad...; Startdate: 06/10/2025; Architecture: WINDOWS; Score: 100)
Contacted hosts: cbzr-98pq1.ydns.eu, bmh-global.myfirewall.org
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures
Process tree (reconstructed from the graph; node numbers omitted):
  ORDEN ALN 00956093400_de Adobe 06-oct.pdf (78KB).exe
    dropped: ORDEN ALN 00956093....pdf (78KB).exe.log (ASCII)
    signatures: Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
    -> ORDEN ALN 00956093400_de Adobe 06-oct.pdf (78KB).exe
       signature: Encrypted powershell cmdline option found
       -> powershell.exe
          network: cbzr-98pq1.ydns.eu (178.16.52.243, ports 2404, 49692, 49694, DUSNET-AS DE Germany)
          dropped: C:\Users\user\AppData\Roaming\PDF.exe (PE32)
          signature: Powershell drops PE file
          -> PDF.exe
             signatures: Tries to delay execution (extensive OutputDebugStringW loop); Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
             -> PDF.exe (a second PDF.exe child is also started)
                dropped: C:\Users\user\AppData\Roaming\...\MS Host.exe (PE32); C:\Users\user\AppData\Local\...\install.vbs (data)
                -> wscript.exe
                   signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                   -> cmd.exe (with conhost.exe)
                      -> MS Host.exe
                         signatures: Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
                         -> MS Host.exe
                            signatures: Maps a DLL or memory area into another process; Installs a global keyboard hook
                            -> MS Host.exe
                               signature: Tries to harvest and steal browser information (history, passwords, etc)
          -> powershell.exe (with conhost.exe)
          -> conhost.exe
  MS Host.exe (three further top-level instances, each starting another MS Host.exe)
Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86

Threat name: ByteCode-MSIL.Downloader.Clipper
Status: Malicious
First seen: 2025-10-06 14:48:40 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 27 of 38 (71.05%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:darktortilla family:remcos botnet:c b r collection crypter defense_evasion discovery loader persistence rat spyware stealer
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Obfuscated Files or Information: Command Obfuscation
Accesses Microsoft Outlook accounts
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Badlisted process makes network request
Downloads MZ/PE file
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Darktortilla
Darktortilla family
Detects Darktortilla crypter.
Remcos
Remcos family
Malware Config
C2 Extraction:
cbzr-98pq1.ydns.eu:2404
wqo9.firewall-gateway.de:4045
code1.ydns.eu:9302
Unpacked files
SHA256 hash: 565391cd94982bdde52488c8fb064f56ab456e3093bc3c5e5de5f86379d35c47
MD5 hash: ce33b626852ee1a8dde6a664f21f98e8
SHA1 hash: 657a32d18c39ad8beea3042d4cd5dd366bb91f2f

SHA256 hash: a341c8b43658a80d65dda8520bfeb7886d86d78be5b4eaf47ec921fe3f5701b8
MD5 hash: 9f26991fd8e650b259d6d5beac3e9748
SHA1 hash: 55f68e3eafbbba9e0dc5ea413eb1b4f734d43204

SHA256 hash: 7e2b5be3fec94d474609067262853258c3c2bb9a7ae033d60f6d3334d0012aa8
MD5 hash: 3337bbb9fbe1a9abf01d58137c984855
SHA1 hash: 59d4ee86f0b6a652956d9afc6269ff2343715730
Detections: DotNetPSDownloader

SHA256 hash: 222b04688d1e2030192b188f099ecfd52bd7af6b986ac93e141a80f2766da879
MD5 hash: c71e17acab65a4dd054c78c0481c7674
SHA1 hash: 63b0d563f15ab5b92c337ef37d741004623d0f62

SHA256 hash: 2673d470353413edfb567ff7479395dc52824db6469520ebe8d91dbca2bccac2
MD5 hash: e5be1fdba36d5032726313afe4c7dd63
SHA1 hash: c65ebe77906cec3bcb5e805a327f1aa823be57ca
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  DarkTortilla
  Executable exe 565391cd94982bdde52488c8fb064f56ab456e3093bc3c5e5de5f86379d35c47 (this sample)
  Delivery method: Distributed via e-mail attachment

Comments