MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56ba908c2c9804f2dbdf7efa846c376b6257715336bed8fdb9f8aa89ed46bfea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkTortilla

Vendor detections: 18



SHA256 hash: 56ba908c2c9804f2dbdf7efa846c376b6257715336bed8fdb9f8aa89ed46bfea
SHA3-384 hash: afe9b9387480e4810adeb08e98dcc25d09bc5714712786aef9c3ac4137d31aa612ea133915f422c387c00a34a90352b7
SHA1 hash: 72adef6c43aee8fc9240ee2c8fa9464a124a5fa0
MD5 hash: 10430f4d8fa49751d7886583a39a1945
humanhash: potato-don-robert-nineteen
File name: Transferencia 5307590002018489.pdf(85KB).exe
Signature DarkTortilla
File size: 646'656 bytes
First seen: 2025-10-15 12:38:25 UTC
Last seen: 2025-10-17 06:03:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:oaY03VXlyxjS/gpKEtnMt/5OGpo5hcFg6yoT3ni6:jF1icYGpoDcafs3n
TLSH T13DD45BE51EA43F51D17FFE354B76067067FFBC828E22CB89344726A66A2260588C07D7
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags: DarkTortilla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Transferencia 5307590002018489.pdf(85KB).exe
Verdict:
Malicious activity
Analysis date:
2025-10-15 12:41:15 UTC
Tags:
loader auto-startup evasion stealer telegram

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
shell spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Running batch commands
Launching a process
Creating a file
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-14T16:37:00Z UTC
Last seen:
2025-10-17T10:06:00Z UTC
Hits:
~1000
Detections:
PDM:Trojan.Win32.Generic PDM:Exploit.Win32.Generic Trojan.MSIL.Inject.b Trojan.MSIL.Crypt.sb VHO:Backdoor.Win32.Androm.gen Trojan.Win32.Mucc.sb Trojan.APosT.UDP.C&C HEUR:Trojan.MSIL.Crypt.gen Trojan.MSIL.Inject.c
Result
Threat name:
DarkCloud, DarkTortilla, Remcos, XWorm
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Process Parents
Suricata IDS alerts for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected DarkTortilla Crypter
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected Telegram RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Behavior Graph ID: 1795747; Sample: Transferencia 5307590002018489.pdf(85KB).exe; Startdate: 15/10/2025; Architecture: WINDOWS; Score: 100 (process-tree graph rendering omitted)
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.85 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Spyware.AsyncRAT
Status:
Malicious
First seen:
2025-10-14 22:11:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
26 of 38 (68.42%)
Threat level:
2/5
Result
Malware family:
Score:
10/10
Tags:
family:darkcloud family:darktortilla family:remcos family:xworm botnet:es xworm collection crypter defense_evasion discovery loader persistence rat spyware stealer trojan
Behaviour
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Downloads MZ/PE file
DarkCloud
Darkcloud family
Darktortilla
Darktortilla family
Detect Xworm Payload
Detects Darktortilla crypter.
Remcos
Remcos family
Xworm
Xworm family
Malware Config
C2 Extraction:
Unpacked files
Malware family:
DarkCloud
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.
Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
DarkTortilla
Executable exe 56ba908c2c9804f2dbdf7efa846c376b6257715336bed8fdb9f8aa89ed46bfea (this sample)

Delivery method: Distributed via e-mail attachment

Comments