MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58942456d809ed11d64fc14cd7f9ad8e09568712381f12f2236c76b7f823649e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58942456d809ed11d64fc14cd7f9ad8e09568712381f12f2236c76b7f823649e
SHA3-384 hash: 05c77ec9aa71bf5c2d195a61bbe908991352343d3b19967e69c2b19261b0b43eafcdadccff6bc7781f0450abfd67c97c
SHA1 hash: ed08e93433e5709948e9033702a7554028cc0023
MD5 hash: 4ab187f202c9e79336d403fcdb48f5e2
humanhash: moon-bluebird-august-pip
File name:gdting.bin
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:1'406'880 bytes
First seen:2023-07-11 03:03:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:qqcxedW6h0SnB+DH0drInCPnx2pGmMi3XTF3nvHvfK:W3EBU03Pnx2pXMi3XTF3Pvf
Threatray 271 similar samples on MalwareBazaar
TLSH T13355026A9B16FEDCE93E51BA40761AC4B3F88E7468939BCD1FD679D049832484F4B1C0
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b030e0f4ecd4d4c8 (1 x DarkTortilla)
Reporter 1ZRR4H
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
384
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://80.66.75.37/gdting.exe
Verdict:
Malicious activity
Analysis date:
2023-04-17 18:51:16 UTC
Tags:
loader
Link:
https://app.any.run/tasks/7e47d154-2838-4b53-ac95-82a18a4b8b9f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/414840/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.61676221.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Creating a file
Running batch commands
Launching a process
Launching cmd.exe command interpreter
Adding an access-denied ACE
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated overlay packed
Link:
https://www.filescan.io/uploads/64acc6a26e9f7019de9f1424/reports/1c13348c-e0f3-461d-9209-0c4d3640e9b9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/58942456d809ed11d64fc14cd7f9ad8e09568712381f12f2236c76b7f823649e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d181b7f-ebd5-4131-a05b-9f9d22ca7535
Result
Threat name:
DarkTortilla, Targeted Ransomware
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1270486
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Deletes shadow drive data (may be related to ransomware)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected DarkTortilla Crypter
Yara detected RansomwareGeneric
Yara detected Targeted Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1270486 Sample: gdting.bin.exe Startdate: 11/07/2023 Architecture: WINDOWS Score: 100 35 Antivirus detection for URL or domain 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 7 other signatures 2->41 8 gdting.bin.exe 5 2->8         started        process3 file4 33 C:\Users\user\AppData\...\gdting.bin.exe.log, ASCII 8->33 dropped 43 Writes to foreign memory regions 8->43 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->45 47 Injects a PE file into a foreign processes 8->47 12 cmd.exe 1 8->12         started        signatures5 process6 signatures7 49 Uses cmd line tools excessively to alter registry or file data 12->49 15 cacls.exe 1 12->15         started        17 cmd.exe 12->17         started        19 cmd.exe 12->19         started        21 69 other processes 12->21 process8 process9 23 Conhost.exe 15->23         started        25 Conhost.exe 17->25         started        27 Conhost.exe 19->27         started        29 Conhost.exe 21->29         started        31 Conhost.exe 21->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/58942456d809ed11d64fc14cd7f9ad8e09568712381f12f2236c76b7f823649e/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-04-17 20:57:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lckcivwybhwrdvspyfgnp6nnryevnbyshaprf4rdnr3lp6bdmspa._file
Verdict:
malicious
Similar samples:
1ee69c42df83049fca14e2560bacb7fef8e412f7da3cf2215c83e668b5673c4d
DarkTortilla
54b99d0a1903e907377aec6205c7bd6ecdd25312ad7d22756baee4e63281c6fd
DarkTortilla
75ae798473d4f1a4025f1a07e44fa307a0a317903a42b7e93a9a63b543efa255
DarkTortilla
7897cbf57b2a25446cedc1995c9950478a2c371c99ef87a0c82c7544742925f8
DarkTortilla
82e31b9bef8bdc34385c82db1239f570fccdb0b96a8f1ae0dcd4fa7abcc9ca25
DarkTortilla
a5283903f3dd9892458c6a2bf867b807275d96d15f760fd30f962aa6f8cd7b1b
DarkTortilla
acaa807a6fbac7521256116f532d057a15f0b71db869b235576ddf62724158e8
DarkTortilla
b5d4330129d989156cb6df8fc9a95e1a45c4d57b8852cf5f720c80a0a6a4935f
DarkTortilla
d53dd7d82baec5078999c4aa1d81e2cdb0f137f6950030070a99736ff757a7c0
DarkTortilla
+ 261 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion ransomware
Link:
https://tria.ge/reports/230711-dkk2bafc9t/
Behaviour
Discovers systems in the same network
Enumerates processes with tasklist
Interacts with shadow copies
Kills process with taskkill
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Launches sc.exe
Looks up external IP address via web service
Checks computer location settings
Modifies file permissions
Modifies service settings
Stops running service(s)
Clears Windows event logs
Deletes shadow copies
Unpacked files
SH256 hash:
58942456d809ed11d64fc14cd7f9ad8e09568712381f12f2236c76b7f823649e
MD5 hash:
4ab187f202c9e79336d403fcdb48f5e2
SHA1 hash:
ed08e93433e5709948e9033702a7554028cc0023
Link:
https://www.unpac.me/results/e34a21e8-2755-4c28-921c-f462c8f2654a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/58942456d809/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/58942456d809ed11d64fc14cd7f9ad8e09568712381f12f2236c76b7f823649e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/414840/

Comments