MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ce228a6fcbe2d1ddcc50f0f3e1373609024bfdf5b4fd017f51a8c83a4b44292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DarkTortilla


Vendor detections: 13



SHA256 hash: 5ce228a6fcbe2d1ddcc50f0f3e1373609024bfdf5b4fd017f51a8c83a4b44292
SHA3-384 hash: f9b8cb3644928b3a980c562000e76cd1c6a212f6bca85d0e26d479b7379c9edc1f8c004fc0f64f28aedfa898be1e6c71
SHA1 hash: c8f375832a3235c8b17e3c66c630865a5bea2bf3
MD5 hash: bec54fbde0ce9e70a29f1c7ba1c65891
humanhash: fanta-coffee-april-cardinal
File name: SecuriteInfo.com.Trojan.DownLoaderNET.786.29532.16195
Signature: DarkTortilla
File size: 950'272 bytes
First seen: 2024-08-11 09:19:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep: 12288:fY6PNJxVfWw/qTfScYp6wbZssG/NDA/3FBl0LyNhTJPsRhObcsQwi6PFdLT:BPNJxVfWwI260asG/lAdBSObm2FN
TLSH: T14C15CEA523A92D80E17D2B74563731A0C3F175CAFC75830CAA84B7EE2B72740AF94759
TrID:
  63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  11.2% (.SCR) Windows screen saver (13097/50/3)
  9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter: SecuriteInfoCom
Tags: DarkTortilla exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
335
Origin country :
FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://github.com/evan9908/Setup/raw/main/file000.exe
Verdict:
Malicious activity
Analysis date:
2024-08-10 13:35:38 UTC
Tags:
pastebin discord github stealer adware neoreklami

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Tags:
Network Static Stealth
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed shell32 vbnet
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
DarkTortilla, Neoreklami
Detection:
malicious
Classification:
rans.troj.adwa.expl.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Drops script or batch files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Generic Downloader
Yara detected Neoreklami
Behaviour
Behavior Graph: interactive process graph (Behavior Graph ID 1491225; sample SecuriteInfo.com.Trojan.DownLoaderNET.786.29532.16195.exe; start date 11/08/2024; architecture WINDOWS; score 100), not reproduced here.
Threat name:
Win32.Trojan.Amadey
Status:
Malicious
First seen:
2024-08-10 20:45:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery evasion execution spyware stealer trojan
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Drops Chrome extension
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Indirect Command Execution
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Modifies Windows Defender Real-time Protection settings
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files

SHA256 hash: 56aaa2b9e53d69dd75c8d1247220d8ea97b1b7705796b2e2ddff34c7eea8adee
MD5 hash: 50f28d178452b2db4e1f466904e55c78
SHA1 hash: d9a3246a570715d756a6c653b6818afb99ae39ec

SHA256 hash: 0781f74db6c9ff7aa0c1e76dd0ebc4a9575fba6caca9aac9fb0131c5a73c84be
MD5 hash: 2c064163cda2f093cf6d20302481dff7
SHA1 hash: cf948b10d999c369ef51972f86278a4f536d400d

SHA256 hash: 9dac8e0c184f46c9a246a11fa95c2284003e7f0355061b92303d31f5c20c6d84
MD5 hash: f0104eb57763672dbaf72b04351c3307
SHA1 hash: b19b30093b6bf0dd739fde922b7de753919b86ac

SHA256 hash: 30161ac316fe6aa9e732e2ad2604c65ba3fcf8fa8b335dbc0f031dc5d1bfeee9
MD5 hash: c9a2eb014be7c1af619ba3077be56783
SHA1 hash: 9a3758db43b27d1147ef8a95bdd3fd1bb8ea922c

SHA256 hash: 5ce228a6fcbe2d1ddcc50f0f3e1373609024bfdf5b4fd017f51a8c83a4b44292
MD5 hash: bec54fbde0ce9e70a29f1c7ba1c65891
SHA1 hash: c8f375832a3235c8b17e3c66c630865a5bea2bf3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
DarkTortilla
Executable exe 5ce228a6fcbe2d1ddcc50f0f3e1373609024bfdf5b4fd017f51a8c83a4b44292 (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high
