MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 691939843feb83cbbeb6802fccb8d7ac8e6cbd7f7c676e5a9eb549353691db88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 691939843feb83cbbeb6802fccb8d7ac8e6cbd7f7c676e5a9eb549353691db88
SHA3-384 hash: d802e4e2f677648775757077d852185fcdd3528e956150bd59c34f3ee740041b829cd7b16075b1185b371ff7931a2d5c
SHA1 hash: bc1a40df5d28d274bd6d1dfaf1dacea5391ef0c2
MD5 hash: 19125edc1d7688ba984abfeccf34b93e
humanhash: fruit-oscar-avocado-oklahoma
File name:SecuriteInfo.com.BackDoor.DarkTortillaNET.1.9751.32573
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:1'357'312 bytes
First seen:2025-10-16 06:41:39 UTC
Last seen:2025-10-16 07:53:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:INF1icYGpoDcMCnRveYepqMKDmfC4KOSSn2c6G:OF181DgRveYkqM3fC41p2e
TLSH T11455BFE51EE43B51D17EFF314B7A0A7063FD79578E21CB89304723E69E2270698806E6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Transferencia 5307590002018489.pdf(85KB).exe
Verdict:
Malicious activity
Analysis date:
2025-10-15 12:41:15 UTC
Tags:
loader auto-startup evasion stealer telegram
Link:
https://app.any.run/tasks/9fcc5b18-01ea-44af-a638-5567e376c145

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33007/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68efa3cb04e22ce9acda6a22
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Running batch commands
Launching a process
Creating a file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated obfuscated vbnet
Link:
https://www.filescan.io/uploads/68f093fd057c46a471cebf7e/reports/d786e7b4-1867-4551-97ac-280b80c3d650/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/691939843feb83cbbeb6802fccb8d7ac8e6cbd7f7c676e5a9eb549353691db88
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-14T16:40:00Z UTC
Last seen:
2025-10-16T23:52:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Crypt.gen Trojan.MSIL.Inject.c Trojan.MSIL.Inject.b Trojan.MSIL.Crypt.sb VHO:Trojan-Dropper.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/691939843feb83cbbeb6802fccb8d7ac8e6cbd7f7c676e5a9eb549353691db88/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/34298445-18e6-4110-b5a3-4cb5f95dfe23
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/691939843feb83cbbeb6802fccb8d7ac8e6cbd7f7c676e5a9eb549353691db88
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/19125edc1d7688ba984abfeccf34b93e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/691939843feb83cbbeb6802fccb8d7ac8e6cbd7f7c676e5a9eb549353691db88/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/691939843feb83cbbeb6802fccb8d7ac8e6cbd7f7c676e5a9eb549353691db88
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-10-15 00:17:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
50
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nemttbb75ob4xpvwqax4zogxvshgzpl7prtw4wu6wvetknur3oea._file
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:darktortilla family:remcos botnet:es xworm crypter discovery loader persistence rat
Link:
https://tria.ge/reports/251016-hg2bcadj3t/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Darktortilla
Darktortilla family
Detects Darktortilla crypter.
Remcos
Remcos family
Malware Config
C2 Extraction:
rency.ydns.eu:2404
wqo9.firewall-gateway.de:4045
code1.ydns.eu:9302
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d7e7a82f-8cab-4c3f-9fd9-c1cb788374c5
Unpacked files
SH256 hash:
691939843feb83cbbeb6802fccb8d7ac8e6cbd7f7c676e5a9eb549353691db88
MD5 hash:
19125edc1d7688ba984abfeccf34b93e
SHA1 hash:
bc1a40df5d28d274bd6d1dfaf1dacea5391ef0c2
Link:
https://www.unpac.me/results/50ae2a49-e059-446e-80c6-feb49578af4d/
SH256 hash:
7261c0fad4ce09ba27a4568ac38e444546b1ccc6b2da2a357685121340fe696f
MD5 hash:
341757da693d0cdb6cde0c7b369c692a
SHA1 hash:
1328c51614c2e64bce78403d90c2500b9c5d983a
Link:
https://www.unpac.me/results/50ae2a49-e059-446e-80c6-feb49578af4d/
SH256 hash:
75917b0456a3c713deff75fb211e6f15e7630eeb5e6968fa9babe15262d90090
MD5 hash:
77191b60fa513daa7c7b63681f766bd1
SHA1 hash:
5392aa0b1e242134106774f2df8d0ff5749421cb
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
win_remcos_rat_unpacked
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Link:
https://www.unpac.me/results/50ae2a49-e059-446e-80c6-feb49578af4d/
Parent samples :
691939843feb83cbbeb6802fccb8d7ac8e6cbd7f7c676e5a9eb549353691db88
6c22a1818f78be2dd32749140bfcaa6d930cf94984f1c58a8f21c1a2b0b27e35
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/691939843feb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/691939843feb83cbbeb6802fccb8d7ac8e6cbd7f7c676e5a9eb549353691db88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkTortilla

Executable exe 691939843feb83cbbeb6802fccb8d7ac8e6cbd7f7c676e5a9eb549353691db88

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/33007/
  
URLhaus
https://urlhaus.abuse.ch/url/3679158/
  
Delivery method
Distributed via web download

Comments