MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bf81a58f47093727e85a5175d3b7042384159ce7088fa94b4476bda09ea401e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkTortilla

Vendor detections: 17

SHA256 hash: 6bf81a58f47093727e85a5175d3b7042384159ce7088fa94b4476bda09ea401e
SHA3-384 hash: 3c3fd3e800817ac78c703e4a4034c9405ded3508d6089c1d2513bebec0d22fa7e20d02d916a9e290e739919b03784c78
SHA1 hash: e808587a3ab86b0c8954d473dc5c94d440439a6f
MD5 hash: 21eb9600a3a6f166fec7f0ad6075318e
humanhash: purple-butter-leopard-zulu
File name: file
Signature: DarkTortilla
File size: 1'628'672 bytes
First seen: 2025-12-24 02:48:19 UTC
Last seen: 2025-12-24 04:17:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 24576:YO5nKChjGa7Dck7K8O/5vJBeyy0WI8NM1xQZeXgrorB2qF:YmKSGWDB7aBZvYe1k3rorB2q
Threatray: 7 similar samples on MalwareBazaar
TLSH: T1C275E01533E85E18F5BE4B78D0B5052803F6BA0BFB3AEB1E7E4505EE1C12B509986763
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: Bitsight
Tags: DarkTortilla dropped-by-amadey exe fbf543

Bitsight
url: http://178.16.55.189/files/454503574/jQnXJTS.exe

Intelligence

File Origin
# of uploads: 5
# of downloads: 146
Origin country: US
Vendor Threat Intelligence

No detections

Malware family: redline
ID: 1
File name: _6bf81a58f47093727e85a5175d3b7042384159ce7088fa94b4476bda09ea401e.exe
Verdict: Malicious activity
Analysis date: 2025-12-24 02:50:09 UTC
Tags: auto-startup evasion telegram auto-reg stealer redline netreactor xworm ims-api generic purehvnc
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: infosteal asyncrat redline autorun

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypt obfuscated obfuscated vbnet
Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Verdict: Malicious
Tags: External_IP_Lookup
YARA: n/a
Unpacked files

SHA256 hash: 6bf81a58f47093727e85a5175d3b7042384159ce7088fa94b4476bda09ea401e
MD5 hash: 21eb9600a3a6f166fec7f0ad6075318e
SHA1 hash: e808587a3ab86b0c8954d473dc5c94d440439a6f

SHA256 hash: 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
MD5 hash: 0e362e7005823d0bec3719b902ed6d62
SHA1 hash: 590d860b909804349e0cdc2f1662b37bd62f7463

SHA256 hash: eeb242fd62991b85e7af1227463a0278038bb439d0e94f853024871749507be9
MD5 hash: 688bcd71eaf42a435b9efc27d26184e0
SHA1 hash: 5cefd4e1323d8001000337bdab26890f7e1ac264

SHA256 hash: 16510d640c641852752eb7f3eb7fea04470a10f3bbce274db9b3897493c103fc
MD5 hash: 7d161448c05787a27d3b3e15719c4add
SHA1 hash: 6576981d3155736f340a3c0bed1bf9c3e2a0b077
Detections: RedLine_a INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs MALWARE_Win_RedLine

SHA256 hash: d1cf46d72ba82426cc92bc0be80220d462286fb5e1791fb04adaa8950c0bd238
MD5 hash: a2b3f41d3eb6e5107015e1a7a36335ba
SHA1 hash: 6cd09f228e9c9ed161d89e0994e6ec6133cf6c0b

SHA256 hash: 3de1e74ff44a95d86814e693004966aebcc841f31e5d99deb097d74167efc8da
MD5 hash: 7958d58f933d0060c5e18b670656655e
SHA1 hash: b5f2d902328acea5b30e62ca516099065af39c3c
Detections: win_xworm_a0 win_xworm_w0 XWorm win_xworm_bytestring win_xworm_simple_strings win_mal_XWorm INDICATOR_SUSPICIOUS_EXE_TelegramChatBot INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA MALWARE_Win_AsyncRAT MALWARE_Win_XWorm

SHA256 hash: 07cefe40a185afd840d138acb90a344a477e21bc24dbf50ca1a11478d31a66b5
MD5 hash: 35790dc0f15a083a3e1b0d06e734b80a
SHA1 hash: d03bfe9ae9f31061f5ade04f2fe15fd583cce655
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24 INDICATOR_EXE_Packed_DotNetReactor

SHA256 hash: c9513eedd8b42bbf936d2adb7cdd650931f396397b28062367f9d243a8bb0f99
MD5 hash: 8838075e614835dc2cb137c04e1c0b71
SHA1 hash: 365af1f835e5e36571daa8e6478e074a236da45b
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkTortilla
Executable exe 6bf81a58f47093727e85a5175d3b7042384159ce7088fa94b4476bda09ea401e (this sample)

Dropped by: Amadey
Delivery method: Distributed via web download

Comments