MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7085e3a803cd04ff43f726c07816734eb4fcf9499b432d67e35c193c663cde1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkTortilla

Vendor detections: 16

Intelligence 16 IOCs YARA 5 File information Comments

SHA256 hash:	7085e3a803cd04ff43f726c07816734eb4fcf9499b432d67e35c193c663cde1b
SHA3-384 hash:	e9d4178a16f216fbfa49fa3965402c35c3d5f6c78234a8c111d63332a0a2f49151c571f6b9edb00b5175fd5e1670971c
SHA1 hash:	e8e72b5f06f5f9794a163b3fe95269725383905d
MD5 hash:	2e5f94bd5dc6742857b0cfa7c527e1c8
humanhash:	minnesota-alabama-jig-angel
File name:	DebitTransactionCopyUSD16990.exe
Download:	download sample
Signature	DarkTortilla Create hunting rule
File size:	5'848'064 bytes
First seen:	2025-08-09 01:50:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	98304:MJmKB526pCSP7GImvSyrdD1nU9Q37PE4rm:MRLCSPKLKyrM9Ibr
Threatray	1'298 similar samples on MalwareBazaar
TLSH	T15A46D0343AEAA009F177BF759EE078869ABFBEA33F03905D145523850B13941EEE1539
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	aachum
Tags:	DarkTortilla exe QuasarRAT yuba-ydns-eu

iamaachum

Quasar C2: yuba.ydns.eu:6921

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9c016b900cb5fc4424d7c8883a59dbadbb530008b4946a44f079cd609f251e49.zip

Verdict:

Malicious activity

Analysis date:

2025-08-01 00:18:35 UTC

Tags:

arch-exec auto-reg

Link:

https://app.any.run/tasks/c4108537-ceeb-4768-8606-3e2b03764f72

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

QuasarStealer

Link:

https://www.capesandbox.com/analysis/19813/

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=688c07da0b4775fb2134543b

Tags:

micro sage remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 keylogger obfuscated obfuscated reconnaissance redcap snake vbnet

Link:

https://www.filescan.io/uploads/6896a971397fd3ce6fa2dfe2/reports/40b108c6-4d8f-4023-8470-dfa9a1ff118c/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/7085e3a803cd04ff43f726c07816734eb4fcf9499b432d67e35c193c663cde1b

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/52472c91-4664-431d-8f5f-c90e852cabd1

Result

Threat name:

AsyncRAT, DarkTortilla, Quasar

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1753497

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large strings

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected DarkTortilla Crypter

Yara detected Quasar RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7085e3a803cd04ff43f726c07816734eb4fcf9499b432d67e35c193c663cde1b

Verdict:

inconclusive

YARA:

11 match(es)

Tags:

.Net Executable PE (Portable Executable) SOS: 0.46 Win 32 Exe x86

Link:

https://app.malva.re/file/2e5f94bd5dc6742857b0cfa7c527e1c8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7085e3a803cd04ff43f726c07816734eb4fcf9499b432d67e35c193c663cde1b/

Threat name:

Win32.Backdoor.Quasar

Status:

Malicious

First seen:

2025-07-31 22:40:58 UTC

File Type:

PE (.Net Exe)

Extracted files:

289

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=occ6hkadzucp6q7xe3ahqfttj22pz6kjtnbs2z7dlqmtyzr43ynq._file

Verdict:

malicious

Label(s):

quasarrat

DarkTortilla

17abf2eb5bfc5f1be41bbba2e0b1cb59787e3879d152bf6ff9b4d91702a402c4

DarkTortilla

457e291dc62946ab2dc1cb558ffca2e90e5ebbd4a27013c5a23930339aedb978

DarkTortilla

468ba790ac48bf4dd494f11153ee26a5ea5a34da611a7f294f6917fa7ec107c4

DarkTortilla

4e6e48275b1f3412edc045e1a81d509ddcfe360c06bdd4483fcd5b4fc77b7ef3

DarkTortilla

5abb3690139201632ca77d335dc003268eaf58f2fa0736fb187d843e597a2c9b

DarkTortilla

64f51e7b139ab5cf5829321a7ea0e7cc8aad04f1ec1d872345ee029e679dd2af

DarkTortilla

+ 1'288 additional samples on MalwareBazaar

Result

Malware family:

quasar

Score:

10/10

Tags:

family:darktortilla family:quasar botnet:sim crypter discovery execution loader persistence spyware trojan

Link:

https://tria.ge/reports/250809-b9mkbs1tcz/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

Darktortilla

Darktortilla family

Detects Darktortilla crypter.

Quasar RAT

Quasar family

Quasar payload

Malware Config

C2 Extraction:

yuba.ydns.eu:6921

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f6218de1-f7b2-4274-b34f-610b69385121

Unpacked files

SH256 hash:

7085e3a803cd04ff43f726c07816734eb4fcf9499b432d67e35c193c663cde1b

MD5 hash:

2e5f94bd5dc6742857b0cfa7c527e1c8

SHA1 hash:

e8e72b5f06f5f9794a163b3fe95269725383905d

Link:

https://www.unpac.me/results/d8de97d2-f283-4a43-97c6-b0b9856fc010/

SH256 hash:

b93bebd7f42919ccf2f07d84da350fd77d111485ed44391cbca6af70b50036bf

MD5 hash:

f78e095892191a48f2848f8372f65a87

SHA1 hash:

0fbad02a10028e049498ba8b11f49ac82c4214ae

Link:

https://www.unpac.me/results/d8de97d2-f283-4a43-97c6-b0b9856fc010/

SH256 hash:

da4cb91d96214c7134a9e8799fdf241bd6b8103eecd4efb1b8c228ca3c8e7e91

MD5 hash:

9a06e083cd0531927dcd616b9b601ffa

SHA1 hash:

9584f7e1c8ab7be5900762abcaedf20cb92e4ae7

Link:

https://www.unpac.me/results/d8de97d2-f283-4a43-97c6-b0b9856fc010/

SH256 hash:

2cb5b8fbcd0994c8371837858c1f6dfe8e0de017e86437c7aee38d710209f10a

MD5 hash:

4f5880d558000b383fbb6efb21100997

SHA1 hash:

d2ceb9140d797b0f4db46a0a02c274e4fe89f349

Link:

https://www.unpac.me/results/d8de97d2-f283-4a43-97c6-b0b9856fc010/

SH256 hash:

50a6915e6bc15f11b5f7a5ff8a6dc3dce2863baba6a64482dc2c477041479789

MD5 hash:

6a809860c4708c7c7aad2fa0b4a7eac1

SHA1 hash:

e751027a71698f11b13fc1bad46a87de0e96e0aa

Detections:

QuasarRAT

cn_utf8_windows_terminal

malware_windows_xrat_quasarrat

MAL_QuasarRAT_May19_1

win_quasarrat_j2

win_quasar_rat_client

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_GENInfoStealer

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_QuasarStealer

Link:

https://www.unpac.me/results/d8de97d2-f283-4a43-97c6-b0b9856fc010/

Parent samples :

6af042955207ac4aa13b739d44ab6292af8892ac013444326d15ead0fefdfabe
7085e3a803cd04ff43f726c07816734eb4fcf9499b432d67e35c193c663cde1b
54e199788100b76b9d2344c39a0807146ed4d2346eab14f61707b7814b907d97
d25df8d5b45fe5cd79e2b45896459838b06ccc9abf6358d97232af011d273976
50a6915e6bc15f11b5f7a5ff8a6dc3dce2863baba6a64482dc2c477041479789

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7085e3a803cd04ff43f726c07816734eb4fcf9499b432d67e35c193c663cde1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkTortilla

exe 7085e3a803cd04ff43f726c07816734eb4fcf9499b432d67e35c193c663cde1b

(this sample)

Link

https://tria.ge/250801-am3glaal2s/behavioral1

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/19813/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample