MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 738480ab58300675f57080ee683e73d854f5f3ed01cd846c2b0e98116a0d301f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 738480ab58300675f57080ee683e73d854f5f3ed01cd846c2b0e98116a0d301f
SHA3-384 hash: 6db7154448d97cb8d61885a930aedbee491ca50d2bb144c025d1efbe10b7cbdb6a496054e33c9eec98d15be3c84a2c31
SHA1 hash: b48b58269e743b7d9ce1b66ee6c55ee18da7beb8
MD5 hash: c157b825a19e77893b8ebe6d43e1165d
humanhash: sink-black-nine-two
File name:DHL INVOICE.exe
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:1'024'000 bytes
First seen:2025-12-11 16:08:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:snOl0VmLLdufPNxPb+cUxifkn69DF2CyM:gLmEdxPhX8sJ
Threatray 14 similar samples on MalwareBazaar
TLSH T1C325BE011BE94F98F1BF8734A935051447F6FC03CE36DB9E299868ED2972B91AA51333
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:DarkTortilla DHL exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
DHL INVOICE.exe
Verdict:
No threats detected
Analysis date:
2025-12-11 16:14:55 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/863ed6a3-deaa-4060-afe5-c533fdb941e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/44319/
Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=693aeca8bde6a3e5971056e2
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 masquerade obfuscated obfuscated redcap vbnet
Link:
https://www.filescan.io/uploads/693aeca71eac7b9b76a60e87/reports/799ecbfc-c600-4cfb-8d09-e615615e19c0/overview
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/738480ab58300675f57080ee683e73d854f5f3ed01cd846c2b0e98116a0d301f
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-10T14:10:00Z UTC
Last seen:
2025-12-12T09:35:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Agent.sb HEUR:Trojan-Spy.MSIL.Noon.gen HEUR:Trojan.MSIL.Inject.gen Trojan.MSIL.Inject.sb Trojan-Spy.Noon.HTTP.ServerRequest Trojan-PSW.Win32.Stealer.sb PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Inject.c Trojan.MSIL.Inject.b
Link:
https://opentip.kaspersky.com/738480ab58300675f57080ee683e73d854f5f3ed01cd846c2b0e98116a0d301f/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/34a06801-21ff-451e-987c-8ffb1a55f2c1
Result
Threat name:
DarkTortilla, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1831052
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1831052 Sample: DHL INVOICE.exe Startdate: 11/12/2025 Architecture: WINDOWS Score: 100 36 www.tubodega.xyz 2->36 40 Suricata IDS alerts for network traffic 2->40 42 Antivirus detection for URL or domain 2->42 44 Multi AV Scanner detection for submitted file 2->44 48 8 other signatures 2->48 11 DHL INVOICE.exe 3 2->11         started        signatures3 46 Performs DNS queries to domains with low reputation 36->46 process4 file5 34 C:\Users\user\AppData\...\DHL INVOICE.exe.log, ASCII 11->34 dropped 58 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->58 60 Injects a PE file into a foreign processes 11->60 15 DHL INVOICE.exe 11->15         started        18 DHL INVOICE.exe 11->18         started        signatures6 process7 signatures8 62 Maps a DLL or memory area into another process 15->62 20 cp3TYwecSu.exe 15->20 injected process9 process10 22 iexpress.exe 13 20->22         started        signatures11 50 Tries to steal Mail credentials (via file / registry access) 22->50 52 Tries to harvest and steal browser information (history, passwords, etc) 22->52 54 Modifies the context of a thread in another process (thread injection) 22->54 56 4 other signatures 22->56 25 awDQjrvYkR.exe 22->25 injected 28 chrome.exe 22->28         started        30 firefox.exe 22->30         started        process12 dnsIp13 38 www.tubodega.xyz 76.223.54.146, 49693, 80 AMAZON-02US United States 25->38 32 WerFault.exe 4 28->32         started        process14
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/738480ab58300675f57080ee683e73d854f5f3ed01cd846c2b0e98116a0d301f
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/c157b825a19e77893b8ebe6d43e1165d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/738480ab58300675f57080ee683e73d854f5f3ed01cd846c2b0e98116a0d301f/
Verdict:
Malicious
Threat:
Trojan.MSIL.Inject
Link:
https://tip.neiki.dev/file/738480ab58300675f57080ee683e73d854f5f3ed01cd846c2b0e98116a0d301f
Threat name:
Win32.Trojan.XWorm
Create hunting rule
Status:
Malicious
First seen:
2025-12-10 19:43:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oocibk2ygadhl5lqqdxgqptt3bkpl47nahgyi3blb2mbc2qngapq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2a084e79463e72c0933ec50e0b89aa2cdd5295584b6d6b211da98c5a3b4a8a8c
DarkTortilla
37435cb1937605bc54b865e27c56b97165e0eadd7c2eadcb1479d9ff83c6b117
DarkTortilla
426fd8cbda5097fbd159476c10aaea55508712928bfcc765fe6b423b57b545f6
DarkTortilla
87fe3267b683590bfefe5041835233c058dfcc764e427f201fa550cd89fb3133
DarkTortilla
error
DarkTortilla
+ 4 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/251211-tls2bad17g/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
.NET Reactor proctector
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/69c947e8-80d9-4b4f-9ec0-33dad766bef3
Unpacked files
SH256 hash:
738480ab58300675f57080ee683e73d854f5f3ed01cd846c2b0e98116a0d301f
MD5 hash:
c157b825a19e77893b8ebe6d43e1165d
SHA1 hash:
b48b58269e743b7d9ce1b66ee6c55ee18da7beb8
Link:
https://www.unpac.me/results/10742bfd-84af-47d1-9ce5-807fb69d703b/
SH256 hash:
23b5b9ed38314f86825470df6b0585190a276dba3b2bf08b352e2bde13eb6013
MD5 hash:
ad7e493f5df6a4f600e136ba4e7b4c29
SHA1 hash:
3733c6aa752fdf1074306b9407339100c0008daf
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/10742bfd-84af-47d1-9ce5-807fb69d703b/
Parent samples :
426fd8cbda5097fbd159476c10aaea55508712928bfcc765fe6b423b57b545f6
73641a6dd5f95201524760fb4b5e951dba1fa239bce351d6e765021ab08de01f
87fe3267b683590bfefe5041835233c058dfcc764e427f201fa550cd89fb3133
c657660bce96a5fadf3390883849fc322b606f0a0c497fd639c7a49ecd920c15
929a6fecc6b43b14b92fb96ea538fc3b64f44a5224e47505bee802817d584e3e
a3f3c13022d181943668305aac375efbd5b336d5c2a350ddabc2186b97abbf0c
f2937a4c27177aade4d4df887e17ae115cc3ecb778bb03c6a6ae54b503a00f5b
2a084e79463e72c0933ec50e0b89aa2cdd5295584b6d6b211da98c5a3b4a8a8c
37435cb1937605bc54b865e27c56b97165e0eadd7c2eadcb1479d9ff83c6b117
738480ab58300675f57080ee683e73d854f5f3ed01cd846c2b0e98116a0d301f
84b6e7c39ea67509b28d31aa2544bab496562361af72e2ce5bb3e7158d90e746
SH256 hash:
222b04688d1e2030192b188f099ecfd52bd7af6b986ac93e141a80f2766da879
MD5 hash:
c71e17acab65a4dd054c78c0481c7674
SHA1 hash:
63b0d563f15ab5b92c337ef37d741004623d0f62
Link:
https://www.unpac.me/results/10742bfd-84af-47d1-9ce5-807fb69d703b/
SH256 hash:
e50549d0abd1fa2f9875b6fc9fcd16dc717aba9a43431c17439ffb75d116c779
MD5 hash:
a215d88c6f3519666d17676dcc5a84ff
SHA1 hash:
b55b353404d1bc420224ee140fe7ca2f52f27434
Link:
https://www.unpac.me/results/10742bfd-84af-47d1-9ce5-807fb69d703b/
SH256 hash:
2673d470353413edfb567ff7479395dc52824db6469520ebe8d91dbca2bccac2
MD5 hash:
e5be1fdba36d5032726313afe4c7dd63
SHA1 hash:
c65ebe77906cec3bcb5e805a327f1aa823be57ca
Link:
https://www.unpac.me/results/10742bfd-84af-47d1-9ce5-807fb69d703b/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/738480ab5830/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/738480ab58300675f57080ee683e73d854f5f3ed01cd846c2b0e98116a0d301f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/44319/

Comments