MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 829fad413d5103822bc05f8cbf726203d8a57be3da077e0deaa3a901b6be1efa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkTortilla

Vendor detections: 19



SHA256 hash: 829fad413d5103822bc05f8cbf726203d8a57be3da077e0deaa3a901b6be1efa
SHA3-384 hash: d2bf7d5aaa6adb669d83e51f8b64a379d300129a75281741842d9e64eea62b2c8f01d4b0202221f21e4bc36fb8a2ba6a
SHA1 hash: c865d8e2212b7f111d72f2b295061fe7f0a7baa3
MD5 hash: 9898b1c4dd84e3820c2a0dd239e204be
humanhash: burger-mountain-football-august
File name: Pedido 202510130ESPA.pdf.exe
Signature: DarkTortilla
File size: 715'264 bytes
First seen: 2025-10-13 10:57:29 UTC
Last seen: 2025-11-06 10:20:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
Caveat: this is the generic imphash of a .NET executable. A CIL binary's only native import is _CorExeMain from mscoree.dll, so every .NET sample, whatever its family, compiler or obfuscator, hashes to this value. The overlap with AgentTesla, Formbook and SnakeKeylogger reflects the shared CLR loader stub, not shared code; imphash pivots and imphash-keyed YARA rules carry no family information for CIL samples.
ssdeep 12288:2ArMDSNgFd/GxkAlJX5kcu+FdX1uxwWFEJqqvqHC54:lFgb/GiAljl1uxwWAqZw4
Threatray 22 similar samples on MalwareBazaar
TLSH T1ADE47B6123E85F18F5BFAB396570010147F6FC16DF22DB9D3E9468DA2831E80C962B63
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:DarkTortilla exe
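Why the imphash above is shared with tens of thousands of unrelated samples: the following added example (not code from MalwareBazaar or any vendor) re-implements the imphash recipe, lower-cased "module.function" pairs joined with commas and MD5-hashed, over two constructed import tables. The .NET table is what every CIL executable imports, a single CLR bootstrap function; the native table is a made-up contrast case whose hash actually reflects the program's own API usage.

```python
"""Recompute a PE import hash (imphash) from an import table.

Added example, not part of the MalwareBazaar page: it re-implements the imphash
recipe over hand-constructed import tables to show why the imphash on this entry
is shared with tens of thousands of unrelated .NET samples.
"""
import hashlib

# Module extensions the imphash recipe strips before hashing.
_STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")


def imphash(imports):
    """Return the imphash of an import table.

    `imports` is an iterable of (module_name, function_name) tuples in import
    directory order. Ordinal-only imports would need the ordinal-to-name tables
    that pefile ships; this example assumes imports by name.
    """
    parts = []
    for module, func in imports:
        module = module.lower()
        base, dot, ext = module.rpartition(".")
        if dot and ext in _STRIPPED_EXTENSIONS:
            module = base
        parts.append(f"{module}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Constructed import tables (not dumped from the sample).
# A CIL executable needs exactly one native import: the CLR bootstrap entry point
# in mscoree.dll. Compiler, obfuscator and payload do not change it.
DOTNET_EXE_IMPORTS = [("mscoree.dll", "_CorExeMain")]

# A small native program, for contrast: its imphash follows what it really calls.
NATIVE_IMPORTS = [
    ("KERNEL32.dll", "CreateFileW"),
    ("KERNEL32.dll", "WriteFile"),
    ("ADVAPI32.dll", "RegSetValueExW"),
    ("WS2_32.dll", "connect"),
]

# imphash shown on this MalwareBazaar entry.
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def is_generic_dotnet_imphash(value):
    """True when `value` is the imphash of a PE importing only mscoree!_CorExeMain,
    i.e. when the value says ".NET executable" and nothing more."""
    return value.lower() == imphash(DOTNET_EXE_IMPORTS)


if __name__ == "__main__":
    print(".NET stub imphash:", imphash(DOTNET_EXE_IMPORTS))
    print("native imphash:   ", imphash(NATIVE_IMPORTS))
    print("page imphash is the generic .NET value:", is_generic_dotnet_imphash(PAGE_IMPHASH))
```

Run it before pivoting on an imphash: if `is_generic_dotnet_imphash` returns True, use TLSH, ssdeep or the unpacked-file hashes instead.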

Intelligence


File Origin
# of uploads: 2
# of downloads: 125
Origin country: CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pedido202510130ESPA.pdf.exe
Verdict:
Malicious activity
Analysis date:
2025-10-13 11:04:32 UTC
Tags:
httpdebugger tool evasion stealer telegram ims-api generic auto-startup

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
underscore apost
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Running batch commands
Launching a process
Creating a file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Sending a custom TCP request
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin masquerade obfuscated obfuscated obfuscated packed packed packer_detected tracker vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-13T05:33:00Z UTC
Last seen:
2025-10-15T08:44:00Z UTC
Hits:
~1000
Detections:
Trojan.Win32.Mucc.sb Trojan.Win32.Agent.sb Trojan.APosT.UDP.C&C PDM:Trojan.Win32.Generic PDM:Exploit.Win32.Generic Trojan.MSIL.Inject.c VHO:Backdoor.Win32.Agent.gen HEUR:Trojan.MSIL.Crypt.gen Backdoor.Agent.TCP.C&C Trojan.MSIL.Inject.b Trojan.MSIL.Crypt.sb HackTool.ReconScan.TCP.ServerRequest
Result
Threat name:
DarkCloud, DarkTortilla, Remcos, XWorm
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Double Extension File Execution
Sigma detected: Suspicious Process Parents
Suricata IDS alerts for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected DarkTortilla Crypter
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected Telegram RAT
Yara detected XWorm
Behaviour
Behavior Graph (ID 1793990; sample: Pedido 202510130ESPA.pdf.exe; start date: 13/10/2025; architecture: WINDOWS; score: 100)

Contacted hosts: rency.ydns.eu, igw.myfirewall.org, and 3 other IPs or domains.
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures.

Process tree (indentation = parent/child; [sig] = signature raised on that process; [drop] = file written by it; -> = network destination):

Pedido 202510130ESPA.pdf.exe
  [drop] C:\Users\...\Pedido 202510130ESPA.pdf.exe.log (ASCII)
  [sig] Hides that the sample has been downloaded from the Internet (zone.identifier)
  cmd.exe
    [drop] C:\Users\user\AppData\...\WindowsTime.exe (PE32)
    [drop] C:\Users\...\WindowsTime.exe:Zone.Identifier (ASCII)
    [sig] Uses ping.exe to sleep
    PING.EXE (two instances), conhost.exe
    WindowsTime.exe
      [sig] Hides that the sample has been downloaded from the Internet (zone.identifier)
      [sig] Injects a PE file into a foreign processes
      WindowsTime.exe
        [sig] Encrypted powershell cmdline option found
        powershell.exe
          [drop] C:\Users\user\AppData\Local\...\DOCUMENT.exe (PE32)
          POWERPOINT.exe
            [sig] Hides that the sample has been downloaded from the Internet (zone.identifier)
            [sig] Injects a PE file into a foreign processes
            POWERPOINT.exe
          WORDS.exe
            WORDS.exe
          DOCUMENT.exe
            [sig] Multi AV Scanner detection for dropped file
          2 other processes
  cmd.exe
    [sig] Uses ping.exe to check the status of other devices and networks
    PING.EXE -> 127.0.0.1
    conhost.exe
    reg.exe

WindowsTime.exe (second instance, started at the graph root)
  [sig] Multi AV Scanner detection for dropped file
  [sig] Encrypted powershell cmdline option found
  [sig] Tries to delay execution (extensive OutputDebugStringW loop)
  WindowsTime.exe
    [sig] Encrypted powershell cmdline option found
    powershell.exe
      -> igw.myfirewall.org 158.94.209.34 (ports 49693, 49694, 49695; JANET Jisc Services Limited, United Kingdom)
      -> bmh-global.myfirewall.org 178.16.53.63 (ports 49696, 49697, 80; DUSNET-AS, Germany)
      [drop] C:\Users\user\AppData\Roaming\WORDS.exe (PE32)
      [drop] C:\Users\user\AppData\...\POWERPOINT.exe (PE32)
      [drop] C:\Users\user\AppData\Roaming\NOTEPAD.exe (PE32)
      [sig] Potential dropper URLs found in powershell memory
      [sig] Powershell drops PE file
      conhost.exe
      WORDS.exe
        WORDS.exe
          -> rency.ydns.eu 91.92.241.145 (ports 49698, 59013; THEZONEBG, Bulgaria)
          [drop] C:\Users\user\AppData\...\WDUpdate2025.exe (PE32)
      POWERPOINT.exe
        POWERPOINT.exe
      NOTEPAD.exe
        cmd.exe
  WindowsTime.exe

WindowsTime.exe (third instance, started at the graph root)
  [sig] Injects a PE file into a foreign processes
  WindowsTime.exe
    powershell.exe
      conhost.exe
      POWERPOINT.exe
        [sig] Multi AV Scanner detection for dropped file
        [sig] Tries to delay execution (extensive OutputDebugStringW loop)
        [sig] Hides that the sample has been downloaded from the Internet (zone.identifier)
        POWERPOINT.exe
      WORDS.exe
        [sig] Injects a PE file into a foreign processes
        WORDS.exe
      NOTEPAD.exe
        cmd.exe
          conhost.exe
  WindowsTime.exe
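The chain in the behaviour graph above (a document-named .exe spawning cmd.exe, which launches PING.EXE and reg.exe and starts WindowsTime.exe from the user profile, followed by powershell.exe with an encoded command line) is what the Sigma "Suspicious Double Extension File Execution" and "Uses ping.exe to sleep" signatures key on. The following added example, not code from the page or any sandbox vendor, runs equivalent checks over constructed Sysmon-style process-creation events. The command lines, the Sysmon field names and the reading of "Encrypted powershell cmdline option" as -EncodedCommand are assumptions; the page lists process names, not arguments.

```python
"""Triage process-creation events for the behaviours this sandbox run exhibits.

Added example, not from the MalwareBazaar page or any vendor: the events below
are constructed to mirror the chain in the behaviour graph (document-named .exe
-> cmd.exe -> PING.EXE / reg.exe -> WindowsTime.exe in %AppData% -> encoded
powershell). Field names follow the Sysmon Event ID 1 layout; the command lines
are assumptions, because the page lists process names, not arguments.
"""
import re
from pathlib import PureWindowsPath

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# reg.exe writing a Run/RunOnce autostart value (HKCU or HKLM).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\b", re.I)
# ping with a repeat count against loopback: the classic cmd.exe sleep substitute.
PING_SLEEP_RE = re.compile(r"\bping(\.exe)?\b.*\s-n\s+\d+\s+(127\.0\.0\.1|localhost)\b", re.I)
# -EncodedCommand and its accepted prefixes, followed by a base64 blob.
ENCODED_PS_RE = re.compile(
    r"\s-(e|ec|en|enc|enco|encod|encode|encodedc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def double_document_extension(image):
    """True for names like 'Pedido.pdf.exe': a document extension in front of an executable one."""
    suffixes = [s.lower() for s in PureWindowsPath(image).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DOCUMENT_EXTS


def triage(event):
    """Return the rule names one process-creation event triggers (empty = unremarkable)."""
    image, parent = event["Image"], event.get("ParentImage", "")
    cmdline = event.get("CommandLine", "")
    hits = []
    if double_document_extension(image):
        hits.append("double_extension_execution")
    if _basename(parent) == "cmd.exe" and PING_SLEEP_RE.search(cmdline):
        hits.append("ping_loopback_sleep")
    if _basename(image) == "reg.exe" and " add " in cmdline.lower() and RUN_KEY_RE.search(cmdline):
        hits.append("run_key_persistence")
    if _basename(image) == "powershell.exe" and ENCODED_PS_RE.search(cmdline):
        hits.append("encoded_powershell")
    if USER_WRITABLE_RE.search(image) and PureWindowsPath(image).suffix.lower() in EXEC_EXTS:
        hits.append("exec_from_appdata")
    return hits


def triage_all(events):
    """Map each event's Id to the rules it triggered; events with no hits map to []."""
    return {e["Id"]: triage(e) for e in events}


# Constructed events modelled on the behaviour graph; command lines are assumptions.
SAMPLE_EVENTS = [
    {"Id": 1, "Image": r"C:\Users\user\Downloads\Pedido 202510130ESPA.pdf.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\user\Downloads\Pedido 202510130ESPA.pdf.exe"'},
    {"Id": 2, "Image": r"C:\Windows\System32\PING.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "ping -n 10 127.0.0.1"},
    {"Id": 3, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsTime '
                    r'/t REG_SZ /d "C:\Users\user\AppData\Roaming\WindowsTime.exe" /f'},
    {"Id": 4, "Image": r"C:\Users\user\AppData\Roaming\WindowsTime.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Users\user\AppData\Roaming\WindowsTime.exe"},
    {"Id": 5, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\AppData\Roaming\WindowsTime.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc JABhACAAPQAgADEA"},
    # Benign control: an operator pinging a remote host from cmd.exe must not fire.
    {"Id": 6, "Image": r"C:\Windows\System32\PING.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "ping -n 4 fileserver01"},
]

if __name__ == "__main__":
    for event_id, rules in triage_all(SAMPLE_EVENTS).items():
        print(event_id, rules or "-")
```

The loopback check on the ping rule is what separates the sleep idiom from the legitimate connectivity test in event 6; a rule on `ping -n` alone would be too noisy to deploy.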
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Backdoor.Quasar
Status:
Malicious
First seen:
2025-10-13 08:43:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:darkcloud family:darktortilla family:remcos family:xworm botnet:es xworm collection crypter defense_evasion discovery loader persistence rat spyware stealer trojan
Behaviour
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Downloads MZ/PE file
DarkCloud
Darkcloud family
Darktortilla
Darktortilla family
Detect Xworm Payload
Detects Darktortilla crypter.
Remcos
Remcos family
Xworm
Xworm family
Malware Config
C2 Extraction:
rency.ydns.eu:59013
wqo9.firewall-gateway.de:59013
twart.myfirewall.org:59013
https://api.telegram.org/bot6274587098:AAEvD64fpPpZLNdkxKF7wS-y2GX94H3OkSM/sendMessage?chat_id=6265187542
rency.ydns.eu:2404
wqo9.firewall-gateway.de:4045
code1.ydns.eu:9302
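Turning the C2 extraction above into something a defender can act on: the following added example, which is not part of the MalwareBazaar page or any vendor tooling, parses the seven lines verbatim, separates the host:port pairs from the Telegram exfiltration URL, groups ports per host (three hosts share 59013), redacts the bot token because it is live credential material, and emits defanged indicators plus Suricata DNS rules. The SID range and rule wording are assumptions.

```python
"""Normalise the C2 extraction list on this entry into structured, defanged IOCs.

Added example, not part of the MalwareBazaar page: the input is the seven
"C2 Extraction" lines, copied verbatim. The code separates host:port pairs from
the Telegram exfiltration URL, groups ports per host, shows which port the hosts
share, redacts the bot token and emits defanged indicators plus Suricata DNS
rules. The SID range is an assumption.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

C2_LINES = """\
rency.ydns.eu:59013
wqo9.firewall-gateway.de:59013
twart.myfirewall.org:59013
https://api.telegram.org/bot6274587098:AAEvD64fpPpZLNdkxKF7wS-y2GX94H3OkSM/sendMessage?chat_id=6265187542
rency.ydns.eu:2404
wqo9.firewall-gateway.de:4045
code1.ydns.eu:9302
"""

HOST_PORT_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")
TELEGRAM_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)$")


def defang(host):
    """Bracket the dots so the indicator cannot be clicked or auto-resolved when pasted."""
    return host.replace(".", "[.]")


def parse_c2_lines(text):
    """Return (hosts, telegram): hosts maps hostname -> sorted ports; telegram is a
    list of dicts holding bot_id, method, chat_id and a redacted token."""
    hosts, telegram = defaultdict(set), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HOST_PORT_RE.match(line)
        if m:
            port = int(m.group("port"))
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range in {line!r}")
            hosts[m.group("host").lower()].add(port)
            continue
        url = urlparse(line)
        if url.scheme in ("http", "https") and url.hostname == "api.telegram.org":
            pm = TELEGRAM_PATH_RE.match(url.path)
            if not pm:
                raise ValueError(f"unrecognised Telegram bot path in {line!r}")
            chat_ids = parse_qs(url.query).get("chat_id", [])
            telegram.append({
                "bot_id": pm.group("bot_id"),
                "token_redacted": pm.group("token")[:4] + "...",  # never log the full token
                "method": pm.group("method"),
                "chat_id": chat_ids[0] if chat_ids else None,
            })
            continue
        raise ValueError(f"unrecognised C2 line {line!r}")
    return {h: sorted(p) for h, p in hosts.items()}, telegram


def shared_ports(hosts):
    """Ports used by more than one host; a shared listener port is a pivot between hosts."""
    by_port = defaultdict(set)
    for host, ports in hosts.items():
        for port in ports:
            by_port[port].add(host)
    return {p: sorted(h) for p, h in by_port.items() if len(h) > 1}


def suricata_dns_rules(hosts, first_sid=1000001):
    """One DNS-query alert per C2 hostname, using the Suricata dns.query sticky buffer."""
    return [
        f'alert dns any any -> any any (msg:"C2 DNS lookup {host}"; '
        f'dns.query; content:"{host}"; nocase; sid:{first_sid + i}; rev:1;)'
        for i, host in enumerate(sorted(hosts))
    ]


if __name__ == "__main__":
    hosts, telegram = parse_c2_lines(C2_LINES)
    for host, ports in sorted(hosts.items()):
        print(f"{defang(host):28} ports {ports}")
    print("shared ports:", shared_ports(hosts))
    print("telegram exfil:", telegram)
    print("\n".join(suricata_dns_rules(hosts)))
```

The parser raises on any line it does not recognise rather than silently skipping it, so a new C2 format in a future extraction fails loudly instead of dropping an indicator.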
Unpacked files
SHA256 hash: 829fad413d5103822bc05f8cbf726203d8a57be3da077e0deaa3a901b6be1efa
MD5 hash: 9898b1c4dd84e3820c2a0dd239e204be
SHA1 hash: c865d8e2212b7f111d72f2b295061fe7f0a7baa3

SHA256 hash: a341c8b43658a80d65dda8520bfeb7886d86d78be5b4eaf47ec921fe3f5701b8
MD5 hash: 9f26991fd8e650b259d6d5beac3e9748
SHA1 hash: 55f68e3eafbbba9e0dc5ea413eb1b4f734d43204

SHA256 hash: 222b04688d1e2030192b188f099ecfd52bd7af6b986ac93e141a80f2766da879
MD5 hash: c71e17acab65a4dd054c78c0481c7674
SHA1 hash: 63b0d563f15ab5b92c337ef37d741004623d0f62

SHA256 hash: e102ca91c10740fd859c7cdff2ad3a59dc037217bac1849e7438ed1c40cc46b7
MD5 hash: c6dd9ea4d2c92b977b13d6f6b8f384cb
SHA1 hash: 9096b58221836e31fd926b686f358c2eea5ecb96
Detections: DotNetPSDownloader

SHA256 hash: 2673d470353413edfb567ff7479395dc52824db6469520ebe8d91dbca2bccac2
MD5 hash: e5be1fdba36d5032726313afe4c7dd63
SHA1 hash: c65ebe77906cec3bcb5e805a327f1aa823be57ca
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: NET (Author: malware-lu)
Rule name: NETexecutableMicrosoft (Author: malware-lu)
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash (Author: Skystars LightDefender; Description: imphash)

All four matches are generic: the first two identify the file as a .NET executable, and the other two key on the imphash, which for a CIL binary reflects only the mscoree.dll!_CorExeMain import. None of them is specific to DarkTortilla; the family attribution on this entry rests on the sandbox and unpacker results above, not on these rules.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Type: Malspam
Signature: DarkTortilla
Sample: Executable exe 829fad413d5103822bc05f8cbf726203d8a57be3da077e0deaa3a901b6be1efa (this sample)
Delivery method: Distributed via e-mail attachment

Comments