MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87fe3267b683590bfefe5041835233c058dfcc764e427f201fa550cd89fb3133. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 19


Intelligence 19 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87fe3267b683590bfefe5041835233c058dfcc764e427f201fa550cd89fb3133
SHA3-384 hash: 71e4a801d56597a0ff2cc9e51956041f2b14a82091d82244ade99c3967cdfb88d2919165d9f89003ac81fb745dd49dfe
SHA1 hash: 06b0902a31ce2a1b1702e29e87f6d7c0205f9a32
MD5 hash: ef56ceeddf5ba59ac0fa0d5b195932f0
humanhash: football-diet-jupiter-grey
File name:anewwwchybike.exe
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:1'140'224 bytes
First seen:2025-12-03 08:35:32 UTC
Last seen:2025-12-03 08:37:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:bPzNDTTHJGBp2jEjCAapOiSY7joYgd9E2Q62r:HBPHJGv2jEjupdSY7jVgp
Threatray 5 similar samples on MalwareBazaar
TLSH T10735F11A17D55FA0E0BE8B36E2B0405443F0BA1B8637E36E7E0852FD8E2179B55D2367
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
anewwwchybike.exe
Verdict:
Malicious activity
Analysis date:
2025-12-03 08:39:17 UTC
Tags:
netreactor stealer evasion auto-reg telegram
Link:
https://app.any.run/tasks/8e6e0d8e-0b23-4722-afdc-b85b56511fd3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/42239/
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692ff687264b106bd64650f5
Tags:
hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Stealing user critical data
Setting a single autorun event
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt formbook obfuscated obfuscated vbnet
Link:
https://www.filescan.io/uploads/692ff6848e26c121ec95437c/reports/15caf806-37cf-4913-a215-973c328b8da9/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/87fe3267b683590bfefe5041835233c058dfcc764e427f201fa550cd89fb3133
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-02T16:07:00Z UTC
Last seen:
2025-12-05T05:11:00Z UTC
Hits:
~1000
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.InjectorNetT.gen VHO:Backdoor.Win32.Androm.gen Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.DarkCloud.sb Trojan.MSIL.Inject.c Trojan.MSIL.Inject.b HackTool.ReconScan.TCP.ServerRequest
Link:
https://opentip.kaspersky.com/87fe3267b683590bfefe5041835233c058dfcc764e427f201fa550cd89fb3133/results?tab=lookup
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7842bde0-4414-4c80-821f-c2a5f2db7568
Result
Threat name:
DarkCloud, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1825189
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected DarkTortilla Crypter
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1825189 Sample: anewwwchybike.exe Startdate: 03/12/2025 Architecture: WINDOWS Score: 100 30 showip.net 2->30 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 7 other signatures 2->40 7 firebird.exe 3 2->7         started        10 anewwwchybike.exe 3 2->10         started        13 firebird.exe 2 2->13         started        signatures3 process4 file5 42 Antivirus detection for dropped file 7->42 44 Multi AV Scanner detection for dropped file 7->44 46 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->46 15 firebird.exe 12 7->15         started        28 C:\Users\user\...\anewwwchybike.exe.log, ASCII 10->28 dropped 48 Injects a PE file into a foreign processes 10->48 18 anewwwchybike.exe 1 16 10->18         started        22 firebird.exe 13->22         started        24 firebird.exe 13->24         started        signatures6 process7 dnsIp8 50 Tries to harvest and steal browser information (history, passwords, etc) 15->50 32 showip.net 162.55.60.2, 49691, 49693, 80 ACPCA United States 18->32 26 C:\Users\user\AppData\...\firebird.exe, PE32 18->26 dropped 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->52 54 Tries to steal Mail credentials (via file / registry access) 18->54 56 Creates autostart registry keys with suspicious names 18->56 file9 signatures10
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/87fe3267b683590bfefe5041835233c058dfcc764e427f201fa550cd89fb3133
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87fe3267b683590bfefe5041835233c058dfcc764e427f201fa550cd89fb3133/
Verdict:
Malicious
Threat:
VHO:Backdoor.Win32.Androm
Link:
https://tip.neiki.dev/file/87fe3267b683590bfefe5041835233c058dfcc764e427f201fa550cd89fb3133
Threat name:
ByteCode-MSIL.Trojan.DarkTortillla
Create hunting rule
Status:
Malicious
First seen:
2025-12-03 01:16:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q77dez5wqnmqx7x6kbaygurtybmn7tdwjzbh6ia7uvim3cp3gezq._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
Similar samples:
426fd8cbda5097fbd159476c10aaea55508712928bfcc765fe6b423b57b545f6
DarkTortilla
a56e10d246a4738546db98052e93096eed2e6ccea1688e3976e8e053aaa0b3d0
DarkTortilla
error
DarkTortilla
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/251203-khqbksxlem/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
.NET Reactor proctector
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
DarkCloud
YARA:
n/a
Link:
https://app.threat.zone/submission/06f8ec9b-861b-4035-96eb-b894c92aca60
Unpacked files
SH256 hash:
87fe3267b683590bfefe5041835233c058dfcc764e427f201fa550cd89fb3133
MD5 hash:
ef56ceeddf5ba59ac0fa0d5b195932f0
SHA1 hash:
06b0902a31ce2a1b1702e29e87f6d7c0205f9a32
Link:
https://www.unpac.me/results/f11a8c4f-7f5b-4764-a359-f8cc1db310fe/
SH256 hash:
f1e8fbd9f3dec37db06f5734566742c2e0e45e2fc3be719ae481f85216d689ad
MD5 hash:
ff09b029bc343c854a5bd1cd5201b25c
SHA1 hash:
88371b1df2dc449bdc8bb8e03d3b313dd13eeb02
Detections:
darkcloudstealer
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/f11a8c4f-7f5b-4764-a359-f8cc1db310fe/
SH256 hash:
dcfcd16fbf0511d3f2b3792e5493fa22d7291e4bb2efbfa5ade5002a04fc2cab
MD5 hash:
073a17b6cfb1112c6c838b2fba06a657
SHA1 hash:
a54bb22489eaa8c52eb3e512aee522320530b0be
Link:
https://www.unpac.me/results/f11a8c4f-7f5b-4764-a359-f8cc1db310fe/
SH256 hash:
1cc82ebbaabb21be0388a1c9e2519a7a94a5420334f4c0c55350dfd488e00ebe
MD5 hash:
9392f5a5f15c19270e050bba749f50d8
SHA1 hash:
1a4fb6703ae714240ccd05f02177ccf4a8e0cb32
Detections:
darkcloudstealer
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/f11a8c4f-7f5b-4764-a359-f8cc1db310fe/
SH256 hash:
23b5b9ed38314f86825470df6b0585190a276dba3b2bf08b352e2bde13eb6013
MD5 hash:
ad7e493f5df6a4f600e136ba4e7b4c29
SHA1 hash:
3733c6aa752fdf1074306b9407339100c0008daf
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/f11a8c4f-7f5b-4764-a359-f8cc1db310fe/
Parent samples :
426fd8cbda5097fbd159476c10aaea55508712928bfcc765fe6b423b57b545f6
73641a6dd5f95201524760fb4b5e951dba1fa239bce351d6e765021ab08de01f
87fe3267b683590bfefe5041835233c058dfcc764e427f201fa550cd89fb3133
c657660bce96a5fadf3390883849fc322b606f0a0c497fd639c7a49ecd920c15
929a6fecc6b43b14b92fb96ea538fc3b64f44a5224e47505bee802817d584e3e
a3f3c13022d181943668305aac375efbd5b336d5c2a350ddabc2186b97abbf0c
f2937a4c27177aade4d4df887e17ae115cc3ecb778bb03c6a6ae54b503a00f5b
2a084e79463e72c0933ec50e0b89aa2cdd5295584b6d6b211da98c5a3b4a8a8c
37435cb1937605bc54b865e27c56b97165e0eadd7c2eadcb1479d9ff83c6b117
738480ab58300675f57080ee683e73d854f5f3ed01cd846c2b0e98116a0d301f
84b6e7c39ea67509b28d31aa2544bab496562361af72e2ce5bb3e7158d90e746
SH256 hash:
222b04688d1e2030192b188f099ecfd52bd7af6b986ac93e141a80f2766da879
MD5 hash:
c71e17acab65a4dd054c78c0481c7674
SHA1 hash:
63b0d563f15ab5b92c337ef37d741004623d0f62
Link:
https://www.unpac.me/results/f11a8c4f-7f5b-4764-a359-f8cc1db310fe/
SH256 hash:
2673d470353413edfb567ff7479395dc52824db6469520ebe8d91dbca2bccac2
MD5 hash:
e5be1fdba36d5032726313afe4c7dd63
SHA1 hash:
c65ebe77906cec3bcb5e805a327f1aa823be57ca
Link:
https://www.unpac.me/results/f11a8c4f-7f5b-4764-a359-f8cc1db310fe/
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/f11a8c4f-7f5b-4764-a359-f8cc1db310fe/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/87fe3267b683/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/87fe3267b683590bfefe5041835233c058dfcc764e427f201fa550cd89fb3133

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkTortilla

Executable exe 87fe3267b683590bfefe5041835233c058dfcc764e427f201fa550cd89fb3133

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42239/

Comments