MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90ab1813a3fe7abdb1eac057e4a0ee97b733e741d56e3ac457d6328953bd7986. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkTortilla

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	90ab1813a3fe7abdb1eac057e4a0ee97b733e741d56e3ac457d6328953bd7986
SHA3-384 hash:	a34256d9e0ad5ee1774a78024b978c97647ad1659dd50792d5872fca81f9c328c53b16f73703659da742bf055d2afbe4
SHA1 hash:	0aa76d21d40fce7bb63b81bd0ee625b2b3975089
MD5 hash:	a8b82290c3eba757986095a3e989f588
humanhash:	oxygen-washington-island-comet
File name:	90ab1813a3fe7abdb1eac057e4a0ee97b733e741d56e3ac457d6328953bd7986
Download:	download sample
Signature	DarkTortilla Create hunting rule
File size:	2'155'520 bytes
First seen:	2025-07-07 14:32:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	49152:ikF4owW4/unxIIxsKF3kfzxxOCdR55G7ROjXgQhIU/Md:jBwjGnmIGoOx30OjCU
Threatray	1 similar samples on MalwareBazaar
TLSH	T126A5129877E9AD54E4BD5FB05932A00097F2B2D2D53AD70D5988B2CD2B337802E417BE
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	adrian__luca
Tags:	DarkTortilla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/12943/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686bdad3900df8e7f86845bf

Tags:

virus smtp msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Connection attempt

Sending an HTTP GET request

Creating a window

Running batch commands

Launching a process

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/90ab1813a3fe7abdb1eac057e4a0ee97b733e741d56e3ac457d6328953bd7986

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/2590f5b4-564c-440e-98df-0834a5dfb338

Score:

93%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/90ab1813a3fe7abdb1eac057e4a0ee97b733e741d56e3ac457d6328953bd7986

Verdict:

inconclusive

YARA:

12 match(es)

Tags:

.Net Executable PE (Portable Executable) SOS: 0.25 Win 32 Exe x86

Link:

https://app.malva.re/file/a8b82290c3eba757986095a3e989f588

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/90ab1813a3fe7abdb1eac057e4a0ee97b733e741d56e3ac457d6328953bd7986/

Threat name:

ByteCode-MSIL.Backdoor.njRAT

Status:

Malicious

First seen:

2025-06-21 09:08:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 37 (75.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=scvrqe5d7z5l3mpkybl6jihos63thz2b2vxdvrcx2yzisu55pgda._file

Verdict:

malicious

Label(s):

novastealer

DarkTortilla

Result

Malware family:

darktortilla

Score:

10/10

Tags:

family:darktortilla crypter discovery loader persistence

Link:

https://tria.ge/reports/250707-rw7akswsds/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Adds Run key to start application

Executes dropped EXE

Darktortilla

Darktortilla family

Detects Darktortilla crypter.

Verdict:

Malicious

Tags:

Web_Client_Attacks

YARA:

n/a

Link:

https://app.threat.zone/submission/01cb7f9b-dad7-4db3-a407-37dd22d97201

Unpacked files

SH256 hash:

90ab1813a3fe7abdb1eac057e4a0ee97b733e741d56e3ac457d6328953bd7986

MD5 hash:

a8b82290c3eba757986095a3e989f588

SHA1 hash:

0aa76d21d40fce7bb63b81bd0ee625b2b3975089

Link:

https://www.unpac.me/results/db5dbfbc-ab2f-4160-a0fe-b23c24f7fad1/

SH256 hash:

1b3a1615d856ffbf62eb484b781f502b575cf2720ae95ec3f8fb5ed38e4aec5b

MD5 hash:

ae0977a0e79ecf9b084657feb68b4a20

SHA1 hash:

3e5e7bf1d18b696b501ccf4f8dba2a199fc83792

Link:

https://www.unpac.me/results/db5dbfbc-ab2f-4160-a0fe-b23c24f7fad1/

SH256 hash:

22181978bf7f9a2d939ac74bacb2bb0652d0387a7ea4073d250577a084feb8d4

MD5 hash:

f0bfe0ab98769644ce0ea21f4922f241

SHA1 hash:

f9ec5eeda8df471cf9d3987976f1b3c707cc4761

Detections:

win_404keylogger_g1

win_masslogger_w0

MAL_Envrial_Jan18_1

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Link:

https://www.unpac.me/results/db5dbfbc-ab2f-4160-a0fe-b23c24f7fad1/

Parent samples :

90fc5b8abe7025184179b0ecce4948baed241898ae625f3710ccc1cd92bcdc00
90ab1813a3fe7abdb1eac057e4a0ee97b733e741d56e3ac457d6328953bd7986

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.93

Link:

https://yomi.yoroi.company/submissions/90ab1813a3fe7abdb1eac057e4a0ee97b733e741d56e3ac457d6328953bd7986

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/12943/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample