MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 969a0b47d5f33033a2b90dea5d55d2b8d4cec57a106dcd4a0e6d493ab94a2cca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 969a0b47d5f33033a2b90dea5d55d2b8d4cec57a106dcd4a0e6d493ab94a2cca
SHA3-384 hash: 76fd0973cc81a57f21132b7ac657536c90b3f2a73d904ce61c902693fb651751446ad5834c4be9bbdc0d162f1bf3fba7
SHA1 hash: 285a4bd81a95bb641084b1e9888bb7f16f444cc2
MD5 hash: 8476f2c69f95f8e487288da4e56bcb64
humanhash: ink-north-hotel-angel
File name:file
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:2'881'536 bytes
First seen:2025-06-04 17:11:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:E2gwWmIUw3R04pimqhxcGAdRIre7IiD7cBA/RBdYrx4DLw9tat+Uj:1S04pim2A7Ire7HhDSrx0o3
TLSH T10DD5129527DD3480D0BE6F31AAB420509BB0F5A79932D7BE408094FD6FA1791ECA17E3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter jstrosch
Tags:.NET DarkTortilla exe MSIL


Avatar
jstrosch
Found at hxxp://209.54.101[.]170/scan/adobe.exe by #subcrawl

Intelligence

File Origin
# of uploads :
1
# of downloads :
416
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2025-06-04 17:37:46 UTC
Tags:
httpdebugger tool auto-reg
Link:
https://app.any.run/tasks/5d4f9711-20e5-42a2-b4c0-4bae129a5e50

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/7332/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68407f1507b5e8c1cfe4b66f
Tags:
micro shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Running batch commands
Launching a process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm explorer fingerprint lolbin obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68407e52fd02ed5e05983943/reports/a5d37c49-ee4f-4d1f-9846-c58c5bd2524a/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/969a0b47d5f33033a2b90dea5d55d2b8d4cec57a106dcd4a0e6d493ab94a2cca
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e8beca1-7817-494e-ae17-ddc2b4515408
Result
Threat name:
Remcos, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1706273
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected Remcos RAT
Drops executable to a common third party application directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses threadpools to delay analysis
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1706273 Sample: file.exe Startdate: 04/06/2025 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 7 other signatures 2->55 7 file.exe 4 2->7         started        process3 file4 33 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 7->33 dropped 57 Detected Remcos RAT 7->57 59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->61 63 2 other signatures 7->63 11 cmd.exe 3 7->11         started        15 cmd.exe 1 7->15         started        signatures5 process6 file7 35 C:\Users\user\adobe\adobe.exe, PE32 11->35 dropped 37 C:\Users\user\...\adobe.exe:Zone.Identifier, ASCII 11->37 dropped 65 Uses ping.exe to sleep 11->65 67 Drops executable to a common third party application directory 11->67 17 adobe.exe 2 11->17         started        20 conhost.exe 11->20         started        22 PING.EXE 1 11->22         started        24 PING.EXE 1 11->24         started        69 Uses ping.exe to check the status of other devices and networks 15->69 26 PING.EXE 1 15->26         started        29 conhost.exe 15->29         started        31 reg.exe 1 1 15->31         started        signatures8 process9 dnsIp10 41 Multi AV Scanner detection for dropped file 17->41 43 Detected Remcos RAT 17->43 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->45 47 Uses threadpools to delay analysis 17->47 39 127.0.0.1 unknown unknown 26->39 signatures11
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/969a0b47d5f33033a2b90dea5d55d2b8d4cec57a106dcd4a0e6d493ab94a2cca
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/969a0b47d5f33033a2b90dea5d55d2b8d4cec57a106dcd4a0e6d493ab94a2cca/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Suspicious
First seen:
2025-06-04 17:12:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s2nawr6v6mydhivzbxvf2vosxdkm5rl2cbw42sqonvetvokkftfa._file
Result
Malware family:
darktortilla
Create hunting rule
Score:
  10/10
Tags:
family:darktortilla crypter discovery loader persistence
Link:
https://tria.ge/reports/250604-vqgphsaj3w/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Adds Run key to start application
Executes dropped EXE
Darktortilla
Darktortilla family
Detects Darktortilla crypter.
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6d4fe637-a2da-4532-99d0-eca72883a3c3
Unpacked files
SH256 hash:
969a0b47d5f33033a2b90dea5d55d2b8d4cec57a106dcd4a0e6d493ab94a2cca
MD5 hash:
8476f2c69f95f8e487288da4e56bcb64
SHA1 hash:
285a4bd81a95bb641084b1e9888bb7f16f444cc2
Link:
https://www.unpac.me/results/d62f03b1-7a33-494f-a6db-7b9b4afc309f/
SH256 hash:
abe40246d5da836f649be8e27323fe4119e200cb85da0e48eeaf9ce2e6d0aa71
MD5 hash:
dde8fe4d47d2f6ff6ae3fc0a5022b12f
SHA1 hash:
1a56e379d661e6062f6ee863b33de3ffc5d1036b
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Remcos
Create hunting rule
malware_windows_remcos_rat
Create hunting rule
Remcos
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Link:
https://www.unpac.me/results/d62f03b1-7a33-494f-a6db-7b9b4afc309f/
SH256 hash:
38a740a1a4694752c92ce1b6771d26f2a805a50f651c2dcc40298cc2f1f316de
MD5 hash:
fc28bcf710ce538519063b7c781fd5cd
SHA1 hash:
baa2cd409270274d5111fe237bfa111f706dde67
Link:
https://www.unpac.me/results/d62f03b1-7a33-494f-a6db-7b9b4afc309f/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/969a0b47d5f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/969a0b47d5f33033a2b90dea5d55d2b8d4cec57a106dcd4a0e6d493ab94a2cca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkTortilla

Executable exe 969a0b47d5f33033a2b90dea5d55d2b8d4cec57a106dcd4a0e6d493ab94a2cca

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/7332/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments