MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f91169f8332b4dea5a6495604fafdb6330c79af0c5b902fbe6eaae9b1692595. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f91169f8332b4dea5a6495604fafdb6330c79af0c5b902fbe6eaae9b1692595
SHA3-384 hash: 22c4cc27469ed18d797a76b97c6134d9cd15c72713e0f6c47e12477ce35026c3a3d74aaaa08a61fc7b149d93ee8221ae
SHA1 hash: 93c8aeaddd6e3967e13946178c9a87b744a75739
MD5 hash: c486ca38226c94034e6f0f3381acc41c
humanhash: helium-oven-alabama-xray
File name:SecuriteInfo.com.Trojan.KeyloggerNET.52.123.3334
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:5'389'312 bytes
First seen:2025-05-29 17:19:35 UTC
Last seen:2025-05-29 18:26:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 98304:HQeSXeR5d7nEUg0rYmt+NIUHRyXAcIvrLuFkMRGrT5U/:HQrcFnEVyYQ+XzdYGq/
TLSH T14046221823ED1A04F8BF5B3244791A2057B1FD479AB3D32E25DD45EE0F32382AA16763
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 631cf3c68b33e3e6 (2 x Rhadamanthys, 2 x DarkTortilla, 2 x LummaStealer)
Reporter SecuriteInfoCom
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
535
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.KeyloggerNET.52.123.3334
Verdict:
No threats detected
Analysis date:
2025-05-29 17:22:24 UTC
Tags:
httpdebugger tool
Link:
https://app.any.run/tasks/b398321d-7558-4a05-b7f2-1eab0f74e505

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/6227/
Detection(s):
SecuriteInfo.com.Trojan.KeyloggerNET.52.123.3334.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683897d9acf88f5815e88abe
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated vbnet
Link:
https://www.filescan.io/uploads/68389762fd02ed5e058eea1a/reports/e71dd9c6-b5c2-4dad-a55c-fc04c97010a5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9f91169f8332b4dea5a6495604fafdb6330c79af0c5b902fbe6eaae9b1692595
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9fbcd910-b53d-42ae-9f63-c6aa935759fd
Result
Threat name:
DarkTortilla, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1701691
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Uses threadpools to delay analysis
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Powershell decode and execute
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1701691 Sample: SecuriteInfo.com.Trojan.Key... Startdate: 29/05/2025 Architecture: WINDOWS Score: 100 89 xx.7.4t.com 2->89 91 t.me 2->91 107 Suricata IDS alerts for network traffic 2->107 109 Found malware configuration 2->109 111 Malicious sample detected (through community Yara rule) 2->111 113 10 other signatures 2->113 10 SecuriteInfo.com.Trojan.KeyloggerNET.52.123.3334.exe 3 2->10         started        signatures3 process4 file5 87 SecuriteInfo.com.T...52.123.3334.exe.log, ASCII 10->87 dropped 123 Writes to foreign memory regions 10->123 125 Tries to delay execution (extensive OutputDebugStringW loop) 10->125 127 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->127 129 3 other signatures 10->129 14 AddInProcess32.exe 33 10->14         started        18 AddInProcess32.exe 3 10->18         started        signatures6 process7 dnsIp8 103 xx.7.4t.com 78.46.235.75, 443, 49694, 49695 HETZNER-ASDE Germany 14->103 105 t.me 149.154.167.99, 443, 49693 TELEGRAMRU United Kingdom 14->105 131 Encrypted powershell cmdline option found 14->131 133 Tries to harvest and steal browser information (history, passwords, etc) 14->133 20 powershell.exe 14->20         started        24 powershell.exe 14->24         started        26 chrome.exe 14->26         started        31 23 other processes 14->31 135 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->135 137 Injects a PE file into a foreign processes 18->137 139 Uses threadpools to delay analysis 18->139 141 Switches to a custom stack to bypass stack traces 18->141 29 AddInProcess32.exe 18->29         started        signatures9 process10 dnsIp11 83 C:\Users\user\AppData\...\51frk2b5.cmdline, Unicode 20->83 dropped 115 Writes to foreign memory regions 20->115 117 Compiles code for process injection (via .Net compiler) 20->117 119 Creates a thread in another existing process (thread injection) 20->119 33 csc.exe 20->33         started        36 conhost.exe 20->36         started        85 C:\Users\user\AppData\Local\...\vqh2hysf.0.cs, Unicode 24->85 dropped 38 conhost.exe 24->38         started        99 192.168.2.6, 138, 443, 49687 unknown unknown 26->99 40 chrome.exe 26->40         started        101 77.110.125.28, 49728, 8118 STSSA Lebanon 29->101 121 Found direct / indirect Syscall (likely to bypass EDR) 29->121 43 csc.exe 31->43         started        45 csc.exe 31->45         started        47 csc.exe 31->47         started        49 19 other processes 31->49 file12 signatures13 process14 dnsIp15 67 C:\Users\user\AppData\Local\...\51frk2b5.dll, PE32 33->67 dropped 51 cvtres.exe 33->51         started        93 ogads-pa.clients6.google.com 142.250.113.95, 443, 49720, 49722 GOOGLEUS United States 40->93 95 plus.l.google.com 142.250.115.138, 443, 49721 GOOGLEUS United States 40->95 97 3 other IPs or domains 40->97 69 C:\Users\user\AppData\Local\...\42ttdvex.dll, PE32 43->69 dropped 53 cvtres.exe 43->53         started        71 C:\Users\user\AppData\Local\...\qc2shssa.dll, PE32 45->71 dropped 55 cvtres.exe 45->55         started        73 C:\Users\user\AppData\Local\...\lhuemnud.dll, PE32 47->73 dropped 57 cvtres.exe 47->57         started        75 C:\Users\user\AppData\Local\...\ud4qvqye.dll, PE32 49->75 dropped 77 C:\Users\user\AppData\Local\...\t51lwshg.dll, PE32 49->77 dropped 79 C:\Users\user\AppData\Local\...\p31fqyzh.dll, PE32 49->79 dropped 81 5 other files (none is malicious) 49->81 dropped 59 cvtres.exe 49->59         started        61 cvtres.exe 49->61         started        63 cvtres.exe 49->63         started        65 4 other processes 49->65 file16 process17
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9f91169f8332b4dea5a6495604fafdb6330c79af0c5b902fbe6eaae9b1692595
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f91169f8332b4dea5a6495604fafdb6330c79af0c5b902fbe6eaae9b1692595/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Suspicious
First seen:
2025-05-29 17:20:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
156
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t6irnh4dgk2n5jngjflaj6x5wyzqy6npbrnzal56n2votmljewkq._file
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:darktortilla family:vidar botnet:489c25ffabb35a36a7aac6fb3c16f04b credential_access crypter defense_evasion discovery loader spyware stealer
Link:
https://tria.ge/reports/250529-vwnp1svqv5/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Obfuscated Files or Information: Command Obfuscation
Unsecured Credentials: Credentials In Files
Uses browser remote debugging
Darktortilla
Darktortilla family
Detect Vidar Stealer
Detects Darktortilla crypter.
Vidar
Vidar family
Malware Config
C2 Extraction:
https://t.me/w0d0lm
https://steamcommunity.com/profiles/76561199860669882
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ebd542fb-defc-4045-ba97-16804ba14180
Unpacked files
SH256 hash:
9f91169f8332b4dea5a6495604fafdb6330c79af0c5b902fbe6eaae9b1692595
MD5 hash:
c486ca38226c94034e6f0f3381acc41c
SHA1 hash:
93c8aeaddd6e3967e13946178c9a87b744a75739
Link:
https://www.unpac.me/results/51ae09ad-3595-4f3f-8563-203fd17231a2/
SH256 hash:
681ceca13121e08d21f13c77ce949995482fd2601203807a563a0ade66381d7f
MD5 hash:
130ff0d5e15b8afa8824c257a5f11f59
SHA1 hash:
59a6d9cd9893df9f19964450598ffb4669b4aa66
Link:
https://www.unpac.me/results/51ae09ad-3595-4f3f-8563-203fd17231a2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9f91169f8332/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkTortilla

Executable exe 9f91169f8332b4dea5a6495604fafdb6330c79af0c5b902fbe6eaae9b1692595

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/6227/
  
URLhaus
https://urlhaus.abuse.ch/url/3555181/
  
Delivery method
Distributed via web download

Comments