MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ade0a4047ab1b1906d978a453a4efa38691a305f7d846463101e9533610a2ed4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ade0a4047ab1b1906d978a453a4efa38691a305f7d846463101e9533610a2ed4
SHA3-384 hash: b6ba7ac5d87abef1ba954168ed1753d814ea8a27c370221799a146354e94b76d3dfda9d6fe280f2677315d8501700748
SHA1 hash: b5da1a381afbeaf79e23be0d8d3197709b8030f0
MD5 hash: 9081449ed8ceb61a11020bed2b3bdeda
humanhash: april-march-twelve-echo
File name:202510793931-01-FA01-00019479.pdf(46KB).exe
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:889'344 bytes
First seen:2025-10-29 20:16:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:g7I61t5eNJ4hQO2RCqVl/iOcwraRFkbigmMUTTJEowUkNDIJFCssVUZ2C2MR:g7INGEVN+Tkb6MUvw1DLuhtR
TLSH T1DA157D8467D42B64E63E9B38A8315C804BF2FAE6CBF0EE696BD459474F7B34146112C3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
202510793931-01-FA01-00019479.pdf46KB.exe
Verdict:
Malicious activity
Analysis date:
2025-10-29 20:28:09 UTC
Tags:
netreactor loader crypto-regex auto-startup auto-reg stealer evasion telegram
Link:
https://app.any.run/tasks/f6070da9-7059-4c18-9649-2556b7b858be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34707/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690276349942f1282eca4121
Tags:
emotet trojan extens spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Restart of the analyzed sample
Creating a file
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Running batch commands
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated vbnet
Link:
https://www.filescan.io/uploads/690277f221d55ed90d421f10/reports/6268d4a5-cb7d-471b-9905-80f6160c9c38/overview
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/ade0a4047ab1b1906d978a453a4efa38691a305f7d846463101e9533610a2ed4
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-29T12:31:00Z UTC
Last seen:
2025-10-29T21:05:00Z UTC
Hits:
~1000
Detections:
Trojan.APosT.UDP.C&C VHO:Backdoor.Win32.Agent.gen Trojan-PSW.Win32.Pycoon.sb Trojan-Dropper.Win32.Injector.sb Trojan-Downloader.Win32.PsDownload.sb Backdoor.MSIL.Crysan.d Trojan-PSW.Win32.DarkCloud.sb Backdoor.Win32.Remcos.e Trojan.MSIL.Inject.c Trojan-Banker.MSIL.ClipBanker.sb PDM:Trojan.Win32.ScreenLocker.gen HEUR:Trojan.MSIL.Inject.gen Trojan-Dropper.Win32.Injector Backdoor.Win32.Remcos.f HEUR:Trojan.MSIL.APosT.gen PDM:Exploit.Win32.Generic Backdoor.Win32.Remcos.sb Trojan-PSW.Win32.Stealer.sb Trojan.MSIL.Agent.sb Backdoor.MSIL.XWorm.a Backdoor.Agent.TCP.C&C HEUR:Trojan-PSW.MSIL.DarkCloud.gen Backdoor.Win32.Androm Trojan.MSIL.Inject.sb Trojan-PSW.MSIL.Agentb.sb Backdoor.MSIL.XWorm.b Trojan-PSW.Win32.Stelega.sb Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic Exploit.Win32.BypassUAC.sb Trojan.MSIL.Inject.b not-a-virus:PDM:AdWare.Win32.Vopak.a HackTool.ReconScan.TCP.ServerRequest
Link:
https://opentip.kaspersky.com/ade0a4047ab1b1906d978a453a4efa38691a305f7d846463101e9533610a2ed4/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ed58293f-6b77-4dca-b463-a1cb485f3eeb
Result
Threat name:
AsyncRAT, DarkCloud, DarkTortilla, Quasa
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1804503
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates an undocumented autostart registry key
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious Process Parents
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected DarkCloud
Yara detected DarkTortilla Crypter
Yara detected Powershell download and execute
Yara detected Quasar RAT
Yara detected Remcos RAT
Yara detected Telegram RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1804503 Sample: 202510793931-01-FA01-000194... Startdate: 29/10/2025 Architecture: WINDOWS Score: 100 117 rency.ydns.eu 2->117 119 igw.myfirewall.org 2->119 121 4 other IPs or domains 2->121 137 Suricata IDS alerts for network traffic 2->137 139 Found malware configuration 2->139 141 Malicious sample detected (through community Yara rule) 2->141 143 21 other signatures 2->143 14 202510793931-01-FA01-00019479.pdf(46KB).exe 3 2->14         started        18 Excelbooks.exe 2->18         started        signatures3 process4 file5 115 202510793931-01-FA...9.pdf(46KB).exe.log, ASCII 14->115 dropped 181 Encrypted powershell cmdline option found 14->181 183 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->183 185 Injects a PE file into a foreign processes 14->185 20 202510793931-01-FA01-00019479.pdf(46KB).exe 1 14->20         started        23 Excelbooks.exe 18->23         started        25 Excelbooks.exe 18->25         started        27 Excelbooks.exe 18->27         started        29 Excelbooks.exe 18->29         started        signatures6 process7 signatures8 145 Encrypted powershell cmdline option found 20->145 31 powershell.exe 15 20 20->31         started        process9 dnsIp10 129 igw.myfirewall.org 91.92.242.237, 49720, 80 THEZONEBG Bulgaria 31->129 131 bmh-global.myfirewall.org 178.16.53.63, 49721, 80 DUSNET-ASDE Germany 31->131 97 C:\Users\user\AppData\Roaming\WORDS.exe, PE32 31->97 dropped 99 C:\Users\user\AppData\...\POWERPOINT.exe, PE32 31->99 dropped 101 C:\Users\user\AppData\Roaming101OTEPAD.exe, PE32 31->101 dropped 103 C:\Users\user\AppData\RoamingXCEL.exe, PE32 31->103 dropped 133 Potential dropper URLs found in powershell memory 31->133 135 Powershell drops PE file 31->135 36 POWERPOINT.exe 3 31->36         started        39 NOTEPAD.exe 3 31->39         started        41 EXCEL.exe 31->41         started        43 2 other processes 31->43 file11 signatures12 process13 signatures14 147 Antivirus detection for dropped file 36->147 149 Hides that the sample has been downloaded from the Internet (zone.identifier) 36->149 45 cmd.exe 36->45         started        49 cmd.exe 36->49         started        51 cmd.exe 39->51         started        53 cmd.exe 39->53         started        151 Uses schtasks.exe or at.exe to add and modify task schedules 41->151 153 Document exploit detected (process start blacklist hit) 41->153 155 Injects a PE file into a foreign processes 41->155 55 EXCEL.exe 41->55         started        157 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 43->157 57 WORDS.exe 43->57         started        60 WORDS.exe 43->60         started        process15 dnsIp16 107 C:\Users\user\AppData\Roaming\iWORD.exe, PE32 45->107 dropped 167 Uses ping.exe to sleep 45->167 62 iWORD.exe 45->62         started        73 3 other processes 45->73 169 Uses cmd line tools excessively to alter registry or file data 49->169 171 Uses ping.exe to check the status of other devices and networks 49->171 65 reg.exe 49->65         started        75 2 other processes 49->75 109 C:\Users\user\AppData\Roaming\iNOTE.exe, PE32 51->109 dropped 67 iNOTE.exe 51->67         started        78 3 other processes 51->78 80 3 other processes 53->80 69 Excelbooks.exe 55->69         started        71 schtasks.exe 55->71         started        125 twart.myfirewall.org 91.92.241.145, 2404, 49724, 49726 THEZONEBG Bulgaria 57->125 111 C:\Users\user\AppData\...\WDUpdate2025.exe, PE32 57->111 dropped 113 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 57->113 dropped file17 signatures18 process19 dnsIp20 173 Antivirus detection for dropped file 62->173 175 Hides that the sample has been downloaded from the Internet (zone.identifier) 62->175 177 Injects a PE file into a foreign processes 62->177 82 iWORD.exe 62->82         started        179 Creates an undocumented autostart registry key 65->179 87 iNOTE.exe 67->87         started        89 Excelbooks.exe 69->89         started        91 conhost.exe 71->91         started        127 127.0.0.1 unknown unknown 75->127 signatures21 process22 dnsIp23 123 showip.net 162.55.60.2, 49725, 80 ACPCA United States 82->123 105 C:\Users\user\AppData\...\boorishness.exe, PE32 82->105 dropped 159 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 82->159 161 Tries to steal Mail credentials (via file / registry access) 82->161 163 Tries to harvest and steal browser information (history, passwords, etc) 82->163 165 Hides that the sample has been downloaded from the Internet (zone.identifier) 89->165 93 schtasks.exe 89->93         started        file24 signatures25 process26 process27 95 conhost.exe 93->95         started       
Score:
72%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ade0a4047ab1b1906d978a453a4efa38691a305f7d846463101e9533610a2ed4
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/9081449ed8ceb61a11020bed2b3bdeda
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ade0a4047ab1b1906d978a453a4efa38691a305f7d846463101e9533610a2ed4/
Verdict:
Malicious
Threat:
Family.DARKCLOUD
Link:
https://tip.neiki.dev/file/ade0a4047ab1b1906d978a453a4efa38691a305f7d846463101e9533610a2ed4
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-10-29 16:04:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vxqkibd2wgyza3mxrjctutx2hburumc7pwcgiyyqd2ktgyikf3ka._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud family:darktortilla family:quasar family:remcos family:xworm botnet:es xworm botnet:spain adware crypter defense_evasion discovery execution loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251029-y2sspstkev/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Obfuscated Files or Information: Command Obfuscation
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Badlisted process makes network request
Downloads MZ/PE file
DarkCloud
Darkcloud family
Darktortilla
Darktortilla family
Detect Xworm Payload
Detects Darktortilla crypter.
Modifies WinLogon for persistence
Quasar RAT
Quasar family
Quasar payload
Remcos
Remcos family
Xworm
Xworm family
Malware Config
C2 Extraction:
rency.ydns.eu:59013
wqo9.firewall-gateway.de:59013
twart.myfirewall.org:59013
twart.myfirewall.org:9792
rency.ydns.eu:5287
wqo9.firewall-gateway.de:8841
code1.ydns.eu:5287
wqo9.firewall-gateway.de:9792
https://api.telegram.org/bot6274587098:AAEvD64fpPpZLNdkxKF7wS-y2GX94H3OkSM/sendMessage?chat_id=6265187542
rency.ydns.eu:2404
wqo9.firewall-gateway.de:4045
code1.ydns.eu:9302
Unpacked files
SH256 hash:
ade0a4047ab1b1906d978a453a4efa38691a305f7d846463101e9533610a2ed4
MD5 hash:
9081449ed8ceb61a11020bed2b3bdeda
SHA1 hash:
b5da1a381afbeaf79e23be0d8d3197709b8030f0
Link:
https://www.unpac.me/results/1b67038c-84ff-49ba-94f0-a8eae5eac9d3/
SH256 hash:
9fb4506a7571af1630f055584ee41055f4edfb3ed2939990593e6a117c82f145
MD5 hash:
e1368e9929f8e77e9327274534ea57fd
SHA1 hash:
62ae4ab0a0570645506f2f442c087b04d585d4a6
Detections:
DotNetPSDownloader
Create hunting rule
Link:
https://www.unpac.me/results/1b67038c-84ff-49ba-94f0-a8eae5eac9d3/
Parent samples :
f93cef3fe96d0e7bb0c66e7eb851b20e1cf256f1bb50d7eccbb02a29232eca67
ade0a4047ab1b1906d978a453a4efa38691a305f7d846463101e9533610a2ed4
SH256 hash:
222b04688d1e2030192b188f099ecfd52bd7af6b986ac93e141a80f2766da879
MD5 hash:
c71e17acab65a4dd054c78c0481c7674
SHA1 hash:
63b0d563f15ab5b92c337ef37d741004623d0f62
Link:
https://www.unpac.me/results/1b67038c-84ff-49ba-94f0-a8eae5eac9d3/
SH256 hash:
e85a6b8eb1d98b78941197990aa61a9768e3c66c5c932fac71f3e9933a4dbe2a
MD5 hash:
e681645e011800fda1f7e13d33429160
SHA1 hash:
7549537f9215deb56b68e33fea2a2f142dee2dc3
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/1b67038c-84ff-49ba-94f0-a8eae5eac9d3/
Parent samples :
cb29310b5e68fa5f5c4aab781924807aea4f10e1d40164892cbf8651abf7bfd7
7eb16b0b45dab6d07f6b00b20923751acc5313db25c978ee5f5c42317479af3b
6c22a1818f78be2dd32749140bfcaa6d930cf94984f1c58a8f21c1a2b0b27e35
dbb01cca36d9593010e54589aca147accf107a297d9863773b58f45ca8e1ec20
898aedc9de508d5a88e225689c03908dbf7ae7f86067cb2930da7f53143e9b97
64c2eb337d6f52f74f77b541d8a915a90ae5bd2cbda6a9497d7a2f026a64f152
db9d3f10e7fe84323b9bfe6a3fd205b98c83625314422b0a8f3b66f424d3d244
7fc90f92f50d98b3bc737f0de1fd17c2f24ae9a72fa2ddbb67c55f8dd73d700d
f93cef3fe96d0e7bb0c66e7eb851b20e1cf256f1bb50d7eccbb02a29232eca67
000d2ec0988cfef8ea5f0f7feb80f928c9f21109dcb8f95d5252584d821e402d
1f1e97a35caf2831608ec2e0c6ad91a22052f44c57de7d115754382bff3f3890
59636b7cbff5b2aabc062847722c9a98515ca99e50f4d8f8104f21225312bbdb
7f739a509c26046509a167ac582b9aae60c9ab7c27b23af2d7aaaa234a9507fd
ef0c66368c8fd108028508e8e23d36aa2b88dcc972fc5e068464c91fd452aa2e
d326d0395da36c738476b5349eb65d59166aa4547bd26f8543cfff26150e85a8
ade0a4047ab1b1906d978a453a4efa38691a305f7d846463101e9533610a2ed4
b7b7861536992715f97316df0345c4da87001c4f2d48c8a5648e5445204a5cfa
2f18faa567de85a9af071bb6b52c9497d412f50179e0796e2cd8f4f4ecb098f2
6e4854a0a4a965d1ecb59cd4e664b6c5452e00873134bb32a3ef96333738b951
432393600780f23c5e93469a8725e0fc453404d06b3ac64e0d3c28ff7bb625d8
b3b29bb015dcf4d167651ac1da563b9c6cf9bdfdaf344d6a9a017907b5ac48d1
36c38c62e9276d44558f77044e996522eaf2b1c3f0e9783c1d0024ff98ff47ba
2d44efd28bad1cd2c8dfb6f21c89b2c105781b0aec01b0951a64d6f1deaef64e
383f8a1216ca0eef171c6aa72da84e540d5c0337e8e6e492c68496f89c4c28a1
d78d47fd0b46c35215d5d3a04a62ddeab1d37d4b7921ca491caa699c9b802f5c
94d4d79500c8e8e0191f9af6f4ca4408dee9a633f8325146b886ee101ee8a737
223850176955ed89a903fa81454768fa0fd69df46f9456ece918058417ffd217
SH256 hash:
2673d470353413edfb567ff7479395dc52824db6469520ebe8d91dbca2bccac2
MD5 hash:
e5be1fdba36d5032726313afe4c7dd63
SHA1 hash:
c65ebe77906cec3bcb5e805a327f1aa823be57ca
Link:
https://www.unpac.me/results/1b67038c-84ff-49ba-94f0-a8eae5eac9d3/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ade0a4047ab1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ade0a4047ab1b1906d978a453a4efa38691a305f7d846463101e9533610a2ed4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkTortilla

Executable exe ade0a4047ab1b1906d978a453a4efa38691a305f7d846463101e9533610a2ed4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34707/

Comments