MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aeeab05d1eb82a29003d7e90ef6133a3b1cbc33aeb07abd402efc2a2882399cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aeeab05d1eb82a29003d7e90ef6133a3b1cbc33aeb07abd402efc2a2882399cd
SHA3-384 hash: c4126dccbcbf5d584d9f3b5a15d625df084120ac8225400b009dd662df329c9a3eebcb51d844830a73a72dc19af564fb
SHA1 hash: 130bcf042861b41397d952367e6f767de1c933d7
MD5 hash: d2b9e982aa09dcfa239e5f268703ecd6
humanhash: aspen-sodium-bacon-king
File name:New Quote.exe
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:1'254'400 bytes
First seen:2026-06-17 11:05:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'076 x AgentTesla, 20'040 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 24576:7Vlb0HsBsxpbrqKR1N9mnOTmmYMHKjaoXe:73ssBsTbFN9mnGmgUO
Threatray 15 similar samples on MalwareBazaar
TLSH T1FE45D02933D88688F4B9EB355A721B4407F2F987D961E70FBE4A30DC4869B579600B37
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_aeeab05d1eb82a29003d7e90ef6133a3b1cbc33aeb07abd402efc2a2882399cd.exe
Verdict:
No threats detected
Analysis date:
2026-06-17 11:08:37 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/9532c27b-9c05-447c-9c60-a31eb15659cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71062/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.8.Gen.34951117.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a327fac1a97308eef89d638
Tags:
virus micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated vbnet
Link:
https://www.filescan.io/uploads/6a327f919799578a6c3d04f7/reports/b51001aa-1353-4f44-9869-e1432e598ba9/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/aeeab05d1eb82a29003d7e90ef6133a3b1cbc33aeb07abd402efc2a2882399cd
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-15T11:44:00Z UTC
Last seen:
2026-06-19T09:16:00Z UTC
Hits:
~1000
Detections:
VHO:Trojan.Win32.Sdum.gen Trojan.MSIL.Inject.b Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C HEUR:Trojan-Spy.MSIL.Noon.gen
Link:
https://opentip.kaspersky.com/aeeab05d1eb82a29003d7e90ef6133a3b1cbc33aeb07abd402efc2a2882399cd/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8d54ca90-09cc-4057-b6cc-04e09fccd2f8
Result
Threat name:
DarkTortilla, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1929305
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected FormBook
Yara detected MSIL Injector
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1929305 Sample: New Quote.exe Startdate: 17/06/2026 Architecture: WINDOWS Score: 100 34 www.comenty.ru 2->34 36 www.0a8b2y.asia 2->36 42 Suricata IDS alerts for network traffic 2->42 44 Antivirus detection for URL or domain 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 9 other signatures 2->48 11 New Quote.exe 3 2->11         started        signatures3 process4 file5 32 C:\Users\user\AppData\...32ew Quote.exe.log, ASCII 11->32 dropped 58 Injects a PE file into a foreign processes 11->58 15 New Quote.exe 11->15         started        signatures6 process7 signatures8 60 Maps a DLL or memory area into another process 15->60 18 nqDUvMQcNf6q.exe 15->18 injected process9 process10 20 sdchange.exe 13 18->20         started        signatures11 50 Tries to steal Mail credentials (via file / registry access) 20->50 52 Tries to harvest and steal browser information (history, passwords, etc) 20->52 54 Modifies the context of a thread in another process (thread injection) 20->54 56 4 other signatures 20->56 23 xudNqD2L05.exe 20->23 injected 26 chrome.exe 20->26         started        28 firefox.exe 20->28         started        process12 dnsIp13 38 www.0a8b2y.asia 156.244.73.169, 49692, 80 HKIDC-AS-APLUOGELANGFRANCELIMITEDHK Hong Kong SAR China 23->38 40 www.comenty.ru 5.101.153.187, 49693, 49694, 80 BEGET-ASRU Russia 23->40 30 WerFault.exe 4 26->30         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aeeab05d1eb82a29003d7e90ef6133a3b1cbc33aeb07abd402efc2a2882399cd
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aeeab05d1eb82a29003d7e90ef6133a3b1cbc33aeb07abd402efc2a2882399cd/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/aeeab05d1eb82a29003d7e90ef6133a3b1cbc33aeb07abd402efc2a2882399cd
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-06-15 15:03:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v3vlaxi6xavcsab5p2io6yjtuoy4xqz25md2xvac57bkfcbdthgq._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
Similar samples:
1068b6049165dfad290648df7a0b36bbd110b98eed7f447a10fe7f62bd414ccc
DarkTortilla
14f62053739732d93f517339bc700faa7de9ced2050b9055d71c84108feb577a
DarkTortilla
60f29781b976a9e1d2638edb1f04333335712a572c0bcfb7d4c49eeab6dd2eb9
DarkTortilla
b064db45193ce571396ff195824ae113a33af2ad516bfe2322ea13c9cc1ce2c4
DarkTortilla
b4e7a3375a80a0da7b08f6caf8d83d795e01dd0693d9e76dd8f8ba6e8a03f1fd
DarkTortilla
d56bd06a68d33a1d07b75d1caec577a592dc7ea893d34153746b0d4cec21de58
DarkTortilla
error
DarkTortilla
+ 5 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/260617-m7bktset4q/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
.NET Reactor proctector
Family: Formbook
Formbook payload
Unpacked files
SH256 hash:
aeeab05d1eb82a29003d7e90ef6133a3b1cbc33aeb07abd402efc2a2882399cd
MD5 hash:
d2b9e982aa09dcfa239e5f268703ecd6
SHA1 hash:
130bcf042861b41397d952367e6f767de1c933d7
Link:
https://www.unpac.me/results/644937ca-efa5-4b53-993c-9f6311e099ea/
SH256 hash:
cad6f02bdd6527c30442d766a69e826e9f5f36a3b8df7ef88d9076964411d87b
MD5 hash:
19c9cab32601134a7cc3ce7d0b25c34a
SHA1 hash:
017b7554650afcd6ea8aaffaafe5ce71762739ee
Link:
https://www.unpac.me/results/644937ca-efa5-4b53-993c-9f6311e099ea/
SH256 hash:
b9fbbc0882a9292051f67b55e19ce05642087cc0b28cfad9c4179ec83e10a260
MD5 hash:
e1bc2eed219732e90e59d2ca3556f7b9
SHA1 hash:
5ff3d4764df59d5c26bb66c0462e95c9ce5ef24f
Link:
https://www.unpac.me/results/644937ca-efa5-4b53-993c-9f6311e099ea/
SH256 hash:
8567bfcb4198ac228c8491c45fe1a3503b0ef512f3a4e4a60849e125d0c31e65
MD5 hash:
e22ae9aa18da51cee7d287944079191a
SHA1 hash:
6c3427d9bc91a03f613b0581c394deb57110b80b
Link:
https://www.unpac.me/results/644937ca-efa5-4b53-993c-9f6311e099ea/
SH256 hash:
2d471d877e164ca447e36f7b36dd5d86df9364e3d0fc2f9d325709ab0ce3f6c6
MD5 hash:
a0bfa16cdb3aee88d57d8b55bfe968a5
SHA1 hash:
f93bfee58b745d1afff0c439297db0a5e6c3361f
Link:
https://www.unpac.me/results/644937ca-efa5-4b53-993c-9f6311e099ea/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aeeab05d1eb8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aeeab05d1eb82a29003d7e90ef6133a3b1cbc33aeb07abd402efc2a2882399cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkTortilla

Executable exe aeeab05d1eb82a29003d7e90ef6133a3b1cbc33aeb07abd402efc2a2882399cd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71062/

Comments