MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0d42bf65e480d232fa60d58d47eeaabf7b5a7d58c869185139a180f5cb4d920. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0d42bf65e480d232fa60d58d47eeaabf7b5a7d58c869185139a180f5cb4d920
SHA3-384 hash: cad97866cafd4ea5b136d9555f976ef7c395c0f9040076c47ac4587620aabf461551fa4d2b249e5a53f4002cdba2df3c
SHA1 hash: 15cbed03d85d3f975abef5d2a3babf6d2772c26f
MD5 hash: b33f727e8e014964d296d911348e7bf8
humanhash: maine-earth-cup-mobile
File name:Quotation.exe
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:1'014'272 bytes
First seen:2026-05-10 01:10:42 UTC
Last seen:2026-05-11 06:44:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'919 x AgentTesla, 19'821 x Formbook, 12'309 x SnakeKeylogger)
ssdeep 24576:8or8r76t4CllVkoav+HJ/oyfJuz0zy+3xVks:G6t4Cn2+VoycSyH
TLSH T1D825F0119E8B6B98E53B0FB8C093004473F0D547D3A6D7AF6FED14FA29A2B48D923561
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
DeepSea
Details
DeepSea
DeepSea decrypted strings
Link:
https://research.acce.ciphertechsolutions.com/results/000bad29-bb25-429f-aeda-9a4d9d704e9d/
Malware family:
n/a
ID:
1
File name:
_b0d42bf65e480d232fa60d58d47eeaabf7b5a7d58c869185139a180f5cb4d920.exe
Verdict:
Suspicious activity
Analysis date:
2026-05-10 01:13:03 UTC
Tags:
netreactor auto-reg
Link:
https://app.any.run/tasks/a38fe3c3-7bdd-4b9b-aa9b-7cf538180b48

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/65515/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3236.9678.22027.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a01da84832827cdb620c900
Tags:
shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Launching a process
Creating a file
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt explorer formbook lolbin macros-on-open obfuscated obfuscated packed unsafe vbnet
Link:
https://www.filescan.io/uploads/69ffdb3ddf14f1cb2aced8b3/reports/f5902f44-98bd-4ed3-9332-cd6296b7ba54/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b0d42bf65e480d232fa60d58d47eeaabf7b5a7d58c869185139a180f5cb4d920
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-09T07:30:00Z UTC
Last seen:
2026-05-11T23:36:00Z UTC
Hits:
~10000
Detections:
VHO:Trojan-PSW.MSIL.Convagent.gen VHO:Backdoor.Win32.Androm.gen Trojan.Win32.Mucc.sb Trojan.MSIL.Inject.b Trojan.MSIL.Dnoper.sb PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Agent.gen HEUR:Trojan-PSW.MSIL.Convagent.gen
Link:
https://opentip.kaspersky.com/b0d42bf65e480d232fa60d58d47eeaabf7b5a7d58c869185139a180f5cb4d920/results?tab=lookup
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f836ac87-7e1b-4be2-9ae6-6d3930982356
Result
Threat name:
DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1911202
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected MSIL Injector
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1911202 Sample: Quotation.exe Startdate: 10/05/2026 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for dropped file 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected MSIL Injector 2->40 42 6 other signatures 2->42 7 Quotation.exe 3 2->7         started        process3 file4 30 C:\Users\user\AppData\...\Quotation.exe.log, ASCII 7->30 dropped 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->44 11 cmd.exe 1 7->11         started        14 cmd.exe 3 7->14         started        signatures5 process6 file7 46 Uses ping.exe to sleep 11->46 48 Uses ping.exe to check the status of other devices and networks 11->48 17 PING.EXE 1 11->17         started        20 conhost.exe 11->20         started        22 reg.exe 1 1 11->22         started        32 C:\Users\user\AppData\Roaming\Chrome.exe, PE32 14->32 dropped 24 conhost.exe 14->24         started        26 PING.EXE 1 14->26         started        28 PING.EXE 1 14->28         started        signatures8 process9 dnsIp10 34 127.0.0.1 unknown unknown 17->34
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b0d42bf65e480d232fa60d58d47eeaabf7b5a7d58c869185139a180f5cb4d920
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/b33f727e8e014964d296d911348e7bf8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0d42bf65e480d232fa60d58d47eeaabf7b5a7d58c869185139a180f5cb4d920/
Verdict:
Malicious
Threat:
VHO:Backdoor.Win32.Androm
Link:
https://tip.neiki.dev/file/b0d42bf65e480d232fa60d58d47eeaabf7b5a7d58c869185139a180f5cb4d920
Threat name:
ByteCode-MSIL.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-05-09 17:41:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wdkcx5s6jagsgl5gbvmni7xkvp33lj6vrsdjdbittima6xfu3eqa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/260510-bjszesax3n/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Adds Run key to start application
.NET Reactor proctector
Executes dropped EXE
Unpacked files
SH256 hash:
b0d42bf65e480d232fa60d58d47eeaabf7b5a7d58c869185139a180f5cb4d920
MD5 hash:
b33f727e8e014964d296d911348e7bf8
SHA1 hash:
15cbed03d85d3f975abef5d2a3babf6d2772c26f
Link:
https://www.unpac.me/results/83826b6c-3395-4929-9759-31f1820c339b/
SH256 hash:
7fd74295e95ddbae4b01b8fab40da7821952fc12fc707429ba500e8048089ad2
MD5 hash:
c854e8bfbb8299bc08429b09367dc463
SHA1 hash:
6f07b0f83f02b8e92ce5c1655528cfaa85a97bfe
Link:
https://www.unpac.me/results/83826b6c-3395-4929-9759-31f1820c339b/
SH256 hash:
2d471d877e164ca447e36f7b36dd5d86df9364e3d0fc2f9d325709ab0ce3f6c6
MD5 hash:
a0bfa16cdb3aee88d57d8b55bfe968a5
SHA1 hash:
f93bfee58b745d1afff0c439297db0a5e6c3361f
Link:
https://www.unpac.me/results/83826b6c-3395-4929-9759-31f1820c339b/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b0d42bf65e48/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b0d42bf65e480d232fa60d58d47eeaabf7b5a7d58c869185139a180f5cb4d920

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkTortilla

Executable exe b0d42bf65e480d232fa60d58d47eeaabf7b5a7d58c869185139a180f5cb4d920

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/65515/

Comments