MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb137c100b1bdff7e0ec53d8c241cbb48c36053ce42b28e0bde597ee44bd6436. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkTortilla

Vendor detections: 18

Intelligence 18 IOCs YARA 18 File information Comments

SHA256 hash:	bb137c100b1bdff7e0ec53d8c241cbb48c36053ce42b28e0bde597ee44bd6436
SHA3-384 hash:	f399bc08d5d94032af28b90573624a01848ba601a30993f7298927074cc045d6bb7a73e46883251fd80ef02b0d1056ce
SHA1 hash:	df6b2d1084d5284ed6dab7c5eb5af3b2384f378c
MD5 hash:	7479900388524599256895898da52666
humanhash:	yankee-lithium-mars-mike
File name:	SecuriteInfo.com.BackDoor.DarkTortillaNET.1.23405.18921
Download:	download sample
Signature	DarkTortilla Create hunting rule
File size:	494'592 bytes
First seen:	2025-10-05 11:52:14 UTC
Last seen:	2025-10-05 12:21:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:zWqtW71gnKXkep2sNbq4TydaFJ1a0nAKVpLqlftDOp+yOjxd25qMCRnN7C6aqy+b:zWq61g252Ybv2daD1xAKrLUfZOQyMs
Threatray	9 similar samples on MalwareBazaar
TLSH	T196B49D2023E88A54F5FF5779893105258BF1FC13D732D76EAAA480DD0E72B81CA66727
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	DarkTortilla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.BackDoor.DarkTortillaNET.1.23405.18921

Verdict:

Malicious activity

Analysis date:

2025-10-05 11:54:36 UTC

Tags:

httpdebugger tool crypto-regex auto-startup

Link:

https://app.any.run/tasks/51fc0507-c508-40b0-8fa7-6e53cfa3d6df

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/30585/

Detection(s):

no reply from clamd

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e25bff91bc581176cbfce2

Tags:

virus micro remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

Launching a process

Creating a file

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Connection attempt to an infection source

Setting a global event handler for the keyboard

Creating a file in the mass storage device

Query of malicious DNS domain

Unauthorized injection to a system process

Enabling autorun by creating a file

Enabling threat expansion on mass storage devices

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

lolbin obfuscated obfuscated obfuscated remote vbnet

Link:

https://www.filescan.io/uploads/68e25c0f5a3bccf09eb86760/reports/7548f195-f272-44ab-896f-0e804e80a4e1/overview

Verdict:

Malicious

Labled as:

Trojan.MSIL.Basic.8

Link:

https://www.hybrid-analysis.com/sample/bb137c100b1bdff7e0ec53d8c241cbb48c36053ce42b28e0bde597ee44bd6436

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-05T07:57:00Z UTC

Last seen:

2025-10-06T09:17:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/bb137c100b1bdff7e0ec53d8c241cbb48c36053ce42b28e0bde597ee44bd6436/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/000eb352-5dc0-4177-a002-b2df3f6bb4a6

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bb137c100b1bdff7e0ec53d8c241cbb48c36053ce42b28e0bde597ee44bd6436

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.85 Win 32 Exe x86

Link:

https://app.malva.re/file/7479900388524599256895898da52666

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bb137c100b1bdff7e0ec53d8c241cbb48c36053ce42b28e0bde597ee44bd6436/

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-10-05 11:53:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 37 (75.68%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xmjxyealdpp7pyhmkpmmeqolwsgdmbj44qvsryf54wl64rf5mq3a._file

Verdict:

malicious

Label(s):

darktortilla

xworm

DarkTortilla

4206c4ded33b3137cb67d2013deb8c6d78b4a55fd16d9930904ad548d8802c19

DarkTortilla

bb137c100b1bdff7e0ec53d8c241cbb48c36053ce42b28e0bde597ee44bd6436

DarkTortilla

be24a2b0dad597b634cc1e5e59b8739ebccb87f2eaffa6a952f02c8933e420ce

DarkTortilla

error

DarkTortilla

Result

Malware family:

xworm

Score:

10/10

Tags:

family:darktortilla family:xworm crypter discovery loader rat trojan

Link:

https://tria.ge/reports/251005-n12zwatwhx/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Drops startup file

Darktortilla

Darktortilla family

Detect Xworm Payload

Detects Darktortilla crypter.

Xworm

Xworm family

Malware Config

C2 Extraction:

rency.ydns.eu:59013
twart.myfirewall.org:59013
wqo9.firewall-gateway.de:59013

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/60f42bb0-6bc4-4a40-a225-61072541b1b0

Unpacked files

SH256 hash:

bb137c100b1bdff7e0ec53d8c241cbb48c36053ce42b28e0bde597ee44bd6436

MD5 hash:

7479900388524599256895898da52666

SHA1 hash:

df6b2d1084d5284ed6dab7c5eb5af3b2384f378c

Link:

https://www.unpac.me/results/fd8ccddd-f98e-42c9-ab78-d1b9bc58b6f5/

SH256 hash:

86d8f2c12a8d1b2d5c642db75b3d28e81a74284f3f7aacd2a6b45df758afcd63

MD5 hash:

25850d56dc372edba928ad9423639043

SHA1 hash:

529d076dd3075bd1d34e10365bb442b8241b74bc

Link:

https://www.unpac.me/results/fd8ccddd-f98e-42c9-ab78-d1b9bc58b6f5/

SH256 hash:

222b04688d1e2030192b188f099ecfd52bd7af6b986ac93e141a80f2766da879

MD5 hash:

c71e17acab65a4dd054c78c0481c7674

SHA1 hash:

63b0d563f15ab5b92c337ef37d741004623d0f62

Link:

https://www.unpac.me/results/fd8ccddd-f98e-42c9-ab78-d1b9bc58b6f5/

SH256 hash:

725db54fd326c8e07d4dd9e42bbf33706018d88b05118aacd68c93cd15c36894

MD5 hash:

5ce37014198b8a41dc0499712c357bd7

SHA1 hash:

bc75566815c565d4ef71d774744ed91461517990

Detections:

win_xworm_w0

XWorm

win_xworm_bytestring

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/fd8ccddd-f98e-42c9-ab78-d1b9bc58b6f5/

SH256 hash:

2673d470353413edfb567ff7479395dc52824db6469520ebe8d91dbca2bccac2

MD5 hash:

e5be1fdba36d5032726313afe4c7dd63

SHA1 hash:

c65ebe77906cec3bcb5e805a327f1aa823be57ca

Link:

https://www.unpac.me/results/fd8ccddd-f98e-42c9-ab78-d1b9bc58b6f5/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bb137c100b1b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bb137c100b1bdff7e0ec53d8c241cbb48c36053ce42b28e0bde597ee44bd6436

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ByteCode_MSIL_Backdoor_AsyncRAT Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects AsyncRAT backdoor.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	MALWARE_Win_XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_DOTNET_PE_List_AV Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detecs .NET Binary that lists installed AVs

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	TH_Generic_MassHunt_Webshells_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic multi-language webshell mass-hunt rule (PHP/ASP(X)/JSP/Python/Perl/Node) - 2025
Reference:	https://cyfare.net/

Rule name:	win_xworm_bytestring Create hunting rule
Author:	Matthew @ Embee_Research
Description:	Detects bytestring present in unobfuscated xworm

Rule name:	win_xworm_w0 Create hunting rule
Author:	jeFF0Falltrades
Description:	Detects win.xworm.

Rule name:	XWorm Create hunting rule
Author:	ditekSHen
Description:	Detects XWorm

Rule name:	xworm_kingrat Create hunting rule
Author:	jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkTortilla

exe bb137c100b1bdff7e0ec53d8c241cbb48c36053ce42b28e0bde597ee44bd6436

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3657580/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/30585/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample