MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf405d5470cb9900f08371031043f5c7c7a790fbc2af3b7d1fe43f9dbca1b705. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf405d5470cb9900f08371031043f5c7c7a790fbc2af3b7d1fe43f9dbca1b705
SHA3-384 hash: 153e9b55756df23f6cb5f430759bbb46c709cceb2410e28b1f75dd84b171098c356e680f1706f63e9723a4d1c0a77d7c
SHA1 hash: 68cb0382fd73f351f752c785fad2990b96bb437f
MD5 hash: 5d111baa0e77c02c77cb240dfb546497
humanhash: steak-hydrogen-cardinal-winner
File name:transferencia interbancaria BBVA.exe
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:805'376 bytes
First seen:2025-11-06 14:05:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Ek/r8H4IqVqkKDuHMpP2aHs/KuSaZYesNg+1YOMuNzunGyd:fr8HT4qnaH0P2l/daes9S7uNu
Threatray 44 similar samples on MalwareBazaar
TLSH T12305BF2923CA674CF47EA3B8CBB1552887F0F816D6B1D30FBA6960FD6516F818548723
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter James_inthe_box
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_bf405d5470cb9900f08371031043f5c7c7a790fbc2af3b7d1fe43f9dbca1b705.exe
Verdict:
No threats detected
Analysis date:
2025-11-06 14:05:49 UTC
Tags:
netreactor auto-startup
Link:
https://app.any.run/tasks/a6797e22-54ba-4af3-aa1e-29ebc694451d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/36365/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690cab3b5a5ed7864e239365
Tags:
micro virus remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Creating a file
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Creating a file in the mass storage device
Query of malicious DNS domain
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/bf405d5470cb9900f08371031043f5c7c7a790fbc2af3b7d1fe43f9dbca1b705
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-05T11:30:00Z UTC
Last seen:
2025-11-06T20:31:00Z UTC
Hits:
~1000
Detections:
VHO:Backdoor.Win32.Convagent.gen HEUR:Trojan.MSIL.Inject.gen HEUR:Backdoor.MSIL.XWorm.gen Trojan.WinLNK.Agent.fb Trojan.MSIL.Inject.c Backdoor.MSIL.XWorm.b PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C Trojan.MSIL.Inject.sb Trojan.MSIL.Inject.b Trojan.MSIL.Agent.sb HEUR:Trojan-Spy.WinLNK.Xegumumune.gen Backdoor.MSIL.XWorm.a
Link:
https://opentip.kaspersky.com/bf405d5470cb9900f08371031043f5c7c7a790fbc2af3b7d1fe43f9dbca1b705/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bf405d5470cb9900f08371031043f5c7c7a790fbc2af3b7d1fe43f9dbca1b705
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/5d111baa0e77c02c77cb240dfb546497
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf405d5470cb9900f08371031043f5c7c7a790fbc2af3b7d1fe43f9dbca1b705/
Verdict:
Malicious
Threat:
Family.DARKTORTILLA
Link:
https://tip.neiki.dev/file/bf405d5470cb9900f08371031043f5c7c7a790fbc2af3b7d1fe43f9dbca1b705
Threat name:
Win32.Backdoor.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2025-11-05 15:39:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x5af2vdqzomqb4edoebraq7vy7d2peh3ykxtw7i74q7z3pfbw4cq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
58c5dfa4020903964d305f0bd6caee651f3e29bc311f5191378641a66eaba4de
DarkTortilla
7588832247132c319cf651c3c22d96a7e6e427c642c95caad385ea086624f28d
DarkTortilla
7eb16b0b45dab6d07f6b00b20923751acc5313db25c978ee5f5c42317479af3b
DarkTortilla
cb29310b5e68fa5f5c4aab781924807aea4f10e1d40164892cbf8651abf7bfd7
DarkTortilla
dbb01cca36d9593010e54589aca147accf107a297d9863773b58f45ca8e1ec20
DarkTortilla
+ 34 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:darktortilla family:xworm crypter discovery loader rat trojan
Link:
https://tria.ge/reports/251106-rd1ebafz9f/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
.NET Reactor proctector
Drops startup file
Darktortilla
Darktortilla family
Detect Xworm Payload
Detects Darktortilla crypter.
Xworm
Xworm family
Malware Config
C2 Extraction:
petro4prime.ydns.eu:5909
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3910fa33-85cd-4035-b934-68cebba9104b
Unpacked files
SH256 hash:
bf405d5470cb9900f08371031043f5c7c7a790fbc2af3b7d1fe43f9dbca1b705
MD5 hash:
5d111baa0e77c02c77cb240dfb546497
SHA1 hash:
68cb0382fd73f351f752c785fad2990b96bb437f
Link:
https://www.unpac.me/results/f1e67f43-19dd-47cb-9d11-a60984a087c9/
SH256 hash:
222b04688d1e2030192b188f099ecfd52bd7af6b986ac93e141a80f2766da879
MD5 hash:
c71e17acab65a4dd054c78c0481c7674
SHA1 hash:
63b0d563f15ab5b92c337ef37d741004623d0f62
Link:
https://www.unpac.me/results/f1e67f43-19dd-47cb-9d11-a60984a087c9/
SH256 hash:
2673d470353413edfb567ff7479395dc52824db6469520ebe8d91dbca2bccac2
MD5 hash:
e5be1fdba36d5032726313afe4c7dd63
SHA1 hash:
c65ebe77906cec3bcb5e805a327f1aa823be57ca
Link:
https://www.unpac.me/results/f1e67f43-19dd-47cb-9d11-a60984a087c9/
SH256 hash:
b269e5ad872f75df1e00c3bb5159ae0f8993a28fe288d58997335faceb859545
MD5 hash:
a5fe5f7d121e902d31be788b3e17c0cd
SHA1 hash:
da981ad6ea301ef07cdc5b05b561e991a210db53
Detections:
win_xworm_w0
Create hunting rule
XWorm
Create hunting rule
win_mal_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
Link:
https://www.unpac.me/results/f1e67f43-19dd-47cb-9d11-a60984a087c9/
Parent samples :
b5530271f10e05e1bf2a67b4d89344c90d6ad746d1c78bf0cf75d9755a9f2ae5
c63caf60058b17c399a5bbae72d7386cf5cbac4095e943ba3d1f1f578a1fab2d
be24a2b0dad597b634cc1e5e59b8739ebccb87f2eaffa6a952f02c8933e420ce
4206c4ded33b3137cb67d2013deb8c6d78b4a55fd16d9930904ad548d8802c19
ddc72caa3151b8ed4d54dae76f078dbe0c3d3de110ec9bee16c29c7f76b2720b
f4862dbce922841b392d640cc9469fa48b53509cdd81ca783d851a7537b6478d
8f526c18a2151d5d43f9d3569696519bfb76a900fa8b7ff4e4f0100051730c8d
bf405d5470cb9900f08371031043f5c7c7a790fbc2af3b7d1fe43f9dbca1b705
c0141e9acfac5a67dcd3a794c24ab41dfb379f14e3c1931771c9a7e98e3f12ea
e344fe526e15e7a798d965e12fa66bbae99c620e2bac85cea2cf39da91e1c2a9
426fd8cbda5097fbd159476c10aaea55508712928bfcc765fe6b423b57b545f6
b02b279161596d4cfb6a031d2354460ab7d4918b0963f24a24560c2014ca9251
9cc00b1af48acb7af7f3c53d0a1adbe928d4bda26273dd955120ca138bdf2eca
37435cb1937605bc54b865e27c56b97165e0eadd7c2eadcb1479d9ff83c6b117
SH256 hash:
5e5e9bec537b4fab9eae02d55b33d1081452fae45b71834bf8b25727626286d0
MD5 hash:
4dc6fa0129ba1d37901119568d9818f7
SHA1 hash:
eadbcd089d6b884130cb404875ade25d4786b4bf
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/f1e67f43-19dd-47cb-9d11-a60984a087c9/
Parent samples :
75e978c27e6262cb702ceeb675c1daee950e477e0f5be0f7f65b834ea1b91682
d25df8d5b45fe5cd79e2b45896459838b06ccc9abf6358d97232af011d273976
bbe71876eadd05fb527c215d6e3d40a204cbf6dbf8ffd65212d7c746a825e55d
0f683ab320b6070a7bc825c53640c042011063b95e8fee80be4335a15b9b528f
6d971963f42e669f9a023c9017036579ee6ad6485470e1723606e9fba5f538ba
7588832247132c319cf651c3c22d96a7e6e427c642c95caad385ea086624f28d
848a5affafea6d8247f56c301bc9c2996e51e26015183f1c979a82ff24c49013
a48f535d6b7b30519c4ae130d656070607fed004b9b5d1cb0cb711a424a295b1
bf405d5470cb9900f08371031043f5c7c7a790fbc2af3b7d1fe43f9dbca1b705
ab28803f79757760027a140b87cf9d068ec8c6c8ebc541a680b6f874aeb63a05
495ebfa4a23110b80b574a0dd8cf31022b207c50d2623ce9ac5156bc7660669e
db710d8b8a05aa6b73f401df24f73bb5b2e390921cb9e05a2fa4bfb8b9622447
76ed78255fcc7085a301b43e6fe98ca38a0563e22be70be2afa7be8dfd4b3148
88fc0ee9287443da3f60088a825600b81fd8548cd4a2dda386e9d3b0eaab2522
0f8052863203f2ca4e22cddbb5b6df34f24f4405d5e8ee2baacb0179dfa22b79
4e45b33ef8d4447d199c7e6f7bb9d2e4baa3c2370a1e4e0ffa72bc042c9a5ca6
04e1f69458d2d6d073a4b61f97ba8a4d1219f8d57d4d682b48b9473bfc5dd1d4
3c70bd86849bc23186189bf40b89a9030195885a9b3d823145d9be423c5f8d15
426c058bc1bb6b9088bfbec9582f54cb3256fc42d66cdd32a816c8c46321c8c8
3a7772e29f89c0844024b2a9529109212fc15c824810bd52188a14fffcfb5571
88fc71441cbb84f06e8d10c6aa5763581bb5bf39b8bc395e6bccb6c4aa184e70
b3373b9443b2c689f550e98ae11b37a8942f071485ed8fbea9909cecafff797a
Malware family:
DarkTortilla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bf405d5470cb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf405d5470cb9900f08371031043f5c7c7a790fbc2af3b7d1fe43f9dbca1b705

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/36365/

Comments