MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DarkTortilla

Vendor detections: 20

Intelligence 20 IOCs YARA 4 File information Comments

SHA256 hash:	c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb
SHA3-384 hash:	08130c7da3753daec47fbd890eb66151dc11e5491b6244d03e4138ddbfe1a6c1013b0756cef168098302d395a274f32c
SHA1 hash:	798cbe4ff1cdfd502a4788b7e4ead143a5372712
MD5 hash:	b2ab924d146eafae88ef5726d5899123
humanhash:	foxtrot-don-robert-sweet
File name:	TIMSANET...COTIZACIÓN 2025_______________PDF.exe
Download:	download sample
Signature	DarkTortilla Create hunting rule
File size:	731'136 bytes
First seen:	2025-11-25 13:27:10 UTC
Last seen:	2025-12-08 15:34:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:tWZ0Lpr9YtQZZzdCJvkx4uDsBVzlaDSNd7GPbv1b9iTQgm2Cagwz+0fSpCd/C/V:5dZZzdCJvkYzllNkPbdb9tV2Cv+Kz
Threatray	42 similar samples on MalwareBazaar
TLSH	T1CAF4AD2423EC5A08F5BF2B39697415140BF1FC26DA32DA1E6E9690DE0EA5F80DD61733
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	lowmal3
Tags:	DarkTortilla exe

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

TIMSANET...COTIZACIN2025_______________PDF.exe

Verdict:

No threats detected

Analysis date:

2025-11-25 13:30:16 UTC

Tags:

netreactor

Link:

https://app.any.run/tasks/da24e82f-0381-4b7f-b366-967335af14e0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/41453/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.57866.843.31403.UNOFFICIAL

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6925aec05d7fac83ebf2dacd

Tags:

micro virus remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Creating a process from a recently created file

Creating a file

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Connection attempt to an infection source

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Creating a file in the mass storage device

Query of malicious DNS domain

Enabling autorun by creating a file

Enabling threat expansion on mass storage devices

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade obfuscated obfuscated packed vbnet

Link:

https://www.filescan.io/uploads/6925aebc8caf4f46cdec6d02/reports/0b7bec84-bf65-4bb9-989c-e4832ef4b68e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-24T11:48:00Z UTC

Last seen:

2025-11-27T10:38:00Z UTC

Hits:

~1000

Detections:

VHO:Trojan-PSW.Win32.Convagent.gen Backdoor.Agent.TCP.C&C Trojan.MSIL.Inject.c HEUR:Trojan-Spy.WinLNK.Xegumumune.gen HEUR:Backdoor.MSIL.XWorm.gen Backdoor.MSIL.XWorm.a PDM:Trojan.Win32.Generic Trojan.WinLNK.Agent.fb Trojan.MSIL.Inject.sb Trojan.MSIL.Inject.b Trojan.MSIL.Agent.sb Backdoor.MSIL.XWorm.b

Link:

https://opentip.kaspersky.com/c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb/results?tab=lookup

Malware family:

XWorm

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3c79c032-463e-4a2b-ba25-e65fc26fbf49

Result

Threat name:

DarkTortilla, XWorm

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1820547

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected XWorm

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86

Link:

https://app.malva.re/file/b2ab924d146eafae88ef5726d5899123

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb

Threat name:

Win32.Backdoor.XWormRAT

Status:

Malicious

First seen:

2025-11-24 22:04:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 37 (72.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zb6efahyxhdl6coavsdy6d25bmp7v4opayt2z3gqlbpht5ouwlvq._file

Verdict:

malicious

Label(s):

purecrypter

xworm

DarkTortilla

7eb16b0b45dab6d07f6b00b20923751acc5313db25c978ee5f5c42317479af3b

DarkTortilla

cb29310b5e68fa5f5c4aab781924807aea4f10e1d40164892cbf8651abf7bfd7

DarkTortilla

dbb01cca36d9593010e54589aca147accf107a297d9863773b58f45ca8e1ec20

DarkTortilla

+ 32 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm discovery rat trojan

Link:

https://tria.ge/reports/251125-qp9xfscr91/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

.NET Reactor proctector

Drops startup file

Detect Xworm Payload

Xworm

Xworm family

Malware Config

C2 Extraction:

petro4prime.ydns.eu:5909

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/54f2660e-5847-4912-b501-1805a0c5405c

Unpacked files

SH256 hash:

c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb

MD5 hash:

b2ab924d146eafae88ef5726d5899123

SHA1 hash:

798cbe4ff1cdfd502a4788b7e4ead143a5372712

Link:

https://www.unpac.me/results/ace8982c-e3f7-46f7-89a5-f79f712c672c/

SH256 hash:

7d1cc6c6774669872f14a75de73e3e785ef6d063a0c4c817d147e2078d77a61a

MD5 hash:

8445f7f856e34e9303600d717579a6c6

SHA1 hash:

28a54b1d1f14812e3c5fe68cf779c9117c098091

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

INDICATOR_EXE_Packed_DotNetReactor

Link:

https://www.unpac.me/results/ace8982c-e3f7-46f7-89a5-f79f712c672c/

Parent samples :

3cf22298d51538e4c37de996647c085369b9760381ee876225897ea56ca049b9
326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054
c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb
e344fe526e15e7a798d965e12fa66bbae99c620e2bac85cea2cf39da91e1c2a9
cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073
f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c
b02b279161596d4cfb6a031d2354460ab7d4918b0963f24a24560c2014ca9251
f8aa02fae887ea80156c2e8be3940405bfc612434d7efae60320a802a9d15a93
9cc00b1af48acb7af7f3c53d0a1adbe928d4bda26273dd955120ca138bdf2eca
73b63721491b5e5a01059fa28d122d5002710964e3e1ed13450d39e716abf968
d1dac84e05c1f6d563953e4966b4a15dda5ad228298cb9ffaa904108a1e03409
6e2f8c1a53a04332f9e7df00b6b0fc583e7c1dd20d570f503b57294c5e6b977f
a6cb841d8ae8fdf6631fa2e8235f07b946cc38fd08a67e542cdc697506faf462
7f686552b74e86a919d7c4ef8eee991bdc70a3558d886a70ed8a879ecb9781af
2f4de4bd0ba8bff96a2b2f8fe3703d0bea4dac48f6442cbd75677b3da8a4bb4f
db64be725daa15a212f1915938a94b30193123965c66ab4fbf1cbd41643a4e2f
641380dbf40445ebdda6a4fbf21ad32c7e9903fc5ec1c92081e77fc1716e58f0
51e8bfd578ae4e51206ad57e2bf501067e84ee7d0307ada70a1f3a35d907a1bd
6b43ebd7427305bd0d27f813d8a8e7d3c2fbd81a1d150d9d71be3b36461ed9c5
cd100ddc8f101788f2f74afcf44e9cbfcd41139431901c8783505f551986b2a7
1428f464af6827605e046bb527b1f0bef17827bfc495bc61bb663789ea93cd95
7abc66114083c1af5345a564369c5a9a57ede5dc4f8018c679d6fa2073781c19
594c365596c21b70b4e929a54e88f0abdc2f8641956817881418a57508484912
343a0ffbd5b9eb887a4fb642b6a508e49d75338c94c18404c0c4818b21ab1951
2ce473b1702af7cd8c8a391fcaf6e4d6b8687100ee6518e52a02adfc86735dee
e05eeb1ac0c6722a64e69f2fad8dba483cfdfe97a60f2bd123c4fb33715c419f
2f6fa9fa9d46eda7bb675550fff9ce2b075ac46bdbf95a2e3e46aa72b06aa84c
9729a8886a3c9c58f6aff691fa8a812531d7504b1060fe9092206cb39f6ab860
7ab3bc53197f4ab531bf0f24e2ad22f1f199a6f3225099506a49d57f03868dbe
ec831b1de5e2d9c38a3ebd096ef9af1425abc2a866cb042a31600d98c64b5740

SH256 hash:

222b04688d1e2030192b188f099ecfd52bd7af6b986ac93e141a80f2766da879

MD5 hash:

c71e17acab65a4dd054c78c0481c7674

SHA1 hash:

63b0d563f15ab5b92c337ef37d741004623d0f62

Link:

https://www.unpac.me/results/ace8982c-e3f7-46f7-89a5-f79f712c672c/

SH256 hash:

94c001ade179f07e1ef6ad085a80d2ecba3aea0300c59df296ee061fe56f91ee

MD5 hash:

70510dc432dea9b66d7f4083b79f2385

SHA1 hash:

b5e7040be95a77bd3624f2aa8780dc249d40b09b

Detections:

win_xworm_w0

XWorm

win_mal_XWorm

INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

MALWARE_Win_AsyncRAT

MALWARE_Win_XWorm

Link:

https://www.unpac.me/results/ace8982c-e3f7-46f7-89a5-f79f712c672c/

Parent samples :

f59a9d1fb36529a95208cd68096cd37d4e91ab86c68f0b820e063834e9feb1fa
d88fe34d1717339c4c27377b31b7a313867daefa50d05e54f0e35efb4a371062
60120d86d8ec490c3801947032ea19de9409c8963e01aba771d159a0d3319886
c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb
73641a6dd5f95201524760fb4b5e951dba1fa239bce351d6e765021ab08de01f

SH256 hash:

2673d470353413edfb567ff7479395dc52824db6469520ebe8d91dbca2bccac2

MD5 hash:

e5be1fdba36d5032726313afe4c7dd63

SHA1 hash:

c65ebe77906cec3bcb5e805a327f1aa823be57ca

Link:

https://www.unpac.me/results/ace8982c-e3f7-46f7-89a5-f79f712c672c/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c87c4280f8b9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkTortilla

exe c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/41453/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample