MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 20


Intelligence 20 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073
SHA3-384 hash: 9d692147ea00c6db0b248b73c028958962e4a8f9382ea96e4c1699551880b7f87351aa50644f0cb4f7ef931d6ac75f58
SHA1 hash: 4788ac87473bd247b4cabe68d67d2e5ba32b6936
MD5 hash: fc2ae0b717c99fc84195eb2ad2bd24e2
humanhash: burger-tango-fillet-iowa
File name:Nº 2502268142.pdf .exe
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:515'072 bytes
First seen:2025-11-27 03:09:39 UTC
Last seen:2025-12-08 15:57:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:4gYV1lh5pIiZuorxte5gLJl512oJsDg5kGAM1c6E+1hKYTq8uqbmWAV6naLnyhfM:SV1l3zZjrx550omh69b2W8jytCU+L
Threatray 44 similar samples on MalwareBazaar
TLSH T1E8B47C5833E99B44E17F97348A764A0047F2BD03CE32C79FA5562CEDAB6678055233A3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
Nº 2502268142.pdf .exe
Verdict:
Malicious activity
Analysis date:
2025-11-27 03:09:59 UTC
Tags:
netreactor loader stealer auto-reg evasion auto-startup telegram rat quasar remote remcos
Link:
https://app.any.run/tasks/84fd14a3-7d92-49d6-b73a-8cdae6fc2c13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41609/
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6927c1236cb1dcd57781661e
Tags:
micro spawn smtp
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process from a recently created file
Creating a file
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug base64 hacktool loki lokibot obfuscated obfuscated ransomware unsafe vbnet
Link:
https://www.filescan.io/uploads/6927c11f70be13a1f9cad9aa/reports/9501d607-35f2-439d-9cc6-54dae4a4cf0d/overview
Verdict:
Malicious
Labled as:
Ransom.Loki.Generic
Link:
https://www.hybrid-analysis.com/sample/cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-26T15:03:00Z UTC
Last seen:
2025-11-29T01:14:00Z UTC
Hits:
~10000
Link:
https://opentip.kaspersky.com/cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073/results?tab=lookup
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/caf2d2b5-8777-4361-947a-e83c2ebf0bbd
Result
Threat name:
DarkCloud, DarkTortilla, Quasar, Remcos,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1821527
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Double Extension File Execution
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious Process Parents
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses an obfuscated file name to hide its real file extension (a lot of spaces)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected DarkTortilla Crypter
Yara detected Powershell download and execute
Yara detected Quasar RAT
Yara detected Remcos RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1821527 Sample: N#U00ba 2502268142.pdf     ... Startdate: 27/11/2025 Architecture: WINDOWS Score: 100 100 code1.ydns.eu 2->100 102 showip.net 2->102 104 2 other IPs or domains 2->104 112 Found malware configuration 2->112 114 Malicious sample detected (through community Yara rule) 2->114 116 Antivirus detection for URL or domain 2->116 118 28 other signatures 2->118 14 N#U00ba 2502268142.pdf                 .exe 3 2->14         started        18 fishwife.exe 2->18         started        20 fishwife.exe 2->20         started        22 2 other processes 2->22 signatures3 process4 file5 98 N#U00ba 2502268142...           .exe.log, ASCII 14->98 dropped 160 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->160 162 Injects a PE file into a foreign processes 14->162 24 N#U00ba 2502268142.pdf                 .exe 1 14->24         started        164 Multi AV Scanner detection for dropped file 18->164 27 fishwife.exe 18->27         started        29 fishwife.exe 20->29         started        31 fishwife.exe 20->31         started        33 Notepadbook.exe 22->33         started        35 System.exe 22->35         started        signatures6 process7 signatures8 134 Encrypted powershell cmdline option found 24->134 37 powershell.exe 15 21 24->37         started        process9 dnsIp10 106 igw.myfirewall.org 91.92.242.93, 49721, 49722, 80 THEZONEBG Bulgaria 37->106 90 C:\Users\user\AppData\Roaming\WORDS.exe, PE32 37->90 dropped 92 C:\Users\user\AppData\...\POWERPOINT.exe, PE32 37->92 dropped 94 C:\Users\user\AppData\Roaming94OTEPAD.exe, PE32 37->94 dropped 96 C:\Users\user\AppData\RoamingXCEL.exe, PE32 37->96 dropped 130 Potential dropper URLs found in powershell memory 37->130 132 Powershell drops PE file 37->132 42 EXCEL.exe 37->42         started        45 NOTEPAD.exe 3 37->45         started        47 WORDS.exe 3 37->47         started        49 2 other processes 37->49 file11 signatures12 process13 signatures14 136 Multi AV Scanner detection for dropped file 42->136 138 Document exploit detected (process start blacklist hit) 42->138 140 Injects a PE file into a foreign processes 42->140 142 Unusual module load detection (module proxying) 42->142 51 EXCEL.exe 42->51         started        144 Uses schtasks.exe or at.exe to add and modify task schedules 45->144 146 Hides that the sample has been downloaded from the Internet (zone.identifier) 45->146 55 NOTEPAD.exe 45->55         started        57 WORDS.exe 47->57         started        60 POWERPOINT.exe 49->60         started        process15 dnsIp16 82 C:\Users\user\AppData\Local\...\install.vbs, data 51->82 dropped 120 Creates multiple autostart registry keys 51->120 62 wscript.exe 51->62         started        84 C:\Users\user\AppData\...84otepadbook.exe, PE32 55->84 dropped 122 Hides that the sample has been downloaded from the Internet (zone.identifier) 55->122 65 Notepadbook.exe 55->65         started        67 schtasks.exe 55->67         started        108 showip.net 162.55.60.2, 49725, 80 ACPCA United States 57->108 86 C:\Users\user\AppData\...\fishwife.exe, PE32 57->86 dropped 124 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 57->124 126 Tries to steal Mail credentials (via file / registry access) 57->126 128 Tries to harvest and steal browser information (history, passwords, etc) 57->128 110 code1.ydns.eu 128.0.1.9, 59013 M247GB Romania 60->110 88 C:\Users\user\AppData\...\WindowsDefender.exe, PE32 60->88 dropped file17 signatures18 process19 signatures20 152 Windows Scripting host queries suspicious COM object (likely to drop second stage) 62->152 69 cmd.exe 62->69         started        154 Multi AV Scanner detection for dropped file 65->154 156 Hides that the sample has been downloaded from the Internet (zone.identifier) 65->156 158 Injects a PE file into a foreign processes 65->158 71 Notepadbook.exe 65->71         started        73 conhost.exe 67->73         started        process21 process22 75 System.exe 69->75         started        78 conhost.exe 69->78         started        signatures23 148 Hides that the sample has been downloaded from the Internet (zone.identifier) 75->148 150 Injects a PE file into a foreign processes 75->150 80 System.exe 75->80         started        process24
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/fc2ae0b717c99fc84195eb2ad2bd24e2
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073/
Threat name:
Win32.Trojan.PsDownload
Create hunting rule
Status:
Malicious
First seen:
2025-11-26 20:51:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxx6isdqmlhu73xoseweqqrcjspz5ydgk5baluy67kd25zy7ebzq._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
Similar samples:
58c5dfa4020903964d305f0bd6caee651f3e29bc311f5191378641a66eaba4de
DarkTortilla
7eb16b0b45dab6d07f6b00b20923751acc5313db25c978ee5f5c42317479af3b
DarkTortilla
cb29310b5e68fa5f5c4aab781924807aea4f10e1d40164892cbf8651abf7bfd7
DarkTortilla
dbb01cca36d9593010e54589aca147accf107a297d9863773b58f45ca8e1ec20
DarkTortilla
e344fe526e15e7a798d965e12fa66bbae99c620e2bac85cea2cf39da91e1c2a9
DarkTortilla
+ 34 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:quasar family:remcos family:xworm botnet:exec botnet:spain2 collection defense_evasion discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251127-dn8xjsvkak/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Obfuscated Files or Information: Command Obfuscation
.NET Reactor proctector
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Downloads MZ/PE file
Detect Xworm Payload
Quasar RAT
Quasar family
Quasar payload
Remcos
Remcos family
Xworm
Xworm family
Malware Config
C2 Extraction:
rency.ydns.eu:59013
wqo9.firewall-gateway.de:59013
code1.ydns.eu:59013
rency.ydns.eu:2404
wqo9.firewall-gateway.de:4045
code1.ydns.eu:9302
twart.myfirewall.org:9792
rency.ydns.eu:5287
wqo9.firewall-gateway.de:8841
code1.ydns.eu:5287
wqo9.firewall-gateway.de:9792
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/15197bea-1b7c-4519-961e-e72deedb98e2
Unpacked files
SH256 hash:
cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073
MD5 hash:
fc2ae0b717c99fc84195eb2ad2bd24e2
SHA1 hash:
4788ac87473bd247b4cabe68d67d2e5ba32b6936
Link:
https://www.unpac.me/results/803c9712-3f76-44e6-bdd7-e1b08aba3a73/
SH256 hash:
7d1cc6c6774669872f14a75de73e3e785ef6d063a0c4c817d147e2078d77a61a
MD5 hash:
8445f7f856e34e9303600d717579a6c6
SHA1 hash:
28a54b1d1f14812e3c5fe68cf779c9117c098091
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/803c9712-3f76-44e6-bdd7-e1b08aba3a73/
Parent samples :
3cf22298d51538e4c37de996647c085369b9760381ee876225897ea56ca049b9
326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054
c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb
e344fe526e15e7a798d965e12fa66bbae99c620e2bac85cea2cf39da91e1c2a9
cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073
f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c
b02b279161596d4cfb6a031d2354460ab7d4918b0963f24a24560c2014ca9251
f8aa02fae887ea80156c2e8be3940405bfc612434d7efae60320a802a9d15a93
9cc00b1af48acb7af7f3c53d0a1adbe928d4bda26273dd955120ca138bdf2eca
73b63721491b5e5a01059fa28d122d5002710964e3e1ed13450d39e716abf968
d1dac84e05c1f6d563953e4966b4a15dda5ad228298cb9ffaa904108a1e03409
6e2f8c1a53a04332f9e7df00b6b0fc583e7c1dd20d570f503b57294c5e6b977f
a6cb841d8ae8fdf6631fa2e8235f07b946cc38fd08a67e542cdc697506faf462
7f686552b74e86a919d7c4ef8eee991bdc70a3558d886a70ed8a879ecb9781af
2f4de4bd0ba8bff96a2b2f8fe3703d0bea4dac48f6442cbd75677b3da8a4bb4f
db64be725daa15a212f1915938a94b30193123965c66ab4fbf1cbd41643a4e2f
641380dbf40445ebdda6a4fbf21ad32c7e9903fc5ec1c92081e77fc1716e58f0
51e8bfd578ae4e51206ad57e2bf501067e84ee7d0307ada70a1f3a35d907a1bd
6b43ebd7427305bd0d27f813d8a8e7d3c2fbd81a1d150d9d71be3b36461ed9c5
cd100ddc8f101788f2f74afcf44e9cbfcd41139431901c8783505f551986b2a7
1428f464af6827605e046bb527b1f0bef17827bfc495bc61bb663789ea93cd95
7abc66114083c1af5345a564369c5a9a57ede5dc4f8018c679d6fa2073781c19
594c365596c21b70b4e929a54e88f0abdc2f8641956817881418a57508484912
343a0ffbd5b9eb887a4fb642b6a508e49d75338c94c18404c0c4818b21ab1951
2ce473b1702af7cd8c8a391fcaf6e4d6b8687100ee6518e52a02adfc86735dee
e05eeb1ac0c6722a64e69f2fad8dba483cfdfe97a60f2bd123c4fb33715c419f
2f6fa9fa9d46eda7bb675550fff9ce2b075ac46bdbf95a2e3e46aa72b06aa84c
9729a8886a3c9c58f6aff691fa8a812531d7504b1060fe9092206cb39f6ab860
7ab3bc53197f4ab531bf0f24e2ad22f1f199a6f3225099506a49d57f03868dbe
ec831b1de5e2d9c38a3ebd096ef9af1425abc2a866cb042a31600d98c64b5740
SH256 hash:
70b91717938eb88deebc96929dde2c02527d62b0fc4aaa0e53e07deeb6f59cf5
MD5 hash:
00029a998e895a7c1a93b8119362c508
SHA1 hash:
5d268d619b7eed0b2cbbfe0d6e534d24454b8d02
Link:
https://www.unpac.me/results/803c9712-3f76-44e6-bdd7-e1b08aba3a73/
SH256 hash:
222b04688d1e2030192b188f099ecfd52bd7af6b986ac93e141a80f2766da879
MD5 hash:
c71e17acab65a4dd054c78c0481c7674
SHA1 hash:
63b0d563f15ab5b92c337ef37d741004623d0f62
Link:
https://www.unpac.me/results/803c9712-3f76-44e6-bdd7-e1b08aba3a73/
SH256 hash:
2673d470353413edfb567ff7479395dc52824db6469520ebe8d91dbca2bccac2
MD5 hash:
e5be1fdba36d5032726313afe4c7dd63
SHA1 hash:
c65ebe77906cec3bcb5e805a327f1aa823be57ca
Link:
https://www.unpac.me/results/803c9712-3f76-44e6-bdd7-e1b08aba3a73/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cdefe4487062/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkTortilla

Executable exe cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/41609/

Comments