MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d45bdfaf72211e28cdb9566151db2cfbd98d27df680582e795b2a79e0d0044ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d45bdfaf72211e28cdb9566151db2cfbd98d27df680582e795b2a79e0d0044ae
SHA3-384 hash: b0ef7d1cb60c6d30938e707e6a97ed02cf8f410f3932533e7c87a8310a1a305680db32db16b19b6ae1db4e32720db96c
SHA1 hash: a6531acda0c26ae9269c80e9e64b2ec711b4874c
MD5 hash: f17e14678bfb1475eefa43dcb91a8cad
humanhash: nevada-california-one-wolfram
File name:New Quote.exe
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:1'254'400 bytes
First seen:2026-06-22 08:02:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'076 x AgentTesla, 20'040 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 24576:zv2kQMk/Plb0HsBsxpbrqKR1N9LnOTmmYMNKjGhhv:m1ssBsTbFN9LnGmWB
Threatray 27 similar samples on MalwareBazaar
TLSH T12645D02933D88688F47EDB358A761B4407F2F987D921D70FBE4A31DC4899B569A00B37
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
NewQuote.exe
Verdict:
No threats detected
Analysis date:
2026-06-17 09:21:53 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/34be7b27-285c-4709-acfc-89ab3296e0e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71512/
Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3267301a97308eef89d27b
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt obfuscated obfuscated vbnet
Link:
https://www.filescan.io/uploads/6a38ee0390632a45f731a08f/reports/109b0e48-d97a-4409-9f55-f5755110b476/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/d45bdfaf72211e28cdb9566151db2cfbd98d27df680582e795b2a79e0d0044ae
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-17T02:27:00Z UTC
Last seen:
2026-06-24T04:50:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/d45bdfaf72211e28cdb9566151db2cfbd98d27df680582e795b2a79e0d0044ae/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3bd535a0-8b17-4510-8037-c46e3ee0ecba
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d45bdfaf72211e28cdb9566151db2cfbd98d27df680582e795b2a79e0d0044ae
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/f17e14678bfb1475eefa43dcb91a8cad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d45bdfaf72211e28cdb9566151db2cfbd98d27df680582e795b2a79e0d0044ae/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/d45bdfaf72211e28cdb9566151db2cfbd98d27df680582e795b2a79e0d0044ae
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-06-17 05:30:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2rn57l3seepcrtnzkzqvdwzm7pmy2j67nacyfz4vwktz4diaisxa._file
Verdict:
malicious
Label(s):
purecrypter
Create hunting rule
Similar samples:
14f62053739732d93f517339bc700faa7de9ced2050b9055d71c84108feb577a
DarkTortilla
31e351001b4b4cfad664fcb3d0eda202cd643215611bca3123e1167f0faf3af3
DarkTortilla
60f29781b976a9e1d2638edb1f04333335712a572c0bcfb7d4c49eeab6dd2eb9
DarkTortilla
aeeab05d1eb82a29003d7e90ef6133a3b1cbc33aeb07abd402efc2a2882399cd
DarkTortilla
b4e7a3375a80a0da7b08f6caf8d83d795e01dd0693d9e76dd8f8ba6e8a03f1fd
DarkTortilla
+ 17 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/260622-j37kxsat3q/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
.NET Reactor proctector
Family: Formbook
Formbook payload
Unpacked files
SH256 hash:
d45bdfaf72211e28cdb9566151db2cfbd98d27df680582e795b2a79e0d0044ae
MD5 hash:
f17e14678bfb1475eefa43dcb91a8cad
SHA1 hash:
a6531acda0c26ae9269c80e9e64b2ec711b4874c
Link:
https://www.unpac.me/results/ddf18459-06e5-4276-ba79-c45715d94673/
SH256 hash:
cad6f02bdd6527c30442d766a69e826e9f5f36a3b8df7ef88d9076964411d87b
MD5 hash:
19c9cab32601134a7cc3ce7d0b25c34a
SHA1 hash:
017b7554650afcd6ea8aaffaafe5ce71762739ee
Link:
https://www.unpac.me/results/ddf18459-06e5-4276-ba79-c45715d94673/
SH256 hash:
b9fbbc0882a9292051f67b55e19ce05642087cc0b28cfad9c4179ec83e10a260
MD5 hash:
e1bc2eed219732e90e59d2ca3556f7b9
SHA1 hash:
5ff3d4764df59d5c26bb66c0462e95c9ce5ef24f
Link:
https://www.unpac.me/results/ddf18459-06e5-4276-ba79-c45715d94673/
SH256 hash:
8567bfcb4198ac228c8491c45fe1a3503b0ef512f3a4e4a60849e125d0c31e65
MD5 hash:
e22ae9aa18da51cee7d287944079191a
SHA1 hash:
6c3427d9bc91a03f613b0581c394deb57110b80b
Link:
https://www.unpac.me/results/ddf18459-06e5-4276-ba79-c45715d94673/
SH256 hash:
2d471d877e164ca447e36f7b36dd5d86df9364e3d0fc2f9d325709ab0ce3f6c6
MD5 hash:
a0bfa16cdb3aee88d57d8b55bfe968a5
SHA1 hash:
f93bfee58b745d1afff0c439297db0a5e6c3361f
Link:
https://www.unpac.me/results/ddf18459-06e5-4276-ba79-c45715d94673/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d45bdfaf7221/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkTortilla

Executable exe d45bdfaf72211e28cdb9566151db2cfbd98d27df680582e795b2a79e0d0044ae

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71512/

Comments