MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d864a30d450157ee025d97dcd2a6a6bf386719fc4c14ca361f85aa914665657c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d864a30d450157ee025d97dcd2a6a6bf386719fc4c14ca361f85aa914665657c
SHA3-384 hash: a62ac934d8acea0dbe90bf108fa01e08b2787659443d0b9240e44f1ff01201601d93067561a62f576e97731f5441d332
SHA1 hash: 0b83edfd3c70f1c62d2d670052ba0f2dd6ee0261
MD5 hash: e745df0c8be81837c89e236084e4a7b3
humanhash: violet-lima-california-nine
File name:d864a30d450157ee025d97dcd2a6a6bf386719fc4c14ca361f85aa914665657c
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:5'579'264 bytes
First seen:2026-03-06 15:35:37 UTC
Last seen:2026-03-06 16:30:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'845 x AgentTesla, 19'778 x Formbook, 12'298 x SnakeKeylogger)
ssdeep 98304:bm8dwNuAWm3GMvD+dHLR49AdY3WkYSyC:b9vNm7r+dR4WRyy
Threatray 841 similar samples on MalwareBazaar
TLSH T15A4622393E434505C63A57BD81268EC477F0DA8B9B03C71FBBDE01ECAA166A79721354
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
DeepSea
Details
DeepSea
DeepSea decrypted strings
Link:
https://research.acce.ciphertechsolutions.com/results/cfa96c2e-b7a3-4bd0-86b5-bde66187e6fd/
Malware family:
amadey
Create hunting rule
ID:
1
File name:
virusvippro.exe
Verdict:
Malicious activity
Analysis date:
2026-02-26 14:03:12 UTC
Tags:
auto metasploit framework github amadey botnet stealer stealc possible-phishing anti-evasion telegram phishing clickfix python barys powershell maskgram xenorat rat anydesk rmm-tool generic action1rmm screenconnect tool remote maskgramstealer tinynuke miner meterpreter backdoor havoc koistealer koiloader loader wannacry ransomware cobaltstrike guloader cryptowall njrat remcos vidar xred networm amus asyncrat smb bruteratel formbook sheet pyinstaller redline stealerium pastebin coinminer gh0st cryptolocker bladabindi pushware adware scan smbscan donutloader putty noescape wiper gotohttp ghostsocks proxyware whitesnakestealer xworm
Link:
https://app.any.run/tasks/1cf7f269-638c-477f-9a92-9fcd7b08a3e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/56379/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.81299769.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69975536c950ab5d9aaf7f6a
Tags:
autorun shell sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt obfuscated obfuscated vbnet
Link:
https://www.filescan.io/uploads/69aaf48697feb4afd6702b88/reports/44c6561c-d296-469d-97a2-2f9dac7434e4/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/d864a30d450157ee025d97dcd2a6a6bf386719fc4c14ca361f85aa914665657c
Verdict:
Malicious
File Type:
exe x32
Link:
https://opentip.kaspersky.com/d864a30d450157ee025d97dcd2a6a6bf386719fc4c14ca361f85aa914665657c/results?tab=lookup
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b4a2270c-9d71-48da-84ac-b24b8d4abdba
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d864a30d450157ee025d97dcd2a6a6bf386719fc4c14ca361f85aa914665657c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d864a30d450157ee025d97dcd2a6a6bf386719fc4c14ca361f85aa914665657c/
Verdict:
Malicious
Threat:
Family.QUASAR
Link:
https://tip.neiki.dev/file/d864a30d450157ee025d97dcd2a6a6bf386719fc4c14ca361f85aa914665657c
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2026-02-19 12:56:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
285
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3bskgdkfafl64as5s7onfjvgx44gogp4jqkmunq7qwvjcrtfmv6a._file
Verdict:
malicious
Label(s):
quasarrat
Create hunting rule
purecrypter
Create hunting rule
Similar samples:
16b394d76cf5663a9370672de28ef6016233c3d4415492a731834ef01f1386fe
DarkTortilla
2c03efcf8673a901a4d51f24e3d4f4ed698f9b4782b53a8c254dd1a1a00a2604
DarkTortilla
40c6d95876d7a085020471145c41cd5a16090625919d5de147334a52d24a6f1b
DarkTortilla
7cf92236a23833476c9e91eabf6bf023de5572b65a62da1e6cb9be39247162a6
DarkTortilla
+ 831 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/260306-s1vb9ahx8p/
Behaviour
System Location Discovery: System Language Discovery
.NET Reactor proctector
Unpacked files
SH256 hash:
d864a30d450157ee025d97dcd2a6a6bf386719fc4c14ca361f85aa914665657c
MD5 hash:
e745df0c8be81837c89e236084e4a7b3
SHA1 hash:
0b83edfd3c70f1c62d2d670052ba0f2dd6ee0261
Link:
https://www.unpac.me/results/a8fdce44-0895-4d57-98f9-a41583fe99d4/
SH256 hash:
a6a6cf76c8a7dd497424f636ddaa9c58a77971f9b267b257f1906c0388c281d6
MD5 hash:
f0ff6d188e5191a7295ae1e852259e7d
SHA1 hash:
c3f1b28ff5806069dc6b694eb2c40af6bdc27078
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/a8fdce44-0895-4d57-98f9-a41583fe99d4/
Parent samples :
24d6cbd8f4eb920651f82adb1288cd4d5227f6bcd8fe71341ebdeb434bbfae01
b430b6d8ffe30bb994eb58e11cab86092452755f0044acba6de4ef305f8fc28c
6f998e066e89d74f97f68b8b300cbf96f10df8bca0f96b78082e54ae578c6808
dbd4edd258813db2cac4abddb2a4230b62874591c09daa6ffbcd5c9022ebd042
787603ed370b21f4b0c042915f7fec0e3ad9f1a74f9bea21a99f9e7a5232a31c
cf790980d19ae946d6de6a03100ec1c207ceff95cf7e220d90108c2749fd0f63
24a07efb7c95800b89d34683abe09cf8e7d7776483f586abca769c2f98bb67c6
5524f65612afc339bd726ce2d20c9b8040a2137c7c23d8b68c47fe35a02c616d
55a9d922e96e48f6dafe5d3a8026268cc10ae3958b61b9121f0e4c93edca3b29
c2f557d0ec74807286105a5a4a0303d68638aaab4642aba9f035231742a0f38e
fdb5f65b86c93754b642aa54fa2628355c0bfd389bed24e435fef2d49ce6c8e4
4e5d15afc37e313296a27f94002517b351bad2dc3f3d1125e26ec078b57edbad
82cf55fa23c0c2493080bf0cbf52165ee502a58c782f8d85cfbbb5e601f8b6b3
9e82ffb9944fb58a8f2ea6c728ce6e3afa6560563666701d125b295fbf209bb3
b8e84695c8a14f7223d17d6957f4eb1ef4cadba8918911a5988b51a925042cfc
7157165f0ec7acf431db00aed0a0afbf01a2314396797399194ef0e80f6b2f54
4cc2ab119438950aeee01fd33fe268802e5362cb0d38349bf5df6269d9b8462f
d864a30d450157ee025d97dcd2a6a6bf386719fc4c14ca361f85aa914665657c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkTortilla

Executable exe d864a30d450157ee025d97dcd2a6a6bf386719fc4c14ca361f85aa914665657c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3780166/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3780167/
Cape
Cape
https://www.capesandbox.com/analysis/56379/

Comments