MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f52211f91feb402172b2353d628d74922ec8233bffe21cb504634be39560adaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f52211f91feb402172b2353d628d74922ec8233bffe21cb504634be39560adaf
SHA3-384 hash: 384cc6fc30a273d814f9e5da2f2811af1291a8604d12292ef3e3b783f30d42798ae9cdb71046a93a76e9e8975a830c16
SHA1 hash: 004a6aae43fae2729c82fe22598f54f33ee41fd5
MD5 hash: 1344dd42f796869f3091e194b0d819da
humanhash: oxygen-september-florida-east
File name:1344dd42f796869f3091e194b0d819da.bin
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:3'020'288 bytes
First seen:2023-07-10 12:03:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 49152:tDm7Xj2PUHTdNcxflE3sBWTTFNeeSMbOSBcd6r+6iQYAtMzoN:iz2P0Tw5S3saFUeSPa+6OyM
Threatray 13 similar samples on MalwareBazaar
TLSH T134E53387798C1511CC0DDEFF933C5E7A4F7AE98A8892B699248043E59BF82D448C7DD8
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:bin DarkTortilla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
1344dd42f796869f3091e194b0d819da.bin
Verdict:
Malicious activity
Analysis date:
2023-07-10 12:05:01 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/72ff7896-921e-4374-8d2b-b038c2e4283e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/413535/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.22750.6295.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Creating a file in the %AppData% subdirectories
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated packed
Link:
https://www.filescan.io/uploads/64abf3b49bd9f933fbb93e0b/reports/96549a27-4aa2-46a7-a606-c0399f9c8d9d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f52211f91feb402172b2353d628d74922ec8233bffe21cb504634be39560adaf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92b9084a-216c-4f3a-bfd3-586260a792b7
Result
Threat name:
AsyncRAT, DarkTortilla, DcRat, VenomRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1269700
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected DarkTortilla Crypter
Yara detected DcRat
Yara detected VenomRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f52211f91feb402172b2353d628d74922ec8233bffe21cb504634be39560adaf/
Threat name:
ByteCode-MSIL.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-07-10 12:04:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6urbd6i75nacc4vsgu6wfdlusixmqiz377rbzniemnf6hflavwxq._file
Verdict:
malicious
Similar samples:
0adf4ceabac0411e7c0760e5156b9b1e59e7da10ddc7c4490ae67f3f323f752d
DarkTortilla
2297e75fe8813c4d7c4b3514e0763d2cdc08b1b8a30962afac4dc6f00ce6fddf
DarkTortilla
800d7d569bde7e5f450e1848e54aa47df0811d7dcb5c338c0cc311b8f55cb9c5
DarkTortilla
b0e1d8b8115f50b5e89ad950bb7f9d6df0c540c3eb8706656de8c3eb8992a690
DarkTortilla
bf1bd7d13b353fcfcfac7fb3735575afb0a20eb6a5a3fd3b25ee95e91bcedd3d
DarkTortilla
c2cda600256314b688cf195f809356e2592ba8df9de9c2b1a117a0ee26ccfa28
DarkTortilla
+ 3 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/230710-n8lb4aba2t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
193.233.133.58:5631
Unpacked files
SH256 hash:
f52211f91feb402172b2353d628d74922ec8233bffe21cb504634be39560adaf
MD5 hash:
1344dd42f796869f3091e194b0d819da
SHA1 hash:
004a6aae43fae2729c82fe22598f54f33ee41fd5
Link:
https://www.unpac.me/results/855d05fb-48f2-414c-ab96-ca8f337fdd04/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f52211f91feb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkTortilla

Executable exe f52211f91feb402172b2353d628d74922ec8233bffe21cb504634be39560adaf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2679932/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/413535/

Comments