MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f93cef3fe96d0e7bb0c66e7eb851b20e1cf256f1bb50d7eccbb02a29232eca67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f93cef3fe96d0e7bb0c66e7eb851b20e1cf256f1bb50d7eccbb02a29232eca67
SHA3-384 hash: e01456a5b421391b62bb8aa56533fc04eebb797a0ee02644b3bd5dad1dbf868f4e32726a6b11bdc0e41e33e4cc85d2d7
SHA1 hash: d7a2989d309f97a88121b72cc73796a030db90d0
MD5 hash: 615cb3c8c5408eec21df8aa32e465e5e
humanhash: two-diet-network-table
File name:Presupuesto 1-89375251581 EUR SL.pdf(82KB)
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:588'800 bytes
First seen:2025-10-27 15:38:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:IhY7hCjck+pf5F3VIARRYC/VrKaMUTL/J12Xk:IhuhCgk+pfb2M/FKaMUX/JcXk
TLSH T143C4AD287BD69648D83EEB38CA72461807F2E547CA23D32BFE4230DD866E7464551F27
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Presupuesto1-89375251581EURSL.pdf82KB.exe
Verdict:
Suspicious activity
Analysis date:
2025-10-27 09:49:23 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/dc2a9df3-925c-4a32-a011-27057ad14118

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34304/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ff40223bdc93eb0564db59
Tags:
virus smtp remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a window
Restart of the analyzed sample
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Running batch commands
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated obfuscated vbnet
Link:
https://www.filescan.io/uploads/68ff9424c85c5c56973795a7/reports/5c02a703-fccb-4427-a2e9-6de31afc3b36/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f93cef3fe96d0e7bb0c66e7eb851b20e1cf256f1bb50d7eccbb02a29232eca67
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-27T06:06:00Z UTC
Last seen:
2025-10-29T12:36:00Z UTC
Hits:
~10000
Detections:
Trojan.APosT.UDP.C&C Backdoor.Agent.TCP.C&C Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.Stealer.sb Trojan-PSW.MSIL.Stealer.sb Trojan-PSW.Win32.DarkCloud.sb HEUR:Trojan-Spy.MSIL.Noon.gen Trojan-Downloader.Win32.PsDownload.sb VHO:Trojan-PSW.MSIL.Agent.gen HEUR:Backdoor.MSIL.XWorm.gen Backdoor.MSIL.Crysan.d Trojan-Dropper.Win32.Injector.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Inject.b PDM:Exploit.Win32.Generic Trojan.Win32.Mucc.sb PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Inject.gen Backdoor.Win32.Androm Trojan.MSIL.Inject.c Trojan-PSW.Win32.Pycoon.sb HackTool.ReconScan.TCP.ServerRequest
Link:
https://opentip.kaspersky.com/f93cef3fe96d0e7bb0c66e7eb851b20e1cf256f1bb50d7eccbb02a29232eca67/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9108be95-f308-4070-9d78-5f437c053d2f
Result
Threat name:
Remcos, AsyncRAT, DarkCloud, DarkTortill
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802290
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Document exploit detected (process start blacklist hit)
Encrypted powershell cmdline option found
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Remcos
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious Process Parents
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected DarkCloud
Yara detected DarkTortilla Crypter
Yara detected Powershell download and execute
Yara detected Quasar RAT
Yara detected Remcos RAT
Yara detected Telegram RAT
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1802290 Sample: Presupuesto 1-89375251581 E... Startdate: 27/10/2025 Architecture: WINDOWS Score: 100 116 twart.myfirewall.org 2->116 118 rency.ydns.eu 2->118 120 3 other IPs or domains 2->120 138 Suricata IDS alerts for network traffic 2->138 140 Found malware configuration 2->140 142 Malicious sample detected (through community Yara rule) 2->142 144 20 other signatures 2->144 12 Presupuesto 1-89375251581 EUR SL.exe 4 2->12         started        16 iPads.exe 2->16         started        18 iPad.exe 2->18         started        20 2 other processes 2->20 signatures3 process4 file5 110 Presupuesto 1-89375251581 EUR SL.exe.log, ASCII 12->110 dropped 178 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->178 180 Injects a PE file into a foreign processes 12->180 22 Presupuesto 1-89375251581 EUR SL.exe 1 12->22         started        25 Excelbooks.exe 12->25         started        27 Excelbooks.exe 12->27         started        29 iPads.exe 16->29         started        33 iPad.exe 18->33         started        35 iPad.exe 20->35         started        signatures6 process7 dnsIp8 152 Encrypted powershell cmdline option found 22->152 37 powershell.exe 15 20 22->37         started        126 showip.net 162.55.60.2, 49726, 80 ACPCA United States 29->126 112 C:\Users\user\AppData\...\boorishness.exe, PE32 29->112 dropped 154 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 29->154 156 Tries to steal Mail credentials (via file / registry access) 29->156 158 Creates multiple autostart registry keys 29->158 160 Tries to harvest and steal browser information (history, passwords, etc) 29->160 114 C:\ProgramData\remcos\logs.dat, data 33->114 dropped 162 Installs a global keyboard hook 33->162 file9 signatures10 process11 dnsIp12 122 igw.myfirewall.org 91.92.242.237, 49719, 80 THEZONEBG Bulgaria 37->122 124 bmh-global.myfirewall.org 178.16.53.63, 49720, 80 DUSNET-ASDE Germany 37->124 94 C:\Users\user\AppData\Roaming\WORDS.exe, PE32 37->94 dropped 96 C:\Users\user\AppData\...\POWERPOINT.exe, PE32 37->96 dropped 98 C:\Users\user\AppData\Roaming98OTEPAD.exe, PE32 37->98 dropped 100 C:\Users\user\AppData\RoamingXCEL.exe, PE32 37->100 dropped 164 Potential dropper URLs found in powershell memory 37->164 166 Powershell drops PE file 37->166 42 POWERPOINT.exe 3 37->42         started        45 NOTEPAD.exe 3 37->45         started        47 EXCEL.exe 37->47         started        49 2 other processes 37->49 file13 signatures14 process15 signatures16 168 Hides that the sample has been downloaded from the Internet (zone.identifier) 42->168 51 cmd.exe 42->51         started        54 cmd.exe 42->54         started        57 cmd.exe 45->57         started        59 cmd.exe 45->59         started        170 Uses schtasks.exe or at.exe to add and modify task schedules 47->170 172 Document exploit detected (process start blacklist hit) 47->172 174 Injects a PE file into a foreign processes 47->174 61 EXCEL.exe 47->61         started        176 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 49->176 63 WORDS.exe 49->63         started        process17 dnsIp18 146 Uses ping.exe to sleep 51->146 148 Uses cmd line tools excessively to alter registry or file data 51->148 150 Uses ping.exe to check the status of other devices and networks 51->150 66 reg.exe 51->66         started        77 2 other processes 51->77 102 C:\Users\user\AppData\Roaming\iPads.exe, PE32 54->102 dropped 69 iPads.exe 54->69         started        80 3 other processes 54->80 104 C:\Users\user\AppData\Roaming\iPad.exe, PE32 57->104 dropped 71 iPad.exe 57->71         started        82 3 other processes 57->82 84 3 other processes 59->84 73 Excelbooks.exe 61->73         started        75 schtasks.exe 61->75         started        130 twart.myfirewall.org 91.92.241.145, 2404, 49723, 49725 THEZONEBG Bulgaria 63->130 106 C:\Users\user\AppData\...\WDUpdate2025.exe, PE32 63->106 dropped 108 C:\Users\user\AppData\...\Protect544cd51a.dll, PE32 63->108 dropped file19 signatures20 process21 dnsIp22 132 Creates multiple autostart registry keys 66->132 134 Hides that the sample has been downloaded from the Internet (zone.identifier) 69->134 136 Injects a PE file into a foreign processes 69->136 86 iPads.exe 69->86         started        88 iPads.exe 69->88         started        90 iPad.exe 71->90         started        92 conhost.exe 75->92         started        128 127.0.0.1 unknown unknown 77->128 signatures23 process24
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f93cef3fe96d0e7bb0c66e7eb851b20e1cf256f1bb50d7eccbb02a29232eca67
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Link:
https://app.malva.re/file/615cb3c8c5408eec21df8aa32e465e5e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f93cef3fe96d0e7bb0c66e7eb851b20e1cf256f1bb50d7eccbb02a29232eca67/
Verdict:
Malicious
Threat:
Family.DARKCLOUD
Link:
https://tip.neiki.dev/file/f93cef3fe96d0e7bb0c66e7eb851b20e1cf256f1bb50d7eccbb02a29232eca67
Threat name:
Win32.Trojan.Snake
Create hunting rule
Status:
Malicious
First seen:
2025-10-27 09:10:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
32 of 37 (86.49%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7e6o6p7jnuhhxmggnz7lqunsbyopevxrxninp3glwavcsizozjtq._file
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud family:darktortilla family:quasar family:remcos family:xworm botnet:es xworm botnet:spain collection crypter defense_evasion discovery execution loader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251027-s6cz6aymez/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Obfuscated Files or Information: Command Obfuscation
.NET Reactor proctector
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Badlisted process makes network request
Downloads MZ/PE file
DarkCloud
Darkcloud family
Darktortilla
Darktortilla family
Detect Xworm Payload
Detects Darktortilla crypter.
Quasar RAT
Quasar family
Quasar payload
Remcos
Remcos family
Xworm
Xworm family
Malware Config
C2 Extraction:
rency.ydns.eu:59013
wqo9.firewall-gateway.de:59013
twart.myfirewall.org:59013
twart.myfirewall.org:9792
rency.ydns.eu:5287
wqo9.firewall-gateway.de:8841
code1.ydns.eu:5287
wqo9.firewall-gateway.de:9792
rency.ydns.eu:2404
wqo9.firewall-gateway.de:4045
code1.ydns.eu:9302
https://api.telegram.org/bot6274587098:AAEvD64fpPpZLNdkxKF7wS-y2GX94H3OkSM/sendMessage?chat_id=6265187542
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3d42721a-f21c-4101-b459-18eb397fab88
Unpacked files
SH256 hash:
f93cef3fe96d0e7bb0c66e7eb851b20e1cf256f1bb50d7eccbb02a29232eca67
MD5 hash:
615cb3c8c5408eec21df8aa32e465e5e
SHA1 hash:
d7a2989d309f97a88121b72cc73796a030db90d0
Link:
https://www.unpac.me/results/94c8bbd7-fc8a-42d3-ad3e-642ad6f7cb6d/
SH256 hash:
9fb4506a7571af1630f055584ee41055f4edfb3ed2939990593e6a117c82f145
MD5 hash:
e1368e9929f8e77e9327274534ea57fd
SHA1 hash:
62ae4ab0a0570645506f2f442c087b04d585d4a6
Detections:
DotNetPSDownloader
Create hunting rule
Link:
https://www.unpac.me/results/94c8bbd7-fc8a-42d3-ad3e-642ad6f7cb6d/
Parent samples :
f93cef3fe96d0e7bb0c66e7eb851b20e1cf256f1bb50d7eccbb02a29232eca67
ade0a4047ab1b1906d978a453a4efa38691a305f7d846463101e9533610a2ed4
SH256 hash:
222b04688d1e2030192b188f099ecfd52bd7af6b986ac93e141a80f2766da879
MD5 hash:
c71e17acab65a4dd054c78c0481c7674
SHA1 hash:
63b0d563f15ab5b92c337ef37d741004623d0f62
Link:
https://www.unpac.me/results/94c8bbd7-fc8a-42d3-ad3e-642ad6f7cb6d/
SH256 hash:
e85a6b8eb1d98b78941197990aa61a9768e3c66c5c932fac71f3e9933a4dbe2a
MD5 hash:
e681645e011800fda1f7e13d33429160
SHA1 hash:
7549537f9215deb56b68e33fea2a2f142dee2dc3
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/94c8bbd7-fc8a-42d3-ad3e-642ad6f7cb6d/
Parent samples :
cb29310b5e68fa5f5c4aab781924807aea4f10e1d40164892cbf8651abf7bfd7
7eb16b0b45dab6d07f6b00b20923751acc5313db25c978ee5f5c42317479af3b
6c22a1818f78be2dd32749140bfcaa6d930cf94984f1c58a8f21c1a2b0b27e35
dbb01cca36d9593010e54589aca147accf107a297d9863773b58f45ca8e1ec20
898aedc9de508d5a88e225689c03908dbf7ae7f86067cb2930da7f53143e9b97
64c2eb337d6f52f74f77b541d8a915a90ae5bd2cbda6a9497d7a2f026a64f152
db9d3f10e7fe84323b9bfe6a3fd205b98c83625314422b0a8f3b66f424d3d244
7fc90f92f50d98b3bc737f0de1fd17c2f24ae9a72fa2ddbb67c55f8dd73d700d
f93cef3fe96d0e7bb0c66e7eb851b20e1cf256f1bb50d7eccbb02a29232eca67
000d2ec0988cfef8ea5f0f7feb80f928c9f21109dcb8f95d5252584d821e402d
1f1e97a35caf2831608ec2e0c6ad91a22052f44c57de7d115754382bff3f3890
59636b7cbff5b2aabc062847722c9a98515ca99e50f4d8f8104f21225312bbdb
7f739a509c26046509a167ac582b9aae60c9ab7c27b23af2d7aaaa234a9507fd
ef0c66368c8fd108028508e8e23d36aa2b88dcc972fc5e068464c91fd452aa2e
d326d0395da36c738476b5349eb65d59166aa4547bd26f8543cfff26150e85a8
ade0a4047ab1b1906d978a453a4efa38691a305f7d846463101e9533610a2ed4
b7b7861536992715f97316df0345c4da87001c4f2d48c8a5648e5445204a5cfa
2f18faa567de85a9af071bb6b52c9497d412f50179e0796e2cd8f4f4ecb098f2
6e4854a0a4a965d1ecb59cd4e664b6c5452e00873134bb32a3ef96333738b951
432393600780f23c5e93469a8725e0fc453404d06b3ac64e0d3c28ff7bb625d8
b3b29bb015dcf4d167651ac1da563b9c6cf9bdfdaf344d6a9a017907b5ac48d1
36c38c62e9276d44558f77044e996522eaf2b1c3f0e9783c1d0024ff98ff47ba
2d44efd28bad1cd2c8dfb6f21c89b2c105781b0aec01b0951a64d6f1deaef64e
383f8a1216ca0eef171c6aa72da84e540d5c0337e8e6e492c68496f89c4c28a1
d78d47fd0b46c35215d5d3a04a62ddeab1d37d4b7921ca491caa699c9b802f5c
94d4d79500c8e8e0191f9af6f4ca4408dee9a633f8325146b886ee101ee8a737
223850176955ed89a903fa81454768fa0fd69df46f9456ece918058417ffd217
SH256 hash:
2673d470353413edfb567ff7479395dc52824db6469520ebe8d91dbca2bccac2
MD5 hash:
e5be1fdba36d5032726313afe4c7dd63
SHA1 hash:
c65ebe77906cec3bcb5e805a327f1aa823be57ca
Link:
https://www.unpac.me/results/94c8bbd7-fc8a-42d3-ad3e-642ad6f7cb6d/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f93cef3fe96d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f93cef3fe96d0e7bb0c66e7eb851b20e1cf256f1bb50d7eccbb02a29232eca67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkTortilla

Executable exe f93cef3fe96d0e7bb0c66e7eb851b20e1cf256f1bb50d7eccbb02a29232eca67

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34304/

Comments