MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd87155ae16286e44eb0068f8ea18a735bc8b8a1fbefc60f70b7a5a14538677b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkTortilla


Vendor detections: 12


Intelligence 12 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd87155ae16286e44eb0068f8ea18a735bc8b8a1fbefc60f70b7a5a14538677b
SHA3-384 hash: c33f8eb42cb3cceb89f20b3a65b57c0d7816331c7855cb753f9fbf1d645619a7fc66520ff3c71cdf10699cb390784d88
SHA1 hash: 00f63fcc87b0a75de4b1679ba1a0821e58cb5411
MD5 hash: 40e1cc47ecf2457f0cd4d1c19eb6c572
humanhash: steak-october-grey-ohio
File name:40e1cc47ecf2457f0cd4d1c19eb6c572.exe
Download: download sample
Signature DarkTortilla
Create hunting rule
File size:4'001'792 bytes
First seen:2023-08-12 07:30:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 98304:CN2ROCRB/KQbw1nD2k4NeJ41/8qycK3aOc:LRB/KWw1DH/J41/8qyzqO
Threatray 25 similar samples on MalwareBazaar
TLSH T132063342D95E7A63C959E8F4ABC11015EBF898356210F7DB0CCC6AE939E3B810D236D7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:DarkTortilla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
40e1cc47ecf2457f0cd4d1c19eb6c572.exe
Verdict:
Malicious activity
Analysis date:
2023-08-12 07:32:44 UTC
Tags:
remote rat asyncrat stealer
Link:
https://app.any.run/tasks/f41b7552-0d74-407d-a6f6-160822bdd44f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442285/
Detection(s):
SecuriteInfo.com.Win32.RansomX-gen.4962.18124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fd87155ae16286e44eb0068f8ea18a735bc8b8a1fbefc60f70b7a5a14538677b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f002be36-e2d6-4d15-9689-f0a17804e89c
Result
Threat name:
AsyncRAT, DarkTortilla, StormKitty
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1290384
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected BrowserPasswordDump
Yara detected DarkTortilla Crypter
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1290384 Sample: HmS2QptgRa.exe Startdate: 12/08/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 11 other signatures 2->55 8 HmS2QptgRa.exe 3 2->8         started        process3 signatures4 61 Writes to foreign memory regions 8->61 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->63 65 Injects a PE file into a foreign processes 8->65 11 InstallUtil.exe 18 164 8->11         started        16 InstallUtil.exe 8->16         started        process5 dnsIp6 43 185.106.94.122, 4449, 49757, 49761 SUPERSERVERSDATACENTERRU Russian Federation 11->43 45 ip-api.com 208.95.112.1, 49764, 80 TUT-ASUS United States 11->45 47 4 other IPs or domains 11->47 37 C:\Users\user\AppData\...37WTVCDUMOB.png, ASCII 11->37 dropped 39 C:\Users\user\AppData\...39WTVCDUMOB.png, ASCII 11->39 dropped 41 C:\Users\user\AppData\...\AFWAAFRXKO.pdf, ASCII 11->41 dropped 67 Tries to harvest and steal browser information (history, passwords, etc) 11->67 69 Tries to harvest and steal WLAN passwords 11->69 71 Modifies existing user documents (likely ransomware behavior) 11->71 18 cmd.exe 1 11->18         started        21 cmd.exe 1 11->21         started        73 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->73 75 May check the online IP address of the machine 16->75 77 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 16->77 file7 signatures8 process9 signatures10 57 Uses netsh to modify the Windows network and firewall settings 18->57 59 Tries to harvest and steal WLAN passwords 18->59 23 netsh.exe 3 18->23         started        25 conhost.exe 18->25         started        27 findstr.exe 1 18->27         started        29 chcp.com 1 18->29         started        31 netsh.exe 3 21->31         started        33 conhost.exe 21->33         started        35 chcp.com 1 21->35         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd87155ae16286e44eb0068f8ea18a735bc8b8a1fbefc60f70b7a5a14538677b/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-12 07:31:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7wdrkwxbmkdoitvqa2hy5imkonn4rofb7px4md3qw6s2crjym55q._file
Verdict:
malicious
Similar samples:
0adf4ceabac0411e7c0760e5156b9b1e59e7da10ddc7c4490ae67f3f323f752d
DarkTortilla
188eced85124122e1465031e6536377b4283f00d24fa28626f71138a4dc06cfc
DarkTortilla
19554d3c701bb2d8c3d86adaabc4843b400278cb5d0a013c18ebeb5e20a2e8a0
DarkTortilla
2297e75fe8813c4d7c4b3514e0763d2cdc08b1b8a30962afac4dc6f00ce6fddf
DarkTortilla
800d7d569bde7e5f450e1848e54aa47df0811d7dcb5c338c0cc311b8f55cb9c5
DarkTortilla
b62fc62a03e4d6c0eac25a8b104d8064288fdc5665ddc19ba55ed520ab9f2827
DarkTortilla
b79718f59f3d7d72a416fe00c3ab3477b43282981e69f9cf5426b2c8012423c1
DarkTortilla
f52211f91feb402172b2353d628d74922ec8233bffe21cb504634be39560adaf
DarkTortilla
+ 15 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/230812-jbv3taaf39/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
185.106.94.122:4449
Unpacked files
SH256 hash:
fd87155ae16286e44eb0068f8ea18a735bc8b8a1fbefc60f70b7a5a14538677b
MD5 hash:
40e1cc47ecf2457f0cd4d1c19eb6c572
SHA1 hash:
00f63fcc87b0a75de4b1679ba1a0821e58cb5411
Link:
https://www.unpac.me/results/5b121b62-5e18-4a16-a4a0-3a378791ffa0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fd87155ae162/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/fd87155ae16286e44eb0068f8ea18a735bc8b8a1fbefc60f70b7a5a14538677b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AcRat
Create hunting rule
Author:Nikos 'n0t' Totosis
Description:AcRat Payload (based on AsyncRat)
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:MAL_AsnycRAT
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:MAL_AsyncRAT_Config_Decryption
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects AsnycRAT based on it's config decryption routine
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:Njrat
Create hunting rule
Author:botherder https://github.com/botherder
Description:Njrat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_DOTNET_PE_List_AV
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detecs .NET Binary that lists installed AVs

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/442285/

Comments