Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

DarkTortilla

107
Global rank
116 infographic chevron month
Month rank
123 infographic chevron week
Week rank
0
IOCs

DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.

Crypter
Type
Unknown
Origin
1 August, 2015
First seen
25 January, 2025
Last seen

How to analyze DarkTortilla with ANY.RUN

Crypter
Type
Unknown
Origin
1 August, 2015
First seen
25 January, 2025
Last seen

IOCs

IP addresses
192.210.215.42
104.234.10.91
199.250.198.12
97.74.88.160
67.222.24.48
54.180.140.193
87.236.102.132
185.246.220.237
45.74.40.10
35.77.200.33
193.187.91.218
193.187.91.116
185.157.163.141
212.87.212.173
Domains
languagedscie.shop
mennyudosirso.shop
deallerospfosu.shop
quialitsuzoxm.shop
bassizcellskz.shop
pureeratee.duckdns.org
kellyjasmine1985.duckdns.org
celebratioopz.shop
complaintsipzzx.shop
writerospzm.shop
rampelloelectricidad.com
boyar.com.tr
mail.boyar.com.tr
littleurls.com
mentivy.xyz
ftp.vvspijkenisse.nl
138.68.13
gnammarly.com
Last Seen at

Recent blog posts

post image
I Used a Sandbox to Strengthen Bank’s Securit...
watchers 226
comments 0
post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 600
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1496
comments 0

What is Darktortilla crypter?

DarkTortilla is a crypter that has been utilized since 2015 to deliver some of the most popular RATs, such as NanoCore, AsyncRat, and AgentTesla, as well as information stealers like RedLine. It is equipped with obfuscation and anti-analysis functionality.

DarkTortilla is a multi-stage crypter. To deploy on the target host and start operating, it relies on a loader and a .DLL core processor. It can run its harmful payload entirely in the computer's memory (RAM). This means it does not need to save any files to the hard drive, making it more difficult for traditional security software to detect.

The crypter can make use of social engineering by displaying fake messages to users that look like real software errors or updates. This tricks victims into thinking that is is a safe and legitimate program. By doing this, the malware can continue to operate without raising suspicion

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

DarkTortilla crypter execution process

Let's upload a sample of DarkTortilla to ANY.RUN sandbox to see how it operates.

The infection begins when the victim unknowingly runs the initial loader, which is often concealed within an archive or a malicious document. This loader is responsible for retrieving the .NET-based DLL (core processor). The DLL might be embedded within the loader's resources or downloaded from external sources like Pastebin.

DarkTortilla report in ANY.RUN DarkTortilla threat report generated by ANY.RUN

Once the initial loader is executed, it decodes and loads the core processor. This core component performs several tasks based on its configuration, including:

  • Displaying Fake Messages: It shows fake message boxes to deceive users, making them believe the crypter is a real program.
  • Evading Detection: It performs checks to detect if it is running in a virtual machine or a sandbox environment, which are commonly used by security researchers.
  • Establishing Persistence: It ensures that the malware stays on the system by modifying system files or using techniques like moving its execution to the Windows %TEMP% directory. This makes it difficult to remove the malware completely. It can achieve persistence by modifying user .LNK files' target path to point to its executable. DarkTortilla ensures that it can execute again even after a system reboot. This further complicates the removal process and helps the malware remain active on the infected system.

The core processor then injects the main malicious payload into the system. This payload can be various types of malware, such as Remote Access Trojans (RATs) or information stealers.

DarkTortilla graph in ANY.RUN Process graph generated by ANY.RUN allows us to see the main process of AsyncRAT injection through DarkTortilla

In our case, the payload is AsyncRAT. The sandbox session lets us see how the injection process is done in memory.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

DarkTortilla crypter delivery methods

DarkTortilla spreads using different methods, yet the two main ones include:

  • Malicious attachments: The attackers send emails that look like they come from trusted sources. These emails usually come with attachments in the form of archives (like .zip or .tar). These files often hide the initial loader that starts the infection process.
  • Fake websites: Another way DarkTortilla can be delivered to the victim's machine is through phishing websites. Users are usually asked to download a file, which then turns out to be a loader.

Conclusion

DarkTortilla’s advanced encryption methods, in-memory execution, and anti-analysis capabilities make it particularly challenging to detect and mitigate. To avoid malware infection by DarkTortilla, it’s important to focus on a combination of security practices, including using a malware sandbox to proactively analyze any suspicious email, file, or link.

The ANY.RUN sandbox provides valuable tools for researchers to analyze and understand threats like DarkTortilla. By using it, security professionals can expose malware and phishing threats in seconds.

Create your free ANY.RUN account to analyze malware and phishing without limits!

HAVE A LOOK AT

X-Files screenshot
X-Files
xfiles
X-FILES Stealer is a sophisticated malware designed to infiltrate systems and steal sensitive information, targeting login credentials for email, social media, and other personal accounts. It captures data and transmits it back to the attacker’s command-and-control server. X-FILES Stealer employs advanced evasion techniques to avoid detection, making it a persistent threat in the cyber landscape.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More