
DarkTortilla

DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.

Type: Crypter
Origin: Unknown
First seen: 1 August, 2015
Last seen: 9 October, 2024

How to analyze DarkTortilla with ANY.RUN

What is the DarkTortilla crypter?

DarkTortilla is a crypter that has been used since 2015 to deliver some of the most popular RATs, such as NanoCore, AsyncRAT, and AgentTesla, as well as information stealers like RedLine. It is equipped with obfuscation and anti-analysis functionality.

DarkTortilla is a multi-stage crypter. To deploy on the target host and start operating, it relies on a loader and a DLL core processor. It can run its harmful payload entirely in the computer's memory (RAM), so it does not need to write any files to disk, which makes it harder for traditional security software to detect.

The crypter can make use of social engineering by displaying fake messages to users that look like real software errors or updates. This tricks victims into thinking that it is a safe and legitimate program, so the malware can continue to operate without raising suspicion.

DarkTortilla crypter execution process

Let's upload a sample of DarkTortilla to the ANY.RUN sandbox to see how it operates.

The infection begins when the victim unknowingly runs the initial loader, which is often concealed within an archive or a malicious document. This loader is responsible for retrieving the .NET-based DLL (core processor). The DLL might be embedded within the loader's resources or downloaded from external sources like Pastebin.

DarkTortilla threat report generated by ANY.RUN

Once the initial loader is executed, it decodes and loads the core processor. This core component performs several tasks based on its configuration, including:

  • Displaying Fake Messages: It shows fake message boxes to deceive users, making them believe the crypter is a real program.
  • Evading Detection: It performs checks to detect if it is running in a virtual machine or a sandbox environment, which are commonly used by security researchers.
  • Establishing Persistence: It ensures that the malware stays on the system by modifying system files or by relocating its execution to the Windows %TEMP% directory. It can also redirect the target path of the user's .LNK files to its own executable, so that it runs again even after a system reboot. This complicates removal and helps the malware remain active on the infected system.
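The .LNK redirection described in the last bullet leaves a file artifact that a defender can audit. As an added example (not ANY.RUN's code or anything taken from the crypter), the block below parses the fields of a Shell Link file that determine what Explorer launches and flags shortcuts whose target or arguments point into a Temp directory; the SUSPICIOUS_DIRS rule and the build_lnk sample generator are assumptions of the example.

```python
import struct

# LinkFlags bits from the Shell Link binary format (MS-SHLLINK)
HAS_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGUMENTS, IS_UNICODE = 0x1, 0x2, 0x4, 0x8, 0x10, 0x20, 0x80
# Directories a user shortcut should not normally launch from (assumed detection rule, not from the page)
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def _cstr(data, off):
    """Read a NUL-terminated ANSI string starting at offset off."""
    return data[off:data.index(b"\x00", off)].decode("cp1252")

def parse_lnk(data):
    """Return (target_path, arguments) from a .LNK blob using LinkInfo and StringData."""
    if struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:  # skip the IDList; the local path is taken from LinkInfo
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        size, _, li_flags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath: a local path is present
            target = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
        pos += size
    width, strings = (2 if flags & IS_UNICODE else 1), {}
    for key, bit in (("name", HAS_NAME), ("rel", HAS_RELPATH), ("wd", HAS_WORKDIR), ("args", HAS_ARGUMENTS)):
        if flags & bit:  # each StringData field is CountCharacters followed by the characters
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            strings[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return target, strings.get("args", "")

def is_suspicious_target(target, args):
    """True when the shortcut launches from, or passes a path inside, a Temp directory."""
    haystack = (target + " " + args).lower()
    return any(d in haystack for d in SUSPICIOUS_DIRS)

def build_lnk(local_base_path, args=""):
    """Build a minimal .LNK for offline testing (constructed sample, not a real capture;
    the VolumeID structure is omitted because parse_lnk does not read it)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if args else 0)
    header = struct.pack("<I16sI", 0x4C, b"\x00" * 16, flags).ljust(0x4C, b"\x00")
    base, li_hdr = local_base_path.encode("cp1252") + b"\x00", 0x1C
    link_info = struct.pack("<7I", li_hdr + len(base) + 1, li_hdr, 0x1, 0,
                            li_hdr, 0, li_hdr + len(base)) + base + b"\x00"
    string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le") if args else b""
    return header + link_info + string_data
```

On a live host, feed the bytes of each .LNK under the user's Desktop and Start Menu to parse_lnk and review any shortcut that is_suspicious_target flags, comparing its target with the program the shortcut claims to open.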

The core processor then injects the main malicious payload into the system. This payload can be various types of malware, such as Remote Access Trojans (RATs) or information stealers.

Process graph generated by ANY.RUN, showing the main process of AsyncRAT injection through DarkTortilla

In our case, the payload is AsyncRAT. The sandbox session lets us see how the injection process is done in memory.

DarkTortilla crypter delivery methods

DarkTortilla spreads using different methods, but the two main ones are:

  • Malicious attachments: The attackers send emails that look like they come from trusted sources. These emails usually come with attachments in the form of archives (like .zip or .tar). These files often hide the initial loader that starts the infection process.
  • Fake websites: Another way DarkTortilla can be delivered to the victim's machine is through phishing websites. Users are usually asked to download a file, which then turns out to be a loader.

Conclusion

DarkTortilla’s advanced encryption methods, in-memory execution, and anti-analysis capabilities make it particularly challenging to detect and mitigate. To avoid malware infection by DarkTortilla, it’s important to focus on a combination of security practices, including using a malware sandbox to proactively analyze any suspicious email, file, or link.

The ANY.RUN sandbox provides valuable tools for researchers to analyze and understand threats like DarkTortilla. By using it, security professionals can expose malware and phishing threats in seconds.

Create your free ANY.RUN account to analyze malware and phishing without limits!
