Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

DarkTortilla

112
Global rank
112 infographic chevron month
Month rank
83 infographic chevron week
Week rank
0
IOCs

DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.

Crypter
Type
Unknown
Origin
1 August, 2015
First seen
31 March, 2025
Last seen

How to analyze DarkTortilla with ANY.RUN

Crypter
Type
Unknown
Origin
1 August, 2015
First seen
31 March, 2025
Last seen

IOCs

IP addresses
192.210.215.42
104.234.10.91
199.250.198.12
97.74.88.160
67.222.24.48
54.180.140.193
87.236.102.132
185.246.220.237
45.74.40.10
35.77.200.33
193.187.91.218
193.187.91.116
185.157.163.141
212.87.212.173
Domains
bassizcellskz.shop
writerospzm.shop
deallerospfosu.shop
celebratioopz.shop
complaintsipzzx.shop
quialitsuzoxm.shop
languagedscie.shop
mennyudosirso.shop
rampelloelectricidad.com
boyar.com.tr
mail.boyar.com.tr
littleurls.com
mentivy.xyz
ftp.vvspijkenisse.nl
138.68.13
gnammarly.com
Last Seen at

Recent blog posts

post image
Release Notes: Android VM, Pre-Installed Dev...
watchers 274
comments 0
post image
How to Hunt and Investigate Linux Malware 
watchers 559
comments 0
post image
Salvador Stealer: New Android Malware That Ph...
watchers 3942
comments 0

What is Darktortilla crypter?

DarkTortilla is a crypter that has been utilized since 2015 to deliver some of the most popular RATs, such as NanoCore, AsyncRat, and AgentTesla, as well as information stealers like RedLine. It is equipped with obfuscation and anti-analysis functionality.

DarkTortilla is a multi-stage crypter. To deploy on the target host and start operating, it relies on a loader and a .DLL core processor. It can run its harmful payload entirely in the computer's memory (RAM). This means it does not need to save any files to the hard drive, making it more difficult for traditional security software to detect.

The crypter can make use of social engineering by displaying fake messages to users that look like real software errors or updates. This tricks victims into thinking that is is a safe and legitimate program. By doing this, the malware can continue to operate without raising suspicion

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

DarkTortilla crypter execution process

Let's upload a sample of DarkTortilla to ANY.RUN sandbox to see how it operates.

The infection begins when the victim unknowingly runs the initial loader, which is often concealed within an archive or a malicious document. This loader is responsible for retrieving the .NET-based DLL (core processor). The DLL might be embedded within the loader's resources or downloaded from external sources like Pastebin.

DarkTortilla report in ANY.RUN DarkTortilla threat report generated by ANY.RUN

Once the initial loader is executed, it decodes and loads the core processor. This core component performs several tasks based on its configuration, including:

  • Displaying Fake Messages: It shows fake message boxes to deceive users, making them believe the crypter is a real program.
  • Evading Detection: It performs checks to detect if it is running in a virtual machine or a sandbox environment, which are commonly used by security researchers.
  • Establishing Persistence: It ensures that the malware stays on the system by modifying system files or using techniques like moving its execution to the Windows %TEMP% directory. This makes it difficult to remove the malware completely. It can achieve persistence by modifying user .LNK files' target path to point to its executable. DarkTortilla ensures that it can execute again even after a system reboot. This further complicates the removal process and helps the malware remain active on the infected system.

The core processor then injects the main malicious payload into the system. This payload can be various types of malware, such as Remote Access Trojans (RATs) or information stealers.

DarkTortilla graph in ANY.RUN Process graph generated by ANY.RUN allows us to see the main process of AsyncRAT injection through DarkTortilla

In our case, the payload is AsyncRAT. The sandbox session lets us see how the injection process is done in memory.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

DarkTortilla crypter delivery methods

DarkTortilla spreads using different methods, yet the two main ones include:

  • Malicious attachments: The attackers send emails that look like they come from trusted sources. These emails usually come with attachments in the form of archives (like .zip or .tar). These files often hide the initial loader that starts the infection process.
  • Fake websites: Another way DarkTortilla can be delivered to the victim's machine is through phishing websites. Users are usually asked to download a file, which then turns out to be a loader.

Conclusion

DarkTortilla’s advanced encryption methods, in-memory execution, and anti-analysis capabilities make it particularly challenging to detect and mitigate. To avoid malware infection by DarkTortilla, it’s important to focus on a combination of security practices, including using a malware sandbox to proactively analyze any suspicious email, file, or link.

The ANY.RUN sandbox provides valuable tools for researchers to analyze and understand threats like DarkTortilla. By using it, security professionals can expose malware and phishing threats in seconds.

Create your free ANY.RUN account to analyze malware and phishing without limits!

HAVE A LOOK AT

FatalRAT screenshot
FatalRAT
fatalrat
FatalRAT is a malware that gives hackers remote access and control of the system and lets them steal sensitive information like login credentials and financial data. FatalRAT has been associated with cyber espionage campaigns, particularly targeting organizations in the Asia-Pacific (APAC) region.
Read More
Phorpiex screenshot
Phorpiex
phorpiex
Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More