Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

DarkTortilla

126
Global rank
167 infographic chevron month
Month rank
152 infographic chevron week
Week rank
0
IOCs

DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.

Crypter
Type
Unknown
Origin
1 August, 2015
First seen
21 May, 2026
Last seen

How to analyze DarkTortilla with ANY.RUN

Crypter
Type
Unknown
Origin
1 August, 2015
First seen
21 May, 2026
Last seen

IOCs

IP addresses
192.210.215.42
104.234.10.91
199.250.198.12
97.74.88.160
67.222.24.48
54.180.140.193
87.236.102.132
185.246.220.237
45.74.40.10
193.187.91.116
193.187.91.218
185.157.163.141
212.87.212.173
Domains
rampelloelectricidad.com
boyar.com.tr
mail.boyar.com.tr
mentivy.xyz
ftp.vvspijkenisse.nl
138.68.13
gnammarly.com
Last Seen at

Recent blog posts

post image
Hidden Infrastructure Exposed: ANY.RUN Reveal...
watchers 4232
comments 0
post image
​​Kratos PhaaS Targets US and EU: How to Redu...
watchers 8849
comments 0
post image
US Threat Landscape Alert: 30 Active Malware...
watchers 7132
comments 0

What is Darktortilla crypter?

DarkTortilla is a crypter that has been utilized since 2015 to deliver some of the most popular RATs, such as NanoCore, AsyncRat, and AgentTesla, as well as information stealers like RedLine. It is equipped with obfuscation and anti-analysis functionality.

DarkTortilla is a multi-stage crypter. To deploy on the target host and start operating, it relies on a loader and a .DLL core processor. It can run its harmful payload entirely in the computer's memory (RAM). This means it does not need to save any files to the hard drive, making it more difficult for traditional security software to detect.

The crypter can make use of social engineering by displaying fake messages to users that look like real software errors or updates. This tricks victims into thinking that is is a safe and legitimate program. By doing this, the malware can continue to operate without raising suspicion

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

DarkTortilla crypter execution process

Let's upload a sample of DarkTortilla to ANY.RUN sandbox to see how it operates.

The infection begins when the victim unknowingly runs the initial loader, which is often concealed within an archive or a malicious document. This loader is responsible for retrieving the .NET-based DLL (core processor). The DLL might be embedded within the loader's resources or downloaded from external sources like Pastebin.

DarkTortilla report in ANY.RUN DarkTortilla threat report generated by ANY.RUN

Once the initial loader is executed, it decodes and loads the core processor. This core component performs several tasks based on its configuration, including:

  • Displaying Fake Messages: It shows fake message boxes to deceive users, making them believe the crypter is a real program.
  • Evading Detection: It performs checks to detect if it is running in a virtual machine or a sandbox environment, which are commonly used by security researchers.
  • Establishing Persistence: It ensures that the malware stays on the system by modifying system files or using techniques like moving its execution to the Windows %TEMP% directory. This makes it difficult to remove the malware completely. It can achieve persistence by modifying user .LNK files' target path to point to its executable. DarkTortilla ensures that it can execute again even after a system reboot. This further complicates the removal process and helps the malware remain active on the infected system.

The core processor then injects the main malicious payload into the system. This payload can be various types of malware, such as Remote Access Trojans (RATs) or information stealers.

DarkTortilla graph in ANY.RUN Process graph generated by ANY.RUN allows us to see the main process of AsyncRAT injection through DarkTortilla

In our case, the payload is AsyncRAT. The sandbox session lets us see how the injection process is done in memory.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

DarkTortilla crypter delivery methods

DarkTortilla spreads using different methods, yet the two main ones include:

  • Malicious attachments: The attackers send emails that look like they come from trusted sources. These emails usually come with attachments in the form of archives (like .zip or .tar). These files often hide the initial loader that starts the infection process.
  • Fake websites: Another way DarkTortilla can be delivered to the victim's machine is through phishing websites. Users are usually asked to download a file, which then turns out to be a loader.

Conclusion

DarkTortilla’s advanced encryption methods, in-memory execution, and anti-analysis capabilities make it particularly challenging to detect and mitigate. To avoid malware infection by DarkTortilla, it’s important to focus on a combination of security practices, including using a malware sandbox to proactively analyze any suspicious email, file, or link.

The ANY.RUN sandbox provides valuable tools for researchers to analyze and understand threats like DarkTortilla. By using it, security professionals can expose malware and phishing threats in seconds.

Create your free ANY.RUN account to analyze malware and phishing without limits!

HAVE A LOOK AT

StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More
PureCrypter screenshot
PureCrypter
purecrypter
First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.
Read More
BlindEagle screenshot
BlindEagle
blindeagle
BlindEagle is a cyber threat actor primarily associated with espionage and credential theft campaigns targeting organizations in Latin America, especially Colombia. Active since at least 2018, the group relies heavily on phishing, remote access trojans (RATs), PowerShell scripts, and social engineering to infiltrate systems and maintain persistence. BlindEagle is known for continuously evolving its delivery mechanisms and malware stack to bypass detection and compromise high-value targets.
Read More
Moonrise screenshot
Moonrise
moonrise
Moonrise RAT is a newly discovered Go-based remote access trojan with zero detections at launch, featuring credential theft, keylogging, webcam access, clipboard hijacking, and UAC bypass.
Read More
Pay2Key screenshot
Pay2Key is a ransomware strain primarily written in C++ for Windows (with recent Linux variants), attributed to Iranian-linked actors, notably the Fox Kitten APT group (also known as UNC757 or related operations). First observed in late 2020, it employs double-extortion tactics (encrypting files and threatening to leak stolen data) while showing signs of both financial and state-aligned motivations. It has resurfaced in campaigns targeting Western organizations, including rapid encryption attacks on healthcare.
Read More
Mispadu screenshot
Mispadu is a Windows banking trojan known for targeting online banking credentials, cryptocurrency wallets, and sensitive financial information. First identified in Latin America, the malware has continuously evolved with improved evasion techniques, phishing campaigns, and credential theft capabilities. Its reliance on social engineering rather than software vulnerabilities makes it an enduring threat to organizations whose employees interact with financial services online.
Read More