Windows Analysis Report
83WMUEr268.dll

Overview

General Information

Sample name: 83WMUEr268.dll
renamed because original name is a hash value
Original sample name: 2bdf5181395313ddd75e8eb091ee06db85b2b7779cd97abc0b899c769ab96737-payload.bin-.dll
Analysis ID: 1588843
MD5: a102cee15d494db5ae6c917374ffbfc3
SHA1: e2646ce8aa61578bc642f9978e2dc7c7bd51fd88
SHA256: 2bdf5181395313ddd75e8eb091ee06db85b2b7779cd97abc0b899c769ab96737
Tags: dlluser-AzakaSekai
Infos:

Detection

DarkTortilla
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected DarkTortilla Crypter
AI detected suspicious sample
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Name Description Attribution Blogpost URLs Link
DarkTortilla DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

AV Detection

barindex
Source: 83WMUEr268.dll Virustotal: Detection: 33% Perma Link
Source: 83WMUEr268.dll ReversingLabs: Detection: 28%
Source: Submited Sample Integrated Neural Analysis Model: Matched 93.7% probability
Source: 83WMUEr268.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: 83WMUEr268.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 83WMUEr268.dll Binary or memory string: OriginalFilenameMofInagitap.dll8 vs 83WMUEr268.dll
Source: 83WMUEr268.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal60.evad.winDLL@6/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
Source: 83WMUEr268.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 83WMUEr268.dll Static file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 44.58%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\83WMUEr268.dll",#1
Source: 83WMUEr268.dll Virustotal: Detection: 33%
Source: 83WMUEr268.dll ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\83WMUEr268.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\83WMUEr268.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\83WMUEr268.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\83WMUEr268.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\83WMUEr268.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: 83WMUEr268.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 83WMUEr268.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

barindex
Source: Yara match File source: 83WMUEr268.dll, type: SAMPLE
Source: 83WMUEr268.dll Static PE information: 0x9EC972C6 [Tue Jun 2 08:37:26 2054 UTC]
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: 83WMUEr268.dll Binary or memory string: VBoxTray
Source: 83WMUEr268.dll Binary or memory string: 1220104579GSOFTWARE\VMware, Inc.\VMware VGAuth
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\83WMUEr268.dll",#1 Jump to behavior