Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
83WMUEr268.dll

Overview

General Information

Sample name:83WMUEr268.dll
renamed because original name is a hash value
Original sample name:2bdf5181395313ddd75e8eb091ee06db85b2b7779cd97abc0b899c769ab96737-payload.bin-.dll
Analysis ID:1588843
MD5:a102cee15d494db5ae6c917374ffbfc3
SHA1:e2646ce8aa61578bc642f9978e2dc7c7bd51fd88
SHA256:2bdf5181395313ddd75e8eb091ee06db85b2b7779cd97abc0b899c769ab96737
Tags:dlluser-AzakaSekai
Infos:

Detection

DarkTortilla
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected DarkTortilla Crypter
AI detected suspicious sample
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7280 cmdline: loaddll32.exe "C:\Users\user\Desktop\83WMUEr268.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7332 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\83WMUEr268.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7348 cmdline: rundll32.exe "C:\Users\user\Desktop\83WMUEr268.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
DarkTortillaDarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla
No configs have been found
SourceRuleDescriptionAuthorStrings
83WMUEr268.dllJoeSecurity_DarkTortillaYara detected DarkTortilla CrypterJoe Security
    No Sigma rule has matched
    No Suricata rule has matched

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: 83WMUEr268.dllVirustotal: Detection: 33%Perma Link
    Source: 83WMUEr268.dllReversingLabs: Detection: 28%
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 93.7% probability
    Source: 83WMUEr268.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
    Source: 83WMUEr268.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: 83WMUEr268.dllBinary or memory string: OriginalFilenameMofInagitap.dll8 vs 83WMUEr268.dll
    Source: 83WMUEr268.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
    Source: classification engineClassification label: mal60.evad.winDLL@6/0@0/0
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
    Source: 83WMUEr268.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: 83WMUEr268.dllStatic file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 44.58%
    Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\83WMUEr268.dll",#1
    Source: 83WMUEr268.dllVirustotal: Detection: 33%
    Source: 83WMUEr268.dllReversingLabs: Detection: 28%
    Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\83WMUEr268.dll"
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\83WMUEr268.dll",#1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\83WMUEr268.dll",#1
    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\83WMUEr268.dll",#1Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\83WMUEr268.dll",#1Jump to behavior
    Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
    Source: 83WMUEr268.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: 83WMUEr268.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

    barindex
    Source: Yara matchFile source: 83WMUEr268.dll, type: SAMPLE
    Source: 83WMUEr268.dllStatic PE information: 0x9EC972C6 [Tue Jun 2 08:37:26 2054 UTC]
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
    Source: 83WMUEr268.dllBinary or memory string: VBoxTray
    Source: 83WMUEr268.dllBinary or memory string: 1220104579GSOFTWARE\VMware, Inc.\VMware VGAuth
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\83WMUEr268.dll",#1Jump to behavior
    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
    DLL Side-Loading
    11
    Process Injection
    1
    Rundll32
    OS Credential Dumping1
    Security Software Discovery
    Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    DLL Side-Loading
    1
    Virtualization/Sandbox Evasion
    LSASS Memory1
    Virtualization/Sandbox Evasion
    Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
    Process Injection
    Security Account Manager1
    System Information Discovery
    SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
    Timestomp
    NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    DLL Side-Loading
    LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 1588843 Sample: 83WMUEr268.dll Startdate: 11/01/2025 Architecture: WINDOWS Score: 60 15 Multi AV Scanner detection for submitted file 2->15 17 Yara detected DarkTortilla Crypter 2->17 19 AI detected suspicious sample 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.