
DarkTortilla Malware Analysis

DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks® Counter Threat Unit™ (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.

MALWARE FAMILY: DarkTortilla

ATT&CK IDs:
T1055 - Process Injection
T1547 - Boot or Logon Autostart Execution
T1140 - Deobfuscate/Decode Files or Information
T1027 - Obfuscated Files or Information
T1127 - Trusted Developer Utilities Proxy Execution
T1059 - Command and Scripting Interpreter
T1057 - Process Discovery
T1115 - Clipboard Data
T1574 - Hijack Execution Flow
T1070 - Indicator Removal on Host
T1036 - Masquerading
T1056 - Input Capture
T1566 - Phishing