DarkTortilla Malware Analysis

DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks® Counter Threat Unit™ (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.


ATT&CK IDs: T1055 - Process Injection, T1547 - Boot or Logon Autostart Execution, T1140 - Deobfuscate/Decode Files or Information, T1027 - Obfuscated Files or Information, T1127 - Trusted Developer Utilities Proxy Execution, T1059 - Command and Scripting Interpreter, T1057 - Process Discovery, T1115 - Clipboard Data, T1574 - Hijack Execution Flow, T1070 - Indicator Removal on Host, T1036 - Masquerading, T1056 - Input Capture, T1566 - Phishing
