DarkTortilla

DarkTortilla is a highly configurable .NET-based crypter that has possibly been active since at least August 2015. It has been used to deliver popular information stealers, RATs, and other payloads, including Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[1]

ID: S1066
Type: MALWARE
Platforms: Windows
Contributors: Mindaugas Gudzis, BT Security
Version: 1.0
Created: 16 February 2023
Last Modified: 06 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

DarkTortilla has used HTTP and HTTPS for C2.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

DarkTortilla has established persistence via the Software\Microsoft\Windows NT\CurrentVersion\Run registry key and by creating a .lnk shortcut file in the Windows startup folder.[1] When hunting, baseline both that path and the standard autostart key Software\Microsoft\Windows\CurrentVersion\Run (under HKCU and HKLM): the crypter's %HiddenReg% and %HiddenKey% placeholders (see Hide Artifacts below) indicate that the registry location is operator-configurable.

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

DarkTortilla has established persistence via the Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.[1] The values under that key that Windows executes at logon (Shell, which should read exactly explorer.exe, and Userinit) are the ones to baseline; any extra path appended to them is a strong indicator.

Enterprise T1115 Clipboard Data

DarkTortilla can download a clipboard information stealer module.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

DarkTortilla can use cmd.exe to add registry keys for persistence.[1]
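The following is an added example, not DarkTortilla code and not part of the ATT&CK entry. It shows detection logic for the persistence locations described in the Run key, Winlogon, and cmd.exe entries above (Run keys under both the Windows and Windows NT paths, non-default Winlogon Shell/Userinit data, .lnk files written to a Startup folder, and reg add command lines), run over a handful of constructed Sysmon-style events. The SID, user name, file names and paths in the sample events are made up for illustration.

```python
"""Added example: flag DarkTortilla-style persistence in Sysmon-style events.
Not DarkTortilla code; sample events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Event:
    event_id: int      # Sysmon: 1 = process create, 11 = file create, 13 = registry value set
    image: str         # process that generated the event
    target: str        # registry value path (13), file path (11) or command line (1)
    details: str = ""  # registry data written (13)


# The entry gives Software\Microsoft\Windows NT\CurrentVersion\Run; the standard
# autostart key is Software\Microsoft\Windows\CurrentVersion\Run. Match both.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows( NT)?\\CurrentVersion\\Run(Once)?\\", re.I)
# Winlogon values that Windows executes at logon.
WINLOGON_RE = re.compile(
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)
# A .lnk dropped into a per-user or all-users Startup folder.
STARTUP_LNK_RE = re.compile(r"\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# cmd.exe /c reg add ... against either location (T1059.003 plus T1112).
REG_ADD_RE = re.compile(r"\breg(\.exe)?\s+add\b.*(CurrentVersion\\Run|Winlogon)", re.I)

# Stock data for the Winlogon values; anything else, e.g. "explorer.exe, C:\...\x.exe",
# is flagged.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe,"},
}


def classify(ev: Event) -> Optional[str]:
    """Return a persistence tag for one event, or None when nothing matches."""
    if ev.event_id == 13:
        if RUN_KEY_RE.search(ev.target):
            return "run_key"
        m = WINLOGON_RE.search(ev.target)
        if m:
            name = m.group(1).lower()
            if ev.details.strip().lower() not in WINLOGON_DEFAULTS[name]:
                return f"winlogon_{name}"
        return None
    if ev.event_id == 11 and STARTUP_LNK_RE.search(ev.target):
        return "startup_lnk"
    if ev.event_id == 1 and REG_ADD_RE.search(ev.target):
        return "reg_add_cmd"
    return None


def find_persistence(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (tag, image, target) for every event that classify() flags."""
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag:
            hits.append((tag, ev.image, ev.target))
    return hits


# Constructed sample events (made-up SID, user and paths; not real telemetry).
PAYLOAD = r"C:\Users\victim\AppData\Roaming\PowerShellInfo.exe"
SAMPLE_EVENTS = [
    Event(13, PAYLOAD,
          r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\PowerShellInfo",
          PAYLOAD),
    Event(13, PAYLOAD,
          r"HKU\S-1-5-21-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
          "explorer.exe, " + PAYLOAD),
    Event(11, PAYLOAD,
          r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerShellInfo.lnk"),
    Event(1, r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run" /v PowerShellInfo /t REG_SZ /d "'
          + PAYLOAD + '" /f'),
    # Benign: an installer resetting Shell to its default, and an ordinary document write.
    Event(13, r"C:\Windows\System32\msiexec.exe",
          r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "explorer.exe"),
    Event(11, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Users\victim\Documents\notes.docx"),
]

if __name__ == "__main__":
    for tag, image, target in find_persistence(SAMPLE_EVENTS):
        print(f"{tag:15} {image} -> {target}")
```

Run-key writes are reported unconditionally here; in production, pair this with an allow-list of known installers and a check that the written path sits under a user-writable directory (AppData, Temp, ProgramData), which is where the renamed payload in this entry lives.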

Enterprise T1622 Debugger Evasion

DarkTortilla can detect an attached debugger using checks such as DebuggerIsAttached and DebuggerIsLogging (the .NET System.Diagnostics.Debugger.IsAttached property and Debugger.IsLogging() method). DarkTortilla can also detect CLR profilers by checking whether the COR_ENABLE_PROFILING environment variable is present and set.[1] Analysts should therefore run samples without a managed debugger attached and with the COR_ENABLE_PROFILING and COR_PROFILER variables unset, or patch these checks out first.

Enterprise T1140 Deobfuscate/Decode Files or Information

DarkTortilla can decrypt its payload and associated configuration elements using the Rijndael cipher (the algorithm of which AES is the standardized 128-bit-block subset).[1]

Enterprise T1564 Hide Artifacts

DarkTortilla has used the %HiddenReg% and %HiddenKey% placeholders as part of its persistence via the Windows registry.[1]

Enterprise T1574 .012 Hijack Execution Flow: COR_PROFILER

DarkTortilla can detect profilers by checking whether the COR_ENABLE_PROFILING environment variable is present and set.[1] COR_PROFILER hijacking depends on exactly this variable, so its presence tells the crypter it is running in an instrumented environment.

Enterprise T1105 Ingress Tool Transfer

DarkTortilla can download additional packages for keylogging, cryptocurrency mining, and other capabilities; it can also retrieve malicious payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[1]

Enterprise T1056 .001 Input Capture: Keylogging

DarkTortilla can download a keylogging module.[1]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

DarkTortilla has used the WshShortcut COM object (the object returned by WScript.Shell's CreateShortcut method) to create a .lnk shortcut file in the Windows startup folder.[1]

Enterprise T1036 Masquerading

DarkTortilla's payload has been renamed PowerShellInfo.exe.[1]

Enterprise T1112 Modify Registry

DarkTortilla has modified registry keys for persistence.[1]

Enterprise T1106 Native API

DarkTortilla can use a variety of API calls for persistence and defense evasion.[1]

Enterprise T1027 Obfuscated Files or Information

DarkTortilla has been obfuscated with the DeepSea .NET and ConfuserEx code obfuscators.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

DarkTortilla has been distributed via spearphishing emails containing archive attachments, with file types such as .iso, .zip, .img, .dmg, and .tar, as well as through malicious documents.[1]

Enterprise T1057 Process Discovery

DarkTortilla can enumerate a list of running processes on a compromised system.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

DarkTortilla can use a .NET-based DLL named RunPe6 for process injection.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

DarkTortilla can check for the Kaspersky Anti-Virus suite.[1]

Enterprise T1082 System Information Discovery

DarkTortilla can obtain system information by querying the Win32_ComputerSystem, Win32_BIOS, Win32_MotherboardDevice, Win32_PnPEntity, and Win32_DiskDrive WMI classes.[1]

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

DarkTortilla can check for internet connectivity by issuing HTTP GET requests.[1]

Enterprise T1007 System Service Discovery

DarkTortilla can retrieve information about a compromised system's running services.[1]

Enterprise T1204 .002 User Execution: Malicious File

DarkTortilla has relied on a user to open a malicious document or archived file delivered via email for initial execution.[1]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

DarkTortilla can search a compromised system's running processes and services to detect Hyper-V, QEMU, Virtual PC, VirtualBox, and VMware, as well as Sandboxie.[1]

.003 Virtualization/Sandbox Evasion: Time Based Evasion

DarkTortilla can call the kernel32.dll Sleep function to delay execution for up to 300 seconds before establishing persistence or processing an addon package.[1] Sandboxes whose run time is shorter than that window will observe neither behaviour.

Enterprise T1102 Web Service

DarkTortilla can retrieve its primary payload from public paste sites such as Pastebin and Textbin.[1]
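The following is an added example, not DarkTortilla code and not part of the ATT&CK entry. It implements two network detections that the Web Protocols, Internet Connection Discovery and Web Service entries above suggest: a non-browser process fetching from a public paste site, and the sequence of a connectivity-check GET followed shortly by a paste-site fetch from the same process. It runs over constructed proxy-style records; the process paths, timestamps, and the paste ID EXAMPLE0 are made up, and the browser list is an assumption to adjust per environment.

```python
"""Added example: flag payload retrieval from paste sites by non-browser processes.
Not DarkTortilla code; the sample records below are constructed, not real logs."""
import ntpath
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple
from urllib.parse import urlparse


@dataclass
class NetEvent:
    ts: datetime   # when the request was made
    image: str     # process that made it (from EDR or proxy user-agent correlation)
    method: str
    url: str


# Public paste sites the entry names as payload hosts; extend with your own list.
PASTE_HOSTS = {"pastebin.com", "textbin.net"}
# Processes that legitimately browse paste sites (assumed list); anything else is suspect.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def host_of(url: str) -> str:
    """Lower-cased host name with any leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_browser(image: str) -> bool:
    return ntpath.basename(image).lower() in BROWSERS


def paste_fetches(events: List[NetEvent]) -> List[NetEvent]:
    """GET requests to a paste site issued by a process that is not a browser."""
    return [e for e in events
            if e.method.upper() == "GET"
            and host_of(e.url) in PASTE_HOSTS
            and not is_browser(e.image)]


def stage_chains(events: List[NetEvent], window_s: int = 300) -> List[Tuple[str, str, str]]:
    """For each flagged paste fetch, look back up to window_s seconds for an earlier GET
    by the same process to a non-paste host: the connectivity check the crypter issues
    before pulling its payload. Returns (image, probe_url, paste_url) per chain."""
    chains = []
    for fetch in paste_fetches(events):
        probes = [e for e in events
                  if e.image == fetch.image and e is not fetch
                  and 0 <= (fetch.ts - e.ts).total_seconds() <= window_s
                  and e.method.upper() == "GET"
                  and host_of(e.url) not in PASTE_HOSTS]
        if probes:
            earliest = min(probes, key=lambda e: e.ts)
            chains.append((fetch.image, earliest.url, fetch.url))
    return chains


def when(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records (made-up process paths, times and paste ID).
DROPPER = r"C:\Users\victim\AppData\Local\Temp\invoice.exe"
SAMPLE_EVENTS = [
    NetEvent(when("2023-03-01T09:00:01"), DROPPER, "GET",
             "http://www.msftconnecttest.com/connecttest.txt"),
    NetEvent(when("2023-03-01T09:00:03"), DROPPER, "GET",
             "https://pastebin.com/raw/EXAMPLE0"),
    # Same URL from a browser: a person reading a paste, not a loader.
    NetEvent(when("2023-03-01T09:05:00"),
             r"C:\Program Files\Google\Chrome\Application\chrome.exe", "GET",
             "https://pastebin.com/raw/EXAMPLE0"),
    NetEvent(when("2023-03-01T09:07:00"),
             r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "GET",
             "https://outlook.office.com/"),
]

if __name__ == "__main__":
    for e in paste_fetches(SAMPLE_EVENTS):
        print("paste fetch:", e.image, e.url)
    for image, probe, paste in stage_chains(SAMPLE_EVENTS):
        print("probe then fetch:", image, probe, "->", paste)
```

The connectivity-probe rule only fires when the paste fetch already matched, so it raises confidence rather than volume; tune window_s against the delays you observe, bearing in mind the up-to-300-second Sleep described under Time Based Evasion.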

Enterprise T1047 Windows Management Instrumentation

DarkTortilla can use WMI queries to obtain system information.[1]

References