Skip to content

Hide Navigation Hide TOC

DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8)

DarkTortilla is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. DarkTortilla has been used to deliver popular information stealers, RATs, and payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.(Citation: Secureworks DarkTortilla Aug 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware COR_PROFILER - T1574.012 (ffeb0780-356e-4261-b036-cfb6bd234335) Attack Pattern 1
DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern 1
DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 1
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 1
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern 1
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern 1
DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern COR_PROFILER - T1574.012 (ffeb0780-356e-4261-b036-cfb6bd234335) Attack Pattern 2
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2