Skip to content

Hide Navigation Hide TOC

DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8)

DarkTortilla is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. DarkTortilla has been used to deliver popular information stealers, RATs, and payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.(Citation: Secureworks DarkTortilla Aug 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
COR_PROFILER - T1574.012 (ffeb0780-356e-4261-b036-cfb6bd234335) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 1
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware 1
DarkTortilla - S1066 (5faaf81a-aa5b-4a4b-bae5-522439e068f8) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern COR_PROFILER - T1574.012 (ffeb0780-356e-4261-b036-cfb6bd234335) Attack Pattern 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 2
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Time Based Checks - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Winlogon Helper DLL - T1547.004 (6836813e-8ec8-4375-b459-abb388cb1a35) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2