DarkTortilla is a highly configurable .NET-based crypter that has possibly been active since at least August 2015. DarkTortilla has been used to deliver popular information stealers, RATs, and payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | DarkTortilla can use WMI queries to obtain system information.[1] |
| Enterprise | T1036 | Masquerading | DarkTortilla's payload has been renamed |
| Enterprise | T1112 | Modify Registry | DarkTortilla has modified registry keys for persistence.[1] |
| Enterprise | T1115 | Clipboard Data | DarkTortilla can download a clipboard information stealer module.[1] |
| Enterprise | T1574.012 | Hijack Execution Flow: COR_PROFILER | DarkTortilla can detect profilers by verifying the |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | DarkTortilla can decrypt its payload and associated configuration elements using the Rijndael cipher.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | DarkTortilla has established persistence via the |
| Enterprise | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | DarkTortilla has established persistence via the |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | DarkTortilla can use |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | DarkTortilla has used HTTP and HTTPS for C2.[1] |
| Enterprise | T1106 | Native API | DarkTortilla can use a variety of API calls for persistence and defense evasion.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | DarkTortilla has been obfuscated with the DeepSea .NET and ConfuserEx code obfuscators.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | DarkTortilla has relied on a user to open a malicious document or archived file delivered via email for initial execution.[1] |
| Enterprise | T1082 | System Information Discovery | DarkTortilla can obtain system information by querying the |
| Enterprise | T1007 | System Service Discovery | DarkTortilla can retrieve information about a compromised system's running services.[1] |
| Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | DarkTortilla can check for internet connectivity by issuing HTTP GET requests.[1] |
| Enterprise | T1102 | Web Service | DarkTortilla can retrieve its primary payload from public sites such as Pastebin and Textbin.[1] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | DarkTortilla can search a compromised system's running processes and services to detect Hyper-V, QEMU, Virtual PC, VirtualBox, and VMware, as well as Sandboxie.[1] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | DarkTortilla can implement the |
| Enterprise | T1622 | Debugger Evasion | DarkTortilla can detect debuggers by using functions such as |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | DarkTortilla can check for the Kaspersky Anti-Virus suite.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | DarkTortilla can download additional packages for keylogging, cryptocurrency mining, and other capabilities; it can also retrieve malicious payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | DarkTortilla can download a keylogging module.[1] |
| Enterprise | T1057 | Process Discovery | DarkTortilla can enumerate a list of running processes on a compromised system.[1] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | DarkTortilla can use a .NET-based DLL named |
| Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | DarkTortilla has used the |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | DarkTortilla has been distributed via spearphishing emails containing archive attachments, with file types such as .iso, .zip, .img, .dmg, and .tar, as well as through malicious documents.[1] |
| Enterprise | T1564 | Hide Artifacts | DarkTortilla has used |