
S1066 DarkTortilla

DarkTortilla is a highly configurable .NET-based crypter that has possibly been active since at least August 2015. DarkTortilla has been used to deliver popular information stealers, RATs, and payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[1]

| Item | Value |
| --- | --- |
| ID | S1066 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 16 February 2023 |
| Last Modified | 06 March 2023 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | DarkTortilla has used HTTP and HTTPS for C2.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | DarkTortilla has established persistence via the Software\Microsoft\Windows NT\CurrentVersion\Run registry key and by creating a .lnk shortcut file in the Windows startup folder.[1] |
| enterprise | T1547.004 | Winlogon Helper DLL | DarkTortilla has established persistence via the Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.[1] |
| enterprise | T1115 | Clipboard Data | DarkTortilla can download a clipboard information stealer module.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | DarkTortilla can use cmd.exe to add registry keys for persistence.[1] |
| enterprise | T1622 | Debugger Evasion | DarkTortilla can detect debuggers by using functions such as DebuggerIsAttached and DebuggerIsLogging. DarkTortilla can also detect profilers by verifying that the COR_ENABLE_PROFILING environment variable is present and active.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | DarkTortilla can decrypt its payload and associated configuration elements using the Rijndael cipher.[1] |
| enterprise | T1564 | Hide Artifacts | DarkTortilla has used %HiddenReg% and %HiddenKey% as part of its persistence via the Windows registry.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.012 | COR_PROFILER | DarkTortilla can detect profilers by verifying that the COR_ENABLE_PROFILING environment variable is present and active.[1] |
| enterprise | T1105 | Ingress Tool Transfer | DarkTortilla can download additional packages for keylogging, cryptocurrency mining, and other capabilities; it can also retrieve malicious payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | DarkTortilla can download a keylogging module.[1] |
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.001 | Component Object Model | DarkTortilla has used the WshShortcut COM object to create a .lnk shortcut file in the Windows startup folder.[1] |
| enterprise | T1036 | Masquerading | DarkTortilla's payload has been renamed PowerShellInfo.exe.[1] |
| enterprise | T1112 | Modify Registry | DarkTortilla has modified registry keys for persistence.[1] |
| enterprise | T1106 | Native API | DarkTortilla can use a variety of API calls for persistence and defense evasion.[1] |
| enterprise | T1027 | Obfuscated Files or Information | DarkTortilla has been obfuscated with the DeepSea .NET and ConfuserEx code obfuscators.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | DarkTortilla has been distributed via spearphishing emails containing archive attachments, with file types such as .iso, .zip, .img, .dmg, and .tar, as well as through malicious documents.[1] |
| enterprise | T1057 | Process Discovery | DarkTortilla can enumerate a list of running processes on a compromised system.[1] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | DarkTortilla can use a .NET-based DLL named RunPe6 for process injection.[1] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | DarkTortilla can check for the Kaspersky Anti-Virus suite.[1] |
| enterprise | T1082 | System Information Discovery | DarkTortilla can obtain system information by querying the Win32_ComputerSystem, Win32_BIOS, Win32_MotherboardDevice, Win32_PnPEntity, and Win32_DiskDrive WMI objects.[1] |
| enterprise | T1016 | System Network Configuration Discovery | - |
| enterprise | T1016.001 | Internet Connection Discovery | DarkTortilla can check for internet connectivity by issuing HTTP GET requests.[1] |
| enterprise | T1007 | System Service Discovery | DarkTortilla can retrieve information about a compromised system's running services.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | DarkTortilla has relied on a user to open a malicious document or archived file delivered via email for initial execution.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | DarkTortilla can search a compromised system's running processes and services to detect Hyper-V, QEMU, Virtual PC, Virtual Box, and VMware, as well as Sandboxie.[1] |
| enterprise | T1497.003 | Time Based Evasion | DarkTortilla can call the kernel32.dll Sleep function to delay execution for up to 300 seconds before implementing persistence or processing an addon package.[1] |
| enterprise | T1102 | Web Service | DarkTortilla can retrieve its primary payload from public sites such as Pastebin and Textbin.[1] |
| enterprise | T1047 | Windows Management Instrumentation | DarkTortilla can use WMI queries to obtain system information.[1] |

References