Description
[DarkTortilla](https://attack.mitre.org/software/S1066) is a highly configurable .NET-based crypter that has been possibly active since at least August 2015. [DarkTortilla](https://attack.mitre.org/software/S1066) has been used to deliver popular information stealers, RATs, and payloads such as [Agent Tesla](https://attack.mitre.org/software/S0331), AsyncRat, [NanoCore](https://attack.mitre.org/software/S0336), RedLine, [Cobalt Strike](https://attack.mitre.org/software/S0154), and Metasploit.(Citation: Secureworks DarkTortilla Aug 2022)
External References
Techniques Used by This Malware
- T1007 — System Service Discovery
- T1016.001 — Internet Connection Discovery
- T1027 — Obfuscated Files or Information
- T1036 — Masquerading
- T1047 — Windows Management Instrumentation
- T1055.001 — Dynamic-link Library Injection
- T1056.001 — Keylogging
- T1057 — Process Discovery
- T1059.003 — Windows Command Shell
- T1071.001 — Web Protocols
- T1082 — System Information Discovery
- T1102 — Web Service
- T1105 — Ingress Tool Transfer
- T1106 — Native API
- T1112 — Modify Registry
- T1115 — Clipboard Data
- T1140 — Deobfuscate/Decode Files or Information
- T1204.002 — Malicious File
- T1497.001 — System Checks
- T1497.003 — Time Based Evasion
- T1518.001 — Security Software Discovery
- T1547.001 — Registry Run Keys / Startup Folder
- T1547.004 — Winlogon Helper DLL
- T1559.001 — Component Object Model
- T1564 — Hide Artifacts
- T1566.001 — Spearphishing Attachment
- T1574.012 — COR_PROFILER
- T1622 — Debugger Evasion