The ThreatFox: DarkTortilla IOCs rule detects potential adversary activity linked to the DarkTortilla group, which is known for targeting organizations through sophisticated malware and command-and-control infrastructure. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced persistent threats before they cause significant damage.
IOC Summary
Malware Family: DarkTortilla
Total IOCs: 3
IOC Types: md5_hash, sha256_hash, sha1_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | 624eb52464199c7dfea8f082c5b4e9f7 | payload | 2026-06-11 | 95% |
| sha256_hash | c2a383a0dff5e69299443a119bb73f2b76f3f9c0f3951330ffea5db26fc3797f | payload | 2026-06-11 | 95% |
| sha1_hash | 60b2674a3acda83abedd7173355a9473f2904f17 | payload | 2026-06-11 | 95% |
```kusto
// Hunt for files matching known malicious hashes
// Source: ThreatFox - DarkTortilla
let malicious_hashes = dynamic([
    "624eb52464199c7dfea8f082c5b4e9f7",
    "c2a383a0dff5e69299443a119bb73f2b76f3f9c0f3951330ffea5db26fc3797f",
    "60b2674a3acda83abedd7173355a9473f2904f17"
]);
DeviceFileEvents
// in~ is case-insensitive, so the match does not depend on how hashes are cased in the table
| where SHA256 in~ (malicious_hashes) or SHA1 in~ (malicious_hashes) or MD5 in~ (malicious_hashes)
// Keep all three hash columns so the value that matched is visible in the result,
// and include the initiating command line for triage against the scenarios below
| project Timestamp, DeviceName, FileName, FolderPath, MD5, SHA1, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Legitimate system update using Chocolatey to install a package that matches a DarkTortilla IOC | Check the command_line for a Chocolatey install and exclude packages known to be safe or whitelisted. |
| Scheduled job running Task Scheduler to perform routine log rotation using a script that contains a DarkTortilla IOC | Filter by task_name containing "logrotate" or "backup" and exclude scripts from known system directories such as C:\Windows\System32. |
| Admin using PowerShell to run a legitimate script that includes a hardcoded IP address matching a DarkTortilla IOC | Filter by process_name containing "powershell.exe" and check that script_path is in a trusted directory such as C:\Windows\System32\WindowsPowerShell\v1.0\. |
| Database backup process using sqlcmd that includes a command with a DarkTortilla IOC in the script | Filter by process_name containing "sqlcmd" and check that script_path is in a known backup directory, or exclude commands containing backup or restore. |
| Network monitoring tool such as Wireshark or tcpdump capturing traffic that includes a DarkTortilla IOC in the packet payload | Filter by process_name containing "wireshark" or "tcpdump" and exclude traffic from known monitoring interfaces or internal network ranges. |