
fart.exe

Status: finished
Submission Time: 2024-06-28 21:00:07 +02:00
Malicious
Trojan
Spyware
Exploiter
Evader
AsyncRAT, DcRat, Quasar, XWorm

Tags

  • exe

Details

  • Analysis ID:
    1464443
  • API (Web) ID:
    1464443
  • Analysis Started:
    2024-06-28 21:00:09 +02:00
  • Analysis Finished:
    2024-06-28 21:31:14 +02:00
  • MD5:
    e1a72f7e4426c8d5e849459fa7c7e476
  • SHA1:
    e1101a053ebe7cf5dc44f4f4ea787be113cae10f
  • SHA256:
    9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece
Joe Sandbox

Engine       Detection   Info
Joe Sandbox  malicious   Score: 100; System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Joe Sandbox  malicious   Score: 100; System: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 134, Firefox 91, Adobe Reader DC 21, Java 8 Update 301); Run Condition: Suspected VM Detection

Third Party Analysis Engines

Detection: malicious (Score: 21/24)
Detection: malicious

IPs

IP              Country
208.95.112.1    United States
147.185.221.20  United States
140.82.121.3    United States
140.82.121.4    United States

Domains

Name                          IP
best-bird.gl.at.ply.gg        147.185.221.20
stop-largely.gl.at.ply.gg     147.185.221.20
history-foo.gl.at.ply.gg      147.185.221.20
ip-api.com                    208.95.112.1
super-nearest.gl.at.ply.gg    147.185.221.20
finally-grande.gl.at.ply.gg   147.185.221.20
www.cloudflare.com            104.16.123.96
github.com                    140.82.121.3
raw.githubusercontent.com     185.199.109.133
objects.githubusercontent.com 185.199.109.133
i.ibb.co                      162.19.58.159

URLs


Dropped files

Name / File Type

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fart.exe.log
    CSV text
C:\Users\user\AppData\Local\Temp\5xhvz4ks\5xhvz4ks.cmdline
    Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
C:\Users\user\AppData\Local\Temp\5xhvz4ks\5xhvz4ks.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fr.bat
    Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators
C:\Users\user\Desktop\Client-built.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\Desktop\ONPE.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\Desktop\hat.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\Desktop\index.exe
    PE32+ executable (console) x86-64, for MS Windows
C:\Users\user\Desktop\mshta.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\Desktop\svchost.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows