Overview

overview

8

Static

static

8

FateInjector.exe

windows7_x64

1

FateInjector.exe

windows10_x64

1

Ambrosial ...21.exe

windows7_x64

8

Ambrosial ...21.exe

windows10_x64

8

Ambrosial.exe

windows7_x64

4

Ambrosial.exe

windows10_x64

7

Release_Ve...on.dll

windows7_x64

1

Release_Ve...on.dll

windows10_x64

3

BadManPublic.dll

windows7_x64

1

BadManPublic.dll

windows10_x64

1

HorionInjector.exe

windows7_x64

8

HorionInjector.exe

windows10_x64

8

MetroSet UI.dll

windows7_x64

1

MetroSet UI.dll

windows10_x64

1

Newtonsoft.Json.dll

windows7_x64

1

Newtonsoft.Json.dll

windows10_x64

1

System.Run...fe.dll

windows7_x64

1

System.Run...fe.dll

windows10_x64

1

ure tyjk5_...]_.exe

windows7_x64

1

ure tyjk5_...]_.exe

windows10_x64

1

Coffee (1).exe

windows7_x64

1

Coffee (1).exe

windows10_x64

1

Coffee 1.16.220.exe

windows7_x64

1

Coffee 1.16.220.exe

windows10_x64

1

Coffee NOT...ON.exe

windows7_x64

1

Coffee NOT...ON.exe

windows10_x64

1

Fate.Client.dll

windows7_x64

3

Fate.Client.dll

windows10_x64

3

FateInjector.exe

windows7_x64

1

FateInjector.exe

windows10_x64

1

Fate.Client.dll

windows7_x64

3

Fate.Client.dll

windows10_x64

1

Analysis

  • max time kernel
    167s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    17-11-2021 16:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ambrosial.exe

  • Size

    15.9MB

  • MD5

    e3635a875aa0817f0e29544ad9ff84b5

  • SHA1

    fd65adfd5be0391790442dc1b4d21b7ee4be271a

  • SHA256

    b9c94c4a6dca1b5a42b05e4814838a9281768ba9267803a554c23b68c0665b0f

  • SHA512

    132ee0718115097a6b9afc2368bf652d8b04207a6822a9a9e1900bc2921d3b8de384a40eec326e1662bfd7216b29cbe85ceeb8a7d49fe8ed293c4360b8115f0a

Score
7/10
agilenet

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Drops file in Windows directory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ambrosial.exe
    "C:\Users\Admin\AppData\Local\Temp\Ambrosial.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll
    MD5

    9c43f77cb7cff27cb47ed67babe3eda5

    SHA1

    b0400cf68249369d21de86bd26bb84ccffd47c43

    SHA256

    f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

    SHA512

    cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

    Download Submit
  • memory/816-115-0x000001AEB1890000-0x000001AEB1891000-memory.dmp
    Filesize

    4KB

    Download
  • memory/816-117-0x000001AECCD20000-0x000001AECCD22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/816-118-0x000001AEB2B90000-0x000001AEB2BA6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/816-119-0x000001AECCBF0000-0x000001AECCBF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/816-120-0x000001AECCD30000-0x000001AECCDDC000-memory.dmp
    Filesize

    688KB

    Download
  • memory/816-121-0x000001AECE460000-0x000001AECE461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/816-122-0x000001AECE590000-0x000001AECE774000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/816-124-0x00007FFC20720000-0x00007FFC2084C000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/816-125-0x000001AECCD22000-0x000001AECCD24000-memory.dmp
    Filesize

    8KB

    Download
  • memory/816-126-0x000001AECCD24000-0x000001AECCD25000-memory.dmp
    Filesize

    4KB

    Download