Overview

overview

8

Static

static

1

URLScan

urlscan

https://github.com/d...

windows10-2004-x64

8

Analysis

  • max time kernel
    72s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-04-2023 00:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/disepi/ambrosial/releases/download/1.5/Ambrosial.exe

Score
8/10
agilenet

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 20 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Windows directory 3 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/disepi/ambrosial/releases/download/1.5/Ambrosial.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1124 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3820
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\Ambrosial.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\Ambrosial.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1300

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Ambrosial\assets\clients\1.19.3004.0\Zephyr Classic\launcherAssets\ProjectHalcyon.png
    Filesize

    46KB

    MD5

    bd127f237b3f4a794308fc3576b495ad

    SHA1

    0a2ff256aa76a0deb134315e4a72844dabb37041

    SHA256

    59b60c0cd0e2f058fd06054fc3b546151c73930dfe605a2fb08dfd21086e6351

    SHA512

    2ac6ddd8e824017291c0b145434c06fbc2329135794eb6427915873ce940537055565c25cee03f531f862c931f58fc217d475ee8027e26a736e3f8ce46f4d8b6

    Download Submit
  • C:\Users\Admin\AppData\Local\Ambrosial\log.txt
    Filesize

    3KB

    MD5

    788a93b04998c89d6f35709c6dcd6d18

    SHA1

    d7df96b78e15d6cc61ee8747c3fb38a1fe471a60

    SHA256

    e9381216aaf0e24f99500676c0eff42cedb8a8f2fd1981015bee036857082969

    SHA512

    8a1f25c7b0b00a9efa327d7ee36c94877ea280db3918235679f354d584ecb9eaf613af40e7452f00c757eb7f8d7fb2fcccdca6ee6aa928500ef8d390d7e6c7a2

    Download Submit
  • C:\Users\Admin\AppData\Local\Ambrosial\log.txt
    Filesize

    3KB

    MD5

    19d94442f3104c029e162a21763bd6dc

    SHA1

    a9f0382473fe3509c0b3d5247843f5c47b4369fb

    SHA256

    76e369050d2c6af42b4c26a03ff2f7319f2607688d28a8c6dc795e17f1d80585

    SHA512

    2bdaac30bddd25f3c27dad83ec8ed30bbd027d2ed65881c5d724fa65df10fb97253ef75392da38c73a068b0ad0ef6cd6aa408ee874c7419c225db7ffce41ad44

    Download Submit
  • C:\Users\Admin\AppData\Local\Ambrosial\log.txt
    Filesize

    4KB

    MD5

    ba26e0d7a126c43cdb683b100a2360ec

    SHA1

    14702a3fa6f3647078225c350ff67f7f57883a9e

    SHA256

    1dd2eebd14ac9c8357a4b99f6efb60f62b9e34567c0c71b8898c7d8c45a46fb7

    SHA512

    8abc31e1f9d91b207d30c1f8678a7a0721b61371802a82c0be2cac41e83451bcba97ae851b8035b7eff4be1e1b2ddc323f562f7a215fb618fbddc5aa92d88c8e

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\Ambrosial[1].exe
    Filesize

    15.9MB

    MD5

    596b0f4684d45de83c204967c06e48a3

    SHA1

    933dc2dc29a17a9447c944289fed4f98e0eb5e5f

    SHA256

    6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

    SHA512

    8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\Ambrosial.exe
    Filesize

    15.9MB

    MD5

    596b0f4684d45de83c204967c06e48a3

    SHA1

    933dc2dc29a17a9447c944289fed4f98e0eb5e5f

    SHA256

    6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

    SHA512

    8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\Ambrosial.exe.i8ljm8b.partial
    Filesize

    15.9MB

    MD5

    596b0f4684d45de83c204967c06e48a3

    SHA1

    933dc2dc29a17a9447c944289fed4f98e0eb5e5f

    SHA256

    6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a

    SHA512

    8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll
    Filesize

    142KB

    MD5

    9c43f77cb7cff27cb47ed67babe3eda5

    SHA1

    b0400cf68249369d21de86bd26bb84ccffd47c43

    SHA256

    f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

    SHA512

    cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll
    Filesize

    142KB

    MD5

    9c43f77cb7cff27cb47ed67babe3eda5

    SHA1

    b0400cf68249369d21de86bd26bb84ccffd47c43

    SHA256

    f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e

    SHA512

    cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

    Download Submit
  • C:\Users\Admin\Desktop\Azonix.otf
    Filesize

    11KB

    MD5

    cdfe47b31e9184a55cf02eef1baf7240

    SHA1

    b8825c605434d572f5277be0283d5a9b2cde59e4

    SHA256

    51a65e5c09bf27980adf640cb54cb2a5bbb217fdaab79b377e158f92533362a9

    SHA512

    a2e5141c0f7ca72bcf5b1a303fce1734953d83ad363d4c3c7d8786e1bfd872a6b96eeabce3740b547a5447e255415cdf688a0d2074cecfaa0c54c49d0f2882c5

    Download Submit
  • C:\Windows\Fonts\OpenSansLight.ttf
    Filesize

    217KB

    MD5

    1bf71be111189e76987a4bb9b3115cb7

    SHA1

    40442c189568184b6e6c27a25d69f14d91b65039

    SHA256

    cf5f5184c1441a1660aa52526328e9d5c2793e77b6d8d3a3ad654bdb07ab8424

    SHA512

    cb18b69e98a194af5e3e3d982a75254f3a20bd94c68816a15f38870b9be616cef0c32033f253219cca9146b2b419dd6df28cc4ceeff80d01f400aa0ed101e061

    Download Submit
  • memory/1300-406-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-415-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-169-0x0000029863CF0000-0x0000029863D00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1300-398-0x00007FFA8D270000-0x00007FFA8D3BE000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1300-399-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-400-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-402-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-404-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-160-0x000002984B430000-0x000002984B44A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1300-408-0x00007FFA8A650000-0x00007FFA8A677000-memory.dmp
    Filesize

    156KB

    Download
  • memory/1300-409-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-411-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-413-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-190-0x000002984B4E0000-0x000002984B502000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1300-417-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-419-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-421-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-423-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-425-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-427-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-429-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-431-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-433-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-435-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-437-0x0000029866480000-0x0000029866664000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1300-439-0x0000029863CF0000-0x0000029863D00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1300-440-0x00007FFA8A650000-0x00007FFA8A677000-memory.dmp
    Filesize

    156KB

    Download
  • memory/1300-159-0x0000029848770000-0x000002984975A000-memory.dmp
    Filesize

    15.9MB

    Download