Malware Analysis Report

2025-06-15 21:44

Sample ID: 230414-a5435sgf6s
Target: https://github.com/disepi/ambrosial/releases/download/1.5/Ambrosial.exe
Tags: agilenet
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

Threat Level: Likely malicious

The file https://github.com/disepi/ambrosial/releases/download/1.5/Ambrosial.exe was found to be: Likely malicious.

Malicious Activity Summary

agilenet

Downloads MZ/PE file

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Uses Volume Shadow Copy WMI provider

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer Phishing Filter

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-04-14 00:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-04-14 00:48
Reported: 2023-04-14 00:53
Platform: win10v2004-20230220-en
Max time kernel: 72s
Max time network: 104s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/disepi/ambrosial/releases/download/1.5/Ambrosial.exe

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\Ambrosial.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\Ambrosial.exe | N/A

Obfuscated with Agile.Net obfuscator

Tags: agilenet

Description | Indicator | Process | Target
(20 matches; Description, Indicator, Process and Target are N/A for every match)

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Fonts\Azonix.otf | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\Ambrosial.exe | N/A
File opened for modification | C:\Windows\Fonts\Azonix.otf | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\Ambrosial.exe | N/A
File created | C:\Windows\Fonts\OpenSansLight.ttf | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\Ambrosial.exe | N/A

Modifies Internet Explorer Phishing Filter

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 9731bf4db045d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\PhishingFilter | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "388205511" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E359A00C-DA6E-11ED-BDA1-F6AC10968584} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3085989955" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{4E604D6A-5323-4F2F-BF62-AE3D1B21480A}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3086146023" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31026811" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\RepId | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31026811" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\Ambrosial.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Uses Task Scheduler COM API

Tags: persistence

Uses Volume Shadow Copy WMI provider

Tags: ransomware

Uses Volume Shadow Copy service COM API

Tags: ransomware

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/disepi/ambrosial/releases/download/1.5/Ambrosial.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1124 CREDAT:17410 /prefetch:2

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\Ambrosial.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\Ambrosial.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | github.com | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | assets.msn.com | udp
GB | 95.101.143.242:443 | assets.msn.com | tcp
IN | 20.207.73.82:443 | github.com | tcp
IN | 20.207.73.82:443 | github.com | tcp
US | 8.8.8.8:53 | objects.githubusercontent.com | udp
US | 185.199.109.133:443 | objects.githubusercontent.com | tcp
US | 185.199.109.133:443 | objects.githubusercontent.com | tcp
US | 8.8.8.8:53 | 242.143.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.73.207.20.in-addr.arpa | udp
US | 93.184.220.29:80 | (none) | tcp
US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp
US | 104.208.16.90:443 | (none) | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.110.133:443 | raw.githubusercontent.com | tcp
US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 162.159.129.233:443 | cdn.discordapp.com | tcp
US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp
NL | 173.223.113.164:443 | (none) | tcp
NL | 173.223.113.131:80 | (none) | tcp
US | 204.79.197.203:80 | api.msn.com | tcp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
US | 13.107.4.50:80 | (none) | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\Ambrosial[1].exe

MD5 596b0f4684d45de83c204967c06e48a3
SHA1 933dc2dc29a17a9447c944289fed4f98e0eb5e5f
SHA256 6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a
SHA512 8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\Ambrosial.exe.i8ljm8b.partial

MD5 596b0f4684d45de83c204967c06e48a3
SHA1 933dc2dc29a17a9447c944289fed4f98e0eb5e5f
SHA256 6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a
SHA512 8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\Ambrosial.exe

MD5 596b0f4684d45de83c204967c06e48a3
SHA1 933dc2dc29a17a9447c944289fed4f98e0eb5e5f
SHA256 6ff53b8187d0d3e287ad9ce3da20eca4f9dd105a2e3421ca1ad73b533ec4b91a
SHA512 8f50098d120d32a84347a8337dee27061a6914d66b951f930d491a81a9804317318f25f80467684fd4fecea6bccc6de38b2df3ee2742a54805f2cdb4413d3830

memory/1300-159-0x0000029848770000-0x000002984975A000-memory.dmp

memory/1300-160-0x000002984B430000-0x000002984B44A000-memory.dmp

C:\Users\Admin\Desktop\Azonix.otf

MD5 cdfe47b31e9184a55cf02eef1baf7240
SHA1 b8825c605434d572f5277be0283d5a9b2cde59e4
SHA256 51a65e5c09bf27980adf640cb54cb2a5bbb217fdaab79b377e158f92533362a9
SHA512 a2e5141c0f7ca72bcf5b1a303fce1734953d83ad363d4c3c7d8786e1bfd872a6b96eeabce3740b547a5447e255415cdf688a0d2074cecfaa0c54c49d0f2882c5

memory/1300-169-0x0000029863CF0000-0x0000029863D00000-memory.dmp

C:\Windows\Fonts\OpenSansLight.ttf

MD5 1bf71be111189e76987a4bb9b3115cb7
SHA1 40442c189568184b6e6c27a25d69f14d91b65039
SHA256 cf5f5184c1441a1660aa52526328e9d5c2793e77b6d8d3a3ad654bdb07ab8424
SHA512 cb18b69e98a194af5e3e3d982a75254f3a20bd94c68816a15f38870b9be616cef0c32033f253219cca9146b2b419dd6df28cc4ceeff80d01f400aa0ed101e061

memory/1300-190-0x000002984B4E0000-0x000002984B502000-memory.dmp

C:\Users\Admin\AppData\Local\Ambrosial\log.txt

MD5 788a93b04998c89d6f35709c6dcd6d18
SHA1 d7df96b78e15d6cc61ee8747c3fb38a1fe471a60
SHA256 e9381216aaf0e24f99500676c0eff42cedb8a8f2fd1981015bee036857082969
SHA512 8a1f25c7b0b00a9efa327d7ee36c94877ea280db3918235679f354d584ecb9eaf613af40e7452f00c757eb7f8d7fb2fcccdca6ee6aa928500ef8d390d7e6c7a2

C:\Users\Admin\AppData\Local\Ambrosial\log.txt

MD5 19d94442f3104c029e162a21763bd6dc
SHA1 a9f0382473fe3509c0b3d5247843f5c47b4369fb
SHA256 76e369050d2c6af42b4c26a03ff2f7319f2607688d28a8c6dc795e17f1d80585
SHA512 2bdaac30bddd25f3c27dad83ec8ed30bbd027d2ed65881c5d724fa65df10fb97253ef75392da38c73a068b0ad0ef6cd6aa408ee874c7419c225db7ffce41ad44

C:\Users\Admin\AppData\Local\Ambrosial\log.txt

MD5 ba26e0d7a126c43cdb683b100a2360ec
SHA1 14702a3fa6f3647078225c350ff67f7f57883a9e
SHA256 1dd2eebd14ac9c8357a4b99f6efb60f62b9e34567c0c71b8898c7d8c45a46fb7
SHA512 8abc31e1f9d91b207d30c1f8678a7a0721b61371802a82c0be2cac41e83451bcba97ae851b8035b7eff4be1e1b2ddc323f562f7a215fb618fbddc5aa92d88c8e

C:\Users\Admin\AppData\Local\Ambrosial\assets\clients\1.19.3004.0\Zephyr Classic\launcherAssets\ProjectHalcyon.png

MD5 bd127f237b3f4a794308fc3576b495ad
SHA1 0a2ff256aa76a0deb134315e4a72844dabb37041
SHA256 59b60c0cd0e2f058fd06054fc3b546151c73930dfe605a2fb08dfd21086e6351
SHA512 2ac6ddd8e824017291c0b145434c06fbc2329135794eb6427915873ce940537055565c25cee03f531f862c931f58fc217d475ee8027e26a736e3f8ce46f4d8b6

C:\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll

MD5 9c43f77cb7cff27cb47ed67babe3eda5
SHA1 b0400cf68249369d21de86bd26bb84ccffd47c43
SHA256 f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e
SHA512 cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

C:\Users\Admin\AppData\Local\Temp\0e1a63fc-9228-4b4f-96fc-fee060f96e92\GunaDotNetRT64.dll

MD5 9c43f77cb7cff27cb47ed67babe3eda5
SHA1 b0400cf68249369d21de86bd26bb84ccffd47c43
SHA256 f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e
SHA512 cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7

memory/1300-398-0x00007FFA8D270000-0x00007FFA8D3BE000-memory.dmp

memory/1300-399-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-400-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-402-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-404-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-406-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-408-0x00007FFA8A650000-0x00007FFA8A677000-memory.dmp

memory/1300-409-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-411-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-413-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-415-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-417-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-419-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-421-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-423-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-425-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-427-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-429-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-431-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-433-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-435-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-437-0x0000029866480000-0x0000029866664000-memory.dmp

memory/1300-439-0x0000029863CF0000-0x0000029863D00000-memory.dmp

memory/1300-440-0x00007FFA8A650000-0x00007FFA8A677000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee