Malware Analysis Report

2025-05-28 16:41

Sample ID: 230628-y3rxssbh4v
Target: boost-bo.exe
SHA256: aa203ad2aac0bf8b392ec2add640ba020c2ed9938bea18dbf26631e9faa70f9d
Tags: agenttesla agilenet keylogger spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: aa203ad2aac0bf8b392ec2add640ba020c2ed9938bea18dbf26631e9faa70f9d

Threat Level: Known bad

The file boost-bo.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla agilenet keylogger spyware stealer trojan

AgentTesla

AgentTesla payload

Obfuscated with Agile.Net obfuscator

Drops file in System32 directory

Enumerates system info in registry

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-06-28 20:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-06-28 20:18
Reported: 2023-06-28 20:24
Platform: win7-20230621-en
Max time kernel: 161s
Max time network: 246s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boost-bo.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\boost-bo.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\boost-bo.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\boost-bo.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\boost-bo.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data elided] | C:\Users\Admin\AppData\Local\Temp\boost-bo.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\boost-bo.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\boost-bo.exe

"C:\Users\Admin\AppData\Local\Temp\boost-bo.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | keyauth.win | udp
US | 188.114.97.0:443 | keyauth.win | tcp

Files

memory/1560-54-0x00000000002E0000-0x0000000000780000-memory.dmp

memory/1560-55-0x0000000000BA0000-0x0000000000BEE000-memory.dmp

memory/1560-56-0x00000000009B0000-0x00000000009F0000-memory.dmp

memory/1560-57-0x00000000051B0000-0x0000000005458000-memory.dmp

memory/1560-60-0x00000000009B0000-0x00000000009F0000-memory.dmp

memory/1560-61-0x00000000009B0000-0x00000000009F0000-memory.dmp

memory/1560-62-0x00000000009B0000-0x00000000009F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-06-28 20:18
Reported: 2023-06-28 20:24
Platform: win10v2004-20230621-en
Max time kernel: 296s
Max time network: 301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boost-bo.exe"

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B3ED97C1-29D5-4CEE-9746-37CFCCE534E8}.catalogItem | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{6869B309-902E-45DC-AB81-6C435E406890}.catalogItem | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{B44163E1-9605-43A5-B590-6513C7924344}.catalogItem | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D8246399-7C3B-474D-BA69-069CFB88A261}.catalogItem | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5D562BA4-0445-4117-AB2C-6D5F4BF53022}.catalogItem | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{05ACF860-7E97-44CD-9568-FFD4B874985E}.catalogItem | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{129A8DC3-3A30-44E4-9F8D-37E2F7B44007}.catalogItem | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5CB00B3C-2D5D-42D8-87C5-03A1527CFB16}.catalogItem | C:\Windows\System32\svchost.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\boost-bo.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\boost-bo.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\boost-bo.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\boost-bo.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\boost-bo.exe

"C:\Users\Admin\AppData\Local\Temp\boost-bo.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success":true,"message":"Logged in!","info":{"username":"oesje","subscriptions":[{"subscription":"default","key":null,"expiry":"1830024720","timeleft":142041157,"level":"1"}],"ip":"154.61.71.13","hwid":null,"createdate":"1687983211","lastlogin":"1687983563"},"nonce":"5AvbpZ9hPzO211X3cfPWihBIOeiKK75g"} && timeout /t 5"

C:\Windows\SysWOW64\cmd.exe

cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success":true,"message":"Logged in!","info":{"username":"oesje","subscriptions":[{"subscription":"default","key":null,"expiry":"1830024720","timeleft":142041157,"level":"1"}],"ip":"154.61.71.13","hwid":null,"createdate":"1687983211","lastlogin":"1687983563"},"nonce":"5AvbpZ9hPzO211X3cfPWihBIOeiKK75g"} && timeout /t 5"

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | keyauth.win | udp
US | 188.114.97.0:443 | keyauth.win | tcp
US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | assets.msn.com | udp
FR | 23.72.248.204:443 | assets.msn.com | tcp
US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 204.248.72.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 13.89.179.10:443 | | tcp
US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.33.253.131.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | assets.msn.com | udp
NL | 95.101.74.44:443 | assets.msn.com | tcp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 44.74.101.95.in-addr.arpa | udp

Files

memory/1528-133-0x0000000000820000-0x0000000000CC0000-memory.dmp

memory/1528-134-0x0000000005CD0000-0x0000000006274000-memory.dmp

memory/1528-135-0x0000000005720000-0x00000000057B2000-memory.dmp

memory/1528-136-0x0000000005650000-0x0000000005660000-memory.dmp

memory/1528-137-0x00000000058D0000-0x00000000058DA000-memory.dmp

memory/1528-138-0x0000000007520000-0x0000000007532000-memory.dmp

memory/1528-141-0x0000000005650000-0x0000000005660000-memory.dmp

memory/1528-142-0x0000000005650000-0x0000000005660000-memory.dmp

memory/1528-143-0x000000000A0B0000-0x000000000A0EC000-memory.dmp

memory/1528-144-0x0000000005650000-0x0000000005660000-memory.dmp

memory/1528-145-0x0000000005650000-0x0000000005660000-memory.dmp

memory/1528-146-0x0000000005650000-0x0000000005660000-memory.dmp