Malware Analysis Report

2025-05-28 16:41

Sample ID 230628-ywyrrsah76
Target boost-bo.exe
SHA256 aa203ad2aac0bf8b392ec2add640ba020c2ed9938bea18dbf26631e9faa70f9d
Tags
agenttesla agilenet keylogger spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

aa203ad2aac0bf8b392ec2add640ba020c2ed9938bea18dbf26631e9faa70f9d

Threat Level: Known bad

The file boost-bo.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla agilenet keylogger spyware stealer trojan

AgentTesla

AgentTesla payload

Obfuscated with Agile.Net obfuscator

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-28 20:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-28 20:08

Reported

2023-06-28 20:14

Platform

win7-20230621-en

Max time kernel

31s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boost-bo.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates system info in registry

Description        Indicator                                                              Process                                         Target
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     C:\Users\Admin\AppData\Local\Temp\boost-bo.exe  N/A
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  C:\Users\Admin\AppData\Local\Temp\boost-bo.exe  N/A
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       C:\Users\Admin\AppData\Local\Temp\boost-bo.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description               Indicator  Process                                         Target
Token: SeDebugPrivilege   N/A        C:\Users\Admin\AppData\Local\Temp\boost-bo.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\boost-bo.exe

"C:\Users\Admin\AppData\Local\Temp\boost-bo.exe"

Network

Country  Destination         Domain       Proto
US       8.8.8.8:53          keyauth.win  udp
US       188.114.96.0:443    keyauth.win  tcp

Files

memory/1984-54-0x0000000000BE0000-0x0000000001080000-memory.dmp
memory/1984-55-0x00000000009F0000-0x0000000000A3E000-memory.dmp
memory/1984-56-0x0000000004F60000-0x0000000004FA0000-memory.dmp
memory/1984-57-0x0000000005480000-0x0000000005728000-memory.dmp
memory/1984-60-0x0000000004F60000-0x0000000004FA0000-memory.dmp
memory/1984-61-0x0000000004F60000-0x0000000004FA0000-memory.dmp
memory/1984-62-0x0000000004F60000-0x0000000004FA0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-28 20:08

Reported

2023-06-28 20:14

Platform

win10v2004-20230621-en

Max time kernel

262s

Max time network

265s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boost-bo.exe"

Signatures

Enumerates system info in registry

Description        Indicator                                                              Process                                         Target
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     C:\Users\Admin\AppData\Local\Temp\boost-bo.exe  N/A
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  C:\Users\Admin\AppData\Local\Temp\boost-bo.exe  N/A
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       C:\Users\Admin\AppData\Local\Temp\boost-bo.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description               Indicator  Process                                         Target
Token: SeDebugPrivilege   N/A        C:\Users\Admin\AppData\Local\Temp\boost-bo.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\boost-bo.exe

"C:\Users\Admin\AppData\Local\Temp\boost-bo.exe"

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          72.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53          59.128.231.4.in-addr.arpa      udp
US       8.8.8.8:53          57.169.31.20.in-addr.arpa      udp
US       8.8.8.8:53          keyauth.win                    udp
US       188.114.96.0:443    keyauth.win                    tcp
US       8.8.8.8:53          0.96.114.188.in-addr.arpa      udp
US       8.8.8.8:53          208.194.73.20.in-addr.arpa     udp
US       8.8.8.8:53          108.211.229.192.in-addr.arpa   udp
US       8.8.8.8:53          157.123.68.40.in-addr.arpa     udp
US       8.8.8.8:53          198.187.3.20.in-addr.arpa      udp
US       8.8.8.8:53          43.58.199.20.in-addr.arpa      udp
NL       52.178.17.3:443     -                              tcp
US       8.8.8.8:53          75.121.18.2.in-addr.arpa       udp
US       209.197.3.8:80      -                              tcp
US       8.8.8.8:53          2.77.109.52.in-addr.arpa       udp
US       8.8.8.8:53          8.179.89.13.in-addr.arpa       udp

Files

memory/5116-133-0x00000000002E0000-0x0000000000780000-memory.dmp
memory/5116-134-0x0000000005740000-0x0000000005CE4000-memory.dmp
memory/5116-135-0x0000000005190000-0x0000000005222000-memory.dmp
memory/5116-136-0x00000000053A0000-0x00000000053AA000-memory.dmp
memory/5116-137-0x0000000002B20000-0x0000000002B30000-memory.dmp
memory/5116-138-0x00000000086D0000-0x00000000086E2000-memory.dmp
memory/5116-141-0x0000000002B20000-0x0000000002B30000-memory.dmp
memory/5116-142-0x0000000002B20000-0x0000000002B30000-memory.dmp
memory/5116-143-0x0000000008C80000-0x0000000008CBC000-memory.dmp
memory/5116-144-0x0000000002B20000-0x0000000002B30000-memory.dmp
memory/5116-145-0x0000000002B20000-0x0000000002B30000-memory.dmp
memory/5116-146-0x0000000002B20000-0x0000000002B30000-memory.dmp