Malware Analysis Report

2025-05-28 16:41

Sample ID 230628-zaemfabh6y
Target boost-bo.exe
SHA256 aa203ad2aac0bf8b392ec2add640ba020c2ed9938bea18dbf26631e9faa70f9d
Tags agenttesla agilenet keylogger spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 aa203ad2aac0bf8b392ec2add640ba020c2ed9938bea18dbf26631e9faa70f9d

Threat Level: Known bad

The file boost-bo.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla agilenet keylogger spyware stealer trojan

AgentTesla

AgentTesla payload

Obfuscated with Agile.Net obfuscator

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-28 20:30

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-28 20:30

Reported

2023-06-28 20:35

Platform

win10v2004-20230621-en

Max time kernel

294s

Max time network

297s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boost-bo.exe"

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\boost-bo.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\boost-bo.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\boost-bo.exe N/A

Note: SystemManufacturer and SystemVersion are the BIOS values that both VM/sandbox-detection code and hardware-ID licensing routines read to fingerprint the machine (on a virtual machine they expose the hypervisor vendor string), so this signature is low signal on its own and should be weighed together with the network behaviour below.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\boost-bo.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\boost-bo.exe

"C:\Users\Admin\AppData\Local\Temp\boost-bo.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 keyauth.win udp
US 188.114.96.0:443 keyauth.win tcp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 13.89.179.8:443 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 254.210.247.8.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

memory/4696-133-0x00000000002C0000-0x0000000000760000-memory.dmp

memory/4696-134-0x00000000056F0000-0x0000000005C94000-memory.dmp

memory/4696-135-0x0000000005140000-0x00000000051D2000-memory.dmp

memory/4696-136-0x0000000005130000-0x0000000005140000-memory.dmp

memory/4696-137-0x0000000005380000-0x000000000538A000-memory.dmp

memory/4696-138-0x0000000006FC0000-0x0000000006FD2000-memory.dmp

memory/4696-141-0x0000000005130000-0x0000000005140000-memory.dmp

memory/4696-142-0x0000000005130000-0x0000000005140000-memory.dmp

memory/4696-143-0x0000000009B50000-0x0000000009B8C000-memory.dmp

memory/4696-144-0x0000000005130000-0x0000000005140000-memory.dmp

memory/4696-145-0x0000000005130000-0x0000000005140000-memory.dmp

memory/4696-146-0x0000000005130000-0x0000000005140000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-28 20:30

Reported

2023-06-28 20:35

Platform

win7-20230621-en

Max time kernel

53s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\boost-bo.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\boost-bo.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\boost-bo.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\boost-bo.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\boost-bo.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob elided] C:\Users\Admin\AppData\Local\Temp\boost-bo.exe N/A

Note: D4DE20D05E66FC53FE1A50882C78DB2852CAE474 is the SHA-1 thumbprint of the Baltimore CyberTrust Root. Windows populates AuthRoot\Certificates through its automatic root-certificate update whenever a TLS peer chains to a root that is not yet cached locally, so on a fresh Windows 7 image this key routinely appears on the first HTTPS connection (here the only one is keyauth.win on 443). By itself it does not show the sample installing a rogue CA; treat it as an indicator only if the Blob decodes to a certificate outside the Microsoft trusted root program.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\boost-bo.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\boost-bo.exe

"C:\Users\Admin\AppData\Local\Temp\boost-bo.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 188.114.97.0:443 keyauth.win tcp
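The two Network tables mix three kinds of traffic that need to be separated before anything is promoted to an indicator: the sample's own egress, the forward DNS lookups that precede it, and PTR (reverse) lookups that the host performs for addresses it is already talking to. The helper below is an added example written for this report; it is not part of the sandbox vendor's tooling. The rows are copied from the behavioral2 and behavioral1 Network tables above, and the one-entry root-thumbprint table is a constructed lookup holding only the root that appears in the certificate-store signature, so the registry classifier can be run against that signature's indicator string as well.

```python
"""Triage helper for the Network tables and the AuthRoot registry indicator of this report."""
import re
from collections import Counter

# Rows copied from the report: (country, "ip:port", domain or "", proto).
NETWORK_ROWS = [
    # behavioral2 (win10v2004-20230621-en)
    ("US", "8.8.8.8:53", "146.78.124.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "keyauth.win", "udp"),
    ("US", "188.114.96.0:443", "keyauth.win", "tcp"),
    ("US", "8.8.8.8:53", "54.120.234.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.96.114.188.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "208.194.73.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "14.160.190.20.in-addr.arpa", "udp"),
    ("US", "13.89.179.8:443", "", "tcp"),
    ("US", "8.8.8.8:53", "75.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "161.252.72.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "64.13.109.52.in-addr.arpa", "udp"),
    ("NL", "87.248.202.1:80", "", "tcp"),
    ("NL", "87.248.202.1:80", "", "tcp"),
    ("NL", "87.248.202.1:80", "", "tcp"),
    ("NL", "87.248.202.1:80", "", "tcp"),
    ("US", "8.8.8.8:53", "254.210.247.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "15.173.189.20.in-addr.arpa", "udp"),
    # behavioral1 (win7-20230621-en)
    ("US", "8.8.8.8:53", "keyauth.win", "udp"),
    ("US", "188.114.97.0:443", "keyauth.win", "tcp"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Turn a PTR name such as '0.96.114.188.in-addr.arpa' back into '188.114.96.0'."""
    octets = name[: -len(PTR_SUFFIX)].split(".")
    return ".".join(reversed(octets))


def triage_network(rows):
    """Split sandbox network rows into egress, forward DNS names and reverse-lookup targets.

    egress      : Counter keyed by (ip, port, proto, domain-or-None), value = connection count
    dns_forward : hostnames the box resolved (candidate C2/licensing domains)
    ptr_targets : IPs that were reverse-resolved; noise unless they also appear in egress
    """
    egress, dns_forward, ptr_targets = Counter(), set(), set()
    for _country, dest, domain, proto in rows:
        ip, port = dest.rsplit(":", 1)
        if port == "53":
            if domain.endswith(PTR_SUFFIX):
                ptr_targets.add(ptr_to_ip(domain))
            elif domain:
                dns_forward.add(domain)
            continue
        egress[(ip, int(port), proto, domain or None)] += 1
    return {"egress": egress, "dns_forward": dns_forward, "ptr_targets": ptr_targets}


def egress_ips_with_ptr(result):
    """Egress IPs that the host also reverse-resolved: these PTR rows belong to the sample's traffic."""
    egress_ips = {ip for (ip, _port, _proto, _domain) in result["egress"]}
    return sorted(egress_ips & result["ptr_targets"])


# Constructed one-entry lookup: only the root seen in this report. Extend from a trusted store.
KNOWN_ROOT_THUMBPRINTS = {
    "D4DE20D05E66FC53FE1A50882C78DB2852CAE474": "Baltimore CyberTrust Root",
}

AUTHROOT_RE = re.compile(
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\"
    r"([0-9A-Fa-f]{40})",
    re.IGNORECASE,
)


def classify_cert_store_write(indicator):
    """Return (thumbprint, label) for an AuthRoot\\Certificates indicator, or None if it is not one.

    A known Microsoft-program root written here is the automatic root update at work; an
    unknown thumbprint is what would actually indicate a planted CA.
    """
    match = AUTHROOT_RE.search(indicator)
    if not match:
        return None
    thumb = match.group(1).upper()
    return thumb, KNOWN_ROOT_THUMBPRINTS.get(thumb, "UNKNOWN ROOT - investigate")


if __name__ == "__main__":
    result = triage_network(NETWORK_ROWS)
    for key, count in sorted(result["egress"].items()):
        print("egress", key, "x%d" % count)
    print("forward DNS:", sorted(result["dns_forward"]))
    print("egress IPs also reverse-resolved:", egress_ips_with_ptr(result))
```

Run as written, the only egress attributable to the sample by both name and address is keyauth.win (188.114.96.0 and 188.114.97.0 on 443), and 188.114.96.0 is the single reverse-resolved address that also appears as a destination; the other ten PTR lookups and the unnamed connections to 13.89.179.8 and 87.248.202.1 have no DNS query in the report tying them to the process and should be corroborated from a packet capture before being listed as indicators.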

Files

memory/1312-54-0x0000000001050000-0x00000000014F0000-memory.dmp

memory/1312-55-0x0000000000210000-0x000000000025E000-memory.dmp

memory/1312-56-0x0000000004D10000-0x0000000004D50000-memory.dmp

memory/1312-57-0x0000000005290000-0x0000000005538000-memory.dmp

memory/1312-60-0x0000000004D10000-0x0000000004D50000-memory.dmp

memory/1312-61-0x0000000004D10000-0x0000000004D50000-memory.dmp

memory/1312-62-0x0000000004D10000-0x0000000004D50000-memory.dmp