MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 398313d5532cfc25c0d4bf936a94631f7ccd0a787238049be798003042f7a3ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlankGrabber


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 398313d5532cfc25c0d4bf936a94631f7ccd0a787238049be798003042f7a3ab
SHA3-384 hash: e1946694c4efcc7de37666331e9bfeff3bc998cd40f955c644fb9aab8b2d41bd77681033524f73a1b2b8004b7672ac6b
SHA1 hash: 7238640baffe2ec139690527aa107d904eb20373
MD5 hash: 729ba8b3c90fa95007e7d545e8842323
humanhash: ten-robert-black-west
File name:Hellify Booster.exe
Download: download sample
Signature BlankGrabber
Create hunting rule
File size:15'406'592 bytes
First seen:2025-08-15 13:53:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep 393216:5fsVmWRRLmug1z3tz/Gr8acwsjHYLcGM+aSHeOrphHWAH:CVmWRRiuetzLacxzYrbD+qpkI
Threatray 21 similar samples on MalwareBazaar
TLSH T167F633A5366C1B75F71E0779C97EE0C41411D7A784870ABA68162B6B0A8FB374CC38F9
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter burger
Tags:BlankGrabber exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Hellify.exe
Verdict:
Malicious activity
Analysis date:
2025-08-14 12:13:07 UTC
Tags:
evasion trox stealer python skuld auto skuldstealer susp-powershell screenshot blankgrabber arch-doc
Link:
https://app.any.run/tasks/15f3a993-1c08-4a6c-870b-0161a3096996

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21541/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689f3bb38fd55a79c5272de2
Tags:
vmdetect lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Running batch commands
Сreating synchronization primitives
Loading a suspicious library
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Sending an HTTP GET request
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/689f3be0abfbaec3182385e9/reports/fb76c39c-fc42-46ba-8de9-3678c7c684f6/overview
Verdict:
Malicious
Labled as:
Razy.Generic
Link:
https://www.hybrid-analysis.com/sample/398313d5532cfc25c0d4bf936a94631f7ccd0a787238049be798003042f7a3ab
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2668ed3-dc1f-4cfd-99bd-1f3920bc32cf
Result
Threat name:
Blank Grabber, Go Stealer, Skuld Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1757893
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal communication platform credentials (via file / registry access)
Tries to steal Crypto Currency Wallets
UAC bypass detected (Fodhelper)
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Yara detected Blank Grabber
Yara detected Go Stealer
Yara detected Skuld Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1757893 Sample: Hellify Booster.exe Startdate: 15/08/2025 Architecture: WINDOWS Score: 100 130 nameless-mouse-2f97.gogohoog546.workers.dev 2->130 132 ip-api.com 2->132 134 2 other IPs or domains 2->134 164 Antivirus detection for dropped file 2->164 166 Antivirus / Scanner detection for submitted sample 2->166 168 Sigma detected: Capture Wi-Fi password 2->168 170 15 other signatures 2->170 11 Hellify Booster.exe 3 2->11         started        15 SecurityHealthSystray.exe 2->15         started        signatures3 process4 file5 106 C:\Users\user\AppData\Local\Temp\Tokens.exe, PE32+ 11->106 dropped 108 C:\Users\user\AppData\...\Hellify Booster.exe, PE32 11->108 dropped 184 Encrypted powershell cmdline option found 11->184 17 Tokens.exe 27 11->17         started        21 Hellify Booster.exe 3 11->21         started        23 powershell.exe 23 11->23         started        186 Multi AV Scanner detection for dropped file 15->186 188 UAC bypass detected (Fodhelper) 15->188 25 cmd.exe 15->25         started        27 conhost.exe 15->27         started        signatures6 process7 file8 92 C:\Users\user\AppData\Local\...\backend_c.pyd, PE32+ 17->92 dropped 94 C:\Users\user\AppData\Local\...\_cffi.pyd, PE32+ 17->94 dropped 96 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 17->96 dropped 102 20 other malicious files 17->102 dropped 144 Found many strings related to Crypto-Wallets (likely being stolen) 17->144 146 Modifies Windows Defender protection settings 17->146 148 Tries to harvest and steal WLAN passwords 17->148 150 Removes signatures from Windows Defender 17->150 29 Tokens.exe 17->29         started        34 conhost.exe 17->34         started        98 C:\Users\user\AppData\Local\...\Hellify.exe, PE32+ 21->98 dropped 100 C:\Users\user\AppData\Local\...\Booster.exe, PE32+ 21->100 dropped 152 Encrypted powershell cmdline option found 21->152 36 Hellify.exe 2 73 21->36         started        38 Booster.exe 21->38         started        40 powershell.exe 23 21->40         started        154 Loading BitLocker PowerShell Module 23->154 42 conhost.exe 23->42         started        44 fodhelper.exe 25->44         started        46 fodhelper.exe 25->46         started        48 fodhelper.exe 25->48         started        signatures9 process10 dnsIp11 136 172.67.134.127, 443, 49728 CLOUDFLARENETUS United States 29->136 110 C:\Users\user\AppData\...\WUTJSCBCFX.png, ASCII 29->110 dropped 112 C:\Users\user\AppData\...\UMMBDNEQBN.docx, ASCII 29->112 dropped 124 2 other malicious files 29->124 dropped 190 Uses cmd line tools excessively to alter registry or file data 29->190 192 Tries to harvest and steal browser information (history, passwords, etc) 29->192 194 Modifies Windows Defender protection settings 29->194 204 4 other signatures 29->204 50 cmd.exe 29->50         started        53 cmd.exe 29->53         started        55 cmd.exe 29->55         started        66 19 other processes 29->66 138 ip-api.com 208.95.112.1, 49719, 49722, 49727 TUT-ASUS United States 36->138 140 nameless-mouse-2f97.gogohoog546.workers.dev 104.21.25.193, 443, 49724 CLOUDFLARENETUS United States 36->140 142 api.ipify.org 172.67.74.152, 443, 49718 CLOUDFLARENETUS United States 36->142 114 C:\Users\user\...\SecurityHealthSystray.exe, PE32+ 36->114 dropped 116 C:\Windows\System32\drivers\etc\hosts, ASCII 36->116 dropped 196 Multi AV Scanner detection for dropped file 36->196 198 Found many strings related to Crypto-Wallets (likely being stolen) 36->198 200 Encrypted powershell cmdline option found 36->200 206 6 other signatures 36->206 57 powershell.exe 36->57         started        68 12 other processes 36->68 118 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 38->118 dropped 120 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 38->120 dropped 122 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 38->122 dropped 126 4 other malicious files 38->126 dropped 60 Booster.exe 38->60         started        62 conhost.exe 38->62         started        202 Loading BitLocker PowerShell Module 40->202 64 conhost.exe 40->64         started        file12 signatures13 process14 file15 156 Modifies Windows Defender protection settings 50->156 70 powershell.exe 50->70         started        73 conhost.exe 50->73         started        75 getmac.exe 53->75         started        158 Uses cmd line tools excessively to alter registry or file data 55->158 77 reg.exe 55->77         started        104 C:\Users\user\AppData\...\gqllykk1.cmdline, Unicode 57->104 dropped 79 csc.exe 57->79         started        82 cmd.exe 60->82         started        160 Tries to harvest and steal WLAN passwords 66->160 84 systeminfo.exe 66->84         started        86 tasklist.exe 66->86         started        88 13 other processes 66->88 162 Loading BitLocker PowerShell Module 68->162 signatures16 process17 file18 172 Loading BitLocker PowerShell Module 70->172 174 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 75->174 176 Writes or reads registry keys via WMI 75->176 128 C:\Users\user\AppData\Local\...\gqllykk1.dll, PE32 79->128 dropped 90 cvtres.exe 79->90         started        178 Uses cmd line tools excessively to alter registry or file data 82->178 180 Modifies Windows Defender protection settings 82->180 182 Tries to harvest and steal WLAN passwords 82->182 signatures19 process20
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/398313d5532cfc25c0d4bf936a94631f7ccd0a787238049be798003042f7a3ab
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/729ba8b3c90fa95007e7d545e8842323
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/398313d5532cfc25c0d4bf936a94631f7ccd0a787238049be798003042f7a3ab/
Verdict:
Malicious
Threat:
Family.BLANKGRABBER
Link:
https://tip.neiki.dev/file/398313d5532cfc25c0d4bf936a94631f7ccd0a787238049be798003042f7a3ab
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2025-08-15 13:49:23 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 23 (86.96%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hgbrhvktft6clqgux6jwvfddd56m2ctyoi4ajg7htaadaqxxuovq._file
Verdict:
malicious
Label(s):
skuldstealer
Create hunting rule
Similar samples:
1afc446455b3b80f89b1367f9d59987ac5e0591230ffd3f63bec42c22e3af5e6
BlankGrabber
398313d5532cfc25c0d4bf936a94631f7ccd0a787238049be798003042f7a3ab
BlankGrabber
422cf765574850761cf52b577df47f8dfa7cb52c964fc3f70c49fb90841e9445
BlankGrabber
b3440511f1ed65aff14b5968e9fe7a55b0ac78b3c14365ab3bc30e02989c07e9
BlankGrabber
bb8f5ce081436b3156b82cc4d2533dacb49ada314d258b10aad38f50c4ee5696
BlankGrabber
error
BlankGrabber
+ 11 additional samples on MalwareBazaar
Result
Malware family:
blankgrabber
Create hunting rule
Score:
  10/10
Tags:
family:blankgrabber defense_evasion discovery execution stealer
Link:
https://tria.ge/reports/250815-q682gsbk9s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies trusted root certificate store through registry
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Detects BlankGrabber stealer in memory
blankgrabber
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3320bc74-2bbf-471d-844e-fb163d1d9c74
Unpacked files
SH256 hash:
398313d5532cfc25c0d4bf936a94631f7ccd0a787238049be798003042f7a3ab
MD5 hash:
729ba8b3c90fa95007e7d545e8842323
SHA1 hash:
7238640baffe2ec139690527aa107d904eb20373
Link:
https://www.unpac.me/results/4dd24f16-8cb7-43a1-a893-3673355dfc50/
Malware family:
BlankGrabber
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/398313d5532c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/398313d5532cfc25c0d4bf936a94631f7ccd0a787238049be798003042f7a3ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/21541/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA

Comments