MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40d524ba12ded4ec3d041b76deb428be5f19702414f85c5596362b3512ef3dfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SkuldStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40d524ba12ded4ec3d041b76deb428be5f19702414f85c5596362b3512ef3dfe
SHA3-384 hash: bd8c1a9d4b2e0aa1f1b7d400c7199bd0b5dbfe5ec23481c1835bc9628a047accb8d09e099cc6152e2cf3c5b9f47c99ec
SHA1 hash: 668c06288552d32bdad845e397a4bbc54f52bc1b
MD5 hash: c3075d13b1389b0e0c0de80f937bfe93
humanhash: zulu-oscar-winter-magnesium
File name:Hellify Booster.exe
Download: download sample
Signature SkuldStealer
Create hunting rule
File size:6'819'840 bytes
First seen:2025-08-09 09:02:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep 98304:dqO5wVvJx0PkGlngEM5S72KHJNa2vHmk+k3k/iaWRE4ne8N/CQ9kJL7c16ZABn/3:dqTrT2zbHmS36As8SJQBDl2stD8
Threatray 2 similar samples on MalwareBazaar
TLSH T1056633E0541FB0E2E1BA6C7A0C69151F63B4D6BC5CA52F6C50202B505AFF6C63DC25EB
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter burger
Tags:exe SkuldStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
44
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Hellify Booster.exe
Verdict:
Malicious activity
Analysis date:
2025-08-08 15:36:35 UTC
Tags:
uac evasion skuld python stealer trox screenshot arch-doc
Link:
https://app.any.run/tasks/a153975f-358b-4a7f-b28a-91b5551de13d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19857/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68970b2011d7f9b979e6e245
Tags:
vmdetect lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Running batch commands
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68970eec2fbe0788fb1cb024/reports/bdd64b79-7602-4c86-a1fa-6db427096c4f/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/40d524ba12ded4ec3d041b76deb428be5f19702414f85c5596362b3512ef3dfe
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f6613a6-f830-4698-aa3c-aa7bc81a3ced
Result
Threat name:
Go Stealer, Skuld Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1753620
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal communication platform credentials (via file / registry access)
Tries to steal Crypto Currency Wallets
UAC bypass detected (Fodhelper)
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Yara detected Go Stealer
Yara detected Skuld Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1753620 Sample: Hellify Booster.exe Startdate: 09/08/2025 Architecture: WINDOWS Score: 100 84 nameless-mouse-2f97.gogohoog546.workers.dev 2->84 86 ip-api.com 2->86 88 api.ipify.org 2->88 96 Antivirus / Scanner detection for submitted sample 2->96 98 Sigma detected: Capture Wi-Fi password 2->98 100 Multi AV Scanner detection for submitted file 2->100 102 12 other signatures 2->102 10 Hellify Booster.exe 3 2->10         started        14 SecurityHealthSystray.exe 2->14         started        16 SecurityHealthSystray.exe 2->16         started        signatures3 process4 file5 80 C:\Users\user\AppData\Local\...\Hellify.exe, PE32+ 10->80 dropped 82 C:\Users\user\AppData\Local\...\Booster.exe, PE32+ 10->82 dropped 116 Encrypted powershell cmdline option found 10->116 18 Hellify.exe 2 73 10->18         started        23 Booster.exe 9 10->23         started        25 powershell.exe 23 10->25         started        118 Multi AV Scanner detection for dropped file 14->118 120 UAC bypass detected (Fodhelper) 14->120 122 Uses cmd line tools excessively to alter registry or file data 14->122 27 conhost.exe 14->27         started        29 cmd.exe 14->29         started        31 WMIC.exe 14->31         started        37 2 other processes 14->37 33 cmd.exe 16->33         started        35 conhost.exe 16->35         started        signatures6 process7 dnsIp8 90 ip-api.com 208.95.112.1, 49692, 49699, 80 TUT-ASUS United States 18->90 92 nameless-mouse-2f97.gogohoog546.workers.dev 104.21.25.193, 443, 49693 CLOUDFLARENETUS United States 18->92 94 api.ipify.org 104.26.13.205, 443, 49691, 49697 CLOUDFLARENETUS United States 18->94 64 C:\Users\user\...\SecurityHealthSystray.exe, PE32+ 18->64 dropped 66 C:\Windows\System32\drivers\etc\hosts, ASCII 18->66 dropped 104 Multi AV Scanner detection for dropped file 18->104 106 Found many strings related to Crypto-Wallets (likely being stolen) 18->106 108 Uses cmd line tools excessively to alter registry or file data 18->108 112 11 other signatures 18->112 39 powershell.exe 18->39         started        42 powershell.exe 18->42         started        45 powershell.exe 18->45         started        55 12 other processes 18->55 68 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 23->68 dropped 70 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 23->70 dropped 72 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 23->72 dropped 74 4 other malicious files 23->74 dropped 47 Booster.exe 1 23->47         started        49 conhost.exe 23->49         started        110 Loading BitLocker PowerShell Module 25->110 51 conhost.exe 25->51         started        53 fodhelper.exe 33->53         started        file9 signatures10 process11 file12 76 C:\Users\user\AppData\...\lglyx5it.cmdline, Unicode 39->76 dropped 57 csc.exe 39->57         started        114 Loading BitLocker PowerShell Module 42->114 60 cmd.exe 47->60         started        signatures13 process14 file15 78 C:\Users\user\AppData\Local\...\lglyx5it.dll, PE32 57->78 dropped 62 cvtres.exe 57->62         started        process16
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/40d524ba12ded4ec3d041b76deb428be5f19702414f85c5596362b3512ef3dfe
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/c3075d13b1389b0e0c0de80f937bfe93
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40d524ba12ded4ec3d041b76deb428be5f19702414f85c5596362b3512ef3dfe/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Stealer
Link:
https://tip.neiki.dev/file/40d524ba12ded4ec3d041b76deb428be5f19702414f85c5596362b3512ef3dfe
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2025-08-09 08:45:57 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
31 of 38 (81.58%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=idksjoqs33koypiedn3n5nbixzprs4bect4fyvmwgyvtkexphx7a._file
Verdict:
malicious
Label(s):
skuldstealer
Create hunting rule
Similar samples:
40d524ba12ded4ec3d041b76deb428be5f19702414f85c5596362b3512ef3dfe
SkuldStealer
a979631d37033b473182741d5835e9dfdb172f46702ff2da63fd134231aa26a5
SkuldStealer
error
SkuldStealer
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery upx
Link:
https://tria.ge/reports/250809-k1bwxabn4t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
External_IP_Lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/6098e6ec-f1e2-4506-8dd1-e9a8fe69ab95
Unpacked files
SH256 hash:
40d524ba12ded4ec3d041b76deb428be5f19702414f85c5596362b3512ef3dfe
MD5 hash:
c3075d13b1389b0e0c0de80f937bfe93
SHA1 hash:
668c06288552d32bdad845e397a4bbc54f52bc1b
Link:
https://www.unpac.me/results/bfe892d3-eca3-4cd4-abd5-94cfd7e3ff22/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/40d524ba12de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40d524ba12ded4ec3d041b76deb428be5f19702414f85c5596362b3512ef3dfe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

SkuldStealer

Executable exe 40d524ba12ded4ec3d041b76deb428be5f19702414f85c5596362b3512ef3dfe

(this sample)

SkuldStealer

Executable exe 6381a3f5fc76fdd31bd00a04055d8a7a413217dbf94084fe9f37ef6ff51dd523

Cape
Cape
https://www.capesandbox.com/analysis/19857/
  
Dropping
SHA256 6381a3f5fc76fdd31bd00a04055d8a7a413217dbf94084fe9f37ef6ff51dd523
  
Dropping
MD5 5043c2662dc3317a39df544aa034ee3a

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA

Comments