MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 422cf765574850761cf52b577df47f8dfa7cb52c964fc3f70c49fb90841e9445. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlankGrabber
Vendor detections: 17



SHA256 hash: 422cf765574850761cf52b577df47f8dfa7cb52c964fc3f70c49fb90841e9445
SHA3-384 hash: 514d850c4228868d529b4afbeab15399bb176be9c616a8ad84954327670845e2e318201b3fd1427179b893508f213c65
SHA1 hash: 435ece11e761c0f41e757a9fe2f9128b57bbaf55
MD5 hash: 5f715b2832f9e01bbc5a3fae77ba17f2
humanhash: sierra-video-west-ink
File name: Hellify Booster.exe
Signature: BlankGrabber
File size: 15'406'080 bytes
First seen: 2025-08-12 07:51:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep: 393216:IkCldwLLnprgTVaGUKoGCxuhQ9auolJYqXZL:IkudoLpMTVaGUxPuhQ9auoJ9
Threatray: 18 similar samples on MalwareBazaar
TLSH: T1A5F63329F4EC6E70D7AB1AFC65FD22A02762D13EA582D34C87F85406CAD57E23B55380
TrID: 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
Reporter: burger
Tags: BlankGrabber exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 47
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Hellify Booster.exe
Verdict: Malicious activity
Analysis date: 2025-08-11 23:26:43 UTC
Tags: evasion uac stealer trox python skuld screenshot blankgrabber arch-doc

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 94.9%
Tags: xtreme shell lien sage
Result
Verdict: Malware
Maliciousness:
Behaviour:
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% directory
Creating a file
Creating synchronization primitives
Running batch commands
DNS request
Loading a suspicious library
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Sending an HTTP GET request
Launching the process to change network settings
Adding an exclusion to Microsoft Defender
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Malware family: FrigidStealer
Verdict: Malicious
Result
Threat name: Blank Grabber, Go Stealer, Skuld Stealer
Detection: malicious
Classification: rans.troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature:
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal communication platform credentials (via file / registry access)
Tries to steal Crypto Currency Wallets
UAC bypass detected (Fodhelper)
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Yara detected Blank Grabber
Yara detected Go Stealer
Yara detected Skuld Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1755160; Sample: Hellify Booster.exe; Startdate: 12/08/2025; Architecture: WINDOWS; Score: 100

Contacted hosts (from the graph):
  blank-dvqq1.in
  nameless-mouse-2f97.gogohoog546.workers.dev (104.21.25.193, ports 443, 49697; CLOUDFLARENETUS, United States; contacted by Hellify.exe)
  api.ipify.org (172.67.74.152, ports 443, 49691, 49701; CLOUDFLARENETUS, United States; contacted by Hellify.exe)
  ip-api.com (208.95.112.1, ports 49693, 49694, 49702; TUT-ASUS, United States; contacted by hel.exe)
  2 other IPs or domains

Top-level signatures: Antivirus / Scanner detection for submitted sample; Sigma detected: Capture Wi-Fi password; Multi AV Scanner detection for dropped file; 16 other signatures

Process tree (dropped files and per-process signatures as shown in the graph):
  Hellify Booster.exe
    dropped: C:\Users\user\AppData\...\Hellify Booster.exe (PE32); C:\Users\user\AppData\Local\Temp\hel.exe (PE32+)
    signatures: Encrypted powershell cmdline option found
    hel.exe
      dropped: C:\Users\user\AppData\Local\...\backend_c.pyd (PE32+); C:\Users\user\AppData\Local\...\_cffi.pyd (PE32+); C:\Users\user\AppData\...\vcruntime140_1.dll (PE32+); 20 other malicious files
      signatures: Found many strings related to Crypto-Wallets (likely being stolen); Modifies Windows Defender protection settings; Tries to harvest and steal WLAN passwords; Removes signatures from Windows Defender
      hel.exe
        network: ip-api.com 208.95.112.1
        dropped: C:\Users\user\AppData\...\ZTGJILHXQB.docx (ASCII); C:\Users\user\AppData\...\SUAVTZKNFL.mp3 (ASCII); 3 other malicious files
        signatures: Uses cmd line tools excessively to alter registry or file data; Tries to harvest and steal browser information (history, passwords, etc); Modifies Windows Defender protection settings; 4 other signatures
        cmd.exe
          signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; 2 other signatures
          powershell.exe (Loading BitLocker PowerShell Module)
          conhost.exe
        cmd.exe
          getmac.exe (Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI)
        cmd.exe
          reg.exe
        24 other processes
          WMIC.exe
          tasklist.exe
          15 other processes
      conhost.exe
    Hellify Booster.exe
      dropped: C:\Users\user\AppData\Local\...\Hellify.exe (PE32+); C:\Users\user\AppData\Local\...\Booster.exe (PE32+)
      signatures: Encrypted powershell cmdline option found
      Hellify.exe
        network: nameless-mouse-2f97.gogohoog546.workers.dev 104.21.25.193; api.ipify.org 172.67.74.152
        dropped: C:\Users\user\...\SecurityHealthSystray.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
        signatures: Multi AV Scanner detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); Encrypted powershell cmdline option found; 6 other signatures
        powershell.exe
          dropped: C:\Users\user\AppData\...\tleqdzr1.cmdline (Unicode)
          csc.exe
            dropped: C:\Users\user\AppData\Local\...\tleqdzr1.dll (PE32)
            cvtres.exe
        powershell.exe (Loading BitLocker PowerShell Module)
        13 other processes
      Booster.exe
        dropped: C:\Users\user\AppData\...\vcruntime140.dll (PE32+); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); 4 other malicious files
        2 other processes
          cmd.exe
      powershell.exe (Loading BitLocker PowerShell Module)
        conhost.exe
    powershell.exe (Loading BitLocker PowerShell Module)
      conhost.exe
  SecurityHealthSystray.exe
    signatures: Multi AV Scanner detection for dropped file; UAC bypass detected (Fodhelper); Uses cmd line tools excessively to alter registry or file data
    conhost.exe
    cmd.exe
    WMIC.exe
    2 other processes
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86
Threat name: Win32.Dropper.Dapato
Status: Malicious
First seen: 2025-08-12 07:51:36 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 30 of 38 (78.95%)
Threat level: 3/5
Result
Malware family: blankgrabber
Score: 10/10
Tags: family:blankgrabber defense_evasion discovery execution stealer upx
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
UPX packed file
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Detects BlankGrabber stealer in memory
blankgrabber
Unpacked files
SHA256 hash: 422cf765574850761cf52b577df47f8dfa7cb52c964fc3f70c49fb90841e9445
MD5 hash: 5f715b2832f9e01bbc5a3fae77ba17f2
SHA1 hash: 435ece11e761c0f41e757a9fe2f9128b57bbaf55
Malware family: BlankGrabber
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                 | Title                                                      | Severity
CHECK_AUTHENTICODE | Missing Authenticode                                       | high
CHECK_NX           | Missing Non-Executable Memory Protection                   | critical
CHECK_PIE          | Missing Position-Independent Executable (PIE) Protection   | high

Reviews
ID        | Capabilities             | Evidence
SHELL_API | Manipulates System Shell | shell32.dll::ShellExecuteA

Comments