MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67ca544f630bc557a367348267e0d47fea783a100bdc49b7ed1f8ea63cd9871c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SilentStealer


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67ca544f630bc557a367348267e0d47fea783a100bdc49b7ed1f8ea63cd9871c
SHA3-384 hash: 1066a37b86cb6e366b56fc3127b32e72667976cbaacc03a57ffc34d511f45225ece821cc70deb7de41040c229089bd13
SHA1 hash: 7bcc790d239085d1a2a63ff70e9b7acaaaca9fa6
MD5 hash: 9652c13bb9f8dc080262133df40ac6d9
humanhash: four-hot-monkey-one
File name:Faith-1.0.1-setup.exe
Download: download sample
Signature SilentStealer
Create hunting rule
File size:90'450'761 bytes
First seen:2025-12-24 15:34:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:soYxcnyJVwaweFKT4f9F7I23ru2wcKhVTkqnf1DBKpbd+b3dAGuExCJ+:sbUyJejWKk92VTkQf1D4pWm+6+
TLSH T15218334702DD5E6FDBEBAA3B45395CBD19358A400BE298F58E976CF217D4E208E0910B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter burger
Tags:exe SilentStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
DE DE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/a06fbf6b-7a72-47a2-af70-b243fb995aa3/
Malware family:
n/a
ID:
1
File name:
Faith-1.0.1-setup.exe
Verdict:
Malicious activity
Analysis date:
2025-12-24 15:34:39 UTC
Tags:
silentstealer stealer python susp-powershell generic ims-api nodejs evasion discord phishing auto-reg
Link:
https://app.any.run/tasks/22eda6b0-9174-407e-b4a8-a98c1d413bac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694c080b01c7b4a8fe5556fd
Tags:
extens shell sage
Verdict:
Suspicious
Labled as:
TR/Malware
Link:
https://www.hybrid-analysis.com/sample/67ca544f630bc557a367348267e0d47fea783a100bdc49b7ed1f8ea63cd9871c
Result
Gathering data
Verdict:
Malicious
File Type:
exe x32
Detections:
HEUR:Trojan-PSW.Win32.Greedy.gen HEUR:Trojan-PSW.Script.Generic HEUR:Trojan-PSW.JS.Greedy.gen HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/67ca544f630bc557a367348267e0d47fea783a100bdc49b7ed1f8ea63cd9871c/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad.troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1838910
Signature
Antivirus detection for URL or domain
Disables security and backup related services
Disables Windows Defender (via service or powershell)
Drops large PE files
Found pyInstaller with non standard icon
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Windows Service Tampering
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Yara detected Generic Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1838910 Sample: Faith-1.0.1-setup.exe Startdate: 24/12/2025 Architecture: WINDOWS Score: 100 81 www.myexternalip.com 2->81 83 store8.gofile.io 2->83 85 10 other IPs or domains 2->85 93 Suricata IDS alerts for network traffic 2->93 95 Antivirus detection for URL or domain 2->95 97 Multi AV Scanner detection for submitted file 2->97 99 4 other signatures 2->99 10 Faith.exe 1006 2->10         started        15 Faith.exe 2->15         started        17 Faith-1.0.1-setup.exe 12 699 2->17         started        signatures3 process4 dnsIp5 87 ip-api.com 208.95.112.1, 49768, 49967, 49995 TUT-ASUS United States 10->87 89 gcp-us-west1-1.origin.onrender.com.cdn.cloudflare.net 216.24.57.7, 443, 49770, 49772 RENDERUS United States 10->89 91 4 other IPs or domains 10->91 65 C:\Users\user\AppData\...\cookies.sqlite-shm, data 10->65 dropped 67 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 10->67 dropped 69 C:\Users\user\AppData\Local\...\pythonw.exe, PE32+ 10->69 dropped 77 744 other files (3 malicious) 10->77 dropped 105 Tries to harvest and steal browser information (history, passwords, etc) 10->105 107 Modifies Windows Defender protection settings 10->107 109 Disables security and backup related services 10->109 19 cmd.exe 10->19         started        22 cmd.exe 10->22         started        24 cmd.exe 10->24         started        26 40 other processes 10->26 111 Disables Windows Defender (via service or powershell) 15->111 113 Unusual module load detection (module proxying) 15->113 115 Found pyInstaller with non standard icon 15->115 71 C:\Users\user\AppData\Local\...\Faith.exe, PE32+ 17->71 dropped 73 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 17->73 dropped 75 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 17->75 dropped 79 28 other files (none is malicious) 17->79 dropped 117 Drops large PE files 17->117 file6 signatures7 process8 signatures9 101 Modifies Windows Defender protection settings 19->101 103 Disables Windows Defender (via service or powershell) 19->103 28 powershell.exe 19->28         started        31 conhost.exe 19->31         started        33 net.exe 22->33         started        41 2 other processes 22->41 35 tasklist.exe 24->35         started        43 3 other processes 24->43 37 net.exe 26->37         started        39 findstr.exe 26->39         started        45 48 other processes 26->45 process10 signatures11 119 Loading BitLocker PowerShell Module 28->119 47 net1.exe 33->47         started        49 Conhost.exe 35->49         started        51 net1.exe 37->51         started        53 Conhost.exe 39->53         started        55 net1.exe 45->55         started        57 Conhost.exe 45->57         started        59 Conhost.exe 45->59         started        61 3 other processes 45->61 process12 process13 63 Conhost.exe 49->63         started       
Score:
77%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/67ca544f630bc557a367348267e0d47fea783a100bdc49b7ed1f8ea63cd9871c
Gathering data
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Greedy
Link:
https://tip.neiki.dev/file/67ca544f630bc557a367348267e0d47fea783a100bdc49b7ed1f8ea63cd9871c
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m7ffit3dbpcvpi3hgsbgpygup7vhqoqqbpoetn7nd6hkmpgzq4oa._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery execution persistence spyware stealer trojan
Link:
https://tria.ge/reports/251224-s1r7wsf13c/
Behaviour
Kills process with taskkill
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Launches sc.exe
An obfuscated cmd.exe command-line is typically used to evade detection.
Enumerates processes with tasklist
Adds Run key to start application
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Indicator Removal: Clear Persistence
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads ssh keys stored on the system
Reads user/profile data of web browsers
Disables one or more Microsoft Defender components
Windows security bypass
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/63d2d726-994e-48ac-a524-89d1d3296eea
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

SilentStealer

Executable exe 67ca544f630bc557a367348267e0d47fea783a100bdc49b7ed1f8ea63cd9871c

(this sample)

SilentStealer

Java Script (JS) js 79f8b6b875bacab69122c39e9a7ece02f716c69130f39f14bc0e5c89d963b55d

  
Dropping
SHA256 79f8b6b875bacab69122c39e9a7ece02f716c69130f39f14bc0e5c89d963b55d
  
Dropping
MD5 e667058e85dd6f60df24a6502fce0342

Comments