MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0807bbceb5b347cc5952854fb9a0574189ab86320d5b21bb55fa8d3439b92159. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SilentNet


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash: 0807bbceb5b347cc5952854fb9a0574189ab86320d5b21bb55fa8d3439b92159
SHA3-384 hash: 0d14735b5a7cb9f053370c67c261770dbb36b647b0f55a1d803a24e519c6682cd56210cd46b0f1315e5301f7299c4fd4
SHA1 hash: de49eeddc51d0aca875ebe37a09cd4b682fcdef4
MD5 hash: 8f5893b0903aefd4814d0f6b4a000d38
humanhash: winter-solar-harry-video
File name:kryptonclient.jar
Download: download sample
Signature SilentNet
File size:13'467'612 bytes
First seen:2026-07-09 09:35:46 UTC
Last seen:Never
File type:Java file jar
MIME type:application/zip
ssdeep 196608:W9iyfxjj2QlFjyzAcNeVaqUA0i6hLtPGYyALAo7gyjVgM4/op5FaucFuZPxPIx83:SiWp/FgAfsKCtGYjLGy14gp53nbMk/
TLSH T189D633222FA8911F74B0B937DF11756938AC7F0670277EAD76298981F389DC29F25321
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter burger
Tags:jar SilentNet

Intelligence


File Origin
# of uploads :
1
# of downloads :
92
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
kryptonclient.jar
Verdict:
Malicious activity
Analysis date:
2026-07-09 09:28:39 UTC
Tags:
arch-exec silentnet stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Result
Threat name:
EtherHiding, SilentNet
Detection:
malicious
Classification:
troj.expl.evad.spyw
Score:
100 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Exploit detected, runtime environment starts unknown processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected SilentNet
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1939827 Sample: kryptonclient.jar Startdate: 09/07/2026 Architecture: WINDOWS Score: 100 80 pypi.org 2->80 82 files.pythonhosted.org 2->82 84 2 other IPs or domains 2->84 100 Suricata IDS alerts for network traffic 2->100 102 Multi AV Scanner detection for submitted file 2->102 104 Yara detected SilentNet 2->104 106 4 other signatures 2->106 12 cmd.exe 1 2->12         started        signatures3 process4 process5 14 java.exe 5 12->14         started        16 conhost.exe 12->16         started        process6 18 javaw.exe 884 14->18         started        dnsIp7 86 150.136.141.142, 443, 49701, 49719 ORACLE-BMC-31898-OracleCorporationUS United States 18->86 88 198.178.224.35, 443, 49699, 49717 LATITUDE-SH-LatitudeshUS United States 18->88 90 185.178.208.191, 443, 49710, 49714 DDOS-GUARDRU Russia 18->90 48 C:\Users\user\AppData\Local\...\python.exe, PE32+ 18->48 dropped 50 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 18->50 dropped 52 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 18->52 dropped 54 623 other files (none is malicious) 18->54 dropped 22 python.exe 213 18->22         started        file8 process9 dnsIp10 92 151.101.0.175, 443, 49728 FASTLY-FastlyIncUS Canada 22->92 94 151.101.0.223, 443, 49723 FASTLY-FastlyIncUS Canada 22->94 96 2 other IPs or domains 22->96 64 C:\Users\user\AppData\...\tmpng_5rdu2.tmp, PE32+ 22->64 dropped 66 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 22->66 dropped 68 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 22->68 dropped 70 30 other files (none is malicious) 22->70 dropped 108 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->108 110 Tries to harvest and steal browser information (history, passwords, etc) 22->110 112 Writes to foreign memory regions 22->112 114 2 other signatures 22->114 27 pip.exe 22->27         started        29 python.exe 1088 22->29         started        33 cmd.exe 1 22->33         started        35 2 other processes 22->35 file11 signatures12 process13 dnsIp14 37 python.exe 27->37         started        40 conhost.exe 27->40         started        98 pypi.org 151.101.64.223, 443, 49740, 49741 FASTLY-FastlyIncUS Canada 29->98 72 C:\Users\user\AppData\Local\...\pip3.exe, PE32+ 29->72 dropped 74 C:\Users\user\AppData\Local\...\pip3.12.exe, PE32+ 29->74 dropped 76 C:\Users\user\AppData\Local\...\pip.exe, PE32+ 29->76 dropped 78 378 other files (none is malicious) 29->78 dropped 42 conhost.exe 29->42         started        44 cmd.exe 29->44         started        file15 process16 file17 56 C:\Users\user\AppData\Local\...\tmpl3wr6d4u, Python 37->56 dropped 58 C:\Users\user\AppData\...\taskscheduler.pyd, PE32+ 37->58 dropped 60 95ad9cf1790ae51303...729f24d.body (copy), Python 37->60 dropped 62 458 other files (none is malicious) 37->62 dropped 46 cmd.exe 37->46         started        process18
Threat name:
ByteCode-JAVA.Trojan.Generic
Status:
Suspicious
First seen:
2026-07-03 12:02:45 UTC
File Type:
Binary (Archive)
Extracted files:
5326
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Result
Malware family:
silentnet
Score:
  10/10
Tags:
family:silentnet stealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Author:vietdx.mb

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SilentNet

Java file jar 0807bbceb5b347cc5952854fb9a0574189ab86320d5b21bb55fa8d3439b92159

(this sample)

  
Delivery method
Distributed via web download

Comments