MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36d81a84352bb1bc13c00629d820c5bce1cd97b2081bb71e83f6b0d0c37bc472. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SilentNet


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments

SHA256 hash: 36d81a84352bb1bc13c00629d820c5bce1cd97b2081bb71e83f6b0d0c37bc472
SHA3-384 hash: 230c2f081046c9452bb836630733833af29c0542ff7d7ed04a37a6a68e1eccf297fdf74799c2cdf5aefe601931f81e3f
SHA1 hash: 102a125b9f327f090eeb5125724e26d7758c1956
MD5 hash: 25db96667ba026135fdd41f80c14a52d
humanhash: india-louisiana-princess-bulldog
File name:cococlient.jar
Download: download sample
Signature SilentNet
File size:771'983 bytes
First seen:2026-07-04 09:16:41 UTC
Last seen:Never
File type:Java file jar
MIME type:application/zip
ssdeep 12288:kSB4lnqr/aofzzbe3NhCu5Jm+yfHLrT6Ndpm6un8szHBcS6AqWBR9u:kWsvKPq73YLGSZnRzV6AqWBR9u
TLSH T1CFF41266E409DC29E99F337110AF0EE3621C539CE5CA912B12B5C79705A1CCB2F2E56F
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter burger
Tags:jar SilentNet

Intelligence


File Origin
# of uploads :
1
# of downloads :
69
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
cococlient.jar
Verdict:
Malicious activity
Analysis date:
2026-07-03 17:49:09 UTC
Tags:
silentnet stealer sinkhole etherhiding evasion python openssl tool arch-exec arch-doc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
macros-on-open
Verdict:
Malicious
File Type:
jar
First seen:
2026-07-01T23:16:00Z UTC
Last seen:
2026-07-06T05:43:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Java.Generic
Result
Threat name:
SilentNet
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Exploit detected, runtime environment starts unknown processes
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Schedule system process
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected SilentNet
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1937422 Sample: cococlient.jar Startdate: 04/07/2026 Architecture: WINDOWS Score: 100 120 pypi.org 2->120 122 files.pythonhosted.org 2->122 124 2 other IPs or domains 2->124 146 Suricata IDS alerts for network traffic 2->146 148 Multi AV Scanner detection for dropped file 2->148 150 Multi AV Scanner detection for submitted file 2->150 152 10 other signatures 2->152 12 cmd.exe 1 2->12         started        14 powershell.exe 2->14         started        17 powershell.exe 2->17         started        19 cmd.exe 2->19         started        signatures3 process4 signatures5 21 java.exe 5 12->21         started        24 conhost.exe 12->24         started        176 Loading BitLocker PowerShell Module 14->176 26 conhost.exe 14->26         started        28 conhost.exe 17->28         started        process6 signatures7 162 Found many strings related to Crypto-Wallets (likely being stolen) 21->162 30 javaw.exe 884 21->30         started        process8 dnsIp9 140 150.136.141.142, 443, 49702, 49718 ORACLE-BMC-31898-OracleCorporationUS United States 30->140 142 198.178.224.35, 443, 49700, 49716 LATITUDE-SH-LatitudeshUS United States 30->142 144 185.178.208.191, 443, 49704, 49713 DDOS-GUARDRU Russia 30->144 112 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 30->112 dropped 114 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 30->114 dropped 116 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 30->116 dropped 118 623 other malicious files 30->118 dropped 34 python.exe 218 30->34         started        39 conhost.exe 30->39         started        file10 process11 dnsIp12 126 151.101.0.175, 443, 49726 FASTLY-FastlyIncUS Canada 34->126 128 151.101.64.223, 443, 49722 FASTLY-FastlyIncUS Canada 34->128 130 2 other IPs or domains 34->130 80 C:\Users\user\AppData\...\tmpjt58mo_j.tmp, PE32+ 34->80 dropped 82 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 34->82 dropped 84 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 34->84 dropped 86 32 other malicious files 34->86 dropped 154 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->154 156 Found many strings related to Crypto-Wallets (likely being stolen) 34->156 158 Tries to harvest and steal browser information (history, passwords, etc) 34->158 160 3 other signatures 34->160 41 pip.exe 34->41         started        43 python.exe 1088 34->43         started        48 python.exe 34->48         started        50 3 other processes 34->50 file13 signatures14 process15 dnsIp16 52 python.exe 41->52         started        55 conhost.exe 41->55         started        132 pypi.org 151.101.192.223, 443, 49740, 49741 FASTLY-FastlyIncUS Canada 43->132 96 C:\Users\user\AppData\Local\...\pip3.exe, PE32+ 43->96 dropped 98 C:\Users\user\AppData\Local\...\pip3.12.exe, PE32+ 43->98 dropped 100 C:\Users\user\AppData\Local\...\pip.exe, PE32+ 43->100 dropped 108 378 other malicious files 43->108 dropped 166 Suspicious powershell command line found 43->166 168 Uses schtasks.exe or at.exe to add and modify task schedules 43->168 170 Uses netsh to modify the Windows network and firewall settings 43->170 174 2 other signatures 43->174 134 132.145.155.63 ORACLE-BMC-31898-OracleCorporationUS United States 48->134 136 142.251.155.119 GOOGLE-GoogleLLCUS United States 48->136 138 23.222.125.27 AKAMAI-AS-AkamaiTechnologiesIncUS United States 48->138 102 C:\Recovery\OEM\...\RuntimeBroker.exe, PE32+ 48->102 dropped 104 C:\Users\user\AppData\Local\...\stdole.py, Python 48->104 dropped 106 _78530B68_61F9_11D...A024580902_0_1_0.py, Python 48->106 dropped 110 4 other malicious files 48->110 dropped 172 Adds a directory exclusion to Windows Defender 48->172 57 powershell.exe 48->57         started        60 powershell.exe 48->60         started        62 powershell.exe 48->62         started        64 7 other processes 48->64 file17 signatures18 process19 file20 88 C:\Users\user\AppData\Local\...\wsdump.exe, PE32+ 52->88 dropped 90 C:\Users\user\AppData\Local\...\win32wnet.pyd, PE32+ 52->90 dropped 92 C:\Users\user\AppData\Local\...\win32ts.pyd, PE32+ 52->92 dropped 94 515 other malicious files 52->94 dropped 164 Loading BitLocker PowerShell Module 57->164 66 conhost.exe 57->66         started        68 conhost.exe 60->68         started        70 conhost.exe 62->70         started        72 conhost.exe 64->72         started        74 conhost.exe 64->74         started        76 conhost.exe 64->76         started        78 3 other processes 64->78 signatures21 process22
Threat name:
Win32.Trojan.Ravartar
Status:
Malicious
First seen:
2026-07-01 15:58:12 UTC
File Type:
Binary (Archive)
Extracted files:
218
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Result
Malware family:
silentnet
Score:
  10/10
Tags:
family:silentnet stealer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments