MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49ad4072fa8ba37e0503c4d507c10a0c1eb9db6e73bf44af59c2a0bcb4d500fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SilentNet


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash: 49ad4072fa8ba37e0503c4d507c10a0c1eb9db6e73bf44af59c2a0bcb4d500fb
SHA3-384 hash: d3b3914650092a2c3ada2b024124d25e1b54fdd96f105ce49c10ab34ef56b5814271d28212919ed8878833ad02ab5444
SHA1 hash: 6759b5505d4459a1206d2e206850ca07c10cbdd2
MD5 hash: e5222881163bf7fdc28deb3068c069a9
humanhash: lion-sweet-double-butter
File name:mod-injected.jar
Download: download sample
Signature SilentNet
File size:24'688'261 bytes
First seen:2026-06-28 08:20:01 UTC
Last seen:Never
File type:Java file jar
MIME type:application/zip
ssdeep 393216:u/0p4zySxWrU8mZDOocfbufiLZYMI9D9CQB0rqrqnkbXV2nYmuoMvt0XSc2XIXAg:8dzyG8a3cfQ+ZYMQ9/B0+rqnTYXoMvtS
TLSH T1C947336FF3663416FCA262BCCADCD5C43FA89031489FA6E905A34BD1BF50E61C94560E
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter burger
Tags:jar SilentNet

Intelligence


File Origin
# of uploads :
1
# of downloads :
99
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
mod-injected.jar
Verdict:
Malicious activity
Analysis date:
2026-06-27 19:53:55 UTC
Tags:
silentnet stealer etherhiding evasion python arch-exec arch-doc openssl tool

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.expl.evad
Score:
88 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Exploit detected, runtime environment starts unknown processes
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1934623 Sample: mod-injected.jar Startdate: 28/06/2026 Architecture: WINDOWS Score: 88 78 pypi.org 2->78 80 files.pythonhosted.org 2->80 82 2 other IPs or domains 2->82 100 Suricata IDS alerts for network traffic 2->100 102 Exploit detected, runtime environment starts unknown processes 2->102 104 Unusual module load detection (module proxying) 2->104 106 2 other signatures 2->106 11 cmd.exe 1 2->11         started        signatures3 process4 process5 13 java.exe 5 11->13         started        16 conhost.exe 11->16         started        signatures6 116 Found many strings related to Crypto-Wallets (likely being stolen) 13->116 18 javaw.exe 884 13->18         started        process7 dnsIp8 84 132.145.155.63, 443, 49697, 49715 ORACLE-BMC-31898-OracleCorporationUS United States 18->84 86 198.178.224.35, 443, 49694, 49713 LATITUDE-SH-LatitudeshUS United States 18->86 88 185.178.208.191, 443, 49699, 49710 DDOS-GUARDRU Russia 18->88 46 C:\Users\user\AppData\Local\...\python.exe, PE32+ 18->46 dropped 48 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 18->48 dropped 50 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 18->50 dropped 52 623 other files (none is malicious) 18->52 dropped 22 python.exe 213 18->22         started        file9 process10 dnsIp11 90 151.101.192.175, 443, 49723 FASTLY-FastlyIncUS Canada 22->90 92 151.101.64.223, 443, 49719 FASTLY-FastlyIncUS Canada 22->92 94 2 other IPs or domains 22->94 54 C:\Users\user\AppData\...\tmpk6qomxir.tmp, PE32+ 22->54 dropped 56 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 22->56 dropped 58 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 22->58 dropped 60 30 other files (none is malicious) 22->60 dropped 108 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->108 110 Found many strings related to Crypto-Wallets (likely being stolen) 22->110 112 Tries to harvest and steal browser information (history, passwords, etc) 22->112 114 3 other signatures 22->114 27 python.exe 1088 22->27         started        31 pip.exe 22->31         started        33 cmd.exe 1 22->33         started        35 2 other processes 22->35 file12 signatures13 process14 dnsIp15 96 pypi.org 151.101.128.223, 443, 49736, 49741 FASTLY-FastlyIncUS Canada 27->96 98 dualstack.python.map.fastly.net 151.101.192.223, 443, 49738, 49743 FASTLY-FastlyIncUS Canada 27->98 70 C:\Users\user\AppData\Local\...\pip3.exe, PE32+ 27->70 dropped 72 C:\Users\user\AppData\Local\...\pip3.12.exe, PE32+ 27->72 dropped 74 C:\Users\user\AppData\Local\...\pip.exe, PE32+ 27->74 dropped 76 378 other files (none is malicious) 27->76 dropped 37 conhost.exe 27->37         started        39 cmd.exe 27->39         started        41 python.exe 31->41         started        44 conhost.exe 31->44         started        file16 process17 file18 62 95ad9cf1790ae51303...729f24d.body (copy), Python 41->62 dropped 64 750721289c257d7ef1...c2c8a0f.body (copy), Python 41->64 dropped 66 49583e7972e864a609...ef5e4e7.body (copy), Python 41->66 dropped 68 17 other files (none is malicious) 41->68 dropped
Gathering data
Threat name:
ByteCode-JAVA.Trojan.Generic
Status:
Suspicious
First seen:
2026-06-27 19:53:55 UTC
File Type:
Binary (Archive)
Extracted files:
20
AV detection:
3 of 24 (12.50%)
Threat level:
  5/5
Result
Malware family:
silentnet
Score:
  10/10
Tags:
family:silentnet adware persistence ransomware spyware stealer
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates connected drives
Boot or Logon Autostart Execution: Active Setup
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments