MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b3d90c90c03d4ebb10f6e76f32d5f12dbae8e01d42518060e14f8968e32dc15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SilentNet


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments

SHA256 hash: 6b3d90c90c03d4ebb10f6e76f32d5f12dbae8e01d42518060e14f8968e32dc15
SHA3-384 hash: 0f3caa7ba8a892ad4d5089470cf6d840fd8664a4e2571c920a704a0cc17e40d158dca743c103ef9532bf2a92e06fb114
SHA1 hash: e3ce283b5c396130ed22e6d004f61a30ce615151
MD5 hash: a1856636846948b488f2172028084294
humanhash: enemy-double-beryllium-alabama
File name:nightclient.jar
Download: download sample
Signature SilentNet
File size:10'061'867 bytes
First seen:2026-06-27 10:21:31 UTC
Last seen:Never
File type:Java file jar
MIME type:application/zip
ssdeep 196608:oNdonIlkZgvWMy2948PbEBhImHb4N3WtDVWQbM5OS3d:oNdoOkZg/z4EEBhIkZtDVIJ3d
TLSH T165A623209F0C4036EC77FF73D04378A1A0BBEE5A120FF5563A7A628D8816B54DB39695
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter burger
Tags:jar SilentNet

Intelligence


File Origin
# of uploads :
1
# of downloads :
120
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
nightclient.jar
Verdict:
Malicious activity
Analysis date:
2026-06-24 14:04:03 UTC
Tags:
silentnet stealer etherhiding

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug explorer lolbin obfuscated rundll32
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.expl.evad
Score:
88 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Exploit detected, runtime environment starts unknown processes
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1934445 Sample: nightclient.jar Startdate: 27/06/2026 Architecture: WINDOWS Score: 88 76 pypi.org 2->76 78 files.pythonhosted.org 2->78 80 2 other IPs or domains 2->80 98 Suricata IDS alerts for network traffic 2->98 100 Exploit detected, runtime environment starts unknown processes 2->100 102 Unusual module load detection (module proxying) 2->102 104 2 other signatures 2->104 11 cmd.exe 1 2->11         started        signatures3 process4 process5 13 java.exe 5 11->13         started        16 conhost.exe 11->16         started        signatures6 114 Found many strings related to Crypto-Wallets (likely being stolen) 13->114 18 javaw.exe 884 13->18         started        process7 dnsIp8 82 150.136.141.142, 443, 49692, 49707 ORACLE-BMC-31898-OracleCorporationUS United States 18->82 84 198.178.224.35, 443, 49689, 49705 LATITUDE-SH-LatitudeshUS United States 18->84 86 185.178.208.191, 443, 49700, 49702 DDOS-GUARDRU Russia 18->86 44 C:\Users\user\AppData\Local\...\python.exe, PE32+ 18->44 dropped 46 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 18->46 dropped 48 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 18->48 dropped 50 623 other files (none is malicious) 18->50 dropped 22 python.exe 216 18->22         started        file9 process10 dnsIp11 88 151.101.0.223, 443, 49711, 49735 FASTLY-FastlyIncUS Canada 22->88 90 151.101.64.175, 443, 49716 FASTLY-FastlyIncUS Canada 22->90 92 2 other IPs or domains 22->92 60 C:\Users\user\AppData\...\tmp5lco19wq.tmp, PE32+ 22->60 dropped 62 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 22->62 dropped 64 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 22->64 dropped 66 31 other files (none is malicious) 22->66 dropped 106 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->106 108 Found many strings related to Crypto-Wallets (likely being stolen) 22->108 110 Tries to harvest and steal browser information (history, passwords, etc) 22->110 112 3 other signatures 22->112 27 pip.exe 22->27         started        29 python.exe 1088 22->29         started        33 conhost.exe 22->33         started        35 chrome.exe 22->35         started        file12 signatures13 process14 dnsIp15 37 python.exe 27->37         started        40 conhost.exe 27->40         started        94 dualstack.python.map.fastly.net 151.101.128.223, 443, 49728 FASTLY-FastlyIncUS Canada 29->94 96 pypi.org 151.101.192.223, 443, 49726, 49733 FASTLY-FastlyIncUS Canada 29->96 68 C:\Users\user\AppData\Local\...\pip3.exe, PE32+ 29->68 dropped 70 C:\Users\user\AppData\Local\...\pip3.12.exe, PE32+ 29->70 dropped 72 C:\Users\user\AppData\Local\...\pip.exe, PE32+ 29->72 dropped 74 378 other files (none is malicious) 29->74 dropped 42 conhost.exe 29->42         started        file16 process17 file18 52 C:\Users\user\AppData\Local\...\wsdump.exe, PE32+ 37->52 dropped 54 C:\Users\user\AppData\Local\...\win32wnet.pyd, PE32+ 37->54 dropped 56 C:\Users\user\AppData\Local\...\win32ts.pyd, PE32+ 37->56 dropped 58 534 other files (none is malicious) 37->58 dropped
Threat name:
Win32.Trojan.Qwexlafiba
Status:
Malicious
First seen:
2026-06-24 14:04:04 UTC
File Type:
Binary (Archive)
Extracted files:
2339
AV detection:
6 of 23 (26.09%)
Threat level:
  5/5
Result
Malware family:
silentnet
Score:
  10/10
Tags:
family:silentnet stealer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments