MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c19a1542080f4012dc56f080c367c4646190b9e4dd8dde151de7a5efd01bb86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SilentNet


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments

SHA256 hash: 7c19a1542080f4012dc56f080c367c4646190b9e4dd8dde151de7a5efd01bb86
SHA3-384 hash: b9a04668c2c817ef472b8ba869d15a8554d3d32bfe9a64af4a4522aafd59154d269362fb401d709b80dbb564987a3773
SHA1 hash: df17576b83b7a7ad04fa5ae95a6f52bae3c95e63
MD5 hash: b69f79202f4c392eb5274969590594fa
humanhash: sierra-mobile-india-jig
File name:Radiumclient.jar
Download: download sample
Signature SilentNet
File size:17'727'127 bytes
First seen:2026-07-09 09:35:57 UTC
Last seen:Never
File type:Java file jar
MIME type:application/zip
ssdeep 393216:biWp/FgAfsKCtGYjLGyinT9otZSOz984PtunRVyQh8o:1J07ltinT9oXRZ8Ruo
TLSH T1090733776FD64A4A405082338FA1B95C79780BD2A2626D9C73B2CDB272C89BDDF31711
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter burger
Tags:jar SilentNet

Intelligence


File Origin
# of uploads :
1
# of downloads :
91
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
Radiumclient.jar
Verdict:
No threats detected
Analysis date:
2026-07-09 09:35:23 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
File Type:
jar
First seen:
2026-07-09T06:57:00Z UTC
Last seen:
2026-07-09T07:05:00Z UTC
Hits:
~10
Result
Threat name:
SilentNet
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
96 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Exploit detected, runtime environment starts unknown processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected SilentNet
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1939826 Sample: Radiumclient.jar Startdate: 09/07/2026 Architecture: WINDOWS Score: 96 80 thisisafalsepositive.st 2->80 82 pypi.org 2->82 84 3 other IPs or domains 2->84 102 Suricata IDS alerts for network traffic 2->102 104 Yara detected SilentNet 2->104 106 Exploit detected, runtime environment starts unknown processes 2->106 108 4 other signatures 2->108 12 cmd.exe 1 2->12         started        signatures3 process4 process5 14 java.exe 5 12->14         started        16 conhost.exe 12->16         started        process6 18 javaw.exe 884 14->18         started        dnsIp7 86 150.136.141.142, 443, 49708 ORACLE-BMC-31898-OracleCorporationUS United States 18->86 88 198.178.224.35, 443, 49699, 49715 LATITUDE-SH-LatitudeshUS United States 18->88 90 thisisafalsepositive.st 185.178.208.191, 443, 49711, 49712 DDOS-GUARDRU Russia 18->90 48 C:\Users\user\AppData\Local\...\python.exe, PE32+ 18->48 dropped 50 C:\Users\user\AppData\Local\...\python312.zip, Zip 18->50 dropped 52 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 18->52 dropped 54 624 other files (none is malicious) 18->54 dropped 22 python.exe 213 18->22         started        file8 process9 dnsIp10 92 132.145.155.63, 443, 49717 ORACLE-BMC-31898-OracleCorporationUS United States 22->92 94 151.101.192.175, 443, 49727 FASTLY-FastlyIncUS Canada 22->94 96 3 other IPs or domains 22->96 56 C:\Users\user\AppData\Local\...\python.exe, PE32+ 22->56 dropped 58 C:\Users\user\AppData\...\tmp_ndtvtb50.zip, Zip 22->58 dropped 60 C:\Users\user\AppData\Local\...\python312.zip, Zip 22->60 dropped 62 32 other files (none is malicious) 22->62 dropped 110 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->110 112 Tries to harvest and steal browser information (history, passwords, etc) 22->112 114 Writes to foreign memory regions 22->114 116 3 other signatures 22->116 27 python.exe 1088 22->27         started        32 pip.exe 22->32         started        34 conhost.exe 22->34         started        36 chrome.exe 22->36         started        file11 signatures12 process13 dnsIp14 100 dualstack.python.map.fastly.net 151.101.192.223, 443, 49739 FASTLY-FastlyIncUS Canada 27->100 72 C:\Users\user\AppData\Local\...\pip3.exe, PE32+ 27->72 dropped 74 C:\Users\user\AppData\Local\...\pip3.12.exe, PE32+ 27->74 dropped 76 C:\Users\user\AppData\Local\...\pip.exe, PE32+ 27->76 dropped 78 378 other files (none is malicious) 27->78 dropped 118 Writes many files with high entropy 27->118 38 conhost.exe 27->38         started        40 python.exe 32->40         started        44 conhost.exe 32->44         started        file15 signatures16 process17 dnsIp18 98 151.101.128.223, 443, 49747 FASTLY-FastlyIncUS Canada 40->98 64 95ad9cf1790ae51303...729f24d.body (copy), Python 40->64 dropped 66 750721289c257d7ef1...c2c8a0f.body (copy), Python 40->66 dropped 68 49583e7972e864a609...ef5e4e7.body (copy), Python 40->68 dropped 70 87 other files (20 malicious) 40->70 dropped 46 cmd.exe 40->46         started        file19 process20
Threat name:
Win32.Trojan.Ravartar
Status:
Malicious
First seen:
2026-07-09 02:16:17 UTC
File Type:
Binary (Archive)
Extracted files:
5326
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Result
Malware family:
silentnet
Score:
  10/10
Tags:
family:silentnet adware persistence ransomware spyware stealer
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates connected drives
Boot or Logon Autostart Execution: Active Setup
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SilentNet

Java file jar 7c19a1542080f4012dc56f080c367c4646190b9e4dd8dde151de7a5efd01bb86

(this sample)

  
Delivery method
Distributed via web download

Comments