MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93916b2b689b390ba682fe037adbd2005ac1480b0391bbabc73d9efa2ff3427d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SilentNet


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments

SHA256 hash: 93916b2b689b390ba682fe037adbd2005ac1480b0391bbabc73d9efa2ff3427d
SHA3-384 hash: bd026292822005881aa31206d01ac48dd69e456325a2db0dafd5f607698d1cc9a053ca92d45cbd765dadc756afd60b38
SHA1 hash: f0d3bc42875adbfb5e5352bec0df9d9fe10110cf
MD5 hash: 77bd6a8429d5aa31796420d80023484b
humanhash: march-oxygen-harry-louisiana
File name:4eclient.jar
Download: download sample
Signature SilentNet
File size:10'126'312 bytes
First seen:2026-07-09 09:36:04 UTC
Last seen:Never
File type:Java file jar
MIME type:application/zip
ssdeep 196608:f9iyfxjj2QlFjyzAcNeVaqUA0i6hLtPGYyALAo7gyjVePJF+BAqkg:liWp/FgAfsKCtGYjLGysfW7
TLSH T106A633621BAD48C6E4F076B3CF35B8B9387CA7127162ACBD7224CC61754A5D2EF10B61
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter burger
Tags:jar SilentNet

Intelligence


File Origin
# of uploads :
1
# of downloads :
92
Origin country :
US US
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
4eclient.jar
Verdict:
Malicious activity
Analysis date:
2026-07-09 09:35:05 UTC
Tags:
arch-exec silentnet stealer etherhiding arch-doc python evasion openssl tool

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
File Type:
jar
First seen:
2026-07-09T06:52:00Z UTC
Last seen:
2026-07-09T06:55:00Z UTC
Hits:
~10
Result
Threat name:
SilentNet
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Exploit detected, runtime environment starts unknown processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Schedule system process
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected SilentNet
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1939823 Sample: 4eclient.jar Startdate: 09/07/2026 Architecture: WINDOWS Score: 100 117 pypi.org 2->117 119 files.pythonhosted.org 2->119 121 2 other IPs or domains 2->121 151 Suricata IDS alerts for network traffic 2->151 153 Multi AV Scanner detection for dropped file 2->153 155 Yara detected SilentNet 2->155 157 9 other signatures 2->157 12 cmd.exe 1 2->12         started        14 powershell.exe 2->14         started        17 powershell.exe 2->17         started        signatures3 process4 signatures5 19 java.exe 5 12->19         started        21 conhost.exe 12->21         started        171 Loading BitLocker PowerShell Module 14->171 23 conhost.exe 14->23         started        25 conhost.exe 17->25         started        process6 process7 27 javaw.exe 884 19->27         started        dnsIp8 131 150.136.141.142, 443, 49701 ORACLE-BMC-31898-OracleCorporationUS United States 27->131 133 198.178.224.35, 443, 49697, 49708 LATITUDE-SH-LatitudeshUS United States 27->133 135 185.178.208.191, 443, 49703, 49704 DDOS-GUARDRU Russia 27->135 101 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 27->101 dropped 103 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 27->103 dropped 105 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 27->105 dropped 107 623 other malicious files 27->107 dropped 31 python.exe 217 27->31         started        file9 process10 dnsIp11 137 132.145.155.63, 443, 49710 ORACLE-BMC-31898-OracleCorporationUS United States 31->137 139 151.101.0.175, 443, 49720 FASTLY-FastlyIncUS Canada 31->139 141 3 other IPs or domains 31->141 77 C:\Users\user\AppData\...\tmpufzqj492.tmp, PE32+ 31->77 dropped 79 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 31->79 dropped 81 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 31->81 dropped 83 32 other malicious files 31->83 dropped 143 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 31->143 145 Tries to harvest and steal browser information (history, passwords, etc) 31->145 147 Writes to foreign memory regions 31->147 149 2 other signatures 31->149 36 pip.exe 31->36         started        38 python.exe 1088 31->38         started        43 python.exe 31->43         started        45 2 other processes 31->45 file12 signatures13 process14 dnsIp15 47 python.exe 36->47         started        50 conhost.exe 36->50         started        123 pypi.org 151.101.192.223, 443, 49729, 49731 FASTLY-FastlyIncUS Canada 38->123 85 C:\Users\user\AppData\Local\...\pip3.exe, PE32+ 38->85 dropped 87 C:\Users\user\AppData\Local\...\pip3.12.exe, PE32+ 38->87 dropped 89 C:\Users\user\AppData\Local\...\pip.exe, PE32+ 38->89 dropped 97 378 other malicious files 38->97 dropped 161 Suspicious powershell command line found 38->161 163 Uses schtasks.exe or at.exe to add and modify task schedules 38->163 165 Uses netsh to modify the Windows network and firewall settings 38->165 169 2 other signatures 38->169 52 conhost.exe 38->52         started        125 142.251.157.119 GOOGLE-GoogleLLCUS United States 43->125 127 104.16.249.249 CLOUDFLARENET-CloudflareIncUS Canada 43->127 129 23.217.124.240 AKAMAI-AS-AkamaiTechnologiesIncUS United States 43->129 91 C:\Recovery\OEM\...\RuntimeBroker.exe, PE32+ 43->91 dropped 93 C:\Users\user\AppData\Local\...\stdole.py, Python 43->93 dropped 95 _78530B68_61F9_11D...A024580902_0_1_0.py, Python 43->95 dropped 99 4 other malicious files 43->99 dropped 167 Adds a directory exclusion to Windows Defender 43->167 54 powershell.exe 43->54         started        57 powershell.exe 43->57         started        59 powershell.exe 43->59         started        61 7 other processes 43->61 file16 signatures17 process18 file19 109 C:\Users\user\AppData\...\cffi-gen-src.exe, PE32+ 47->109 dropped 111 C:\Users\user\AppData\Local\...\win32wnet.pyd, PE32+ 47->111 dropped 113 C:\Users\user\AppData\Local\...\win32ts.pyd, PE32+ 47->113 dropped 115 553 other malicious files 47->115 dropped 159 Loading BitLocker PowerShell Module 54->159 63 conhost.exe 54->63         started        65 conhost.exe 57->65         started        67 conhost.exe 59->67         started        69 conhost.exe 61->69         started        71 conhost.exe 61->71         started        73 conhost.exe 61->73         started        75 3 other processes 61->75 signatures20 process21
Threat name:
ByteCode-JAVA.Trojan.Generic
Status:
Suspicious
First seen:
2026-07-03 21:35:41 UTC
File Type:
Binary (Archive)
Extracted files:
5326
AV detection:
5 of 38 (13.16%)
Threat level:
  5/5
Result
Malware family:
silentnet
Score:
  10/10
Tags:
family:silentnet stealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:RANSOMWARE
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SilentNet

Java file jar 93916b2b689b390ba682fe037adbd2005ac1480b0391bbabc73d9efa2ff3427d

(this sample)

  
Delivery method
Distributed via web download

Comments