MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98106340b98a635dc433a672ab2c1fccf2b714928c43ab9cc96e390a8d6dbe99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SilentNet


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash: 98106340b98a635dc433a672ab2c1fccf2b714928c43ab9cc96e390a8d6dbe99
SHA3-384 hash: 35800e04f8db080e3aa0ce3a448b3a3d14302929373b34b3c3202a6599a1fa925aae2080d4140369ad935978d65c7394
SHA1 hash: a666f44ea7deb3d14f99b0bfd64d5a41bc836d8d
MD5 hash: 811dd3f7ffc02f4221668a676d18f01d
humanhash: oranges-lemon-eight-georgia
File name:QearanQlient_1.21.11sn.jar
Download: download sample
Signature SilentNet
File size:10'312'760 bytes
First seen:2026-07-12 11:12:25 UTC
Last seen:Never
File type:Java file jar
MIME type:application/zip
ssdeep 196608:6Aq+n9sHuJCd57gPl0F2FSRwj7TZSl71BkNnvf0aLBG3B4ZifMzF2y1PPtu:C+n9sOJc57g7F17E5gZvckma9F2KP4
TLSH T1F6A6333EE889DE38E9E6B09942E0BC12F17067C9E01258F9675C373DD41670AE79C61B
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter burger
Tags:jar SilentNet

Intelligence


File Origin
# of uploads :
1
# of downloads :
142
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
QearanQlient_1.21.11sn.jar
Verdict:
Malicious activity
Analysis date:
2026-07-11 12:46:25 UTC
Tags:
silentnet stealer github evasion auto generic python arch-doc arch-exec arch-scr

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Tags:
shellcode virus java
Result
Threat name:
SilentNet
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Exploit detected, runtime environment starts unknown processes
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected SilentNet
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1941194 Sample: QearanQlient_1.21.11sn.jar Startdate: 12/07/2026 Architecture: WINDOWS Score: 100 79 pypi.org 2->79 81 files.pythonhosted.org 2->81 83 2 other IPs or domains 2->83 101 Suricata IDS alerts for network traffic 2->101 103 Multi AV Scanner detection for submitted file 2->103 105 Yara detected SilentNet 2->105 107 5 other signatures 2->107 11 cmd.exe 1 2->11         started        signatures3 process4 process5 13 java.exe 5 11->13         started        16 conhost.exe 11->16         started        signatures6 117 Found many strings related to Crypto-Wallets (likely being stolen) 13->117 18 javaw.exe 884 13->18         started        process7 dnsIp8 85 150.136.141.142, 443, 49706, 49715 ORACLE-BMC-31898-OracleCorporationUS United States 18->85 87 198.178.224.35, 443, 49701, 49713 LATITUDE-SH-LatitudeshUS United States 18->87 89 185.178.208.191, 443, 49709, 49710 DDOS-GUARDRU Russia 18->89 47 C:\Users\user\AppData\Local\...\python.exe, PE32+ 18->47 dropped 49 C:\Users\user\AppData\Local\...\python312.zip, Zip 18->49 dropped 51 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 18->51 dropped 53 624 other files (none is malicious) 18->53 dropped 22 python.exe 213 18->22         started        file9 process10 dnsIp11 91 151.101.64.175, 443, 49725 FASTLY-FastlyIncUS Canada 22->91 93 151.101.64.223, 443, 49719 FASTLY-FastlyIncUS Canada 22->93 95 2 other IPs or domains 22->95 63 C:\Users\user\AppData\Local\...\python.exe, PE32+ 22->63 dropped 65 C:\Users\user\AppData\...\tmp_ujjwo4pu.zip, Zip 22->65 dropped 67 C:\Users\user\AppData\Local\...\python312.zip, Zip 22->67 dropped 69 32 other files (none is malicious) 22->69 dropped 109 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->109 111 Found many strings related to Crypto-Wallets (likely being stolen) 22->111 113 Tries to harvest and steal browser information (history, passwords, etc) 22->113 115 4 other signatures 22->115 27 pip.exe 22->27         started        29 python.exe 1088 22->29         started        34 conhost.exe 22->34         started        36 chrome.exe 22->36         started        file12 signatures13 process14 dnsIp15 38 python.exe 27->38         started        41 conhost.exe 27->41         started        97 dualstack.python.map.fastly.net 151.101.0.223, 443, 49738, 49743 FASTLY-FastlyIncUS Canada 29->97 99 pypi.org 151.101.192.223, 443, 49737, 49741 FASTLY-FastlyIncUS Canada 29->99 71 C:\Users\user\AppData\Local\...\pip3.exe, PE32+ 29->71 dropped 73 C:\Users\user\AppData\Local\...\pip3.12.exe, PE32+ 29->73 dropped 75 C:\Users\user\AppData\Local\...\pip.exe, PE32+ 29->75 dropped 77 378 other files (none is malicious) 29->77 dropped 119 Writes many files with high entropy 29->119 43 conhost.exe 29->43         started        45 cmd.exe 29->45         started        file16 signatures17 process18 file19 55 C:\Users\user\AppData\Local\...\tmpzqk2k989, Zip 38->55 dropped 57 C:\Users\user\AppData\Local\...\tmpol5yiyo5, Zip 38->57 dropped 59 C:\Users\user\AppData\Local\...\tmpj0bta0n_, Zip 38->59 dropped 61 461 other files (17 malicious) 38->61 dropped
Threat name:
ByteCode-JAVA.Trojan.Generic
Status:
Suspicious
First seen:
2026-07-07 07:09:28 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Result
Malware family:
silentnet
Score:
  10/10
Tags:
family:silentnet stealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:RANSOMWARE
Author:ToroGuitar

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments