MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dce3111a0327b3e3a572cdb2e3894e759d0b7678c8e0c3bd3be07361f4f7c69c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SilentNet


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments

SHA256 hash: dce3111a0327b3e3a572cdb2e3894e759d0b7678c8e0c3bd3be07361f4f7c69c
SHA3-384 hash: 7a0dce3f97e2d04ef594f520ee740b9cb0065a54b84627786ea97ccbeb8dd8fb488a29100a72d07a0461438153717908
SHA1 hash: 4cb637c971fe2d691f831a7ca264b65a16c682a0
MD5 hash: 18e802f71e0cf5f4fe35054432ae7dd0
humanhash: equal-wolfram-solar-mockingbird
File name:KryptonCLIENTCracked.jar
Download: download sample
Signature SilentNet
File size:5'652'824 bytes
First seen:2026-06-27 10:18:29 UTC
Last seen:Never
File type:Java file jar
MIME type:application/zip
ssdeep 98304:vQX66vQGWc8IQYrc16j5E0iG6oEiUyQtka0fyLmm800Dx+KyksqYGO:06MQ/+QR16j5E0bjDaUG80S8KMz
TLSH T1F5463320D5BD267DD1632730D4860E2B7B5E23C4AD027E2F2FB418B60D466C66FC6B99
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter burger
Tags:jar SilentNet

Intelligence


File Origin
# of uploads :
1
# of downloads :
110
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
KryptonCLIENTCracked.jar
Verdict:
Malicious activity
Analysis date:
2026-06-24 18:18:21 UTC
Tags:
silentnet stealer etherhiding python evasion arch-exec arch-doc openssl tool arch-scr

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File Type:
jar
First seen:
2026-06-22T10:18:00Z UTC
Last seen:
2026-06-28T01:55:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Java.Generic
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Exploit detected, runtime environment starts unknown processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential Privilege Escalation using Task Scheduler highest RunLevel
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Schedule system process
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1934454 Sample: KryptonCLIENTCracked.jar Startdate: 27/06/2026 Architecture: WINDOWS Score: 100 115 files.pythonhosted.org 2->115 117 pypi.org 2->117 119 2 other IPs or domains 2->119 135 Suricata IDS alerts for network traffic 2->135 137 Multi AV Scanner detection for dropped file 2->137 139 Multi AV Scanner detection for submitted file 2->139 141 9 other signatures 2->141 12 cmd.exe 1 2->12         started        14 powershell.exe 2->14         started        signatures3 process4 signatures5 17 java.exe 5 12->17         started        19 conhost.exe 12->19         started        163 Loading BitLocker PowerShell Module 14->163 21 conhost.exe 14->21         started        process6 process7 23 javaw.exe 884 17->23         started        dnsIp8 123 150.136.141.142, 443, 49698, 49714 ORACLE-BMC-31898-OracleCorporationUS United States 23->123 125 198.178.224.35, 443, 49696, 49712 LATITUDE-SH-LatitudeshUS United States 23->125 127 185.178.208.191, 443, 49704, 49709 DDOS-GUARDRU Russia 23->127 91 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 23->91 dropped 93 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 23->93 dropped 95 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 23->95 dropped 97 623 other malicious files 23->97 dropped 27 python.exe 218 23->27         started        file9 process10 dnsIp11 129 151.101.0.175, 443, 49723 FASTLY-FastlyIncUS Canada 27->129 131 151.101.0.223, 443, 49718 FASTLY-FastlyIncUS Canada 27->131 133 2 other IPs or domains 27->133 107 C:\Users\user\AppData\...\tmp0u73bj14.tmp, PE32+ 27->107 dropped 109 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 27->109 dropped 111 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 27->111 dropped 113 32 other malicious files 27->113 dropped 155 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->155 157 Tries to harvest and steal browser information (history, passwords, etc) 27->157 159 Writes to foreign memory regions 27->159 161 2 other signatures 27->161 32 pip.exe 27->32         started        34 python.exe 1088 27->34         started        39 python.exe 27->39         started        41 2 other processes 27->41 file12 signatures13 process14 dnsIp15 43 python.exe 32->43         started        46 conhost.exe 32->46         started        121 pypi.org 151.101.192.223, 443, 49736, 49737 FASTLY-FastlyIncUS Canada 34->121 75 C:\Users\user\AppData\Local\...\pip3.exe, PE32+ 34->75 dropped 77 C:\Users\user\AppData\Local\...\pip3.12.exe, PE32+ 34->77 dropped 79 C:\Users\user\AppData\Local\...\pip.exe, PE32+ 34->79 dropped 87 378 other malicious files 34->87 dropped 143 Suspicious powershell command line found 34->143 145 Uses schtasks.exe or at.exe to add and modify task schedules 34->145 147 Uses netsh to modify the Windows network and firewall settings 34->147 151 2 other signatures 34->151 48 conhost.exe 34->48         started        50 cmd.exe 34->50         started        81 C:\Recovery\OEM\...\RuntimeBroker.exe, PE32+ 39->81 dropped 83 C:\Users\user\AppData\Local\...\stdole.py, Python 39->83 dropped 85 _78530B68_61F9_11D...A024580902_0_1_0.py, Python 39->85 dropped 89 4 other malicious files 39->89 dropped 149 Adds a directory exclusion to Windows Defender 39->149 52 powershell.exe 39->52         started        55 powershell.exe 39->55         started        57 powershell.exe 39->57         started        59 7 other processes 39->59 file16 signatures17 process18 file19 99 C:\Users\user\AppData\Local\...\wsdump.exe, PE32+ 43->99 dropped 101 C:\Users\user\AppData\Local\...\win32wnet.pyd, PE32+ 43->101 dropped 103 C:\Users\user\AppData\Local\...\win32ts.pyd, PE32+ 43->103 dropped 105 520 other malicious files 43->105 dropped 153 Loading BitLocker PowerShell Module 52->153 61 conhost.exe 52->61         started        63 conhost.exe 55->63         started        65 conhost.exe 57->65         started        67 conhost.exe 59->67         started        69 conhost.exe 59->69         started        71 conhost.exe 59->71         started        73 3 other processes 59->73 signatures20 process21
Threat name:
Win32.Trojan.Ravartar
Status:
Malicious
First seen:
2026-06-22 06:50:43 UTC
File Type:
Binary (Archive)
Extracted files:
546
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Result
Malware family:
silentnet
Score:
  10/10
Tags:
family:silentnet stealer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments