MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea28b471c5d97b723c36e4989a6442ef32bef2fd8fc3b2b507cc913732c54571. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SilentNet


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea28b471c5d97b723c36e4989a6442ef32bef2fd8fc3b2b507cc913732c54571
SHA3-384 hash: 96bc4f58c08323a0ffa2b64354a98a43503d264da0d835703dc301b7aa87557b977e938ae0f3c9d16d73181fed317e01
SHA1 hash: fceafd1f667bbbf4c9d87ff783836ae7fb252b31
MD5 hash: c306a83ef040b8d2551dd79a6cba21f2
humanhash: batman-charlie-six-pennsylvania
File name:WaterClient1.21.4.jar
Download: download sample
Signature SilentNet
Create hunting rule
File size:2'531'285 bytes
First seen:2026-06-24 11:54:04 UTC
Last seen:Never
File type:Java file jar
MIME type:application/zip
ssdeep 49152:mKg7GDZbhkXXPcWzH0pXyZ5s+w21HljNhtLQ:BlDZNknEWzH0pXyZ5Pw21FNQ
TLSH T1A6C523B3B9CCD934E927F731E0610D32A61C5FC4E646D4AB02F15CDBA85F6D90B4AA09
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter burger
Tags:jar SilentNet

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
WaterClient1.21.4.jar
Verdict:
Malicious activity
Analysis date:
2026-06-24 09:33:44 UTC
Tags:
silentnet stealer etherhiding python evasion arch-exec arch-doc openssl tool
Link:
https://app.any.run/tasks/35c339cb-ee07-4c6d-b8c4-8e4ca35b74bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71827/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3ba4761548daf709f95be7
Tags:
n/a
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ea28b471c5d97b723c36e4989a6442ef32bef2fd8fc3b2b507cc913732c54571
Verdict:
Malicious
File Type:
jar
First seen:
2026-06-20T20:51:00Z UTC
Last seen:
2026-06-25T23:49:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Java.Generic
Link:
https://opentip.kaspersky.com/ea28b471c5d97b723c36e4989a6442ef32bef2fd8fc3b2b507cc913732c54571/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1933122
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Exploit detected, runtime environment starts unknown processes
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes many files with high entropy
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1933122 Sample: WaterClient1.21.4.jar Startdate: 24/06/2026 Architecture: WINDOWS Score: 100 80 www.google.com 2->80 82 pypi.org 2->82 84 5 other IPs or domains 2->84 102 Suricata IDS alerts for network traffic 2->102 104 Antivirus detection for URL or domain 2->104 106 Multi AV Scanner detection for submitted file 2->106 108 5 other signatures 2->108 12 cmd.exe 1 2->12         started        signatures3 process4 process5 14 java.exe 5 12->14         started        17 conhost.exe 12->17         started        signatures6 118 Found many strings related to Crypto-Wallets (likely being stolen) 14->118 19 javaw.exe 884 14->19         started        process7 dnsIp8 86 132.145.155.63, 443, 49720, 49729 ORACLE-BMC-31898-OracleCorporationUS United States 19->86 88 198.178.224.35, 443, 49718, 49727 LATITUDE-SH-LatitudeshUS United States 19->88 90 185.178.208.191, 443, 49722, 49723 DDOS-GUARDRU Russia 19->90 48 C:\Users\user\AppData\Local\...\python.exe, PE32+ 19->48 dropped 50 C:\Users\user\AppData\Local\...\python312.zip, Zip 19->50 dropped 52 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 19->52 dropped 54 624 other files (none is malicious) 19->54 dropped 23 python.exe 213 19->23         started        file9 process10 dnsIp11 92 151.101.64.175, 443, 49737 FASTLY-FastlyIncUS Canada 23->92 94 151.101.64.223, 443, 49733 FASTLY-FastlyIncUS Canada 23->94 96 2 other IPs or domains 23->96 56 C:\Users\user\AppData\Local\...\python.exe, PE32+ 23->56 dropped 58 C:\Users\user\AppData\...\tmp_65imgj7d.zip, Zip 23->58 dropped 60 C:\Users\user\AppData\Local\...\python312.zip, Zip 23->60 dropped 62 32 other files (none is malicious) 23->62 dropped 110 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->110 112 Found many strings related to Crypto-Wallets (likely being stolen) 23->112 114 Tries to harvest and steal browser information (history, passwords, etc) 23->114 116 4 other signatures 23->116 28 python.exe 1088 23->28         started        33 pip.exe 23->33         started        35 conhost.exe 23->35         started        37 chrome.exe 23->37         started        file12 signatures13 process14 dnsIp15 98 dualstack.python.map.fastly.net 151.101.0.223, 443, 49750, 49756 FASTLY-FastlyIncUS Canada 28->98 100 pypi.org 151.101.192.223, 443, 49749, 49754 FASTLY-FastlyIncUS Canada 28->100 72 C:\Users\user\AppData\Local\...\pip3.exe, PE32+ 28->72 dropped 74 C:\Users\user\AppData\Local\...\pip3.12.exe, PE32+ 28->74 dropped 76 C:\Users\user\AppData\Local\...\pip.exe, PE32+ 28->76 dropped 78 378 other files (none is malicious) 28->78 dropped 120 Writes many files with high entropy 28->120 39 conhost.exe 28->39         started        41 python.exe 33->41         started        44 conhost.exe 33->44         started        file16 signatures17 process18 file19 64 95ad9cf1790ae51303...729f24d.body (copy), Python 41->64 dropped 66 750721289c257d7ef1...c2c8a0f.body (copy), Python 41->66 dropped 68 49583e7972e864a609...ef5e4e7.body (copy), Python 41->68 dropped 70 31 other files (14 malicious) 41->70 dropped 46 cmd.exe 41->46         started        process20
Score:
33%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/ea28b471c5d97b723c36e4989a6442ef32bef2fd8fc3b2b507cc913732c54571
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea28b471c5d97b723c36e4989a6442ef32bef2fd8fc3b2b507cc913732c54571/
Verdict:
Malicious
Threat:
Family.SILENTNET
Link:
https://tip.neiki.dev/file/ea28b471c5d97b723c36e4989a6442ef32bef2fd8fc3b2b507cc913732c54571
Threat name:
ByteCode-JAVA.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-20 16:06:34 UTC
File Type:
Binary (Archive)
Extracted files:
547
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5iuli4of3f5xepbw4smjuzcc54zl54x5r7b3fnihzsitomwfivyq._file
Result
Malware family:
silentnet
Create hunting rule
Score:
  10/10
Tags:
family:silentnet stealer
Link:
https://tria.ge/reports/260624-n26dpabx5x/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ea28b471c5d97b723c36e4989a6442ef32bef2fd8fc3b2b507cc913732c54571

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/71827/

Comments