MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb7631efd363903461609683205e215ffde4f8edda7659608cdba69ad98cfdf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SilentNet


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash: eb7631efd363903461609683205e215ffde4f8edda7659608cdba69ad98cfdf9
SHA3-384 hash: f0fcc56a364d859565c7abc82eb9640ecac34327652b3274669460c85fea696d96e3d783e5c0593622d279396627c372
SHA1 hash: 91fa6914bcb96307da48f80cee25ef93917a9f64
MD5 hash: c08eb7cbe473f7116a59b7b0aaa4280f
humanhash: grey-berlin-network-edward
File name:krypton.jar
Download: download sample
Signature SilentNet
File size:2'500'769 bytes
First seen:2026-07-14 14:35:06 UTC
Last seen:Never
File type:Java file jar
MIME type:application/zip
ssdeep 49152:IfeUfJ4P0zvck5MEw6KUV0CcFKXAVmGaykrl2rZU6dMVeOu8:0j4svcAD3+F+AVmGazQrZtO
TLSH T1C3C533F38C971858E5351265BC22DB0CAF502BB52300AF665DF94EA3C36E277A24677C
TrID 77.1% (.JAR) Java Archive (13500/1/2)
22.8% (.ZIP) ZIP compressed archive (4000/1)
Magika jar
Reporter burger
Tags:jar SilentNet

Intelligence


File Origin
# of uploads :
1
# of downloads :
136
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
File Type:
jar
First seen:
2026-06-23T16:59:00Z UTC
Last seen:
2026-07-15T11:05:00Z UTC
Hits:
~10
Result
Threat name:
SilentNet
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Exploit detected, runtime environment starts unknown processes
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected SilentNet
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1942308 Sample: krypton.jar Startdate: 14/07/2026 Architecture: WINDOWS Score: 100 79 pypi.org 2->79 81 files.pythonhosted.org 2->81 83 2 other IPs or domains 2->83 101 Suricata IDS alerts for network traffic 2->101 103 Multi AV Scanner detection for submitted file 2->103 105 Yara detected SilentNet 2->105 107 4 other signatures 2->107 12 cmd.exe 1 2->12         started        signatures3 process4 process5 14 java.exe 5 12->14         started        17 conhost.exe 12->17         started        signatures6 117 Found many strings related to Crypto-Wallets (likely being stolen) 14->117 19 javaw.exe 884 14->19         started        process7 dnsIp8 85 150.136.141.142, 443, 49701 ORACLE-BMC-31898-OracleCorporationUS United States 19->85 87 198.178.224.35, 443, 49699, 49719 LATITUDE-SH-LatitudeshUS United States 19->87 89 185.178.208.191, 443, 49705, 49716 DDOS-GUARDRU Russia 19->89 47 C:\Users\user\AppData\Local\...\python.exe, PE32+ 19->47 dropped 49 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 19->49 dropped 51 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 19->51 dropped 53 623 other files (none is malicious) 19->53 dropped 23 python.exe 213 19->23         started        file9 process10 dnsIp11 91 132.145.155.63, 443, 49721 ORACLE-BMC-31898-OracleCorporationUS United States 23->91 93 151.101.0.175, 443, 49729 FASTLY-FastlyIncUS Canada 23->93 95 3 other IPs or domains 23->95 63 C:\Users\user\AppData\...\tmpd1lo4d55.tmp, PE32+ 23->63 dropped 65 C:\Users\user\AppData\Local\...\winsound.pyd, PE32+ 23->65 dropped 67 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 23->67 dropped 69 30 other files (none is malicious) 23->69 dropped 109 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->109 111 Found many strings related to Crypto-Wallets (likely being stolen) 23->111 113 Tries to harvest and steal browser information (history, passwords, etc) 23->113 115 3 other signatures 23->115 28 pip.exe 23->28         started        30 python.exe 1088 23->30         started        34 conhost.exe 23->34         started        36 chrome.exe 23->36         started        file12 signatures13 process14 dnsIp15 38 python.exe 28->38         started        41 conhost.exe 28->41         started        97 pypi.org 151.101.128.223, 443, 49742, 49768 FASTLY-FastlyIncUS Canada 30->97 99 dualstack.python.map.fastly.net 151.101.192.223, 443, 49743, 49770 FASTLY-FastlyIncUS Canada 30->99 71 C:\Users\user\AppData\Local\...\pip3.exe, PE32+ 30->71 dropped 73 C:\Users\user\AppData\Local\...\pip3.12.exe, PE32+ 30->73 dropped 75 C:\Users\user\AppData\Local\...\pip.exe, PE32+ 30->75 dropped 77 378 other files (none is malicious) 30->77 dropped 43 conhost.exe 30->43         started        file16 process17 file18 55 C:\Users\user\...\clear_comtypes_cache.exe, PE32+ 38->55 dropped 57 C:\Users\user\AppData\Local\...\docview.py, Python 38->57 dropped 59 C:\Users\user\AppData\Local\...\Pythonwin.exe, PE32+ 38->59 dropped 61 470 other files (none is malicious) 38->61 dropped 45 cmd.exe 38->45         started        process19
Threat name:
ByteCode-JAVA.Trojan.Generic
Status:
Suspicious
First seen:
2026-06-14 20:21:02 UTC
File Type:
Binary (Archive)
Extracted files:
13
AV detection:
4 of 36 (11.11%)
Threat level:
  5/5
Result
Malware family:
silentnet
Score:
  10/10
Tags:
family:silentnet stealer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:RANSOMWARE
Author:ToroGuitar

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments