{
	"id": "1ce85605-cf8e-4333-8bc8-c11e4b4c8411",
	"created_at": "2026-04-06T00:12:19.150202Z",
	"updated_at": "2026-04-10T03:20:31.874193Z",
	"deleted_at": null,
	"sha1_hash": "07c4be32f05eef5c0ff03df6b2d176c875ea040c",
	"title": "New banking trojan W32.Silon -msjet51.dll",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48445,
	"plain_text": "New banking trojan W32.Silon -msjet51.dll\r\nArchived: 2026-04-05 16:49:36 UTC\r\nIf you have msjet51.dll in system32, you probably have a very dangerous banking trojan on your computer.\r\n \r\nDownload. Email me if you need the password.\r\nSee PDF for full analysis\r\n Extracts.\r\n  Browser Penetration\r\nWhen Internet Explorer runs, it loads several DLLs into its memory to\r\nflexibly enhance its functionality. One of these DLLs is msimtf.dll (a\r\nMicrosoft-signed DLL used to record keyboard inputs), which is not a\r\ncore DLL of Internet Explorer.\r\nThe malware dropper replaces a specific GUID =\u003e\r\nHKEY_CLASSES_ROOT\\CLSID\\{50D5107A-D278-4871-8989-F4CEAAF59CFC} which points to msimtf.dll, with msjet51.dll (under\r\n%systemroot%\\system32).\r\nOnce infected, every time the user runs Internet Explorer, msjet51.dll\r\nis loaded into iexplore.exe. Apparently, this installation step is carried\r\nout by the dropper, and not by the DLL itself.\r\nThe DLL file (msjet51.dll) is located in %systemroot%\\System32, and\r\nhas its hidden attribute turned on.\r\nAdditional File / Registry Key\r\nW32.Silon uses the disk volume serial number to generate a machine-specific\r\nconsistent file name and a registry key name. The disk volume\r\nserial number for a specific machine can easily be found by issuing the\r\nvol command. Assuming that the disk volume serial number is\r\nH1H2H3H4-H5H6H7H8, the following entries are created:\r\n· File %Systemroot%\\Temp\\H1H2H3H4H5H6H7H8 - output file of the\r\nhttp://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html\r\nPage 1 of 3\n\nmalware. 
The malware writes encrypted data (stolen credentials)\r\ninto this file.\r\n· Registry key HKCU\\CLSID\\{H1H2H3H4H5H6H7H8-H3H4H5H6-H5H6H7H8-H3H4H5H6-H2H3H4H5H1H2H3H4H5H6H7H8}\\n,\r\nwhere the following values of n were observed:\r\n· 0 the malware configuration\r\n· 1 the C\u0026C URLs\r\n· 3,4 additional values (probably flags)\r\nThe malware then injects itself into iexplore.exe and svchost.exe.\r\nIt also removes itself from the loaded-module list of iexplore.exe, in\r\norder to elude runtime analysis by anti-virus engines.\r\nThe malware writes its data into a hidden file under the\r\n%systemroot%\\Temp folder.\r\nThe file is encrypted by one-byte XOR with 0xFF (255 decimal).\r\nConfiguration\r\nAs mentioned above, the registry key\r\nHKCU\\CLSID\\{H1H2H3H4H5H6H7H8-H3H4H5H6-H5H6H7H8-H3H4H5H6-H2H3H4H5H1H2H3H4H5H6H7H8} contains four values:\r\n0 malware configuration\r\n1 C\u0026C URLs\r\n3, 4 Additional values (probably flags)\r\nW32.Silon intercepts the POST request, and writes the\r\nlogin data into an encrypted file in the\r\n%systemroot%\\System32\\Temp folder.\r\nPOST request which is sent to the C\u0026C Server. The\r\nserver's URL is one of a list stored in the registry.\r\n[D]:12.10.09 14:37:01 PM\r\n[U]:https://www4. [REMOVED]/.com/internetBanking/RequestRouter\r\n[R]:https://www4.[REMOVED]/.com/internetBanking/RequestRouter?requestCmdI\r\nd=DisplayLoginPage\r\n[\u003e]:requestCmdId=VALIDATEID\r\nUSERID=1133123\r\nRESPONSE_TYPE_IND=\r\nNONCE=NoNonce\r\nMACHINEATTR=colorDepth%3D32%7Cwidth%3D1024%7Cheight%3D768%7C\r\navailWidth%3D1024%7CavailHeight%3D735%7Cplatform%3DWin32%7CjavaEn\r\nabled%3DYes%7CuserAgent%3DMozilla%2F4.0+%28compatible%3B+MSIE+6.0\r\n%3B+Windows+NT+5.1%3B+SV1%3B+.NET+CLR+2.0.50727%29\r\ndoubleclick=2\r\n[D]:12.10.09 14:37:47 PM\r\n[U]:https://www4. [REMOVED]/.com/internetBanking/RequestRouter\r\n[R]:https://www4. 
[REMOVED]/.com/internetBanking/RequestRouter\r\n[\u003e]:requestCmdId=Logon\r\nUSERID=1133123\r\nPSWD=mysecret\r\nLOGINSESSIONID=z92VNnipxdXNNmQ_eoY0za9\r\nRESPONSE_TYPE_IND=\r\ndoubleclick=2\r\nUSEDSINGLEACCESSCODE=null\r\nW32.Silon Malware Analysis\r\nTo identify the machine which sent the POST request, W32.Silon adds\r\nthe i parameter to the request:\r\nPOST /b/i.php?i=\u003cMachine_ID\u003e.\r\nThe machine id contains the hostname (with x replacing\r\nhyphens/underscores) followed by an underscore, followed by the disk\r\nvolume serial number (H1H2H3H4H5H6H7H8).\r\nSource: http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html"
	],
	"report_names": [
		"new-banking-trojan-w32silon-msjet51dll.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07c4be32f05eef5c0ff03df6b2d176c875ea040c.pdf",
		"text": "https://archive.orkl.eu/07c4be32f05eef5c0ff03df6b2d176c875ea040c.txt",
		"img": "https://archive.orkl.eu/07c4be32f05eef5c0ff03df6b2d176c875ea040c.jpg"
	}
}