Trojan.ShadowBrokers

By CagedTech in Trojans

Threat Scorecard

Popularity Rank:	2,713
Threat Level:	80 % (High)
Infected Computers:	352,590

First Seen:	May 1, 2017
Last Seen:	April 22, 2026
OS(es) Affected:	Windows

Table of Contents

SpyHunter Detects & Remove Trojan.ShadowBrokers

File System Details

Trojan.ShadowBrokers may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	Eternalblue-2.2.0.exe	8c80dd97c37525927c1e549cb59bcbf3	49,885
Name: Eternalblue-2.2.0.exe MD5: 8c80dd97c37525927c1e549cb59bcbf3 Size: 129.02 KB (129024 bytes) Detections: 49,885 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\Eternalblue-2.2.0.exe Group: Malware file Last Updated: April 22, 2026
2.	Doublepulsar-1.3.1.exe	c24315b0585b852110977dacafe6c8c1	21,337
Name: Doublepulsar-1.3.1.exe MD5: c24315b0585b852110977dacafe6c8c1 Size: 45.56 KB (45568 bytes) Detections: 21,337 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\Doublepulsar-1.3.1.exe Group: Malware file Last Updated: April 22, 2026
3.	libxml2.dll	9a5cec05e9c158cbc51cdc972693363d	21,334
Name: libxml2.dll MD5: 9a5cec05e9c158cbc51cdc972693363d Size: 826.36 KB (826368 bytes) Detections: 21,334 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\libxml2.dll Group: Malware file Last Updated: April 22, 2026
4.	posh-0.dll	2f0a52ce4f445c6e656ecebbcaceade5	21,283
Name: posh-0.dll MD5: 2f0a52ce4f445c6e656ecebbcaceade5 Size: 11.26 KB (11264 bytes) Detections: 21,283 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\posh-0.dll Group: Malware file Last Updated: April 22, 2026
5.	exma-1.dll	ba629216db6cf7c0c720054b0c9a13f3	21,081
Name: exma-1.dll MD5: ba629216db6cf7c0c720054b0c9a13f3 Size: 10.24 KB (10240 bytes) Detections: 21,081 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\exma-1.dll Group: Malware file Last Updated: April 22, 2026
6.	ucl.dll	6b7276e4aa7a1e50735d2f6923b40de4	21,009
Name: ucl.dll MD5: 6b7276e4aa7a1e50735d2f6923b40de4 Size: 58.36 KB (58368 bytes) Detections: 21,009 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\ucl.dll Group: Malware file Last Updated: April 22, 2026
7.	tibe-2.dll	f0881d5a7f75389deba3eff3f4df09ac	20,931
Name: tibe-2.dll MD5: f0881d5a7f75389deba3eff3f4df09ac Size: 237.56 KB (237568 bytes) Detections: 20,931 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\tibe-2.dll Group: Malware file Last Updated: April 22, 2026
8.	tucl-1.dll	83076104ae977d850d1e015704e5730a	20,917
Name: tucl-1.dll MD5: 83076104ae977d850d1e015704e5730a Size: 9.21 KB (9216 bytes) Detections: 20,917 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\tucl-1.dll Group: Malware file Last Updated: April 22, 2026
9.	zlib1.dll	e4ad4df4e41240587b4fe8bbcb32db15	17,227
Name: zlib1.dll MD5: e4ad4df4e41240587b4fe8bbcb32db15 Size: 60.41 KB (60416 bytes) Detections: 17,227 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\zlib1.dll Group: Malware file Last Updated: April 22, 2026
10.	libeay32.dll	f01f09fe90d0f810c44dce4e94785227	17,139
Name: libeay32.dll MD5: f01f09fe90d0f810c44dce4e94785227 Size: 903.16 KB (903168 bytes) Detections: 17,139 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\libeay32.dll Group: Malware file Last Updated: April 22, 2026
11.	ssleay32.dll	5e8ecdc3e70e2ecb0893cbda2c18906f	16,509
Name: ssleay32.dll MD5: 5e8ecdc3e70e2ecb0893cbda2c18906f Size: 184.32 KB (184320 bytes) Detections: 16,509 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\ssleay32.dll Group: Malware file Last Updated: April 22, 2026
12.	cnli-1.dll	a539d27f33ef16e52430d3d2e92e9d5c	16,489
Name: cnli-1.dll MD5: a539d27f33ef16e52430d3d2e92e9d5c Size: 100.86 KB (100864 bytes) Detections: 16,489 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\cnli-1.dll Group: Malware file Last Updated: April 22, 2026
13.	crli-0.dll	f82fa69bfe0522163eb0cf8365497da2	16,470
Name: crli-0.dll MD5: f82fa69bfe0522163eb0cf8365497da2 Size: 17.4 KB (17408 bytes) Detections: 16,470 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\crli-0.dll Group: Malware file Last Updated: April 22, 2026
14.	dmgd-4.dll	a05c7011ab464e6c353a057973f5a06e	15,768
Name: dmgd-4.dll MD5: a05c7011ab464e6c353a057973f5a06e Size: 479.74 KB (479744 bytes) Detections: 15,768 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\dmgd-4.dll Group: Malware file Last Updated: April 22, 2026
15.	WINSec.exe	b60f2efacb26a2462b3d6e826f281ac4	27
Name: WINSec.exe MD5: b60f2efacb26a2462b3d6e826f281ac4 Size: 1.23 MB (1233408 bytes) Detections: 27 Type: Executable File Path: C:\Windows\security\WINSec.exe Group: Malware file Last Updated: August 31, 2023
16.	1710vps.exe	957b4fefdda7a1f41ad29413a67b76b1	0
Name: 1710vps.exe MD5: 957b4fefdda7a1f41ad29413a67b76b1 Size: 3.25 MB (3258468 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: May 1, 2017

Registry Details

Trojan.ShadowBrokers may create the following registry entry or registry entries:

Regexp file mask

%ALLUSERSPROFILE%\blue.fb

%ALLUSERSPROFILE%\blue.xml

%ALLUSERSPROFILE%\star.fb

%ALLUSERSPROFILE%\star.xml

%ALLUSERSPROFILE%\temp1.exe

%ALLUSERSPROFILE%\uname

%ALLUSERSPROFILE%\upass

%WINDIR%\temp\svchost[RANDOM CHARACTERS].(exe$|xml$)

Directories

Trojan.ShadowBrokers may create the following directory or directories:

%HOMEDRIVE%\SMB445

Analysis Report

General information

Family Name:	Trojan.ShadowBrokers
Signature status:	No Signature

Known Samples

MD5: 50ed4bc5359b56245cda608506c455c1

SHA1: 8652992562152f5298993c856df7dcc77b7f512b

SHA256: 5644607EF306F313F7256BB325FFEE95DDA27E379F0895F69CE68F903F141ACD

File Size: 159.74 KB, 159744 bytes

MD5: 88bb8e86877aae53547c229bf9ba6b93

SHA1: 74f256e1b0f5daf6a9cd06b64cb685cac6cfe8af

SHA256: FA7774C0F5EBF0C63FB6B52256961039E24426888B18AA2FB2A2111547DBCBBF

File Size: 24.58 KB, 24576 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have exports table
File doesn't have security information
File is .NET application
File is 32-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name	Value
Assembly Version	1.0.0.0
File Description	Eternalblue
File Version	1.0.0.0
Internal Name	Eternalblue.exe
Legal Copyright	Copyright © 2021
Original Filename	Eternalblue.exe
Product Name	Eternalblue
Product Version	1.0.0.0

File Traits

.NET
x86

Block Information

Total Blocks:	31
Potentially Malicious Blocks:	30
Whitelisted Blocks:	1
Unknown Blocks:	0

Visual Map

x x x x x x x x x x x 0 x x x x x x x x x x x x x x x x x x x

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

MSIL.DiscordRAT.AD
MSIL.Metasploit.A

Registry Modifications

Key::Value	Data	API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ᕽ땷මǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ᕽ땷මǜ	RegNtPreCreateKey

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection Show More ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadFile ntdll.dll!NtReadRequestData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTerminateProcess ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForMultipleObjects ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory UNKNOWN win32u.dll!NtGdiBitBlt win32u.dll!NtGdiCreateBitmap win32u.dll!NtGdiCreateCompatibleDC win32u.dll!NtGdiCreateDIBitmapInternal win32u.dll!NtGdiCreateSolidBrush win32u.dll!NtGdiDeleteObjectApp win32u.dll!NtGdiExtGetObjectW win32u.dll!NtGdiGetDCforBitmap win32u.dll!NtGdiGetDCObject win32u.dll!NtGdiRestoreDC win32u.dll!NtGdiSaveDC win32u.dll!NtGdiSelectBitmap win32u.dll!NtGdiSetDIBitsToDeviceInternal win32u.dll!NtUserCallNoParam win32u.dll!NtUserConsoleControl win32u.dll!NtUserCreateEmptyCursorObject win32u.dll!NtUserGetDC win32u.dll!NtUserGetGUIThreadInfo win32u.dll!NtUserGetKeyboardLayout win32u.dll!NtUserGetProcessWindowStation win32u.dll!NtUserGetThreadState win32u.dll!NtUserReleaseDC 3 additional items are not displayed above.
User Data Access	GetComputerNameEx GetUserDefaultLocaleName GetUserObjectInformation
Process Shell Execute	CreateProcess WriteConsole
Anti Debug	IsDebuggerPresent
Process Terminate	TerminateProcess

Shell Command Execution


							"cmd.exe" /c ""c:\users\user\downloads\8652992562152f5298993c856df7dcc77b7f512b_0000159744" exploit all"


							WriteConsole: '"c:\users\user\


							WriteConsole:  file.

Trojan.ShadowBrokers

Threat Scorecard

EnigmaSoft Threat Scorecard

SpyHunter Detects & Remove Trojan.ShadowBrokers

File System Details

Registry Details

Directories

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Related Posts

Trending

Most Viewed