Trojan.ShadowBrokers

By CagedTech in Trojans

Threat Scorecard

Popularity Rank:	12,413
Threat Level:	80 % (High)
Infected Computers:	350,467

First Seen:	May 1, 2017
Last Seen:	January 29, 2026
OS(es) Affected:	Windows

Table of Contents

SpyHunter Detects & Remove Trojan.ShadowBrokers

File System Details

Trojan.ShadowBrokers may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	Eternalblue-2.2.0.exe	8c80dd97c37525927c1e549cb59bcbf3	49,760
Name: Eternalblue-2.2.0.exe MD5: 8c80dd97c37525927c1e549cb59bcbf3 Size: 129.02 KB (129024 bytes) Detections: 49,760 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\Eternalblue-2.2.0.exe Group: Malware file Last Updated: January 29, 2026
2.	Doublepulsar-1.3.1.exe	c24315b0585b852110977dacafe6c8c1	21,212
Name: Doublepulsar-1.3.1.exe MD5: c24315b0585b852110977dacafe6c8c1 Size: 45.56 KB (45568 bytes) Detections: 21,212 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\Doublepulsar-1.3.1.exe Group: Malware file Last Updated: January 29, 2026
3.	libxml2.dll	9a5cec05e9c158cbc51cdc972693363d	21,209
Name: libxml2.dll MD5: 9a5cec05e9c158cbc51cdc972693363d Size: 826.36 KB (826368 bytes) Detections: 21,209 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\libxml2.dll Group: Malware file Last Updated: January 29, 2026
4.	posh-0.dll	2f0a52ce4f445c6e656ecebbcaceade5	21,158
Name: posh-0.dll MD5: 2f0a52ce4f445c6e656ecebbcaceade5 Size: 11.26 KB (11264 bytes) Detections: 21,158 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\posh-0.dll Group: Malware file Last Updated: January 29, 2026
5.	exma-1.dll	ba629216db6cf7c0c720054b0c9a13f3	20,956
Name: exma-1.dll MD5: ba629216db6cf7c0c720054b0c9a13f3 Size: 10.24 KB (10240 bytes) Detections: 20,956 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\exma-1.dll Group: Malware file Last Updated: January 29, 2026
6.	ucl.dll	6b7276e4aa7a1e50735d2f6923b40de4	20,884
Name: ucl.dll MD5: 6b7276e4aa7a1e50735d2f6923b40de4 Size: 58.36 KB (58368 bytes) Detections: 20,884 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\ucl.dll Group: Malware file Last Updated: January 29, 2026
7.	tibe-2.dll	f0881d5a7f75389deba3eff3f4df09ac	20,806
Name: tibe-2.dll MD5: f0881d5a7f75389deba3eff3f4df09ac Size: 237.56 KB (237568 bytes) Detections: 20,806 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\tibe-2.dll Group: Malware file Last Updated: January 29, 2026
8.	tucl-1.dll	83076104ae977d850d1e015704e5730a	20,792
Name: tucl-1.dll MD5: 83076104ae977d850d1e015704e5730a Size: 9.21 KB (9216 bytes) Detections: 20,792 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\tucl-1.dll Group: Malware file Last Updated: January 29, 2026
9.	zlib1.dll	e4ad4df4e41240587b4fe8bbcb32db15	17,101
Name: zlib1.dll MD5: e4ad4df4e41240587b4fe8bbcb32db15 Size: 60.41 KB (60416 bytes) Detections: 17,101 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\zlib1.dll Group: Malware file Last Updated: January 29, 2026
10.	libeay32.dll	f01f09fe90d0f810c44dce4e94785227	17,014
Name: libeay32.dll MD5: f01f09fe90d0f810c44dce4e94785227 Size: 903.16 KB (903168 bytes) Detections: 17,014 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\libeay32.dll Group: Malware file Last Updated: January 29, 2026
11.	ssleay32.dll	5e8ecdc3e70e2ecb0893cbda2c18906f	16,384
Name: ssleay32.dll MD5: 5e8ecdc3e70e2ecb0893cbda2c18906f Size: 184.32 KB (184320 bytes) Detections: 16,384 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\ssleay32.dll Group: Malware file Last Updated: January 29, 2026
12.	cnli-1.dll	a539d27f33ef16e52430d3d2e92e9d5c	16,364
Name: cnli-1.dll MD5: a539d27f33ef16e52430d3d2e92e9d5c Size: 100.86 KB (100864 bytes) Detections: 16,364 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\cnli-1.dll Group: Malware file Last Updated: January 29, 2026
13.	crli-0.dll	f82fa69bfe0522163eb0cf8365497da2	16,345
Name: crli-0.dll MD5: f82fa69bfe0522163eb0cf8365497da2 Size: 17.4 KB (17408 bytes) Detections: 16,345 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\crli-0.dll Group: Malware file Last Updated: January 29, 2026
14.	dmgd-4.dll	a05c7011ab464e6c353a057973f5a06e	15,643
Name: dmgd-4.dll MD5: a05c7011ab464e6c353a057973f5a06e Size: 479.74 KB (479744 bytes) Detections: 15,643 Type: Dynamic link library Path: %SYSTEMDRIVE%\Users\<username>\Desktop\d081b8737831f51655eb888511f268dc543cf590aa892927cd21c27bfe1b8787\dmgd-4.dll Group: Malware file Last Updated: January 29, 2026
15.	WINSec.exe	b60f2efacb26a2462b3d6e826f281ac4	27
Name: WINSec.exe MD5: b60f2efacb26a2462b3d6e826f281ac4 Size: 1.23 MB (1233408 bytes) Detections: 27 Type: Executable File Path: C:\Windows\security\WINSec.exe Group: Malware file Last Updated: August 31, 2023
16.	1710vps.exe	957b4fefdda7a1f41ad29413a67b76b1	0
Name: 1710vps.exe MD5: 957b4fefdda7a1f41ad29413a67b76b1 Size: 3.25 MB (3258468 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: May 1, 2017

Registry Details

Trojan.ShadowBrokers may create the following registry entry or registry entries:

Regexp file mask

%ALLUSERSPROFILE%\blue.fb

%ALLUSERSPROFILE%\blue.xml

%ALLUSERSPROFILE%\star.fb

%ALLUSERSPROFILE%\star.xml

%ALLUSERSPROFILE%\temp1.exe

%ALLUSERSPROFILE%\uname

%ALLUSERSPROFILE%\upass

%WINDIR%\temp\svchost[RANDOM CHARACTERS].(exe$|xml$)

Directories

Trojan.ShadowBrokers may create the following directory or directories:

%HOMEDRIVE%\SMB445

Analysis Report

General information

Family Name:	Trojan.ShadowBrokers
Signature status:	No Signature

Known Samples

MD5: 50ed4bc5359b56245cda608506c455c1

SHA1: 8652992562152f5298993c856df7dcc77b7f512b

SHA256: 5644607EF306F313F7256BB325FFEE95DDA27E379F0895F69CE68F903F141ACD

File Size: 159.74 KB, 159744 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have exports table
File doesn't have security information
File is .NET application
File is 32-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name	Value
Assembly Version	1.0.0.0
File Description	Eternalblue
File Version	1.0.0.0
Internal Name	Eternalblue.exe
Legal Copyright	Copyright © 2021
Original Filename	Eternalblue.exe
Product Name	Eternalblue
Product Version	1.0.0.0

File Traits

.NET
x86

Block Information

Total Blocks:	31
Potentially Malicious Blocks:	23
Whitelisted Blocks:	5
Unknown Blocks:	3

Visual Map

x x x x 0 x x 0 ? x x 0 x x x x x x x x x x x 0 x 0 x ? x x ?

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

MSIL.Metasploit.A

Registry Modifications

Key::Value	Data	API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ᕽ땷මǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ᕽ땷මǜ	RegNtPreCreateKey

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection Show More ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadFile ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTerminateProcess ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForMultipleObjects ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory UNKNOWN win32u.dll!NtGdiBitBlt win32u.dll!NtGdiCreateBitmap win32u.dll!NtGdiCreateCompatibleDC win32u.dll!NtGdiCreateDIBitmapInternal win32u.dll!NtGdiCreateSolidBrush win32u.dll!NtGdiDeleteObjectApp win32u.dll!NtGdiExtGetObjectW win32u.dll!NtGdiGetDCforBitmap win32u.dll!NtGdiGetDCObject win32u.dll!NtGdiRestoreDC win32u.dll!NtGdiSaveDC win32u.dll!NtGdiSelectBitmap win32u.dll!NtGdiSetDIBitsToDeviceInternal win32u.dll!NtUserCallNoParam win32u.dll!NtUserConsoleControl win32u.dll!NtUserCreateEmptyCursorObject win32u.dll!NtUserGetDC win32u.dll!NtUserGetGUIThreadInfo win32u.dll!NtUserGetKeyboardLayout win32u.dll!NtUserGetProcessWindowStation win32u.dll!NtUserGetThreadState win32u.dll!NtUserReleaseDC win32u.dll!NtUserSelectPalette win32u.dll!NtUserSetCursorIconData win32u.dll!NtUserSetProcessDpiAwarenessContext
User Data Access	GetUserDefaultLocaleName GetUserObjectInformation
Process Shell Execute	CreateProcess WriteConsole
Anti Debug	IsDebuggerPresent
Process Terminate	TerminateProcess

Shell Command Execution


							"cmd.exe" /c ""c:\users\user\downloads\8652992562152f5298993c856df7dcc77b7f512b_0000159744" exploit all"


							WriteConsole: '"c:\users\user\


							WriteConsole:  file.

Trojan.ShadowBrokers

Threat Scorecard

EnigmaSoft Threat Scorecard

SpyHunter Detects & Remove Trojan.ShadowBrokers

File System Details

Registry Details

Directories

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Related Posts

Trending

Most Viewed