MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d17ba41ab2d4cd013658e2d46d40ead827b2b33be55f038fad1fc188f08ef7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

NanoCore

Vendor detections: 16

Intelligence 16 IOCs YARA 23 File information Comments

SHA256 hash:	7d17ba41ab2d4cd013658e2d46d40ead827b2b33be55f038fad1fc188f08ef7a
SHA3-384 hash:	0c868f120d8ea0fd331f3f522c15c445431859c66661ca18af9a2adbc362801a487774d426bbf9469de78cb3f76116e3
SHA1 hash:	4e35e77a0c416fe0fb9c0b4961642f7d8b3c77f0
MD5 hash:	c83f3a585192de9c5bdf3850726b6263
humanhash:	minnesota-two-seven-texas
File name:	eternalblue-go.exe
Download:	download sample
Signature	NanoCore Create hunting rule
File size:	2'525'696 bytes
First seen:	2025-09-15 11:11:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6ed4f5f04d62b18d96b26d6db7c18840 (234 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep	49152:/BWMwH9v/XQz9b10F6JLSsMRBY0j6F1tvYlBmdafko+Qx65tQBlCcVmM:5yHVXQ/0F6JLSsMBJjkHvybfko+S65tq
TLSH	T142C5335B646AB4F0F0657F308369F9942A4E70932F6128A54F1AC5D90B78ED1F9E038B
TrID	32.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 28.9% (.EXE) Win32 Executable (generic) (4504/4/1) 13.0% (.EXE) OS/2 Executable (generic) (2029/13) 12.8% (.EXE) Generic Win/DOS Executable (2002/3) 12.8% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	skocherhan
Tags:	exe github-invoicefa NanoCore

skocherhan

https://github.com/invoicefa/United-States/raw/refs/heads/main/eternalblue-go.exe

Intelligence

File Origin

# of uploads :

# of downloads :

374

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

eternalblue-go.exe

Verdict:

No threats detected

Analysis date:

2025-09-15 11:13:03 UTC

Tags:

smb upx golang

Link:

https://app.any.run/tasks/fa9f6432-052b-4346-a9ca-6903871f0777

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/27535/

Detection(s):

Win.Malware.Shadowbrokers-9919377-0

Win.Tool.Shadowbrokers-9800457-0

Win.Tool.Shadowbrokers-10026173-0

Win.Exploit.EQGRP-6322722-0

SecuriteInfo.com.Trojan.Equation.4.24445.10532.UNOFFICIAL

Win.Exploit.Doublepulsar-7427328-0

Xml.Exploit.EQGRP-6322719-1

Win.Exploit.Ulise-9853106-0

Win.Trojan.Generic-9858245-0

Win.Trojan.Emotet-9858246-0

Win.Exploit.EternalBlue-6320312-0

Win.Exploit.Eternal-6320394-0

Win.Trojan.Agent-6284384-0

Win.Malware.Cxce-10040847-0

Win.Malware.Cxcd-9888060-0

Win.Malware.Cxcd-9888201-0

Win.Malware.Cxcd-9888693-0

SecuriteInfo.com.PUA.HackTool.AYBA.26448.25415.UNOFFICIAL

SecuriteInfo.com.SCGeneric1.DEP.4289.2668.UNOFFICIAL

SecuriteInfo.com.Trojan.Equation.24.27752.2303.UNOFFICIAL

Win.Tool.Shadowbrokers-9943477-0

SecuriteInfo.com.PUA.HackTool.AXIK.19547.2787.UNOFFICIAL

Win.Tool.Shadowbrokers-10040848-0

Win.Trojan.NanoCore-9852758-0

Win.Trojan.Nanocore-5

Win.Tool.Shadowbrokers-9775051-0

Win.Tool.Shadowbrokers-9943479-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68c7f46cd49ea3f1e4b5e9cf

Tags:

nanocore virlock

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Connection attempt

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm obfuscated packed packed packed packed upx

Link:

https://www.filescan.io/uploads/68c7f46473287948292a5b37/reports/a782350b-57a0-41a5-93c1-5267da91008c/overview

Verdict:

Malicious

Labled as:

Ransom.Snatch.Generic

Link:

https://www.hybrid-analysis.com/sample/7d17ba41ab2d4cd013658e2d46d40ead827b2b33be55f038fad1fc188f08ef7a

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-15T10:28:00Z UTC

Last seen:

2025-09-15T10:28:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/7d17ba41ab2d4cd013658e2d46d40ead827b2b33be55f038fad1fc188f08ef7a/results?tab=lookup

Malware family:

FuzzBunch

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2122d6bf-2e27-4595-8342-d8fb9632e835

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7d17ba41ab2d4cd013658e2d46d40ead827b2b33be55f038fad1fc188f08ef7a

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/c83f3a585192de9c5bdf3850726b6263

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7d17ba41ab2d4cd013658e2d46d40ead827b2b33be55f038fad1fc188f08ef7a/

Threat name:

Win32.Ransomware.Snatch

Status:

Malicious

First seen:

2025-09-15 11:12:41 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 38 (78.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pul3uqnlfvgnae3frywunvaovwbhwkztxzk7aoh22h6brdyi555a._file

Verdict:

malicious

Label(s):

darkpulsar

Similar samples:

error

NanoCore

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery upx

Link:

https://tria.ge/reports/250915-nakb5sal6v/

Behaviour

System Location Discovery: System Language Discovery

UPX packed file

Verdict:

Malicious

Tags:

trojan Win.Malware.Shadowbrokers-9919377-0

YARA:

SUSP_Imphash_Mar23_3

Link:

https://app.threat.zone/submission/c3df269f-ef04-4a5d-80b1-04d7c34246ff

Unpacked files

SH256 hash:

7d17ba41ab2d4cd013658e2d46d40ead827b2b33be55f038fad1fc188f08ef7a

MD5 hash:

c83f3a585192de9c5bdf3850726b6263

SHA1 hash:

4e35e77a0c416fe0fb9c0b4961642f7d8b3c77f0

Link:

https://www.unpac.me/results/cfe0b755-aeec-495a-8bcb-4adf3732b8a8/

SH256 hash:

0839d466be571c06806e915b483326c13d7d8c9a678460e86dc2f95808598273

MD5 hash:

7bfe21a9475b0fee5f4107c45f4def51

SHA1 hash:

d22ae1d34b4909eaf4c9e2f76d8e10ea42178f63

Link:

https://www.unpac.me/results/cfe0b755-aeec-495a-8bcb-4adf3732b8a8/

SH256 hash:

8ee006bbcba8de790e55c9a396c6b9f807f47532143c9032fa31a5567759e9c8

MD5 hash:

7210d5a005b14b80de452c4c6be7b116

SHA1 hash:

f71c1203b6c2ddc85c2cb097df8dee0a28b45ee1

Link:

https://www.unpac.me/results/cfe0b755-aeec-495a-8bcb-4adf3732b8a8/

SH256 hash:

b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa

MD5 hash:

3e89c56056e5525bf4d9e52b28fbbca7

SHA1 hash:

08f93ab25190a44c4e29bee5e8aacecc90dab80c

Detections:

win_darkpulsar_auto

Link:

https://www.unpac.me/results/cfe0b755-aeec-495a-8bcb-4adf3732b8a8/

Parent samples :

44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a
f2af31b74bfe1648b8c06ce5b3869e81ce8caafe4a265e007af4036af3448ae7
dc1e68fc5367bd44af8bec53aa4d33e9a50c1012be139eeb056f45b0b365fa1a
c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6
7d17ba41ab2d4cd013658e2d46d40ead827b2b33be55f038fad1fc188f08ef7a

SH256 hash:

b556b5c077e38dcb65d21a707c19618d02e0a65ff3f9887323728ec078660cc3

MD5 hash:

f82fa69bfe0522163eb0cf8365497da2

SHA1 hash:

75be54839f3d01dc4755ddc319f23f287b1f9a7b

Link:

https://www.unpac.me/results/cfe0b755-aeec-495a-8bcb-4adf3732b8a8/

SH256 hash:

0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887

MD5 hash:

3c2fe2dbdf09cfa869344fdb53307cb2

SHA1 hash:

b67a8475e6076a24066b7cb6b36d307244bb741f

Detections:

win_darkpulsar_auto

INDICATOR_TOOL_EXP_EternalBlue

Link:

https://www.unpac.me/results/cfe0b755-aeec-495a-8bcb-4adf3732b8a8/

Parent samples :

44c11f2419a7650053168843f0c092a45187920bec71ede3d26473472575ee6a
f2af31b74bfe1648b8c06ce5b3869e81ce8caafe4a265e007af4036af3448ae7
c751d97251cd67604c0256b779fabac87d4ed2d647ce0d830e2a1670cd3616c6
7d17ba41ab2d4cd013658e2d46d40ead827b2b33be55f038fad1fc188f08ef7a

SH256 hash:

b7d8fcc3fb533e5e0069e00bc5a68551479e54a990bb1b658e1bd092c0507d68

MD5 hash:

5b72ccfa122e403919a613785779af49

SHA1 hash:

f560ea0a109772be2b62c539b0bb67c46279abd1

Link:

https://www.unpac.me/results/cfe0b755-aeec-495a-8bcb-4adf3732b8a8/

Malware family:

NanoCore

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7d17ba41ab2d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7d17ba41ab2d4cd013658e2d46d40ead827b2b33be55f038fad1fc188f08ef7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	Detect_Go_GOMAXPROCS Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SUSP_Imphash_Mar23_3 Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:	Internal Research

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/27535/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample