• Stars
    star
    1,214
  • Rank 38,600 (Top 0.8 %)
  • Language
    HTML
  • Created almost 5 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Malware samples, analysis exercises and other interesting resources.

Tweet  Github Discussions

Malware Samples

This repository is intended to provide access to a wide variety of malicious files and other artifacts.

All of the samples are in a password protected ZIP archive using a password of: infected

Malware Analysis Exercises

In addition to providing artifacts from samples, I will regularly post malware anlaysis exercises. These exercises will cover a wide range of malware analysis topics and come with detailed solutions and walk-throughs.

2022

2021

2020

Training PCAPs

PCAP files that exhibit specific network activity, to help with analysis, rule writing or whatever comes your way! Relevant capture filters are applied to help limit the scope of what is in the PCAP file.

-> Training PCAPs

Summary of Samples

Samples from Trainings and Workshops

Sample files and other artifacts from public trainings, talks and workshops.

2021

2020

Maldocs

Will contain Office documents identified to be used to distribute malware based on organizing folder structure. For example, the emotet folder will contain maldocs identified to have dropped Emotet. These samples are organized by year/month that I obtained and executed them - this may deviate slightly from when they were first discovered in the wild (for example, first submission date on VirusTotal).

To the max extend possible I will also include associated PCAPs. PCAPs may contain the resuling Emotet binary that was dropped, as well as follow-on C2 communication. However, I can not guarantee that each PCAP will contain this full sequence of events.

Current maldocs include:

  • AgentTesla
  • Banload
  • Emotet
  • Hancitor
  • IcedId
  • Lokibot
  • Trickbot
  • Unknown

Maldoc Templates

The image analysis script used to generate maldoc image graphs can be found at: https://github.com/jstrosch/graph-maldoc-similar-images

Memory Dumps

Will contain full VM memory and individual process memory dumps from malware samples. Most will come from dumpming memory via Cuckoo Sandox. Due to the size of the memory dumps, links to an archived version of them are provided for download. Current memory dumps include:

  • Emotet
  • LokiBot

Binaries

This will contain binaries (i.e. PE/.NET, Java, etc) from known malware families. Currently, this archive contains samples from:

  • Agenttesla
  • Ave Maria / Warzone RAT
  • Azorult
  • Blue Botnet
  • Buer Loader
  • Dridex
  • Emotet
  • Gandcrab
  • Lokibot
  • Nanocore
  • Remcos
  • Socelars
  • Trickbot
  • Troldesh
  • Turkojan
  • Vidar

Warnings and Disclaimers

This repository is intended for educational and research purposes. The samples provided here are all real-world malware, please handle with all of the necessary caution.

Please note, all samples/artifacts will be in a password-protected archive using a password of: infected

More Repositories

1

learning-reverse-engineering

This repository contains sample programs written primarily in C and C++ for learning native code reverse engineering.
C
163
star
2

learning-malware-analysis

This repository contains sample programs that mimick behavior found in real-world malware. The goal is to provide source code that can be compiled and used for learning purposes, without having to worry about handling live malware.
C#
161
star
3

subparse

Modular malware analysis artifact collection and correlation framework
Python
52
star
4

XOR-Decode-Strings-IDA-Plugin

This IDA Python plugin is intended to get you started creating IDA Plugins with Python, recognize the importance of deobfuscating strings and work on translating assembly to a higher-level language (i.e. Python).
Python
25
star
5

graph-maldoc-similar-images

A script that extracts embedded images from Office Open XML (OOXML) documents and generates image hash similarity graphs that cluster visually similar images together. The script computes the Average Hash of each extracted image, then graphs the images if they meet the similarity threshold. The script can be used as a technique for visually identifying malware campaigns involving documents. To use the script, supply a directory containing OOXML files. If LibreOffice is in your PATH you can optionally convert non-OOXML Word, Excel, PowerPoint and Rich Text File documents to OOXML. The script outputs DOT files that can be exported as images using Graphviz. If Graphviz is in your PATH you can also export to an SVG (preferred) or PNG image.
Python
18
star
6

search-abuse.ch

Python3 script that can download samples directly from Abuse.CH or via submitted URLs
Python
15
star
7

Username_Generator

A Burp Extension that parses emails from HTTP content and can optionally generate usernames.
Python
8
star
8

shodan-scan-wrapper

Python3 script that wraps Shodan CLI - it resolves a domain to an IP and then performs a scan
Python
8
star
9

hybrid-analysis-api

This is a small Python3 script that allows you to search and download samples from Hybrid Analysis' v2 API
Python
7
star
10

malware-signatures

A collection of various signatures that I have either found or created, useful for malware analysis.
YARA
5
star
11

Rapid-Tool-Development

This repository contains programs for CSC 842.
Python
4
star
12

Academic

This is a repository for a variety of academic projects
C
4
star
13

ps-suricata-lab

3
star
14

emotet-droppers-fall2019

Python3 script that deobfuscates and then decodes base64 string that contains PowerShell script and extracts the URLs used to download Emotet binaries
Python
2
star
15

learning-software-exploitation

This repository contains sample code, projects and lab walk-throughs to help learn software exploitation.
2
star
16

CSC-840

C++
1
star