Malware Samples

This repository is intended to provide access to a wide variety of malicious files and other artifacts.

All of the samples are in a password protected ZIP archive using a password of: infected

Malware Analysis Exercises

In addition to providing artifacts from samples, I will regularly post malware anlaysis exercises. These exercises will cover a wide range of malware analysis topics and come with detailed solutions and walk-throughs.

2022

• October: Tracing Shellcode Execution from VBA Macros

2021

• December: Maldocs - Automating Download URL Extraction with Python
• February: Maldocs - Getting Started with Excel 4 Macros (XLM Macros)
• August: Javascript - Deobfuscating a Turla JS Backdoor

2020

• December: Maldocs - Living Off The Land with Powershell

Training PCAPs

PCAP files that exhibit specific network activity, to help with analysis, rule writing or whatever comes your way! Relevant capture filters are applied to help limit the scope of what is in the PCAP file.

-> Training PCAPs

Summary of Samples

• 2023-02-17: YouTube Video: OneNote Malware Trends - Investigating Script Execution that Leads to QuakBot
• 2023-02-07: YouTube Video: A .NET Downloader and an Open Directory - Unraveling the Encrypted Payload That Leads to CryptBot
• 2023-02-04: YouTube Video Series: Investigating NullMixer - Identifying Packing Techniques, Identifying and Unraveling ASPack, and Investigating Network Traffic with Suricata and Evebox
• 2023-01-23: YouTube Video: OneNote Malware - Tips and Tricks for Investigating OneNote Malware Used to Deliver AsyncRAT
• 2023-01-12: YouTube Video Series: Getting Started with Detect-It-Easy, Identifying Signs of Packing, Unpacking Vidar Stealer with Time-Travel Debugging
• 2023-01-02: YouTube Video: The Basics of Overlays in PE Files w/ DCRat
  
  
• 2022-12-15: YouTube: Getting Started with dnSpyEx - Unraveling a .NET Formbook Dropper
• 2022-03-26: Maldoc Templates - Heodo, AgentTesla, NanoCore, Loki, SilentBuilder, Hancitor, NONE, Quakbot
• 2022-03-12: Maldoc Templates - Heodo, Formbook, AgentTesla, Loki, NanoCore, NONE, Quakbot
• 2022-03-05: Maldoc Templates - OskiStealer, RemcosRAT, Loki, NONE, NanoCore, Quakbot, SnakeKeylogger, Formbook, Heodo
• 2022-02-26: Maldoc Templates - SilentBuilder, Heodo, Quakbot, NanoCore, NONE, Loki
  
  
• 2022-01-22: Maldoc Templates - QuasarRAT, SnakeKeylogger, NONE, Formbook, Loki, AveMariaRAT, AsyncRAT, SilentBuilder, GuLoader, Heodo
  
  
• 2021-12-31: Maldoc Templates - NONE, SnakeKeylogger, QuasarRAT, Quakbot, IcedID
• 2021-12-25: Maldoc Templates - TrickBot, Dridex, AsyncRAT, SnakeKeylogger, QuasarRAT, RemcosRAT, SilentBuilder, Quakbot, AveMariaRAT, NONE, Heodo, BitRAT, BazaLoader
• 2021-12-22: Excel document uses VBA macros to execute cmd.exe to run Powershell script -> Downloads WarzoneRAT over HTTPS
• 2021-12-17: Maldoc Templates - Maldoc Templates - Quakbot, Formbook, IcedID, SilentBuilder, Dridex, Loki, AgentTesla, AsyncRAT, QuasarRAT, NONE
• 2021-12-16: Excel document uses XLM macros to execute cmd.exe to download/run MSHTA script -> Downloads Powershell script -> Downloads Emotet DLL
• 2021-12-11: Maldoc Templates - Heodo, Loki, BluStealer, Dridex, Quakbot, NONE, IcedID, AgentTesla, TrickBot
• 2021-12-04: Maldoc Templates - Heodo, Quakbot, Loki, Hancitor, SilentBuilder, NONE, Formbook, Dridex, BitRAT, IcedID
  
  
• 2021-11-17: BlackNET 3.7.0.0 source code found in an opendir
• 2021-11-13: Word Document uses Packager Shell Object to Execute VBScript, Run Powershell to Download AgentTesla
  
  
• 2021-10-30: Maldoc Templates - AsyncRAT, Quakbot, AveMariaRAT, Formbook, Loki, TrickBot, AgentTesla, SnakeKeylogger, ArkeiStealer, Hancitor, NONE, Dridex
• 2021-10-15: Word downloads Formbook EXE
  
  
• 2021-09-27: Excel drops Qakbot (qbot) EXE
  
  
• 2021-08-28: Maldoc Templates - BazaLoader, Loki, NONE, Hancitor, CobaltStrike, Dridex, RedLineStealer
• 2021-08-07: Maldoc Templates - a310Logger, NONE, AZORult, BuerLoader, Loki, Formbook, TrickBot, Hancitor
  
  
• 2021-07-17: Maldoc Templates - IcedID, Gozi, RustyLoader, NONE, njrat, Loki, CobaltStrike, Formbook, Dridex, TrickBot
• 2021-07-03: Maldoc Templates - Quakbot, TrickBot, FickerStealer, Dridex, AgentTesla, NONE
  
  
• 2021-06-19: Maldoc Templates - NONE, Adwind, Quakbot, AgentTesla, IcedID, Formbook, Gozi, TrickBot, SnakeKeylogger, Dridex
• 2021-06-12: Maldoc Templates - NONE, Dridex, TrickBot, BazaLoader, NanoCore, Loki, AsyncRAT, IcedID, SnakeKeylogger, njrat, SilentBuilder, Formbook, RemcosRAT, OskiStealer, Gozi, Quakbot
• 2021-06-12: Excel drops TransparentTribe (.NET) with CNC Check-in
• 2021-06-09: Excel downloads AsyncRAT
• 2021-06-05: Maldoc Templates - Adwind, NONE, Formbook, IcedID, Dridex, RemcosRAT, Loki, DoubleBack, AgentTesla, SnakeKeylogger, Gozi, Quakbot, njrat
  
  
• 2021-05-22: Maldoc Templates - Dridex, NONE, Adwind, RemcosRAT, TrickBot, AgentTesla, FickerStealer, IcedID, Loki, BazaLoader, SilentBuilder, Hancitor, Quakbot
• 2021-05-17: Diamondfox opendir w/ several modules and documentation
• 2021-05-15: Maldoc Templates - NONE, njrat, TrickBot, ArkeiStealer, CrimsonRAT, SilentBuilder, Quakbot, Dridex, SnakeKeylogger, IcedID, Adwind, RedLineStealer, AZORult, Hancitor, AgentTesla, Loki
• 2021-05-08: Maldoc Templates - IcedID, SilentBuilder, AgentTesla, BuerLoader, TrickBot, Loki, ArkeiStealer, RaccoonStealer, AsyncRAT, NONE, Quakbot, Dridex, Hancitor
  
  
• 2021-04-30: Maldoc Templates - SnakeKeylogger, Dridex, Quakbot, AgentTesla, NONE, Hancitor, Loki, TrickBot, SilentBuilder, Heodo, njrat, Formbook, Gozi, AZORult
• 2021-04-24: Maldoc Templates - April 19 - April 23: Dridex, AgentTesla, IcedID, NONE, Quakbot, RedLineStealer, Loki, Gozi, TrickBot
• 2021-04-21: Java Network Launch Protocol (jnlp) / JAR, Downloads Gozi DLL
• 2021-04-20: Word Document Uses Template Injection that downloads an RTF Document, Exploits CVE-2017-11882 to Drop Nanocore
• 2021-04-17: Maldoc Templates - April 12 - April 16: Formbook, TrickBot, Dridex, SilentBuilder, AgentTesla, SnakeKeylogger, njrat, Quakbot, AZORult, Hancitor, Heodo, Loki, Gozi
• 2021-04-10: Maldoc Templates - April 05 - April 09: TrickBot, IcedID, NONE, BuerLoader, Formbook, Heodo, Hancitor, SilentBuilder, Dridex, Gozi
• 2021-04-08: Purple Fox Exploit Kit Activity - Landing Page and Other Artifacts
• 2021-04-03: Maldoc Templates - March 29 - April 02: Gozi, BuerLoader, AgentTesla, BitRAT, IcedID, Loki, SilentBuilder, NONE, gozi, Dridex, Quakbot
• 2021-04-01: Excel drops IcedId - Uses VBA macros to execute Excel 4 macros in hidden sheet/hidden columns
  
  
• 2021-03-31: QBot Open directory w/ Access to Proxy Scripts, .HTACCESS File
• 2021-03-26: Rig EK, unalbe to obtain payload(s)
• 2021-03-27: Maldoc Templates - March 22 - 22, 2021: AgentTesla, SilentBuilder, IcedID, AsyncRAT, Loki, Dridex, Formbook, NanoCore, TrickBot, BazaLoader, Quakbot, LemonDuck
• 2021-03-16: Maldoc Templates - March 15 - 19, 2021: Dridex, TrickBot, QuakBot, AgentTesla, SilentBuilder, Gozi, IcedID, Hancitor
• 2021-03-13: Maldoc Templates - March 08 - 12, 2021: BuerLoader, SilentBuilder, TrickBot, Gozi, AgentTesla, BazaLoader, NetWire, AveMariaRAT, Loki, NONE, Quakbot, IcedID, ZLoader, Dridex, BazarCall
• 2021-03-06: Maldoc Templates - March 01 - 05 - Gozi, BazarCall, SilentBuilder, Quakbot, Loki, CobaltStrike, SnakeKeylogger, TrickBot, AgentTesla, Dridex, NONE, Hancitor
  
  
• 2021-02-27: Maldoc Templates for February 22 - 26, 2021: SilentBuilder, TrickBot, Hancitor, Dridex, AsyncRAT, Quakbot, MassLogger, Formbook
• 2021-02-20: Maldoct Templates for February 15 - 19: NetWire, TrickBot, SilentBuilder, AgentTesla, AveMariaRAT, SnakeKeylogger, njrat, NONE, ZLoader, Dridex, Loki, Quakbot, RemcosRAT, FickerStealer
• 2021-02-13: Maldoc Templates for February 08 - 12, 4 groups: Dridex, Heodo/Emotet, Unknown
• 2021-02-06: Maldoc templates for Feb 01 - 05, 3 groups: SilentBuilder and Emotet
  
  
• 2021-01-30: Maldoc templates for Jan 25 - 29, 2 groups: Emotet, Unknown
• 2021-01-30: Maldoc templates for Jan 18 - 22, 4 groups: Emotet, Dridex
• 2021-01-23: Maldoc templates for Jan 11 - 15, 8 groups: Emotet, Dridex
• 2021-01-15: Excel drops Qakbot (qbot) DLL
• 2021-01-15: Word doc w/ embedded Hancitor loader, IP check and C2 activity
• 2021-01-09: Maldoc templates for Jan 04 - 08, 6 groups: Emotet, Trickbot, Dridex
• 2021-01-07: Excel doc drops Raccoon
• 2021-01-02: Maldoc templates for Dec 28 - Jan 01, 3 groups: Emotet, Dridex, Emotet
  
  
• 2020-12-26: Maldoc templates Dec 21 - Dec 25, 11 groups: Emotet, Dridex and 1 unknown
• 2020-12-19: Maldoc templates Dec 14 - Dec 18. 17 groups: Dridex, TA505 and Emotet
• 2020-12-15: Maldoc templates Dec 07 - Dec 11. 7 groups: 1 - 5 Dridex, 6 BitRat, 7 Emotet
• 2020-12-15: Excel Decodes DLL (Campo Loader) w/ Certutil for next stage retrieval - includes analysis on YouTube and IDA Plugin for String Deobfuscation
• 2020-12-05: Maldoc templates for the week of Nov 30 - Dec 04
  
  
• 2020-11-28: Maldoc templates for the week of Nov 23 - Nov 27
• 2020-11-27: Excel drops Qakbot (qbot) DLL
• 2020-11-24: FickerStealer w/ IP check
• 2020-11-24: Word document drops Smokeloader
• 2020-11-24: Word document drops Dridex DLL w/ Check-In
• 2020-11-21: Maldoc templates for the week of Nov 16 - Nov 20
• 2020-11-14: Maldoc templates for the week of Nov 09 - Nov 13
• 2020-11-10: Emotet maldoc - Embedded DLL and CertUtil for Base64 Decoding, includes analysis on YouTube
• 2020-11-07: Maldoc templates for the week of Nov 02 - Nov 06
  
  
• 2020-10-31: Maldoc templates for the week of Oct 26 - Oct 30
• 2020-10-29: Excel doc drops Qakbot
• 2020-10-24: Maldoc templates for the week of Oct 19 - Oct 23
• 2020-10-16: Emotet templates for the week of Oct 12 - Oct 16
• 2020-10-09: Emotet templates for the week of Oct 05 - Oct 09
• 2020-10-02: Emotet templates for the week of Sept 28 - Oct 02
• 2020-10-05: Word doc uses Lua for follow-on activity
  
  
• 2020-09-17: Word doc drops Betabot (Uses CVE-2017-11882)
  
  
• 2020-08-29: ArkeiStealer sample with data exfil
• 2020-08-21: Azorult drops AsyncRat, REMCOS possible others
• 2020-08-15: Cerber ransomware with check-in
• 2020-08-02: Raccoon stealer drops crypto-currency miner
  
  
• 2020-07-24: Amadey bot with payloads and check-in
• 2020-07-24: Raccoon stealer w/ CnC check-in
• 2020-07-19: Excel doc drops GuLoader
• 2020-07-13: Word doc drops Hancitor loader
  
  
• 2020-06-29: Trickbot version 1000512 and gtag ono51, drops new nwormDll64 module - includes 12hour PCAP
• 2020-06-29: Two Excel docs that drop Netwire, includes C2 check-ins
• 2020-06-20: ZLoader with chekc-in
• 2020-06-01: Excel doc drops Guloader
• 2020-06-01: IcedID with Image used for Steganography
  
  
• 2020-05-29: Maldoc uses template injection for macro execution
• 2020-05-13: Gamma Ransomware with HTTP check-in
• 2020-05-13: Cryptbot sample
• 2020-05-13: Danabot sample with beaconing
• 2020-05-04: Trickbot w/ GTAG tt002 and version 1000509, 12 hour PCAP w/ beacons
  
  
• 2020-04-26: Gomorrah stealer (.NET binary)
• 2020-04-16: Trickbot w/ GTAG MAN6 and version 1000507 - Uses revocation.txt config
• 2020-04-16: AgentTesla data exfil through SMTP
• 2020-04-14: Vidar sample with data exfil via ZIP file
• 2020-04-13: Azorult drops Blackout Ransomware
• 2020-04-04: Ave-Maria/Warzon RAT
  
  
• 2020-03-27: Word drops Ursnif through MSHTA.exe
• 2020-03-26: Word drops Banload banking trojan
• 2020-03-26: Excel drops AgentTesla
• 2020-03-26: Word drops IcedId
• 2020-03-25: NanoCore sample with dumped plugins (.NET assemblies)
• 2020-03-24: Blue Botnet
• 2020-03-19: Formbook
• 2020-03-14: Excel drops LokiBot
  
  
• 2020-02-29: Buer loader
• 2020-02-18: Remcos
• 2020-02-13: Turkojan
  
  
• 2016-02-28: Angler EK from Alexu.edu.eg

Samples from Trainings and Workshops

Sample files and other artifacts from public trainings, talks and workshops.

2021

• 2021-01-13: FloCon - Workshop: Intrusion Analysis and Threat Hunting with Open Source Tools - Demo files and Workshop on YouTube
• 2021-08-08: DefCon 29 Workshop - Modern Malware Analysis for Threat Hunters
• 2021-06: R0 Virtual Vegas: Malware Unpacking
• 2021-08-26: HITBLab: Modern Malware Analysis for Threat Hunters (HITB Singapore)

2020

• 2020-11-19: Hack-in-the-Box Cyber Week Workshop: Analyzing Malicious Word and Excel Documents - Demo files and Workshop on YouTube

Maldocs

Will contain Office documents identified to be used to distribute malware based on organizing folder structure. For example, the emotet folder will contain maldocs identified to have dropped Emotet. These samples are organized by year/month that I obtained and executed them - this may deviate slightly from when they were first discovered in the wild (for example, first submission date on VirusTotal).

To the max extend possible I will also include associated PCAPs. PCAPs may contain the resuling Emotet binary that was dropped, as well as follow-on C2 communication. However, I can not guarantee that each PCAP will contain this full sequence of events.

Current maldocs include:

• AgentTesla
• Banload
• Emotet
• Hancitor
• IcedId
• Lokibot
• Trickbot
• Unknown

Maldoc Templates

The image analysis script used to generate maldoc image graphs can be found at: https://github.com/jstrosch/graph-maldoc-similar-images

Memory Dumps

Will contain full VM memory and individual process memory dumps from malware samples. Most will come from dumpming memory via Cuckoo Sandox. Due to the size of the memory dumps, links to an archived version of them are provided for download. Current memory dumps include:

• Emotet
• LokiBot

Binaries

This will contain binaries (i.e. PE/.NET, Java, etc) from known malware families. Currently, this archive contains samples from:

• Agenttesla
• Ave Maria / Warzone RAT
• Azorult
• Blue Botnet
• Buer Loader
• Dridex
• Emotet
• Gandcrab
• Lokibot
• Nanocore
• Remcos
• Socelars
• Trickbot
• Troldesh
• Turkojan
• Vidar

Warnings and Disclaimers

This repository is intended for educational and research purposes. The samples provided here are all real-world malware, please handle with all of the necessary caution.

Please note, all samples/artifacts will be in a password-protected archive using a password of: infected