mun-r/malware-samples

Malware samples, analysis exercises and other interesting resources.

Malware Samples

This repository is intended to provide access to a wide variety of malicious files and other artifacts. Please keep in mind that most of these samples will not be archived or password protected. For those that are, consult the additional README but the use of the standard password 'infected' will normally be utilized.

All of the samples are in a password protected ZIP archive using a password of: infected

Malware Analysis Exercises

In addition to providing artifacts from samples, I will regularly post malware anlaysis exercises. These exercises will cover a wide range of malware analysis topics and come with detailed solutions and walk-throughs.

2021

• February: Maldocs - Getting Started with Excel 4 Macros (XLM Macros)

2020

• December: Maldocs - Living Off The Land with Powershell

Summary of Samples

• 2021-02-06: Maldoc templates for Feb 01 - 05, 3 groups: SilentBuilder and Emotet
  
  
• 2021-01-30: Maldoc templates for Jan 25 - 29, 2 groups: Emotet, Unknown
• 2021-01-30: Maldoc templates for Jan 18 - 22, 4 groups: Emotet, Dridex
• 2021-01-23: Maldoc templates for Jan 11 - 15, 8 groups: Emotet, Dridex
• 2021-01-15: Excel drops Qakbot (qbot) DLL
• 2021-01-15: Word doc w/ embedded Hancitor loader, IP check and C2 activity
• 2021-01-09: Maldoc templates for Jan 04 - 08, 6 groups: Emotet, Trickbot, Dridex
• 2021-01-07: Excel doc drops Raccoon
• 2021-01-02: Maldoc templates for Dec 28 - Jan 01, 3 groups: Emotet, Dridex, Emotet
  
  
• 2020-12-26: Maldoc templates Dec 21 - Dec 25, 11 groups: Emotet, Dridex and 1 unknown
• 2020-12-19: Maldoc templates Dec 14 - Dec 18. 17 groups: Dridex, TA505 and Emotet
• 2020-12-15: Maldoc templates Dec 07 - Dec 11. 7 groups: 1 - 5 Dridex, 6 BitRat, 7 Emotet
• 2020-12-15: Excel Decodes DLL w/ Certutil for next stage retrieval - includes analysis on YouTube and IDA Plugin for String Deobfuscation
• 2020-12-05: Maldoc templates for the week of Nov 30 - Dec 04
  
  
• 2020-11-28: Maldoc templates for the week of Nov 23 - Nov 27
• 2020-11-27: Excel drops Qakbot (qbot) DLL
• 2020-11-24: FickerStealer w/ IP check
• 2020-11-24: Word document drops Smokeloader
• 2020-11-24: Word document drops Dridex DLL w/ Check-In
• 2020-11-21: Maldoc templates for the week of Nov 16 - Nov 20
• 2020-11-14: Maldoc templates for the week of Nov 09 - Nov 13
• 2020-11-10: Emotet maldoc - Embedded DLL and CertUtil for Base64 Decoding, includes analysis on YouTube
• 2020-11-07: Maldoc templates for the week of Nov 02 - Nov 06
  
  
• 2020-10-31: Maldoc templates for the week of Oct 26 - Oct 30
• 2020-10-29: Excel doc drops Qakbot
• 2020-10-24: Maldoc templates for the week of Oct 19 - Oct 23
• 2020-10-16: Emotet templates for the week of Oct 12 - Oct 16
• 2020-10-09: Emotet templates for the week of Oct 05 - Oct 09
• 2020-10-02: Emotet templates for the week of Sept 28 - Oct 02
• 2020-10-05: Word doc uses Lua for follow-on activity
  
  
• 2020-09-17: Word doc drops Betabot (Uses CVE-2017-11882)
  
  
• 2020-08-29: ArkeiStealer sample with data exfil
• 2020-08-21: Azorult drops AsyncRat, REMCOS possible others
• 2020-08-15: Cerber ransomware with check-in
• 2020-08-02: Raccoon stealer drops crypto-currency miner
  
  
• 2020-07-24: Amadey bot with payloads and check-in
• 2020-07-24: Raccoon stealer w/ CnC check-in
• 2020-07-19: Excel doc drops GuLoader
• 2020-07-13: Word doc drops Hancitor loader
  
  
• 2020-06-29: Trickbot version 1000512 and gtag ono51, drops new nwormDll64 module - includes 12hour PCAP
• 2020-06-29: Two Excel docs that drop Netwire, includes C2 check-ins
• 2020-06-20: ZLoader with chekc-in
• 2020-06-01: Excel doc drops Guloader
• 2020-06-01: IcedID with Image used for Steganography
  
  
• 2020-05-29: Maldoc uses template injection for macro execution
• 2020-05-13: Gamma Ransomware with HTTP check-in
• 2020-05-13: Cryptbot sample
• 2020-05-13: Danabot sample with beaconing
• 2020-05-04: Trickbot w/ GTAG tt002 and version 1000509, 12 hour PCAP w/ beacons
  
  
• 2020-04-26: Gomorrah stealer (.NET binary)
• 2020-04-16: Trickbot w/ GTAG MAN6 and version 1000507 - Uses revocation.txt config
• 2020-04-16: AgentTesla data exfil through SMTP
• 2020-04-14: Vidar sample with data exfil via ZIP file
• 2020-04-13: Azorult drops Blackout Ransomware
• 2020-04-04: Ave-Maria/Warzon RAT
  
  
• 2020-03-27: Word drops Ursnif through MSHTA.exe
• 2020-03-26: Word drops Banload banking trojan
• 2020-03-26: Excel drops AgentTesla
• 2020-03-26: Word drops IcedId
• 2020-03-25: NanoCore sample with dumped plugins (.NET assemblies)
• 2020-03-24: Blue Botnet
• 2020-03-19: Formbook
• 2020-03-14: Excel drops LokiBot
  
  
• 2020-02-29: Buer loader
• 2020-02-18: Remcos
• 2020-02-13: Turkojan

Samples from Trainings and Workshops

Sample files and other artifacts from public trainings, talks and workshops.

2021

• 2021-01-13: FloCon - Workshop: Intrusion Analysis and Threat Hunting with Open Source Tools - Demo files and Workshop on YouTube

2020

• 2020-11-19: Hack-in-the-Box Cyber Week Workshop: Analyzing Malicious Word and Excel Documents - Demo files and Workshop on YouTube

Maldocs

Will contain Office documents identified to be used to distribute malware based on organizing folder structure. For example, the emotet folder will contain maldocs identified to have dropped Emotet. These samples are organized by year/month that I obtained and executed them - this may deviate slightly from when they were first discovered in the wild (for example, first submission date on VirusTotal).

To the max extend possible I will also include associated PCAPs. PCAPs may contain the resuling Emotet binary that was dropped, as well as follow-on C2 communication. However, I can not guarantee that each PCAP will contain this full sequence of events.

Current maldocs include:

• AgentTesla
• Banload
• Emotet
• Hancitor
• IcedId
• Lokibot
• Trickbot
• Unknown

Maldoc Templates

The image analysis script used to generate maldoc image graphs can be found at: https://github.com/jstrosch/graph-maldoc-similar-images

Memory Dumps

Will contain full VM memory and individual process memory dumps from malware samples. Most will come from dumpming memory via Cuckoo Sandox. Due to the size of the memory dumps, links to an archived version of them are provided for download. Current memory dumps include:

• Emotet
• LokiBot

Binaries

This will contain binaries (i.e. PE/.NET, Java, etc) from known malware families. Currently, this archive contains samples from:

• Agenttesla
• Ave Maria / Warzone RAT
• Azorult
• Blue Botnet
• Buer Loader
• Dridex
• Emotet
• Gandcrab
• Lokibot
• Nanocore
• Remcos
• Socelars
• Trickbot
• Troldesh
• Turkojan
• Vidar

Warnings and Disclaimers

This repository is intended for educational and research purposes. The samples provided here are all real-world malware, please handle with all of the necessary caution.

Please note, all samples/artifacts will be in a password-protected archive using a password of: infected