Searching samples

The goal when searching for a sample is different each time. With that in mind, a small description with information is given regarding the functionality and accessibility of each site.

General platforms

These platforms contain samples for multiple operating systems, as their focus is to collect and share malware. In other sections, operating system specific platforms are described.

VirusBay

As stated on the 'About' page, VirusBay is a collaboration platform that connects malware researchers. When searching for samples, one can use keywords, tags or hashes. This makes searching easy, especially when aiming for a specific target. The tags are added by those who upload the samples. Additionally, the file type is automatically added to the tags. Searching for malware that is written in a language that one still needs to practice (or has already mastered) is also a possibility.

Besides the options to search for samples, one can request a sample based on the hash. Every researcher can post information, on which others can comment as well. Especially during a global malware outbreak, such as WannaCry, this is useful.

To access the platform, one requires an invitation. Every once in a while a new code is sent out to those who enlisted. Keeping an eye on their Twitter has also proven to be useful to obtain an invite code!

MalShare

MalShare is a community-driven and public malware repository that can be accessed via an API key. The API key can be obtained by registering yourself on the site. One can search through the samples using hashes, file names, Yara rule names or sources.

VirusShare

VirusShare contains over 33 million malware samples, all of which can be accessed when searched for. One can search for the hash of a sample (MD5, SHA-1 or SHA-256) or a virus name. Additionally, one can download the complete malware data set with the use of torrents.

An account can be obtained by e-mailing admin[at]virusshare[dot]com with an explanation who you are and why you want access.

Malpedia

Malpedia makes part of its information public, but this is only a small part of all the information that is kept within. Information about families and actors is publicly available.

The registration process is invite only, where other users have to vouch for new applicants.

VxVault

On VxVault, numerous samples are visible, as well as the IP they're originally from. Searching can be done using the MD5 hash and is possible without registering.

Abuse.ch

Abuse.ch has multiple projects: a Feodo tracker, a ransomware tracker, an SSL blacklist and URLhaus.

The Feodo tracker is used to track all kinds of malware such as Emotet. The ransomware tracker does exactly what its name suggests: it tracks ransomware. The SSL blacklist is helpful to network administrators. Lastly, URLhaus is used to list URLs which are used to serve malware. This is the area that is most helpful with regard to this article, but the other projects are worth investigating as well.

The URLhaus database provides information about the age, URL, status, tags and the reporter of the malware. Based on this information, one can download a sample to analyse. Searching is also possible and can be done based on the domain, URL, MD5 or SHA-256 hash.

Online dynamic analysis platforms

A sandbox, such as Cuckoo Sandbox, is useful during dynamic malware analysis. In this segment, online sandboxes are listed. From here, one can also download the public samples. The given analysis already provides information about the behaviour of the malware.

Any.run

As the name implies, Any.run can run anything. A free account provides the user with 60 seconds to execute the malware. Within the browser, one can click on the screen of the VM to perform additional actions and to investigate whatever happens. During (and after) the analysis, all network traffic, system calls, file changes, and registry alterations are shown.

Note that all samples are public unless you have a paid subscription and select the private mode. Reports that can be viewed have downloadable samples. To download a sample, one should be logged in with a free account.

Hybrid-Analysis

Uploading a sample is simple, and instantly shares the report with the community. Based on the recent submissions, one can find a sample that fulfills the search’s requirements. The additional data from the report (such as network traffic, API calls, registry changes and much more) is helpful to determine if the sample is actually malicious, before starting the analysis.

Malware trackers

Tracking malware campaigns for new samples, changes in the modus operandi and seeing if the malware is still actively used is of great use within threat hunting. It is also a great way to collect one (or more) samples from a specific family to analyse.

Cyber Crime Tracker

On Cyber Crime Tracker, one can find malware families that are tracked. The age, URL, IP and type are given of each entry. The type is equal to the family name. The data that is provided on this site does not link to samples, but to command & control servers instead. Using these, one can obtain samples using Google or one of the other listed services.

Additionally, this site hosts an ATM Cyber Crime Tracker that is not directly listed on the front page. This malware is generally harder to come by, which makes this tracker rather useful!

Fumik0’s tracker

This tracker provides information about samples. Additionally, it provides detailed information whenever one clicks on a sample. The hash is given in multiple types, as well as information about the server.

Android based platforms

The other platforms might contain Android malware, but there are also some dedicated platforms on which malicious samples are shared.

Apk.io

This platform is powered by Avast and has numerous possibilities. Searching is done based upon keywords, which are explained in the search menu. One can search through package names and certificates, but also through the more inner workings of an APK, such as the activities of the application.

The dynamic analysis provides the network traffic and displays odd or malicious behaviour of applications. Each of these files can be downloaded separately when the analysis is over. This overview provides a lot of information, especially on heavily obfuscated samples. The more obfuscation that is used, the more time static code analysis will take. With this overview, based on dynamic analysis, it only takes a couple of minutes to figure out if the application is malicious. Before uploading a sample, one can specify the required settings for the environment.

The upload limit is set to 100 samples per day, with a download limit of 10 samples per day. The access is limited to a select group of researchers at first. A submission for the platform can be made here.

Koodous

On Koodous, new malware is uploaded daily. One can create Yara rules to match new uploads and download samples. Additionally, one can comment and vote on uploaded APKs. The tags that are given to files are also searchable. Without any Yara rules it might be hard to find a sample using the search capabilities, but following other active analysts helps a lot.

An account is needed to download samples and to add Yara rules. A free account has a download limit of 50 samples per day.

Other

In this segment, paid platforms are listed. Their capabilities might exceed those of the free ones, but the goal of this course is to work with free and (preferably) open-source software.

VirusTotal

Commonly known as the industry standard, VirusTotal could not be left out of this list. With numerous anti-virus scanners that judge an uploaded file, users can quickly predict if a file is malicious or not. Within the platform, one can use Yara rules that are triggered based upon new uploads.
Additionally, one can scan the material of the past 3 months to see if samples were uploaded before that. This method, called retrohunting, can only be done a few times per month, depending on the subscription.

As stated before, this platform is paid, although it can be used by students upon request. This requires a formal and written statement from the guiding professor for a maximum of six months.


To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit or DM me on Twitter @LibraAnalysis.