Fantastic Malware and Where to Find Them


We, as malware analysts, are always in need of new samples to analyze in order to learn, train or develop new techniques and defenses. One of the most common questions I get is “Where to find malware to analyze?” so I’m sharing here my private collection of repositories, databases and lists which I use on a daily basis. Some of them are updated frequently and some of them are not. The short description under each link wasn’t written by me, it was written by the owners of the repositories.

If you want to add another resource to the list please inform me in the comments.

Please, be careful when using these sites. Almost all of them contain malicious files. Use with caution!

General Samples

theZoo is a project created to make the possibility of malware analysis open and available to the public.

Contagio is a collection of the latest malware samples, threats, observations, and analyses.

Hybrid Analysis
Free malware analysis service powered by Payload Security. Using this service you can submit files for in-depth static and dynamic analysis. You can also download samples from analyses submitted by others.

AVCaesar is a malware analysis engine and repository, developed by

Das Malwerk
DAS MALWERK collects executable malware from all kinds of shady places on the internet

An active community devoted to malware analysis and kernel development

The MalShare Project is a collaborative effort to create a community-driven public malware repository that works to build additional tools to benefit the security community at large.



VirusBay is a web-based, collaboration platform where researchers can put their hands on malicious samples uploaded by colleagues and SOC professionals.

FreeTrojanBotnet’s goal is to gather submissions from operators and various mailing lists and concentrate them in a database that is easy to navigate.

Virusign downloads malware and sorts files in order of relevance, for researchers to download samples and analyze them to create new signatures.

A binary substring searchable malware catalog containing terabytes of malicious code. (Samples are not downloadable.)

A repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of malicious code.

Malwarebytes Research Center
Forums to post new threats and URLs

Mobile Malware (Google Group)
A mailing list for researching mobile malware. This group allows material related to new mobile malware samples, analysis, new techniques, questions pertaining to the field, and other related material.

Search And RetrieVAl of Malware contains a database with tons of malicious samples.

Malekal’s collection of malware

An updated database of domains hosting malicious executables.

VX Vault
S!Ri.URZ Collection of malware and URLs

Providing access to a database which contains data such as URL, MD5, IP, TLD, etc.

Sucuri Malware Labs
Latest findings that Sucuri Labs is seeing in the wild.

Runs a couple of projects helping internet service providers and network operators protect their infrastructure from malware. It includes several malware trackers.

Cybercrime Tracker
Lists the C&C panels of certain in-the-wild botnets.

Android Samples

Koodous is a collaborative platform that combines the power of online analysis tools with social interactions between the analysts over a vast APKs repository.

AndroMalShare is a project to share Android malware samples

Android-Malware (Github)
Collection of Android malware samples collected from several sources/mailing lists

OSX Samples

Objective-See Mac Malware
Objective-See was created to provide simple, yet effective OS X security tools. Always free of charge. This repository contains malware samples for the Mac.

Manwe MAC Malware Samples
Regularly updated fresh Mac malware feed

Linux Samples

Linux Sandbox
Linux Sandbox is a Cuckoo-based sandboxing system specifically crafted and tuned for Linux malware samples analysis.

Detux – The Linux Sandbox
Multiplatform Linux Sandbox. The samples are available to download.

Not working anymore or under maintenance:

Open Malware Project by Danny Quist

Malwr is a free malware analysis service and community launched in January 2011. You can submit files to it and receive the results of a complete dynamic analysis back. You can also download samples from analyses submitted by others.

Repository of Malware URLs and Samples


Again, please be careful when using these sites. Almost all of them contain malicious files. Use with caution!



[Pragyan CTF] The Karaboudjan



The Karaboudjan | Forensics 150 pts

Captain Haddock is on one of his ship sailing journeys when he gets stranded off the coast of North Korea. He finds shelter off a used nuke and decides to use the seashells to engrave a message on a piece of paper. Decrypt the message and save Captain Haddock.





This was a funny challenge. I struggled with that Brainfuck, but all it was is just brainfuck. Nothing more, we don’t need it to solve the challenge. Sorry guys.

I downloaded the zip file, which was encrypted, and cracked it using “fcrackzip” and a dictionary attack. I found that the password is “dissect“. Inside the zip was a pcap file with one packet:


That’s it, we got the flag 🙂

The flag was pragyanctf{5n00p_d099}
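The dictionary attack above, as an added example that is not part of the original writeup: the archive and the wordlist are constructed here (the real zip and its pcap are not reproduced), the eleven filler bytes of the encryption header are fixed rather than random so the output is reproducible, and the cracking loop relies only on the standard library's zipfile. ZipCrypto gives a cracker two rejection points: an 8-bit check byte in the encryption header, which rejects 255 of every 256 wrong guesses, and the CRC-32 of the extracted data, which catches the one that slips through.

```python
"""Dictionary attack on a ZipCrypto ("traditional PKWARE") protected zip, standard library only."""
import io
import struct
import zipfile
import zlib


def _crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC_TABLE = _crc_table()


def _crc32_byte(crc, b):
    return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCryptoEncrypter:
    """Stream cipher from APPNOTE.TXT section 6.1; the exact inverse of zipfile's decrypter."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b):
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            t = self.k2 | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))  # keystream byte from the state before the update
            self._update(p)                                  # the keys advance on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name, plaintext, password):
    """One stored entry, ZipCrypto encrypted (general purpose flag bit 0 set)."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes (fixed here, random in real archives) plus the
    # check byte, the high byte of the CRC, which zipfile compares before touching the data.
    header = bytes(range(11)) + bytes([crc >> 24])
    body = ZipCryptoEncrypter(password).encrypt(header + plaintext)
    flags, method, dos_time, dos_date = 0x0001, 0, 0, ((2018 - 1980) << 9) | (3 << 5) | 1
    local = struct.pack('<IHHHHHIIIHH', 0x04034B50, 20, flags, method, dos_time, dos_date,
                        crc, len(body), len(plaintext), len(name), 0) + name
    central = struct.pack('<IHHHHHHIIIHHHHHII', 0x02014B50, 20, 20, flags, method, dos_time, dos_date,
                          crc, len(body), len(plaintext), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack('<IHHHHIIH', 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def extract_with_password(zip_bytes, password):
    """Plain extraction of the first entry; raises if the password is wrong."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(zf.namelist()[0], pwd=password)


def crack_zip(zip_bytes, wordlist):
    """Try each candidate; return the first password that yields a CRC-correct entry, else None."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    entry = zf.namelist()[0]
    for word in wordlist:
        pwd = word.strip().encode()
        try:
            zf.read(entry, pwd=pwd)
        except RuntimeError:        # check byte mismatch: 255 of every 256 wrong guesses end here
            continue
        except zipfile.BadZipFile:  # the 1-in-256 wrong guess that passes the check byte fails the CRC
            continue
        return pwd.decode()
    return None


# Constructed sample archive and constructed wordlist; the challenge's pcap is not reproduced.
SAMPLE_PLAINTEXT = b'constructed stand-in for the one-packet pcap'
SAMPLE_ZIP = build_encrypted_zip(b'capture.pcap', SAMPLE_PLAINTEXT, b'dissect')
WORDLIST = ['123456', 'password', 'tintin', 'dissect', 'haddock']

if __name__ == '__main__':
    print('password:', crack_zip(SAMPLE_ZIP, WORDLIST))
```

Both exception types have to be caught: a loop that only handles the RuntimeError from the check byte will eventually crash on a wrong password that happens to pass it, and a loop that accepts the first password passing the check byte without reading the data will report false positives.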


[Pragyan CTF] New Avenger



New Avenger | Stego 300 pts
The Avengers are scouting for a new member. They have travelled all around the world, looking for suitable candidates for the new position.
Finally, they have found the perfect candidate. But, they are in a bad situation. They do not know who the guy is behind the mask.
Can you help the Avengers to uncover the identity of the person behind the mask ?
Those of you who read my blog frequently already know how much I’m into superheroes. Give me a challenge with superheroes and you’ve bought me. Although I’m more of a DC guy, this challenge was with the Marvel heroes and it was still awesome! We’re given a gif file. I ran `binwalk` on it to find out whether it contains other files within.
Megabeets$ binwalk avengers.gif

DECIMAL         HEX             DESCRIPTION
0               0x0             GIF image data, version 8"9a", 500 x 272
885278          0xD821E         Zip archive data, at least v2.0 to extract, compressed size: 13422, uncompressed size: 13780, name: "1_image.jpg"
898769          0xDB6D1         Zip archive data, at least v1.0 to extract, compressed size: 1796904, uncompressed size: 1796904, name: ""

Yep, the gif file contains two more files within, let’s unzip the image:

Megabeets$ unzip ./avengers.gif
Archive:  avengers.gif
warning [avengers.gif]:  885278 extra bytes at beginning or within zipfile
  (attempting to process anyway)
  inflating: 1_image.jpg

Nice! We now have two more files: and 1_image.jpg. Now let’s try to unzip

Megabeets$ unzip ./
[] 2_image.jpg password:

Oh no, it requires a password. Let’s have a look at 1_image.jpg.
Haha, funny image. Now I wanted a deeper look at this picture, so I opened it in a hex editor and found the password:

So the password is “sgtgFhswhfrighaulmvCavmpsb”, let’s unzip the file:

Megabeets$ unzip ./
[] 2_image.jpg password: sgtgFhswhfrighaulmvCavmpsb
  inflating: 2_image.jpg

Again?! We got 2 more files, the password to the new zip was at the end of the new image, and the new zip contained another zip and an image. Well, I see where this is going, so I opened Python and automated the process:

from zipfile import ZipFile
import string

# assumed naming for the nested archives; the archive name itself did not survive in this writeup
ZIP_NAME = "%d.zip"

# list storing the passwords, it might help later
passwords = []
i = 1

while True:
    # the password sits on the last line of the current image, after a ":- " marker
    with open("%d_image.jpg" % i, "rb") as f:
        last_line = f.read().splitlines()[-1].decode("latin-1")
    try:
        # extract the password from the last line; if the marker is missing, this is the last image
        passw = last_line[last_line.index(":- ") + 3:].rstrip()
    except ValueError:
        break
    passwords.append(passw)   # add the password to the list of passwords
    # extract the next zip file using the password (ZipFile wants it as bytes)
    with ZipFile(ZIP_NAME % (i + 1)) as zf:
        zf.extractall(pwd=passw.encode())
    i += 1

Ta-dah! We extracted all the zip files and got 16 images and 15 passwords. This was the last image:


So now we have 15 passwords, each contains 26 characters:


The passwords look like garbage; they’re not Base64 or some known encoding. The first thing to pop out is the capital letter inside each password: every password contains one or two capital letters. The English alphabet contains 26 letters and each password is 26 characters long, so maybe I can map the location of each capital to the matching letter in the alphabet, i.e., if ‘F’ is at passw[4] I’ll take alphabet[4], which is ‘e’, and so on. I added this code to my script:

locations = []
for p in passwords:
    for c in range(26):
        if p[c] in string.ascii_uppercase:
            locations.append(c)   # remember where each capital letter sits

map_result = ''
for l in locations:
    map_result += string.ascii_lowercase[l]

print("Result: ", map_result)
#Result:  etitgepgztgxhiwthexstgbpc

I ran the script and got a meaningless string: “etitgepgztgxhiwthexstgbpc”. Damn! I was so sure that the mapping was the solution, how could it not be?! All the facts point towards mapping the alphabet. I decided not to give up and ran a Caesar cipher over the string:

YAY! I was so happy to find Spidey is the new Avenger!

Here’s the full script:

The flag was: pragyanctf{peterparkeristhespiderman}
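Trying all shifts and ranking them beats eyeballing 25 candidates. This is an added example, not code from the original post: it scores every Caesar shift of the mapped string with a single-letter English frequency model and puts the most English-looking candidate first. capital_positions() restates the capital-letter mapping so the block runs on its own; the 15 passwords are not on the page, so only the one shown above is used to check it.

```python
"""Rank all 26 Caesar shifts of a string by how English the result looks."""
import math
import string

# Relative frequency (percent) of letters in English text, the usual single-letter model.
ENGLISH_FREQ = {
    'a': 8.2, 'b': 1.5, 'c': 2.8, 'd': 4.3, 'e': 12.7, 'f': 2.2, 'g': 2.0, 'h': 6.1, 'i': 7.0,
    'j': 0.15, 'k': 0.77, 'l': 4.0, 'm': 2.4, 'n': 6.7, 'o': 7.5, 'p': 1.9, 'q': 0.095, 'r': 6.0,
    's': 6.3, 't': 9.1, 'u': 2.8, 'v': 0.98, 'w': 2.4, 'x': 0.15, 'y': 2.0, 'z': 0.074,
}


def capital_positions(password):
    """The writeup's mapping: each capital letter's index in a 26-character password selects
    the letter at that index of the alphabet."""
    return ''.join(string.ascii_lowercase[i] for i, c in enumerate(password) if c.isupper())


def caesar_shift(text, shift):
    """Shift every ASCII letter by `shift` places (case preserved); other characters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord('A') if ch.isupper() else ord('a')
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return ''.join(out)


def english_score(text):
    """Log-likelihood of the letters of `text` under ENGLISH_FREQ; higher means more English-like."""
    return sum(math.log(ENGLISH_FREQ[ch] / 100.0) for ch in text.lower() if ch in ENGLISH_FREQ)


def rank_shifts(ciphertext):
    """All 26 (shift, candidate) pairs, best score first; shift 0 is the input itself."""
    candidates = [(s, caesar_shift(ciphertext, s)) for s in range(26)]
    return sorted(candidates, key=lambda c: english_score(c[1]), reverse=True)


MAPPED = 'etitgepgztgxhiwthexstgbpc'   # the string the capital-letter mapping produced above

if __name__ == '__main__':
    for shift, plain in rank_shifts(MAPPED)[:5]:
        print('shift %2d  %s' % (shift, plain))
```

On 25 letters the frequency model is enough to put shift 11 on top; on very short or vowel-poor strings it can misrank, so the printout keeps the runners-up instead of returning a single answer.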


[Pragyan CTF] The Vault



[!@#a-z$%^A-Z&*0-9]{1,3}

All we got is a file and a regular expression.
Let’s run the file command on the file to determine its type:
$ file ./file.kdb
file: Keepass password database 1.x KDB, 3 groups, 4 entries, 50000 key transformation rounds

The file is a KDB file, which is a KeePass password database. KeePass is a well-known open source password manager.
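As an added example that is not part of the writeup, the following parses the fixed 124-byte header of a KeePass 1.x database, which is what file and keepass2john read: signature, cipher flags, group and entry counts, the seeds and IV, and the number of key transformation rounds. The header bytes used here are constructed to match the values file reported above; the challenge file itself is not reproduced. The round count is the attacker's cost: KeePass 1.x transforms the SHA-256 of the password with AES-256-ECB that many times before the result can be checked against the content hash, so a 50000-round database and the roughly 348k candidates the regex allows come to about 3.5e10 AES block operations, minutes rather than milliseconds.

```python
"""Parse the KeePass 1.x (.kdb) header and size up the dictionary attack it implies."""
import struct

KDB1_SIGNATURE = (0x9AA2D903, 0xB54BFB65)
# sig1, sig2, flags, version, master_seed[16], iv[16], groups, entries, contents_hash[32],
# transform_seed[32], key transformation rounds; little-endian, 124 bytes in total.
_KDB1_HEADER = struct.Struct('<IIII16s16sII32s32sI')
_CIPHER_FLAGS = {1: 'SHA2', 2: 'Rijndael (AES)', 4: 'ArcFour', 8: 'TwoFish'}


def parse_kdb1_header(data):
    if len(data) < _KDB1_HEADER.size:
        raise ValueError('file shorter than a KeePass 1.x header')
    (sig1, sig2, flags, version, master_seed, iv, groups, entries,
     contents_hash, transform_seed, rounds) = _KDB1_HEADER.unpack_from(data)
    if (sig1, sig2) != KDB1_SIGNATURE:
        raise ValueError('not a KeePass 1.x database (signature %08x %08x)' % (sig1, sig2))
    return {
        'version': version,
        'ciphers': [name for bit, name in _CIPHER_FLAGS.items() if flags & bit],
        'groups': groups,
        'entries': entries,
        'rounds': rounds,            # key transformation rounds: the per-guess cost for an attacker
        'master_seed': master_seed,
        'iv': iv,
        'transform_seed': transform_seed,
        'contents_hash': contents_hash,
    }


def describe(header):
    """The same one-liner `file` prints for a 1.x database."""
    return 'KeePass password database 1.x KDB, %d groups, %d entries, %d key transformation rounds' % (
        header['groups'], header['entries'], header['rounds'])


def candidate_count(alphabet_size, max_len):
    """Strings matching [alphabet]{1,max_len}; repeats are allowed, so this is a sum of powers."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def aes_blocks_for_attack(candidates, rounds):
    """KDB 1.x runs AES-256-ECB over the 32-byte SHA-256(password) `rounds` times, two 16-byte
    blocks per round, before the content hash can be checked: 2 * rounds block encryptions per guess."""
    return candidates * rounds * 2


# Constructed header matching the values `file` reported: flags 3 = SHA2 | AES, version 0x00030004,
# 3 groups, 4 entries, 50000 rounds; seeds, IV and hash are filler bytes.
SAMPLE_KDB_HEADER = _KDB1_HEADER.pack(
    KDB1_SIGNATURE[0], KDB1_SIGNATURE[1], 0x3, 0x00030004,
    bytes(range(16)), bytes(range(16, 32)), 3, 4, bytes(32), bytes(range(32, 64)), 50000)

if __name__ == '__main__':
    hdr = parse_kdb1_header(SAMPLE_KDB_HEADER)
    print(describe(hdr))
    n = candidate_count(70, 3)   # [!@#a-z$%^A-Z&*0-9] is 26 + 26 + 10 + 8 = 70 characters
    print(n, 'candidates,', aes_blocks_for_attack(n, hdr['rounds']), 'AES block encryptions')
```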

I tried to open it using KeePassX for Windows, but we need a password to open the database. The password should probably match the regex, so I generated a dictionary with all the possible passwords (more than 300,000 words).

import string
import itertools

# the character class of the regex: 26 + 26 + 10 + 8 = 70 characters
chars = string.ascii_lowercase + string.ascii_uppercase + string.digits + '!@#$%^&*'

# {1,3} lets a character repeat (e.g. "aa1"), so product, not permutations, enumerates every match
with open('dict.txt', 'w') as f:
    for length in (1, 2, 3):
        for p in itertools.product(chars, repeat=length):
            f.write(''.join(p) + '\n')

Then I ran John the Ripper to crack the password and went to eat lunch.

$ keepass2john file.kdb > kp
$ john  --wordlist=dict.txt -format:keepass kp
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64 OpenSSL])
Press 'q' or Ctrl-C to abort, almost any other key for status
k18              (file.kdb)

When I came back I saw that John found the password, now lets open the file:


The flag was pragyanctf{closed_no_more}


[Pragyan CTF] Lost Friends



Lost Friends Stego 300

Moana and her friends were out on a sea voyage, spending their summer joyously.
Unfortnately, they came across Charybdis, the sea monster. Charybdis, furious over having
unknown visitors, wreaked havoc on their ship. The ship was lost.

Luckily, Moana survived, and she was swept to a nearby island. But, since then, she has not seen her
friends. Moana has come to you for help. She believes that her friends are still alive, and that you are the
only one who can help her find them


Moana has lost her friends and we need to help her find them. We are given an image which is completely blank. I opened it in Photoshop and saw that it’s completely transparent. So I grabbed Python and Pillow and dropped the alpha channel (which is responsible for transparency).

from PIL import Image
# converting from RGBA to RGB drops the alpha channel, which cancels the transparency
Image.open('lost_friends.png').convert('RGB').save('output.png')

I got this image:

Woohoo, chipmunks! It seems like every chipmunk is on a different channel, let’s split the channels:

import cv2

img = cv2.imread('lost_friends.png', cv2.IMREAD_UNCHANGED)   # keep all four channels, alpha included
b, g, r, a = cv2.split(img)                                  # OpenCV orders them B, G, R, A
for name, channel in (('blue', b), ('green', g), ('red', r)):
    cv2.imwrite('%s.png' % name, channel)                    # one greyscale image per chipmunk

Now we have three images of chipmunks:

I played with them, trying to find the flag, but found nothing. So I went back to the original image and opened it with a hex editor. At the bottom of the file I found this hint: “Psssst, Director, maybe ??”. So the flag is probably the name of the director of Chipmunks. According to Wikipedia, Chipmunks has 4 movies; I tried to submit each director and found that the director of the third movie is the flag.

The flag was pragyanctf{MikeMitchell}
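Both steps of this writeup, dropping the alpha channel and splitting the colour planes, together with the check that actually produced the hint (bytes appended after the IEND chunk), in one added example that is not part of the original post and needs neither Pillow nor OpenCV. The 4x2 RGBA image and the trailer are constructed here to stand in for lost_friends.png; the reader handles 8-bit non-interlaced PNGs with all five row filters, and the small writer uses the Sub filter so that path is exercised rather than only the trivial one.

```python
"""Inspect a PNG: chunk walk, trailing bytes after IEND, pixel decode, alpha and colour planes."""
import struct
import zlib

PNG_SIGNATURE = b'\x89PNG\r\n\x1a\n'
CHANNELS = {0: 1, 2: 3, 4: 2, 6: 4}   # colour type -> samples per pixel (grey, RGB, grey+alpha, RGBA)


def _paeth(a, b, c):
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def unfilter(raw, width, height, bpp):
    """Undo the per-row PNG filters (None, Sub, Up, Average, Paeth) on the inflated IDAT stream."""
    stride, pos, prev, rows = width * bpp, 0, bytearray(width * bpp), []
    for _ in range(height):
        ftype, cur = raw[pos], bytearray(raw[pos + 1:pos + 1 + stride])
        pos += 1 + stride
        for i in range(stride):
            a = cur[i - bpp] if i >= bpp else 0     # left neighbour, already reconstructed
            b = prev[i]                             # the byte above
            c = prev[i - bpp] if i >= bpp else 0    # upper-left neighbour
            if ftype == 1:
                cur[i] = (cur[i] + a) & 0xFF
            elif ftype == 2:
                cur[i] = (cur[i] + b) & 0xFF
            elif ftype == 3:
                cur[i] = (cur[i] + ((a + b) >> 1)) & 0xFF
            elif ftype == 4:
                cur[i] = (cur[i] + _paeth(a, b, c)) & 0xFF
            elif ftype != 0:
                raise ValueError('unknown filter type %d' % ftype)
        rows.append(bytes(cur))
        prev = cur
    return rows


def inspect_png(data):
    """Walk the chunks; return size, one plane (list of rows) per channel, whether alpha is all
    zero, and every byte that follows IEND (where this challenge hid its hint)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError('not a PNG')
    pos, ihdr, idat = len(PNG_SIGNATURE), None, []
    while True:
        length, ctype = struct.unpack('>I4s', data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack('>I', data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError('bad CRC in %r chunk' % ctype)
        pos += 12 + length
        if ctype == b'IHDR':
            ihdr = struct.unpack('>IIBBBBB', payload)
        elif ctype == b'IDAT':
            idat.append(payload)
        elif ctype == b'IEND':
            break
    width, height, depth, colour_type, _, _, interlace = ihdr
    if depth != 8 or interlace:
        raise NotImplementedError('only 8-bit non-interlaced PNGs are handled here')
    channels = CHANNELS[colour_type]
    rows = unfilter(zlib.decompress(b''.join(idat)), width, height, channels)
    planes = [[row[k::channels] for row in rows] for k in range(channels)]
    alpha_all_zero = channels in (2, 4) and all(v == 0 for row in planes[-1] for v in row)
    return {'size': (width, height), 'planes': planes, 'alpha_all_zero': alpha_all_zero,
            'trailing': data[pos:]}


def _chunk(ctype, payload):
    return struct.pack('>I', len(payload)) + ctype + payload + struct.pack('>I', zlib.crc32(ctype + payload))


def make_rgba_png(width, height, rows, trailer=b''):
    """Minimal RGBA writer; every row uses the Sub filter so the reader's unfilter path is exercised."""
    filtered = b''.join(b'\x01' + bytes((row[i] - (row[i - 4] if i >= 4 else 0)) & 0xFF for i in range(len(row)))
                        for row in rows)
    ihdr = struct.pack('>IIBBBBB', width, height, 8, 6, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b'IHDR', ihdr) + _chunk(b'IDAT', zlib.compress(filtered))
            + _chunk(b'IEND', b'') + trailer)


# Constructed 4x2 stand-in for lost_friends.png: R, G and B each carry their own pattern, alpha is 0
# everywhere (fully transparent), and the hint quoted in the writeup is appended after IEND.
WIDTH, HEIGHT = 4, 2
SAMPLE_ROWS = [b''.join(bytes([0x10 * (x + 1), 0xA0 + y, 0xFF if x == y else 0x00, 0x00]) for x in range(WIDTH))
               for y in range(HEIGHT)]
SAMPLE_PNG = make_rgba_png(WIDTH, HEIGHT, SAMPLE_ROWS, trailer=b'Psssst, Director, maybe ??')

if __name__ == '__main__':
    info = inspect_png(SAMPLE_PNG)
    print('size %dx%d, alpha all zero: %s' % (info['size'] + (info['alpha_all_zero'],)))
    print('bytes after IEND:', info['trailing'])
    for name, plane in zip('RGBA', info['planes']):
        print(name, [row.hex() for row in plane])
```

A fully transparent image still carries complete R, G and B planes; viewers just refuse to show them. Decoders also stop at IEND, so anything appended after it is invisible to image tools and only shows up in a hex editor or a chunk walk like this one.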