Published: 2020-04-25
Last Updated: 2020-04-25 15:30:28 UTC
by Didier Stevens (Version: 1)
3 comment(s)

When we publish diary entries covering malware, we almost always share the hash of the malware sample.

I prefer posting the MD5 hash because it is short, together with a link to the VirusTotal entry for said malware sample. VirusTotal reports different hashes, so that you can find your preferred hash. And if you have a VT subscription, you can also download the sample itself.

A new, free malware sharing service is available now: MALWARE Bazaar.

I will make sure that every public malware sample I blog about from now on is available on MALWARE Bazaar, like this sample, for example, which I extracted from a malicious document I wrote about in recent diaries.

Didier Stevens
Senior handler
Microsoft MVP

Keywords: malware



Trying to have a look at the samples, I failed to open the zip file with several Debian tools and yours as well. The error message was "bad password".

Any hint?

I took a look, and the ZIP file you download from Malware Bazaar is encrypted with password "infected" (as mentioned on the download page), but they use modern AES encryption instead of the old ZipCrypto encryption.

So make sure you use a ZIP tool that supports AES encryption. Tomorrow I'll release a new version of that supports module pyzipper (pyzipper supports AES).
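The reply above explains why ordinary ZIP tools choke on these downloads: WinZip-style AES encryption is recorded in the ZIP headers as compression method 99 plus an "AE-x" extra field (ID 0x9901), so a tool that only understands ZipCrypto can fail in a way that looks like a wrong password, as in the comment above. The Python below is an added example, not code from this diary or from MalwareBazaar. It constructs a two-entry ZIP in memory (the "encrypted" payload is filler bytes rather than real ciphertext, and the file names, sizes and dates are made up), uses the standard library to read the central directory and report which encryption scheme each entry uses, and shows that stdlib zipfile cannot extract the AES entry whatever password you give it.

```python
import io
import struct
import zipfile
import zlib
from typing import Optional

# WinZip AES: compression method 99 plus an "AE-x" extra field (ID 0x9901).
WINZIP_AES_METHOD = 99
AES_EXTRA_ID = 0x9901
AES_STRENGTH = {1: 128, 2: 192, 3: 256}          # strength byte -> key bits
METHOD_NAMES = {0: "stored", 8: "deflate", 12: "bzip2", 14: "lzma"}


def parse_aes_extra(extra: bytes) -> Optional[dict]:
    """Return the AE-x parameters found in a ZIP extra-field blob, or None.

    Extra field layout: header ID 0x9901, data size 7, vendor version
    (1 = AE-1, 2 = AE-2), vendor ID b"AE", AES strength byte, and the real
    compression method that was applied before encryption.
    """
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and size == 7 and len(body) == 7:
            version, vendor, strength, method = struct.unpack("<H2sBH", body)
            if vendor == b"AE" and strength in AES_STRENGTH:
                return {"ae_version": version,
                        "key_bits": AES_STRENGTH[strength],
                        "inner_method": METHOD_NAMES.get(method, str(method))}
        pos += 4 + size
    return None


def describe_zip_encryption(data: bytes) -> list:
    """Report each entry's encryption scheme from the central directory only.

    The stdlib can parse the central directory of an AES-encrypted ZIP; it
    only refuses to decrypt/decompress method-99 entries. That is enough for
    triage: you learn which tool you need before trying any password.
    """
    result = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x0001)    # general-purpose bit 0
            scheme = "none"
            if encrypted:
                aes = parse_aes_extra(info.extra)
                if info.compress_type == WINZIP_AES_METHOD and aes:
                    scheme = "WinZip AES-%d (AE-%d, inner %s)" % (
                        aes["key_bits"], aes["ae_version"], aes["inner_method"])
                elif info.compress_type == WINZIP_AES_METHOD:
                    scheme = "WinZip AES (AE extra field missing)"
                else:
                    scheme = "ZipCrypto"
            result.append({"name": info.filename, "encrypted": encrypted, "scheme": scheme})
    return result


def stdlib_can_extract(data: bytes, name: str, pwd: Optional[bytes]) -> bool:
    """True if Python's zipfile can decrypt and decompress `name` with `pwd`.

    For a method-99 entry this is False for every password: the failure is
    the unsupported method, not a wrong password, even if a tool says so.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name, pwd=pwd)
        return True
    except (NotImplementedError, RuntimeError, zipfile.BadZipFile):
        return False


def _constructed_zip(entries) -> bytes:
    """Serialize (name, flags, method, crc, payload, extra, orig_size) tuples
    into a ZIP: local headers, central directory, end-of-central-directory."""
    dos_time, dos_date = 31694, 20633          # 15:30:28 on 2020-04-25 (made up)
    out, central = bytearray(), bytearray()
    for name, flags, method, crc, payload, extra, orig_size in entries:
        offset = len(out)
        out += struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 51, flags, method, dos_time,
                           dos_date, crc, len(payload), orig_size, len(name), len(extra))
        out += name + extra + payload
        central += struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 51, 51, flags, method,
                               dos_time, dos_date, crc, len(payload), orig_size, len(name),
                               len(extra), 0, 0, 0, 0, offset)
        central += name + extra
    cd_offset = len(out)
    out += central
    out += struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), cd_offset, 0)
    return bytes(out)


def build_sample_zip() -> bytes:
    """Constructed sample: one plain stored entry plus one WinZip AES-256 entry.

    The AES payload mimics the on-disk shape (16-byte salt, 2-byte password
    verifier, ciphertext, 10-byte auth code) but is filler, not real output
    of AES; AE-2 stores CRC 0 because the plaintext CRC would leak information.
    """
    readme = b"Extracted from a malicious document.\n"
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)   # AE-2, 256-bit, deflate
    fake_aes_payload = bytes(range(16)) + b"\xab\xcd" + b"\x00" * 40 + b"\xff" * 10
    return _constructed_zip([
        (b"README.txt", 0x0000, 0, zlib.crc32(readme), readme, b"", len(readme)),
        (b"sample.exe", 0x0001, WINZIP_AES_METHOD, 0, fake_aes_payload, aes_extra, 1024),
    ])


if __name__ == "__main__":
    sample = build_sample_zip()
    for entry in describe_zip_encryption(sample):
        print(entry)
    print("stdlib extracts sample.exe with 'infected':",
          stdlib_can_extract(sample, "sample.exe", b"infected"))
```

Run the script on a real download by replacing `build_sample_zip()` with the file's bytes; an entry reported as "WinZip AES-..." needs a tool with AES support (7-Zip, or pyzipper's AESZipFile in Python) rather than a different password.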

The keyword "AES" led to 7zip.

Having a look at some xlsm files, there were 3 versions by the same author. The first 32 bytes of the files might reveal something, but I can't interpret it.
