Malware Resources#
Sample sources, classification corpora, and C2-framework catalogues the operator pulls open during triage. Some require accounts; several rate-limit aggressive scraping. Operators handling live samples should isolate the analysis host (VM, network namespace, or an air-gapped jump box) before pulling anything from these indices.
Sample sources#
MalwareBazaar at https://bazaar.abuse.ch/, the abuse.ch feed; free, API-keyed, well-tagged.
VirusShare at https://virusshare.com/, the long-running archive; registration required.
Malshare at https://malshare.com/, daily scrape of malicious URLs; free with API key.
vx-underground at https://vx-underground.org/, mirrored papers, samples, and APT corpora.
Hybrid Analysis at https://www.hybrid-analysis.com/, sandbox + sample search.
theZoo at ytisf/theZoo, live-malware repo for offline analysis.
Objective-See at https://objective-see.org/malware.html, the canonical macOS-malware archive.
InQuest Labs at https://labs.inquest.net/, searchable corpus of malicious Microsoft Office documents.
Contagio at http://contagiodump.blogspot.com/, the long-standing analyst blog with attached samples.
Classification#
Malpedia at https://malpedia.caad.fkie.fraunhofer.de/, Fraunhofer FKIE’s curated family taxonomy. The operator’s first stop after a YARA hit.
MITRE ATT&CK at https://attack.mitre.org/, TTP and group-to-software graph the operator pivots through.
MISP galaxy at MISP/misp-galaxy, community vocabulary the operator can plug into MISP, OpenCTI, or a SIEM.
C2#
The C2 Matrix at https://www.thec2matrix.com/, the comparison grid the operator uses when picking a C2 framework for an adversary-emulation plan.
References#
YARA for the rule language that drives classification.
Volatility for memory-side triage.