Statistics
MalwareBazaar produces detailed statistics on shared malware samples, including associated detections - find the available statistics below.
You can also access Spamhaus's Malware Digest report, based on MalwareBazaar data:
Malware sample shared
The chart below shows the number of unique malware samples shared on MalwareBazaar per day over a period of 30 days.
Top Reporters
It wouldn't be possible to operate MalwareBazaar without the help of volunteers who contribute malware samples to MalwareBazaar. The table below shows the top reporters and their Twitter handle.
| Rank | Reporter | Last activity | Submissions |
|---|---|---|---|
| 1 |  abuse_ch | 2025-03-27 | 4'071 |
| 2 |  JAMESWT_MHT | 2025-03-27 | 698 |
| 3 |  aachum | 2025-03-27 | 254 |
| 4 |  BastianHein | 2025-03-27 | 242 |
| 5 |  SecuriteInfoCom | 2025-03-27 | 219 |
| 6 |  threatcat_ch | 2025-03-27 | 199 |
| 7 | TornadoAV_dev | 2025-03-22 | 197 |
| 8 |  SquiblydooBlog | 2025-03-22 | 155 |
| 9 |  g0njxa | 2025-03-25 | 132 |
| 10 |  TeamDreier | 2025-03-27 | 121 |
| 11 |  smica83 | 2025-03-27 | 89 |
| 12 |  lowmal3 | 2025-03-27 | 87 |
| 13 |  cocaman | 2025-03-25 | 83 |
| 14 |  elfdigest | 2025-03-26 | 67 |
| 15 |  skocherhan | 2025-03-24 | 60 |
Top Malware Families
Top Tags
Most matching YARA rules
YARA rules that matched most on malware samples in MalwareBazaar.
| Malware Samples | YARA rule | Author | Last match |
|---|---|---|---|
| 1'172 | Sus_Obf_Enc_Spoof_Hide_PE | XiAnzheng | 2025-03-27 |
| 586 | linux_generic_ipv6_catcher | @_lubiedo | 2025-03-26 |
| 527 | golang_bin_JCorn_CSC846 | Justin Cornwell | 2025-03-27 |
| 499 | NET | malware-lu | 2025-03-27 |
| 445 | Skystars_Malware_Imphash | Skystars LightDefender | 2025-03-27 |
| 444 | pe_imphash | None | 2025-03-27 |
| 430 | RANSOMWARE | ToroGuitar | 2025-03-27 |
| 369 | unixredflags3 | Tim Brown @timb_machine | 2025-03-25 |
| 368 | DebuggerCheck__API | None | 2025-03-27 |
| 316 | NETexecutableMicrosoft | malware-lu | 2025-03-27 |
| 310 | MD5_Constants | phoul (@phoul) | 2025-03-27 |
| 261 | pe_detect_tls_callbacks | None | 2025-03-26 |
| 258 | upx_packed_elf_v1 | RandomMalware | 2025-03-26 |
| 252 | RIPEMD160_Constants | phoul (@phoul) | 2025-03-27 |
| 252 | SHA1_Constants | phoul (@phoul) | 2025-03-27 |
Most downloaded Malware Samples
Most downloaded malware samples on MalwareBazaar.
doc
xlsx
ANY.RUN
Top detections by ANY.RUN for malware samples on MalwareBazaar.
ClamAV
Top detections by ClamAV for malware samples on MalwareBazaar.
Intezer
Top detections by Intezer for malware samples on MalwareBazaar.
Joe Sandbox
Top detections by Joe Sandbox for malware samples on MalwareBazaar.
CERT.PL MWDB
Top detections by CERT.PL MWDB for malware samples on MalwareBazaar.
ReversingLabs
Top detections by ReversingLabs Titanium Platform for malware samples on MalwareBazaar.
Threatray
Top detections by Threatray for malware samples on MalwareBazaar.
Triage
Top detections by Triage for malware samples on MalwareBazaar.
UnpacMe
Top detections by UnpacMe for malware samples on MalwareBazaar.
VMRay
Top detections by VMRay for malware samples on MalwareBazaar.
FileScan.IO
Top classifications by FileScan.IO for malware samples on MalwareBazaar.
CyberFortress
Top classifications by CyberFortress for malware samples on MalwareBazaar.
ThreatZone
Top classifications by ThreatZone for malware samples on MalwareBazaar.
Top File Types
Most seen file types associated with malware samples on MalwareBazaar.
Top imphashes
Most seen imphashes on MalwareBazaar.
Top ssdeep hashes
Most seen ssdeep hashes on MalwareBazaar.
| Malware Sample | ssdeep | Signature(s) |
|---|---|---|
| 16 | 6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgJ:25WOSACZSV6eKRH5EPiamb4DsDwwcZ | Prometei |
| 14 | 6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgz:25WOSACZSV6eKRH5EPiamb4DsDwwcj | Prometei |
| 14 | 6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgE:25WOSACZSV6eKRH5EPiamb4DsDwwcU | Prometei |
| 13 | 6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgt:25WOSACZSV6eKRH5EPiamb4DsDwwcd | Prometei |
| 12 | 6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitga:25WOSACZSV6eKRH5EPiamb4DsDwwcq | Prometei |
| 12 | 6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgq:25WOSACZSV6eKRH5EPiamb4DsDwwca | Prometei |
| 12 | 6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgF:25WOSACZSV6eKRH5EPiamb4DsDwwcV | Prometei |
| 12 | 6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgw:25WOSACZSV6eKRH5EPiamb4DsDwwcg | Prometei |
| 12 | 6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgs:25WOSACZSV6eKRH5EPiamb4DsDwwcc | Prometei |
| 12 | 6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitgD:25WOSACZSV6eKRH5EPiamb4DsDwwcT | Prometei |
Top dhash icon
Most seen dhashes of icons from PE32 executables and their signatures.
| Malware Sample | dhash icon | Signature(s) |
|---|---|---|
| 201 | 18b1b1b17068c880 | 1 x KawaiiUnicorn |
| 167 | aae2f3e38383b629 | 53 x Formbook, 35 x MassLogger, 30 x SnakeKeylogger |
| 44 | 19b1b1b17068c880 | n/a |
| 40 | 0000000000000000 | 7 x SnakeKeylogger, 7 x Formbook, 4 x MassLogger |
| 22 | b298acbab2ca7a72 | 5 x Socks5Systemz, 3 x Adware.DealPly, 1 x ValleyRAT |
| 22 | 5050d270cccc82ae | 3 x LummaStealer, 1 x Adware.Generic, 1 x GOBackdoor |
| 21 | c4d48eaa8ad4d4f8 | 20 x RemcosRAT |
| 17 | e0f8fafbc3f3f8d8 | 14 x GCleaner, 3 x Amadey |
| 15 | c6c2ccc4f4e0e0f8 | 1 x Braodo, 1 x CobaltStrike |
| 14 | 9494b494d4aeaeac | 6 x DCRat, 2 x Babadeda, 1 x DiskWriter |
Malware sample shared
The chart below shows the number of unique malware samples shared on MalwareBazaar per day over a period of 12 months.
Top Reporters
It wouldn't be possible to operate MalwareBazaar without the help of volunteers who contribute malware samples to MalwareBazaar. The table below shows the top reporters and their Twitter handle.
| Rank | Reporter | Last activity | Submissions |
|---|---|---|---|
| 1 | abuse_ch | 2025-03-27 | 210'813 |
| 2 |  zbetcheckin | 2024-11-09 | 78'688 |
| 3 |  lazyactivist192 | 2024-01-17 | 69'729 |
| 4 |  Cryptolaemus1 | 2024-03-20 | 67'837 |
| 5 |  seifreed | 2021-10-19 | 48'947 |
| 6 | SecuriteInfoCom | 2025-03-27 | 37'864 |
| 7 |  andretavare5 | 2024-01-18 | 35'831 |
| 8 | cocaman | 2025-03-25 | 30'133 |
| 9 | JAMESWT_MHT | 2023-04-29 | 26'183 |
| 10 |  Libranalysis | 2024-01-17 | 17'035 |
| 11 |  GovCERT_CH | 2024-10-18 | 15'559 |
| 12 | lowmal3 | 2025-03-27 | 13'631 |
| 13 | JAMESWT_MHT | 2025-03-27 | 13'072 |
| 14 |  adrian__luca | 2025-03-24 | 10'511 |
| 15 |  Bitsight | 2025-03-15 | 9'777 |
Top Malware Families
Top Tags
Most matching YARA rules
YARA rules that matched most on malware samples in MalwareBazaar.
| Malware Samples | YARA rule | Author | Last match |
|---|---|---|---|
| 118'080 | Skystars_Malware_Imphash | Skystars LightDefender | 2025-03-27 |
| 81'304 | pe_imphash | None | 2025-03-27 |
| 78'503 | SharedStrings | Katie Kleemola | 2025-02-17 |
| 76'712 | Email_stealer_bin_mem | James_inthe_box | 2024-06-13 |
| 74'505 | Select_from_enumeration | James_inthe_box | 2025-01-23 |
| 73'333 | UAC_bypass_bin_mem | James_inthe_box | 2023-03-07 |
| 71'651 | IPPort_combo_mem | James_inthe_box | 2025-03-26 |
| 51'921 | unixredflags3 | Tim Brown @timb_machine | 2025-03-25 |
| 51'175 | pe_imphash | 2025-03-27 | |
| 49'446 | linux_generic_ipv6_catcher | @_lubiedo | 2025-03-26 |
| 45'508 | Cobalt_functions | @j0sm1 | 2023-08-23 |
| 42'564 | NET | malware-lu | 2025-03-27 |
| 37'755 | DebuggerCheck__API | None | 2025-03-27 |
| 31'954 | pdb_YARAify | @wowabiy314 | 2025-01-05 |
| 30'306 | BitcoinAddress | Didier Stevens (@DidierStevens) | 2025-02-28 |
Most downloaded Malware Samples
Most downloaded malware samples on MalwareBazaar.
exe
ANY.RUN
Top detections by ANY.RUN for malware samples on MalwareBazaar.
ClamAV
Top detections by ClamAV for malware samples on MalwareBazaar.
Intezer
Top detections by Intezer for malware samples on MalwareBazaar.
Joe Sandbox
Top detections by Joe Sandbox for malware samples on MalwareBazaar.
CERT.PL MWDB
Top detections by CERT.PL MWDB for malware samples on MalwareBazaar.
ReversingLabs
Top detections by ReversingLabs Titanium Platform for malware samples on MalwareBazaar.
Threatray
Top detections by Threatray for malware samples on MalwareBazaar.
Triage
Top detections by Triage for malware samples on MalwareBazaar.
UnpacMe
Top detections by UnpacMe for malware samples on MalwareBazaar.
VMRay
Top detections by VMRay for malware samples on MalwareBazaar.
FileScan.IO
Top classifications by FileScan.IO for malware samples on MalwareBazaar.
CyberFortress
Top classifications by CyberFortress for malware samples on MalwareBazaar.
ThreatZone
Top classifications by ThreatZone for malware samples on MalwareBazaar.
Most discussed Malware Samples
Most discussed (commented) malware samples on MalwareBazaar.
htaTop File Types
Most seen file types associated with malware samples on MalwareBazaar.
Top imphashes
Most seen imphashes on MalwareBazaar.
Top ssdeep hashes
Most seen ssdeep hashes on MalwareBazaar.
| Malware Sample | ssdeep | Signature(s) |
|---|---|---|
| 1'124 | 12288:J2+J+l5QvSoOUkQNPRoswLLjfsHJNF05s:AJl5QrrkQFCHspN4 | Quakbot |
| 1'123 | 12288:U2+J+l5QvSoOUkQGPRoswLLjfsHJNF05F:PJl5QrrkQOCHspN4 | Quakbot |
| 1'121 | 12288:l2+J+l5QvSoOUkQiPRoswLLjfsHJNF05h:8Jl5QrrkQaCHspN4 | Quakbot |
| 528 | 1536:1I+Hymsbck3hbdlylKsgqopeJBWhZFGkE+cMLxAAISQ5gQ72IotO6nitSU6U+x:1I+HymsYk3hbdlylKsgqopeJBWhZFGkz | SilentBuilder Heodo |
| 419 | 1536:H0k3hbdlylKsgqopeJBWhZFGkE+cMLxAAIzSEV2NnX4Ia3gg5W8IuD7PoHsP7e3/:H0k3hbdlylKsgqopeJBWhZFGkE+cMLxz | SilentBuilder Heodo |
| 416 | 768:0Jlk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIZEtm/piJaiyH5YnJe+eO+8WoFYpLd:0rk3hbdlylKsgqopeJBWhZFGkE+cMLx6 | SilentBuilder Heodo |
| 401 | 1536:u8rk3hbdlylKsgqopeJBWhZFGkE+cL2NdAE6yHBEL70drpFk0GX/s2C6ORQYDBhQ:ugk3hbdlylKsgqopeJBWhZFGkE+cL2N8 | SilentBuilder Heodo |
| 373 | 3072:IFNthWQl/rSJ7lvt9filcZritkrINAEYsm2:IBhWQ/mJLflrOAp2 | Gozi Heodo |
| 351 | 3072:zs+Hyms0k3hbdlylKsgqopeJBWhZFGkE+cMLxAAIb4UgCEqM5mheHRAjNKnlGIz/:o+Hyms0k3hbdlylKsgqopeJBWhZFVE+P | SilentBuilder Heodo |
| 307 | 12288:xyP2Md2hn+tDKFtKwK5KLK6KYK5KlK3K1aoNl7Mv+lwVwy:grdO+tDKFQoNOml | TrickBot |
Top dhash icon
Most seen dhashes of icons from PE32 executables and their signatures.
| Malware Sample | dhash icon | Signature(s) |
|---|---|---|
| 15'249 | f8f0f4c8c8c8d8f0 | 8'797 x RedLineStealer, 5'027 x Amadey, 288 x Smoke Loader |
| 5'696 | b2a89c96a2cada72 | 2'283 x Formbook, 981 x Loki, 800 x AgentTesla |
| 4'915 | aae2f3e38383b629 | 1'337 x Formbook, 1'131 x CredentialFlusher, 502 x AgentTesla |
| 4'767 | b298acbab2ca7a72 | 2'327 x GCleaner, 1'600 x Socks5Systemz, 67 x RedLineStealer |
| 3'895 | 71b119dcce576333 | 3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT |
| 2'992 | 0000000000000000 | 842 x AgentTesla, 422 x Formbook, 270 x RedLineStealer |
| 2'695 | 848c5454baf47474 | 2'086 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox |
| 1'902 | 9494b494d4aeaeac | 707 x DCRat, 171 x RedLineStealer, 134 x CryptOne |
| 1'150 | fefce49e86c0fcfe | 884 x Socks5Systemz, 259 x RaccoonStealer |
| 1'067 | 399998ecd4d46c0e | 572 x Quakbot, 137 x ArkeiStealer, 54 x RecordBreaker |
Most discussed Malware Samples
Most discussed (commented) malware samples on MalwareBazaar.