Statistics

MalwareBazaar produces various statistics on malware samples shared, including their detections. The available statistics can be found below.

Malware sample shared


The chart below shows the number of unique malware samples shared on MalwareBazaar per day over a period of 30 days.


Top Reporters


It wouldn't be possible to operate MalwareBazaar without the help of volunteers who contribute malware samples. The table below shows the top reporters and their Twitter handles.

| Rank | Reporter (Twitter) | Last activity | Submissions |
|------|--------------------|---------------|-------------|
| 1 | @zbetcheckin | 2022-01-24 | 1'861 |
| 2 | @abuse_ch | 2022-01-24 | 1'355 |
| 3 | @Cryptolaemus1 | 2022-01-25 | 372 |
| 4 | @r3dbU7z | 2022-01-24 | 335 |
| 5 | @GovCERT_CH | 2022-01-25 | 278 |
| 6 | @tolisec | 2022-01-25 | 222 |
| 7 | @cocaman | 2022-01-25 | 218 |
| 8 | @JAMESWT_MHT | 2022-01-24 | 169 |
| 9 | @SecuriteInfoCom | 2022-01-24 | 132 |
| 10 | @pr0xylife | 2022-01-24 | 105 |
| 11 | @lowmal3 | 2022-01-24 | 97 |
| 12 | @TeamDreier | 2022-01-24 | 85 |
| 13 | @malwarelabnet | 2022-01-24 | 67 |
| 14 | @James_inthe_box | 2022-01-24 | 66 |
| 15 | @madjack_red | 2022-01-24 | 56 |

Top Malware Families

Top Tags

Most matching YARA rules


YARA rules that matched most on malware samples in MalwareBazaar.

| Malware Samples | YARA rule | Author | Last match |
|-----------------|-----------|--------|------------|
| 1'101 | pe_imphash | | 2022-01-25 |
| 1'101 | Skystars_Malware_Imphash | Skystars LightDefender | 2022-01-25 |
| 752 | unixredflags3 | Tim Brown @timb_machine | 2022-01-24 |
| 708 | linux_generic_ipv6_catcher | @_lubiedo | 2022-01-25 |
| 605 | BitcoinAddress | Didier Stevens (@DidierStevens) | 2022-01-24 |
| 488 | Excel_Hidden_Macro_Sheet | | 2022-01-24 |
| 485 | SUSP_Excel4Macro_AutoOpen | John Lambert @JohnLaTwC | 2022-01-24 |
| 281 | Qbot | Dhanunjaya | 2022-01-24 |
| 257 | MALW_emotet | Marc Rivero \| McAfee ATR Team | 2022-01-24 |
| 230 | MALWARE_Win_RedLine | ditekSHen | 2022-01-24 |
| 182 | SUSP_XORed_Mozilla | Florian Roth | 2022-01-24 |
| 182 | SUSP_XORed_Mozilla_RID2DB4 | Florian Roth | 2022-01-24 |
| 179 | enterpriseapps2 | Tim Brown @timb_machine | 2022-01-24 |
| 165 | MALWARE_Win_AgentTeslaV3 | ditekSHen | 2022-01-24 |
| 163 | ach_AgentTesla_20200929 | abuse.ch | 2022-01-24 |

Most downloaded Malware Samples


Most downloaded malware samples on MalwareBazaar.


CAPE Sandbox


Top detections by CAPE Sandbox for malware samples on MalwareBazaar.

ClamAV


Top detections by ClamAV for malware samples on MalwareBazaar.

Intezer


Top detections by Intezer for malware samples on MalwareBazaar.

Joe Sandbox


Top detections by Joe Sandbox for malware samples on MalwareBazaar.

CERT.PL MWDB


Top detections by CERT.PL MWDB for malware samples on MalwareBazaar.

ReversingLabs


Top detections by ReversingLabs Titanium Platform for malware samples on MalwareBazaar.

Threatray


Top detections by Threatray for malware samples on MalwareBazaar.

Triage


Top detections by Triage for malware samples on MalwareBazaar.

UnpacMe


Top detections by UnpacMe for malware samples on MalwareBazaar.

VMRay


Top detections by VMRay for malware samples on MalwareBazaar.

FileScan.IO


Top classifications by FileScan.IO for malware samples on MalwareBazaar.

Most discussed Malware Samples


Most discussed (commented) malware samples on MalwareBazaar.


Top File Types


Most seen file types associated with malware samples on MalwareBazaar.

Top imphashes


Most seen imphashes on MalwareBazaar.


Top ssdeep hashes


Most seen ssdeep hashes on MalwareBazaar.


Top dhash icon


Most seen dhashes of icons from PE32 executables and their signatures.


Malware sample shared


The chart below shows the number of unique malware samples shared on MalwareBazaar per day over a period of 12 months.


Top Reporters


It wouldn't be possible to operate MalwareBazaar without the help of volunteers who contribute malware samples. The table below shows the top reporters and their Twitter handles.

| Rank | Reporter (Twitter) | Last activity | Submissions |
|------|--------------------|---------------|-------------|
| 1 | @abuse_ch | 2022-01-24 | 92'315 |
| 2 | @lazyactivist192 | 2021-04-26 | 69'725 |
| 3 | @Cryptolaemus1 | 2022-01-25 | 55'316 |
| 4 | @Seifreed | 2021-10-19 | 48'947 |
| 5 | @c4llsec | 2021-05-19 | 23'982 |
| 6 | @zbetcheckin | 2022-01-24 | 20'770 |
| 7 | @JAMESWT_MHT | 2022-01-24 | 18'374 |
| 8 | @Libranalysis | 2022-01-21 | 17'025 |
| 9 | @cocaman | 2022-01-25 | 12'191 |
| 10 | @SecuriteInfoCom | 2022-01-24 | 11'129 |
| 11 | @GovCERT_CH | 2022-01-25 | 9'158 |
| 12 | @FORMALITYDE | 2021-12-07 | 5'555 |
| 13 | @jarumlus | 2021-09-28 | 5'360 |
| 14 | @James_inthe_box | 2022-01-24 | 5'360 |
| 15 | @lowmal3 | 2022-01-24 | 3'535 |

Top Malware Families

Top Tags

Most matching YARA rules


YARA rules that matched most on malware samples in MalwareBazaar.

| Malware Samples | YARA rule | Author | Last match |
|-----------------|-----------|--------|------------|
| 78'468 | SharedStrings | Katie Kleemola | 2021-12-26 |
| 76'694 | Email_stealer_bin_mem | James_inthe_box | 2021-12-26 |
| 74'496 | Select_from_enumeration | James_inthe_box | 2021-12-26 |
| 73'328 | UAC_bypass_bin_mem | James_inthe_box | 2022-01-06 |
| 71'636 | IPPort_combo_mem | James_inthe_box | 2022-01-17 |
| 45'492 | Cobalt_functions | @j0sm1 | 2021-07-13 |
| 29'563 | MALWARE_Win_DLLLoader | ditekSHen | 2021-12-26 |
| 28'408 | DridexV4 | kevoreilly | 2021-12-26 |
| 28'071 | ach_Dridex_xls_20200528 | abuse.ch | 2021-12-09 |
| 25'931 | Skystars_Malware_Imphash | Skystars LightDefender | 2022-01-25 |
| 25'431 | Win32_Trojan_Emotet | ReversingLabs | 2022-01-04 |
| 25'034 | DridexLoader | kevoreilly | 2021-12-31 |
| 23'581 | win_dridex_auto | Felix Bilstein | 2021-12-26 |
| 23'079 | ach_Quakbot_xlsb_20201023 | abuse.ch | 2022-01-12 |
| 22'029 | win_sisfader_auto | Felix Bilstein | 2021-05-07 |

Most downloaded Malware Samples


Most downloaded malware samples on MalwareBazaar.


CAPE Sandbox


Top detections by CAPE Sandbox for malware samples on MalwareBazaar.

ClamAV


Top detections by ClamAV for malware samples on MalwareBazaar.

Intezer


Top detections by Intezer for malware samples on MalwareBazaar.

Joe Sandbox


Top detections by Joe Sandbox for malware samples on MalwareBazaar.

CERT.PL MWDB


Top detections by CERT.PL MWDB for malware samples on MalwareBazaar.

ReversingLabs


Top detections by ReversingLabs Titanium Platform for malware samples on MalwareBazaar.

Threatray


Top detections by Threatray for malware samples on MalwareBazaar.

Triage


Top detections by Triage for malware samples on MalwareBazaar.

UnpacMe


Top detections by UnpacMe for malware samples on MalwareBazaar.

VMRay


Top detections by VMRay for malware samples on MalwareBazaar.

FileScan.IO


Top classifications by FileScan.IO for malware samples on MalwareBazaar.

Most discussed Malware Samples


Most discussed (commented) malware samples on MalwareBazaar.


Top File Types


Most seen file types associated with malware samples on MalwareBazaar.

Top imphashes


Most seen imphashes on MalwareBazaar.


Top ssdeep hashes


Most seen ssdeep hashes on MalwareBazaar.


Top dhash icon


Most seen dhashes of icons from PE32 executables and their signatures.
