Statistics

MalwareBazaar produces various statistics on malware samples shared, including their detections. The available statistics can be found below.

Malware sample shared


The chart below shows the number of unique malware samples shared on MalwareBazaar per day over a period of 30 days.


Top Reporters


It wouldn't be possible to operate MalwareBazaar without the help of volunteers who contribute malware samples to MalwareBazaar. The table below shows the top reporters and their Twitter handles.

| Rank | Reporter | Last activity | Submissions |
|---|---|---|---|
| 1 | @zbetcheckin | 2022-05-26 | 2'226 |
| 2 | @abuse_ch | 2022-05-26 | 1'033 |
| 3 | @SecuriteInfoCom | 2022-05-26 | 465 |
| 4 | @GovCERT_CH | 2022-05-26 | 298 |
| 5 | @tolisec | 2022-05-25 | 294 |
| 6 | @JAMESWT_MHT | 2022-05-26 | 283 |
| 7 | @cocaman | 2022-05-26 | 258 |
| 8 | @pr0xylife | 2022-05-26 | 211 |
| 9 | @TeamDreier | 2022-05-24 | 177 |
| 10 | @httsmvkcom | 2022-05-23 | 162 |
| 11 | @lowmal3 | 2022-05-25 | 158 |
| 12 | @obfusor | 2022-05-26 | 136 |
| 13 | @malwarelabnet | 2022-05-26 | 78 |
| 14 | @James_inthe_box | 2022-05-26 | 76 |
| 15 | @JaffaCakes118 | 2022-05-24 | 60 |

Top Malware Families

Top Tags

Most matching YARA rules


YARA rules that matched most on malware samples in MalwareBazaar.

| Malware Samples | YARA rule | Author | Last match |
|---|---|---|---|
| 1'485 | pe_imphash | | 2022-05-26 |
| 1'485 | Skystars_Malware_Imphash | Skystars LightDefender | 2022-05-26 |
| 822 | crime_win64_emotet_unpacked | Rony (r0ny_123) | 2022-05-26 |
| 517 | linux_generic_ipv6_catcher | @_lubiedo | 2022-05-25 |
| 512 | myMirai | | 2022-05-26 |
| 392 | unixredflags3 | Tim Brown @timb_machine | 2022-05-25 |
| 274 | BitcoinAddress | Didier Stevens (@DidierStevens) | 2022-05-26 |
| 272 | MALWARE_Win_RedLine | ditekSHen | 2022-05-26 |
| 220 | SUSP_XORed_Mozilla | Florian Roth | 2022-05-25 |
| 220 | SUSP_XORed_Mozilla_RID2DB4 | Florian Roth | 2022-05-25 |
| 188 | INDICATOR_SUSPICIOUS_Binary_References_Browsers | ditekSHen | 2022-05-26 |
| 182 | MAL_Lokibot_Stealer | | 2022-05-26 |
| 173 | MALWARE_Win_AgentTeslaV3 | ditekSHen | 2022-05-26 |
| 145 | SUSP_ELF_LNX_UPX_Compressed_File | Florian Roth | 2022-05-25 |
| 140 | Excel_Hidden_Macro_Sheet | | 2022-05-26 |

Most downloaded Malware Samples


Most downloaded malware samples on MalwareBazaar.


ANY.RUN


Top detections by ANY.RUN for malware samples on MalwareBazaar.

CAPE Sandbox


Top detections by CAPE Sandbox for malware samples on MalwareBazaar.

ClamAV


Top detections by ClamAV for malware samples on MalwareBazaar.

Intezer


Top detections by Intezer for malware samples on MalwareBazaar.

Joe Sandbox


Top detections by Joe Sandbox for malware samples on MalwareBazaar.

CERT.PL MWDB


Top detections by CERT.PL MWDB for malware samples on MalwareBazaar.

ReversingLabs


Top detections by ReversingLabs Titanium Platform for malware samples on MalwareBazaar.

Threatray


Top detections by Threatray for malware samples on MalwareBazaar.

Triage


Top detections by Triage for malware samples on MalwareBazaar.

UnpacMe


Top detections by UnpacMe for malware samples on MalwareBazaar.

VMRay


Top detections by VMRay for malware samples on MalwareBazaar.

FileScan.IO


Top classifications by FileScan.IO for malware samples on MalwareBazaar.

Most discussed Malware Samples


Most discussed (commented) malware samples on MalwareBazaar.


Top File Types


Most seen file types associated with malware samples on MalwareBazaar.

Top imphashes


Most seen imphashes on MalwareBazaar.


Top ssdeep hashes


Most seen ssdeep hashes on MalwareBazaar.


Top dhash icon


Most seen dhashes of icons from PE32 executables and their signatures.


Malware sample shared


The chart below shows the number of unique malware samples shared on MalwareBazaar per day over a period of 12 months.


Top Reporters


It wouldn't be possible to operate MalwareBazaar without the help of volunteers who contribute malware samples to MalwareBazaar. The table below shows the top reporters and their Twitter handles.

| Rank | Reporter | Last activity | Submissions |
|---|---|---|---|
| 1 | @abuse_ch | 2022-05-26 | 104'575 |
| 2 | @lazyactivist192 | 2022-05-18 | 69'727 |
| 3 | @Cryptolaemus1 | 2022-05-04 | 67'812 |
| 4 | @Seifreed | 2021-10-19 | 48'947 |
| 5 | @zbetcheckin | 2022-05-26 | 32'567 |
| 6 | @JAMESWT_MHT | 2022-05-26 | 22'587 |
| 7 | @Libranalysis | 2022-03-29 | 17'029 |
| 8 | @cocaman | 2022-05-26 | 14'350 |
| 9 | @SecuriteInfoCom | 2022-05-26 | 12'636 |
| 10 | @GovCERT_CH | 2022-05-26 | 12'281 |
| 11 | @James_inthe_box | 2022-05-26 | 6'066 |
| 12 | @FORMALITYDE | 2022-05-19 | 5'633 |
| 13 | @jarumlus | 2021-09-28 | 5'360 |
| 14 | @tolisec | 2022-05-25 | 4'997 |
| 15 | @lowmal3 | 2022-05-25 | 4'960 |

Top Malware Families

Top Tags

Most matching YARA rules


YARA rules that matched most on malware samples in MalwareBazaar.

| Malware Samples | YARA rule | Author | Last match |
|---|---|---|---|
| 78'468 | SharedStrings | Katie Kleemola | 2021-12-26 |
| 76'696 | Email_stealer_bin_mem | James_inthe_box | 2022-05-16 |
| 74'496 | Select_from_enumeration | James_inthe_box | 2021-12-26 |
| 73'329 | UAC_bypass_bin_mem | James_inthe_box | 2022-04-20 |
| 71'638 | IPPort_combo_mem | James_inthe_box | 2022-05-19 |
| 45'498 | Cobalt_functions | @j0sm1 | 2022-05-19 |
| 38'440 | Skystars_Malware_Imphash | Skystars LightDefender | 2022-05-26 |
| 31'017 | pe_imphash | | 2022-05-26 |
| 29'565 | MALWARE_Win_DLLLoader | ditekSHen | 2022-04-09 |
| 28'410 | DridexV4 | kevoreilly | 2022-04-09 |
| 28'072 | ach_Dridex_xls_20200528 | abuse.ch | 2022-05-06 |
| 25'452 | Win32_Trojan_Emotet | ReversingLabs | 2022-03-29 |
| 25'036 | DridexLoader | kevoreilly | 2022-04-09 |
| 23'584 | win_dridex_auto | Felix Bilstein | 2022-04-09 |
| 23'141 | ach_Quakbot_xlsb_20201023 | abuse.ch | 2022-05-25 |

Most downloaded Malware Samples


Most downloaded malware samples on MalwareBazaar.


ANY.RUN


Top detections by ANY.RUN for malware samples on MalwareBazaar.

CAPE Sandbox


Top detections by CAPE Sandbox for malware samples on MalwareBazaar.

ClamAV


Top detections by ClamAV for malware samples on MalwareBazaar.

Intezer


Top detections by Intezer for malware samples on MalwareBazaar.

Joe Sandbox


Top detections by Joe Sandbox for malware samples on MalwareBazaar.

CERT.PL MWDB


Top detections by CERT.PL MWDB for malware samples on MalwareBazaar.

ReversingLabs


Top detections by ReversingLabs Titanium Platform for malware samples on MalwareBazaar.

Threatray


Top detections by Threatray for malware samples on MalwareBazaar.

Triage


Top detections by Triage for malware samples on MalwareBazaar.

UnpacMe


Top detections by UnpacMe for malware samples on MalwareBazaar.

VMRay


Top detections by VMRay for malware samples on MalwareBazaar.

FileScan.IO


Top classifications by FileScan.IO for malware samples on MalwareBazaar.

Most discussed Malware Samples


Most discussed (commented) malware samples on MalwareBazaar.


Top File Types


Most seen file types associated with malware samples on MalwareBazaar.

Top imphashes


Most seen imphashes on MalwareBazaar.


Top ssdeep hashes


Most seen ssdeep hashes on MalwareBazaar.


Top dhash icon


Most seen dhashes of icons from PE32 executables and their signatures.
