Statistics

MalwareBazaar produces various statistics on malware samples shared, including their detections. The available statistics can be found below.

Malware samples shared


The chart below shows the number of unique malware samples shared on MalwareBazaar per day over a period of 30 days.


Top Reporters


It wouldn't be possible to operate MalwareBazaar without the help of volunteers who contribute malware samples to MalwareBazaar. The table below shows the top reporters and their Twitter handles.

| Rank | Reporter | Last activity | Submissions |
|---|---|---|---|
| 1 | @abuse_ch | 2021-09-26 | 1'984 |
| 2 | @JAMESWT_MHT | 2021-09-24 | 1'251 |
| 3 | @zbetcheckin | 2021-09-26 | 1'138 |
| 4 | @GovCERT_CH | 2021-09-24 | 360 |
| 5 | @tolisec | 2021-09-26 | 197 |
| 6 | @cocaman | 2021-09-24 | 187 |
| 7 | @SecuriteInfoCom | 2021-09-26 | 107 |
| 8 | @malwarelabnet | 2021-09-25 | 91 |
| 9 | @James_inthe_box | 2021-09-24 | 86 |
| 10 | @r3dbU7z | 2021-09-24 | 38 |
| 11 | @adrian__luca | 2021-09-24 | 38 |
| 12 | @pr0xylife | 2021-09-23 | 36 |
| 13 | @ActorExpose | 2021-09-22 | 34 |
| 14 | @0x746f6d6669 | 2021-09-24 | 31 |
| 15 | @pmelson | 2021-09-24 | 28 |

Top Malware Families

Top Tags

Most matching YARA rules


YARA rules that matched most on malware samples in MalwareBazaar.

| Malware Samples | YARA rule | Author | Last match |
|---|---|---|---|
| 1'504 | Skystars_Malware_Imphash | Skystars LightDefender | 2021-09-26 |
| 1'504 | pe_imphash | | 2021-09-26 |
| 545 | linux_generic_ipv6_catcher | @_lubiedo | 2021-09-26 |
| 496 | unixredflags3 | Tim Brown @timb_machine | 2021-09-26 |
| 494 | INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture | ditekSHen | 2021-09-26 |
| 458 | MALWARE_Win_RedLine | ditekSHen | 2021-09-26 |
| 292 | INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients | ditekSHen | 2021-09-26 |
| 228 | win_raccoon_auto | Felix Bilstein | 2021-09-26 |
| 206 | AgentTeslaV3 | ditekshen | 2021-09-26 |
| 206 | ach_AgentTesla_20200929 | abuse.ch | 2021-09-26 |
| 206 | win_agent_tesla_v1 | Johannes Bader @viql | 2021-09-26 |
| 206 | MALWARE_Win_AgentTeslaV3 | ditekSHen | 2021-09-26 |
| 174 | SUSP_XORed_Mozilla | Florian Roth | 2021-09-26 |
| 174 | SUSP_XORed_Mozilla_RID2DB4 | Florian Roth | 2021-09-26 |
| 144 | INDICATOR_SUSPICIOUS_Binary_References_Browsers | ditekSHen | 2021-09-26 |

Most downloaded Malware Samples


Most downloaded malware samples on MalwareBazaar.


CAPE Sandbox


Top detections by CAPE Sandbox for malware samples on MalwareBazaar.

ClamAV


Top detections by ClamAV for malware samples on MalwareBazaar.

Intezer


Top detections by Intezer for malware samples on MalwareBazaar.

Joe Sandbox


Top detections by Joe Sandbox for malware samples on MalwareBazaar.

CERT.PL MWDB


Top detections by CERT.PL MWDB for malware samples on MalwareBazaar.

ReversingLabs


Top detections by ReversingLabs Titanium Platform for malware samples on MalwareBazaar.

Threatray


Top detections by Threatray for malware samples on MalwareBazaar.

Triage


Top detections by Triage for malware samples on MalwareBazaar.

UnpacMe


Top detections by UnpacMe for malware samples on MalwareBazaar.

VMRay


Top detections by VMRay for malware samples on MalwareBazaar.

Most discussed Malware Samples


Most discussed (commented) malware samples on MalwareBazaar.


Top File Types


Most seen file types associated with malware samples on MalwareBazaar.

Top imphashes


Most seen imphashes on MalwareBazaar.


Top ssdeep hashes


Most seen ssdeep hashes on MalwareBazaar.


Top dhash icon


Most seen dhashes of icons from PE32 executables and their signatures.


Malware samples shared


The chart below shows the number of unique malware samples shared on MalwareBazaar per day over a period of 12 months.


Top Reporters


It wouldn't be possible to operate MalwareBazaar without the help of volunteers who contribute malware samples to MalwareBazaar. The table below shows the top reporters and their Twitter handles.

| Rank | Reporter | Last activity | Submissions |
|---|---|---|---|
| 1 | @abuse_ch | 2021-09-26 | 79'299 |
| 2 | @lazyactivist192 | 2021-04-26 | 69'725 |
| 3 | @Cryptolaemus1 | 2021-06-17 | 54'205 |
| 4 | @Seifreed | 2020-11-18 | 48'946 |
| 5 | @c4llsec | 2021-05-19 | 23'982 |
| 6 | @Libranalysis | 2021-07-19 | 17'024 |
| 7 | @JAMESWT_MHT | 2021-09-24 | 16'563 |
| 8 | @cocaman | 2021-09-24 | 10'282 |
| 9 | @SecuriteInfoCom | 2021-09-26 | 9'546 |
| 10 | @zbetcheckin | 2021-09-26 | 9'466 |
| 11 | @GovCERT_CH | 2021-09-24 | 6'572 |
| 12 | @FORMALITYDE | 2021-09-24 | 5'549 |
| 13 | @jarumlus | 2021-08-25 | 5'359 |
| 14 | @James_inthe_box | 2021-09-24 | 4'833 |
| 15 | @lowmal3 | 2021-09-10 | 2'490 |

Top Malware Families

Top Tags

Most matching YARA rules


YARA rules that matched most on malware samples in MalwareBazaar.

| Malware Samples | YARA rule | Author | Last match |
|---|---|---|---|
| 78'467 | SharedStrings | Katie Kleemola | 2021-07-19 |
| 76'690 | Email_stealer_bin_mem | James_inthe_box | 2021-09-06 |
| 74'494 | Select_from_enumeration | James_inthe_box | 2021-09-07 |
| 73'324 | UAC_bypass_bin_mem | James_inthe_box | 2021-08-08 |
| 71'631 | IPPort_combo_mem | James_inthe_box | 2021-08-31 |
| 45'492 | Cobalt_functions | @j0sm1 | 2021-07-13 |
| 28'887 | MALWARE_Win_DLLLoader | ditekSHen | 2021-09-22 |
| 28'052 | ach_Dridex_xls_20200528 | abuse.ch | 2021-09-14 |
| 27'740 | DridexV4 | kevoreilly | 2021-09-22 |
| 25'318 | Win32_Trojan_Emotet | ReversingLabs | 2021-09-14 |
| 24'266 | DridexLoader | kevoreilly | 2021-09-24 |
| 23'034 | ach_Quakbot_xlsb_20201023 | abuse.ch | 2021-09-14 |
| 22'926 | win_dridex_auto | Felix Bilstein | 2021-09-22 |
| 22'029 | win_sisfader_auto | Felix Bilstein | 2021-05-07 |
| 18'722 | win_emotet_auto | Felix Bilstein | 2021-09-14 |

Most downloaded Malware Samples


Most downloaded malware samples on MalwareBazaar.


CAPE Sandbox


Top detections by CAPE Sandbox for malware samples on MalwareBazaar.

ClamAV


Top detections by ClamAV for malware samples on MalwareBazaar.

Intezer


Top detections by Intezer for malware samples on MalwareBazaar.

Joe Sandbox


Top detections by Joe Sandbox for malware samples on MalwareBazaar.

CERT.PL MWDB


Top detections by CERT.PL MWDB for malware samples on MalwareBazaar.

ReversingLabs


Top detections by ReversingLabs Titanium Platform for malware samples on MalwareBazaar.

Threatray


Top detections by Threatray for malware samples on MalwareBazaar.

Triage


Top detections by Triage for malware samples on MalwareBazaar.

UnpacMe


Top detections by UnpacMe for malware samples on MalwareBazaar.

VMRay


Top detections by VMRay for malware samples on MalwareBazaar.

Most discussed Malware Samples


Most discussed (commented) malware samples on MalwareBazaar.


Top File Types


Most seen file types associated with malware samples on MalwareBazaar.

Top imphashes


Most seen imphashes on MalwareBazaar.


Top ssdeep hashes


Most seen ssdeep hashes on MalwareBazaar.


Top dhash icon


Most seen dhashes of icons from PE32 executables and their signatures.
