Breaking News

Learn this moderately sooner than continuing.

This repository accommodates are living malware samples to be used within the Sensible Malware Research & Triage route (PMAT). Those samples are both written to emulate commonplace malware traits or are are living, actual international, “stuck within the wild” samples. Each classes are bad. Those samples are to be treated with excessive warning always.

  • Don’t obtain those samples to a pc you don’t personal.
  • Don’t execute any of those samples on a pc you don’t personal.
  • Don’t obtain and/or execute those samples in an atmosphere that you can not revert to a stored state, i.e. a digital system.
  • Apply protected malware dealing with procedures always when the usage of those samples.

Through downloading the contents of this repository, without reference to when you’ve got bought the route or now not, you’re agreeing to the Finish Person License Settlement. Please seek advice from for more info.


The construction of this repository maps to the route movies. The highest listing accommodates the identify of the segment, and the subdirectories are the samples in use all over that a part of the route. For instance:

┣ 📂0-1.HandlingAndSafety
┃ ┣ 📜Malware.Calc.exe.7z
┃ ┣ 📜md5sum.txt
┃ ┣ 📜password.txt
┃ ┗ 📜sha256sum.txt
┣ 📂1-1.BasicStaticAnalysis
┃ ┣ 📂Malware.PackedAndNotPacked.exe.malz
┃ ┃ ┣ 📜
┃ ┃ ┣ 📜md5sum.txt
┃ ┃ ┣ 📜password.txt
┃ ┃ ┗ 📜sha256sum.txt
┃ ┣ 📂Malware.Unknown.exe.malz
┃ ┃ ┣ 📜Malware.Unknown.exe.7z
┃ ┃ ┣ 📜README.txt
┃ ┃ ┗ 📜password.txt

Within the instance above, the 0-1.HandlingAndSafety listing accommodates a zipped replica of Malware.Calc.exe.7z and the opposite information that pattern is supplied with. It’s used within the Dealing with and Protection segment within the route.

Beneath the Dealing with and Protection pattern, the 1-1.BasicStaticAnalysis listing accommodates two samples which might be utilized in that segment. The entire route follows this construction, so test to peer which segment you are recently in after which the movies will reference the pattern to paintings on.


Every segment is damaged down by way of subject:

0. Malware Dealing with and Protection

This segment covers elementary malware handing and protection, together with defanging malware and protected practices for switch and garage.

1. Elementary Static | Elementary Dynamic

This segment covers preliminary triage, static research, preliminary detonation, and the main technique of elementary research.

2. Complex Static | Complex Dynamic

This segment covers complex malware research technique and introduces Meeting, debugging, decompiling, and examining the Home windows API on the ASM degree.

3. Area of expertise Elegance Malware

This segment covers other forte categories of malware like maldocs, C# assemblies, and script-based malware. It additionally features a segment on cell platform malware research.

4. Bossfights!

The Bossfights pit you towards notorious actual international samples of malware and require you to do a complete research.

5. Automation | Rule Writing | Record Writing

This segment covers efficient record writing, Yara rule writing, and automating the preliminary levels of triage with Blue-Jupyter.

6. Route Conclusion: Route Ultimate | References | Assets | Additional Readings

The route ultimate is composed of a capstone by which you are going to mix all related talents on this route to put in writing and post open-source details about a given pattern from the route.

The route conclusion comprises additional readings, references, and useful sources for additional studying.

Please notice: some samples are used more than one instances in several sections. Test to ensure which pattern the route movies are referencing and that you’ve the proper one for a given video.

Demanding situations

The problem samples on this route are used as mini-capstones for the other sections. Every pattern marked as a Problem features a set of questions to respond to in regards to the pattern in addition to an solutions/ listing. The README within the solutions/ listing accommodates temporary solutions to every query within the Problem. Attempt to get so far as you’ll be able to with out having a look on the solutions first!


Every pattern is zipped and password safe. The password for all malware samples is inflamed.

Record Template

In one of the crucial ultimate sections of the route, I educate tips on how to write a easy Malware Research record. The template utilized in that segment is right here. Be happy to make use of this as a template for this route or another malware experiences you need to create.


You can be questioning, why is there an image of a good-looking cat within the root listing?

That is Cosmo, my cat. He isn’t superb at malware research, so he is alongside for the journey to be informed issues. I do not need prime hopes for him (he’s only a cat in any case).

cosmo.jpeg serves two purposes.

A Surrogate Knowledge Report

The malware samples on this route are constructed to accomplish other purposes. Some are designed to smash knowledge. Some are designed to scouse borrow it. Some do not contact your knowledge in any respect.

cosmo.jpeg is a placeholder for the valuable, valuable knowledge that a median finish consumer will have on their host. Some malware samples on this route will scouse borrow him, encrypt him, encode and exfiltrate him, the entire 9 yards. As a way to as it should be constitute what knowledge robbery or destruction may seem like, the customized written malware samples on this route are going to focus on this document in particular.

It is a bit of a hefty document (about 1.6MB), not like Cosmo himself who isn’t a hefty cat in any respect. So it must serve smartly as an information document placeholder.

Environmental Keying

I wrote the samples for this route from the bottom as much as be as protected as conceivable. I’m mindful that placing malware samples out into the sector, without reference to your aim for doing so, imparts chance. As a way to lend a hand mitigate the likelihood that those samples may well be used maliciously, I have keyed them to this actual document. This can be a purple crew tactic that guarantees a payload will handiest cause if there are specific identifiers provide within the setting. cosmo.jpeg provide at the Desktop of FLARE-VM acts as the important thing for many of the malware samples on this route.


If you find yourself finished downloading and extracting this lab repository, take cosmo.jpeg and replica it to the desktop of the primary consumer account at the Home windows FLARE-VM host. That is all!

Leave a Reply

Your email address will not be published.

Donate Us