
SANS ISC: MALWARE Bazaar - SANS ISC InfoSec Forums


MALWARE Bazaar

When we publish diary entries covering malware, we almost always share the hash of the malware sample.

I prefer posting the MD5 hash because it is short, together with a link to the VirusTotal entry for said malware sample. VirusTotal reports different hashes, so that you can find your preferred hash. And if you have a VT subscription, you can also download the sample itself.

A new, free malware sharing service is available now: MALWARE Bazaar.

I will make sure that every public malware sample I blog about from now on will be available on MALWARE Bazaar. Like this sample, for example, which I extracted from a malicious document I wrote recent diaries about.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

479 Posts
ISC Handler
Apr 25th 2020
Hello,

Trying to have a look at the samples, I failed to open the zip file with several Debian tools and with your zipdump.py as well. The error message was "bad password".

Any hint?

Thanks
Anonymous
I took a look, and the ZIP file you download from Malware Bazaar is encrypted with password "infected" (as mentioned on the download page), but they use modern AES encryption instead of the old ZipCrypto encryption.

So make sure you use a ZIP tool that supports AES encryption. Tomorrow I'll release a new version of zipdump.py that supports module pyzipper (pyzipper supports AES).
DidierStevens

479 Posts
ISC Handler
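A small added check (my own example, not code from the diary, from zipdump.py or from Malware Bazaar) that reads a ZIP's central directory and reports whether each encrypted entry uses legacy ZipCrypto or WinZip AES, which is the distinction behind the failure above. The sample archive tail (central directory plus end-of-central-directory record, two constructed entries, no file data) is built inline; the entry names are made up.

```python
import struct

AES_EXTRA_ID = 0x9901  # WinZip AES extra-field header id
AES_METHOD = 99        # compression method value reserved for WinZip AES

def _central_entry(name: bytes, flags: int, method: int, extra: bytes = b"") -> bytes:
    # Central directory file header (PK\x01\x02); times, CRC, sizes and offsets zeroed for the sample.
    return struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, method,
                       0, 0, 0, 0, 0, len(name), len(extra), 0, 0, 0, 0, 0) + name + extra

def build_sample_zip_tail() -> bytes:
    # Constructed sample, two entries with flag bit 0 (encrypted) set. Entry 1: method 99 plus a
    # 0x9901 extra field (AE-2, vendor "AE", strength 3 = 256-bit, real method 8). Entry 2: ZipCrypto.
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    cd = _central_entry(b"sample.xlsm", 0x0001, AES_METHOD, aes_extra)
    cd += _central_entry(b"legacy.bin", 0x0001, 8)
    return cd + struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 2, 2, len(cd), 0, 0)

def _describe_aes(extra: bytes) -> str:
    # Walk the extra fields (id, size, payload) looking for the WinZip AES record.
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack("<HH", extra[pos:pos + 4])
        if hid == AES_EXTRA_ID and size >= 7:
            version, _vendor, strength, _real = struct.unpack("<H2sBH", extra[pos + 4:pos + 11])
            bits = {1: 128, 2: 192, 3: 256}.get(strength, "?")
            return f"AES-{bits} (WinZip AE-{version})"
        pos += 4 + size
    return "AES (method 99, extra field missing)"

def zip_encryption_kinds(data: bytes) -> dict:
    """Map each entry name to its encryption scheme, reading only the central directory."""
    eocd_at = data.rfind(b"PK\x05\x06")
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record found")
    _, _, _, _, entries, _, pos, _ = struct.unpack("<4sHHHHIIH", data[eocd_at:eocd_at + 22])
    kinds = {}
    for _ in range(entries):
        hdr = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        flags, method, name_len, extra_len, comment_len = hdr[3], hdr[4], hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        if not flags & 0x0001:
            kinds[name] = "not encrypted"
        elif method == AES_METHOD:
            kinds[name] = _describe_aes(extra)   # needs an AES-aware tool (7-Zip, pyzipper)
        else:
            kinds[name] = "ZipCrypto (legacy)"   # classic ZIP tools can open this one
        pos += 46 + name_len + extra_len + comment_len
    return kinds
```

Run `zip_encryption_kinds(open(path, "rb").read())` on a downloaded archive to see, before choosing a tool, which entries need AES support.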
Thanks,

the keyword "AES" led to 7zip.

Having a look at some xlsm files, there were 3 versions from the same author. The first 32 bytes of the files might reveal something, but I can't interpret them.
Anonymous
