
ashemery / malware4edu

Licence: other
Malware Samples that could be used for teaching students about malware analysis.

malware4edu

Malware samples that could be used for teaching students about malware analysis. The samples here are based on recommendations from the public, who come from different backgrounds: some are experts doing malware analysis, others shared their thoughts on which samples they found interesting and which helped them learn about this field. I will keep updating this list as I find new interesting samples to add, and hopefully will add some notes about each sample.

Below is what experts, researchers, students, etc. said:

  1. Professor Duane Dunston said: "A fakeAV sample. It does a lot of the most common techniques discussed like obscure filename, install in users\public, change registry run key, the early versions weren't packed so you could see a lot of the details like imports, URL strings, etc." here
  2. Expert Brian Maloney said "I know it's a little old now but what about Cryptowall? It is well documented by the late @ydklijnsma. I might have some samples laying around that aided in updating some of his tools. It would also be a nice tribute to an incredible person." here and also said "I also might have the pcap and procmon output to feed into @ProcDOT" here
  3. Charlie Crane said "Emotet maldocs and similar because they are real world and quite clever in the way they hide parent/child process relationships" here
  4. Ahmet Payaslıoğlu said "Emotet was a good example for me to analyze initially. Process injection, Network connections, new file creation, registry key changes, cryptography, etc... It could be a good example for beginners." here
  5. Waleed said "When I started learning, I used StuxNet, and until now I don't know why!? xD" here
  6. Professor Lionel Faleiro said "I use Emotet and Adwind in my beginner trainings. Found good success with them." here and also said "Differentiating between Payloads and C2 traffic. Showing the different levels of analysis from beginner behavioral (fiddler, procmon, netmon) to code analysis (Obfuscation, decompiling, etc). I have some old posts on my blog" here
  7. John Poffenbarger said "Sapphire/ Slammer? Compact. Lots of references beyond the 1s and 0s…which matters more than sometimes recognized." here
  8. Jan said "I have no direct Sample/Family to recommend but I would prefer something really difficult to cover as many obstacles as possible. I remember from the courses I took, everything was easy and working but in the real world everything was different." here
  9. Ayush Anand said "This ransomware is quite good for teaching, it contains multiple stages and teaches multiple techniques e.g. UAC bypass, PPID spoofing, WMI persistence, Excel 4.0. File is not packed/not obfuscated so easy for students to read in assembly or pseudo code." here and the blog post is here
  10. Expert Florian Roth said "Chafer‘s Remexi for a start, because it’s simple in its functionality and easy to disassemble & understand" here
  11. Security Researcher Dr. Ahmed Shosha said "I would craft a binary bomb with real malware TTPs. Then gradually introduce simple real samples through the class. Preferably from old botnets that are no longer active or botnets that have been sinkholed (stuff that there are public writeups for)." here and also said "For example Zeus and Storm. Not very easy but fits the purpose." here
  12. Expert James said "Anything #powershell related.....and #cobaltstrike....might as well get them used to seeing it early on." here and then he said "#powershell #empire is a good place to start." here
  13. Malware Researcher Myrtus said "Hancitor, pretty straight forward and extremely consistent. No string encryption or API hashing either, and is still active almost everyday" here
  14. InfoSecDodo said "I'm still a noob in malware analysis, but malicious documents are great for learning static analysis. As for malware, I found RedLineStealer to be pretty straightforward for showing unpacking and injection. No anti debugging and common APIs, like WriteProcessMemory for injection" here and the sample can be found here
  15. Expert Abdalhalim Ashraf said "I would recommend Meterpreter and its extensions. You/students can generate (have control over) what is to be analyzed. Also they can have a look at the actual capabilities the malware provides to its operator. May it distract the students a bit?" here
  16. Threat Intel Professional Lord Xorington said "I'd look back to some China related stuff like Ixeshe, comment crew samples, getkys, plugx, and other stuff like that. Get a good feel for things and a history lesson. Poison Ivy and Gh0st variants would also serve a similar purpose. And, definitely Cobalt Strike." here
  17. Threat Hunter Specialist Insomnihack said "A variety: PS/VBA scripts, executables, loaders/droppers, compression/encoding/encryption, file/mem/net artefacts, lolbins, webshells, C2/Web panels. Why: If you just dig into one kind, you'll miss out on the whole picture." here
  18. ZuriGorri20 said "I think we should start with the basics and not go right into multi-stage malware like Emotet, shouldn't we? My first malware analysis was for RedLine Infostealer and I learned A LOT (and most importantly, understood everything that was going on)" here
  19. Security Researcher M. Shahpasandi said "A hidden tear ransomware variant. Easy to disassemble and decryptable of course." here
  20. Investigator and Professor Chris Gastardi said "Have incorporated WannaCry into one of my courses. Tons of public reporting, real world application, drives home importance of VM snapshots, great for analysis in Ghidra or IDA." here and also said "" here
  21. Reverser and Researcher SOUITEN said "Mirai and Gafgyt (Bashlite) are good 101 lessons. Simple, cross-platform, source code, still making noises." here
  22. Researcher m4n0w4r said "Many samples out there, but I think you can teach them about top of samples ITW. #Qakbot is one of them, used maldoc with #XLMmacro, unpack tech in loader Dll, main payload used junk code, encrypted strings, dynamic resolve APIs, evasion tech, anti-sandbox, encrypted configs, persistence" here
  23. Security Analyst Eli Salem said "Syswin" here
  24. SeMSeM said "Cobalt Strike" here
  25. Who's next? :)

General Advice and Recommendations

  1. Krassen Deltchev shared URLs to platforms where you can find malware samples here.
  2. Edward Graham said "Just beginning study. Probably best to have isolated laptop." here
  3. Cyb3rljack said "Anything from you will be very cool!! Also I hope you share it with us, if you don't mind, "free". You can choose ransomware because it's the most common affecting the world. I am very happy to see your tweet about malware analysis, really interesting." here

The discussion can be found here: What malware samples would you recommend using to teach malware analysis for new students and why?

SUMMARY OF SAMPLE RECOMMENDATIONS

| Malware Name | Sample(s) | Difficulty | Techniques to Cover |
|---|---|---|---|
| RedLine Stealer | here | | |
| WannaCry Ransomware | here | | |
| Hancitor | here | | |
| CryptoWall | here, here | | |
| Emotet | here | | |
| StuxNet | here | | |
| Ataware Ransomware | here | | |
| Zeus | here | | |
| Hidden-tear | here, here, here | | |
| Mirai | | | |
| Gafgyt (Bashlite) | | | |
| Qakbot | | | |
| Syswin | | | |
| Cobalt Strike | | | |
| TBD | | | |
| TBD | | | |

Good luck!
