Navigating Malware Bazaar
Here are the steps and methods to search for malware samples on Malware Bazaar.
Before we get into the steps, make sure your analysis VM is set up, a clean snapshot has been taken, and the usual precautions (no shared folders, isolated or no network) are in place. Do not Leeroy Jenkins this on your host machine. Obligatory disclaimer done.
Go to https://bazaar.abuse.ch/ and click on MalwareBazaar database.

Browse around if you're feeling exploratory, or use the search bar to look for a specific sample. MalwareBazaar supports the following search syntax for finding and filtering samples:

Hash: Returns the exact sample with that hash. e.g., 5d41402abc4b2a76b9719d911017c592
Tag: Returns samples carrying those tag(s). Tags are applied manually by contributors, so coverage is only as good as whoever uploaded the sample. e.g., tag:agenttesla exe emotet
Signature: Returns samples with those signature(s). Unlike tags, signatures come from antivirus/YARA detections rather than manual tagging. e.g., signature:agenttesla
File Type: Returns samples with those file type(s). e.g., file_type:exe docx
File Size: Returns samples whose size, in bytes, satisfies the comparison. Operators are: >, <, =, >=, <=. e.g., file_size:>10000
Date: Returns samples by the date they were first seen, in YYYY-MM-DD format; a comparison operator such as > restricts the range. e.g., first_seen:>2025-12-01
Country: Returns samples with that country tag, given as a two-letter country code. e.g., country:RU
Combo: Returns samples matching several filters at once; terms are chained with a logical AND. e.g., tag:agenttesla file_type:exe country:CN
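To make those rules concrete, here is an added example (not code from MalwareBazaar or abuse.ch) that assembles a search string from the filters above and rejects malformed terms before you paste them into the search bar. The filter names, operators and date format are the ones listed on this page; the validation rules (hex digest length for the hash term, an integer byte count for file_size, an ISO date for first_seen, a two-letter country code) are this example's own assumptions about what a well-formed term looks like, and terms are written without a space after the colon.

```python
"""Build MalwareBazaar search strings from the filter syntax listed above.

Added example, not code from MalwareBazaar or abuse.ch. The filter names and
the operator/date formats are the ones on this page; the validation rules
(hex digest length, integer byte counts, ISO dates, two-letter country codes)
are this example's own assumptions about what a well-formed term looks like.
"""
import re
from datetime import date

HEX_DIGEST = re.compile(r"[0-9a-fA-F]+")
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")
# Two-character operators first, so ">=" is not mistaken for ">" followed by "=10000".
OPERATORS = (">=", "<=", ">", "<", "=")
DIGEST_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_kind(digest: str) -> str:
    """Name the digest type by its hex length; reject anything that is not a digest."""
    if not HEX_DIGEST.fullmatch(digest) or len(digest) not in DIGEST_KINDS:
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {digest!r}")
    return DIGEST_KINDS[len(digest)]


def split_operator(expr: str) -> tuple[str, str]:
    """Separate a leading comparison operator (if any) from the rest of the term."""
    expr = expr.strip()
    for op in OPERATORS:
        if expr.startswith(op):
            return op, expr[len(op):].strip()
    return "", expr


def parse_size(expr: str) -> tuple[str, int]:
    """file_size terms need an operator and an integer number of bytes, e.g. '>10000'."""
    op, rest = split_operator(expr)
    if not op or not rest.isdigit():
        raise ValueError(f"file_size needs an operator and a byte count: {expr!r}")
    return op, int(rest)


def parse_date(expr: str) -> tuple[str, date]:
    """first_seen terms take an optional operator and a YYYY-MM-DD date, e.g. '>2025-12-01'."""
    op, rest = split_operator(expr)
    if not ISO_DATE.fullmatch(rest):
        raise ValueError(f"first_seen needs YYYY-MM-DD: {expr!r}")
    return op, date.fromisoformat(rest)   # also rejects impossible dates such as 2025-13-40


def build_query(**filters) -> str:
    """Compose one search string; MalwareBazaar ANDs every term together.

    Keywords: hash, tag, signature, file_type, file_size, first_seen, country.
    tag/signature/file_type accept a list or a space-separated string of values,
    mirroring the page's examples; terms are written without a space after the colon.
    """
    terms = []
    for key, value in filters.items():
        if key == "hash":
            hash_kind(value)                      # raises on junk; a bare digest is a valid term
            terms.append(value.lower())
        elif key in ("tag", "signature", "file_type"):
            values = list(value) if isinstance(value, (list, tuple)) else str(value).split()
            if not values:
                raise ValueError(f"{key} needs at least one value")
            terms.append(f"{key}:{' '.join(values)}")
        elif key == "file_size":
            op, size = parse_size(str(value))
            terms.append(f"file_size:{op}{size}")
        elif key == "first_seen":
            op, day = parse_date(str(value))
            terms.append(f"first_seen:{op}{day.isoformat()}")
        elif key == "country":
            code = str(value).strip().upper()
            if not re.fullmatch(r"[A-Z]{2}", code):
                raise ValueError(f"country needs a two-letter code: {value!r}")
            terms.append(f"country:{code}")
        else:
            raise ValueError(f"unknown filter: {key}")
    if not terms:
        raise ValueError("at least one filter is required")
    return " ".join(terms)


def is_valid_query(**filters) -> bool:
    """True when build_query accepts the filters, False when any term is malformed."""
    try:
        build_query(**filters)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The combo example from the page, rebuilt from its parts.
    print(build_query(tag="agenttesla", file_type="exe", country="CN"))
    print(build_query(hash="5d41402abc4b2a76b9719d911017c592"))
    print(build_query(signature="agenttesla", file_size=">10000", first_seen=">2025-12-01"))
```

The payoff is in the failure cases: a size without an operator, a US-style date, a three-letter country code or a digest of the wrong length all fail locally with a clear message instead of silently returning zero results on the site.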
Once you have results, click the DL (download) icon on the far right of the row.

A warning page will pop up. The downloaded sample comes in an encrypted zip file so that it cannot be accidentally executed by the user, or by the OS indexing or previewing the file. The zip still contains a very real piece of malware, so only unzip it in an isolated, dedicated analysis environment such as FlareVM, and confirm the extracted file's SHA256 matches the hash listed on its MalwareBazaar page before doing anything else with it.