Malware research is based upon malware samples and analysis logs. But how to get samples if few people are allowed to share them? How to get a significant number of analysis logs without deploying an expensive infrastructure? This repository aims to help you!

This repository was created and has been maintained by Marcus Botacin. However, the here presented datasets result from a collective effort of many great researchers. I suggest you to check our SECRET Lab page for more information. Many of our papers were based on the data available in this repository.

I aim to share as much data as possible, but this implies on some lack of standards. Data representations have changed a lot over time, so do not expect any standardization.

According to many regulations, sharing the samples themselves might be illegal. However, nothing is said about disclosing their hashes. So, go ahead and retrieve the samples from VirusTotal by searching for them.

Feel free to use all data of this repository. Just let me know about it, so I can add a reference here to your work. Let's incentive more people to share their data!

Here we go.

Labeled data is essential for many security analysis. Stream analysis can only be conducted if the malware samples are identified by their emergence time. However, obtaining labeled data is very hard. In most cases, the sample's data are approximated by VirusTotal submission date or similar heuristics, which might be an imprecise approximation. To help researchers, I made available the capture date of many malware samples in our honeypot. I cannot ensure that the samples were collected as soon as they were released but I think it is a better approximation than only the VT's date. Get the list of hashes here

Malware variants identification is a key security task. It saves processing time and allow attacker's attribution. However, gathering labeled malware families is a hard task. Sometimes, there is no ground-truth for the development of attack attribution. I made available a set of malware samples that we attributed to the same attackers. I hope this could help researchers developing malware similarity detection tools. You can get the sample's hashes here

Over time, I will upload here additional material, such as AV labels and analysis logs from my sandbox.