What Is MalwareBazaar?

MalwareBazaar is a free public malware sharing and intelligence platform hosted by abuse.ch (the organization running URLhaus, Feodo Tracker and SSL Blacklist).

As a community-driven repository, MalwareBazaar enables:
1. Uploading new malware samples by security researchers, threat hunters, incident responders, SOC analysts and vendors of AV/EDR products.
2. Downloading malware samples uploaded by other members of the community for analysis and signature generation or sandbox testing.
3. Searching by hash (MD5/SHA1/SHA256), tag, file type, signature, date of first appearance (when viewed by the submitting member), and vendor detection name to find specific malware samples.
4. Obtaining short-term (first seen/last seen), size, MIME type and signature data from multiple AV vendors via VirusTotal, which helps in generating threat intelligence.

Key Features
1. Daily fresh samples: thousands of new files uploaded every day
2. No registration required to browse or download (but registration unlocks API access and higher rate limits)
3. Tags: very useful, e.g., “ransomware”, “banking-trojan”, “stealer”, “rat”, “clickfix”, “lumma”, “redline”, “vidar”, “anatsa”, “agenttesla”
4. YARA & Sigma rule sharing: many community rules linked to specific samples
5. ZIP passwords: most archives use the standard password “infected” (very important to remember)
6. API: free tier available for automated downloads and searches
7. No live malware execution: downloads are provided as-is; you must analyze in a safe, isolated environment

Why MalwareBazaar Is Useful
1. Malware specimens are freely available for safe examination via virtual machines only.
2. Enter a file hash into the IOC Lookup Tool to quickly check whether it has previously been categorized as malware.
3. Real-world phishing attack droppers, infostealers (if you download the old, defanged versions they are the safest), and ransomware samples can all be found and downloaded here; they can be used to practice reverse engineering these types of malware.
4. Look for new malware samples of the same type as those found in your organization, in your region or among your organization's members.

Practical Ways to Use It
1. Search for a known hash: go to https://bazaar.abuse.ch → enter the SHA256 hash → see tags, first-seen date, AV detections.
2. Browse recent banking trojans → sort by “Last seen” → download a recent sample (use the password “infected” to unzip).
3. Download via API (for automation). Example curl command (requires a free API key):
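# get_taginfo lists the samples that carry a given tag.
# The API expects form-encoded fields, not a JSON body.
curl -X POST -H "Auth-Key: your_key_here" \
     -d "query=get_taginfo" -d "tag=lumma" \
     https://mb-api.abuse.ch/api/v1/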

4. Safety Measures while Handling Files
a) Do not use your primary computer to execute any files or samples that you are working on.
b) Use an isolated VM (either VirtualBox or VMware) and do not use shared folders or clipboard functionality.
c) Before running or opening any files on the VM, take a snapshot of the VM so you can return to that point if the file or sample causes issues.
d) If at all possible, run files/samples in a sandbox or service such as Any.run, Hybrid Analysis, or CAPE Sandbox.
e) When analyzing files and samples, use tools such as olevba, capa, floss, strings, Ghidra, or x64dbg.
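
The hash lookup from step 1 and the API access from step 3, combined as an added example (not code from this article or from abuse.ch): it hashes a local file, builds a get_info query, and reduces the JSON reply to the fields used for triage. The Auth-Key header name and the response field names are assumptions about the public API format, and the sample reply is constructed.

```python
import hashlib
import json
import urllib.parse
import urllib.request

API_URL = "https://mb-api.abuse.ch/api/v1/"  # endpoint from the article
AUTH_HEADER = "Auth-Key"                      # assumption: header carrying the API key

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large samples are never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_request(sha256, auth_key):
    """Form-encoded get_info query: only the hash leaves the host, never the file."""
    sha256 = sha256.strip().lower()
    if len(sha256) != 64 or any(c not in "0123456789abcdef" for c in sha256):
        raise ValueError("expected a 64-character SHA256 hex digest")
    body = urllib.parse.urlencode({"query": "get_info", "hash": sha256}).encode()
    return urllib.request.Request(API_URL, data=body, headers={AUTH_HEADER: auth_key})

def summarize(response_text):
    """Reduce the JSON reply to the fields an analyst triages on."""
    doc = json.loads(response_text)
    status = doc.get("query_status")
    if status == "hash_not_found":
        return {"known": False}  # unknown to MalwareBazaar is not a clean verdict
    if status != "ok" or not doc.get("data"):
        raise RuntimeError(f"unexpected query_status: {status!r}")
    entry = doc["data"][0]
    return {"known": True, "first_seen": entry.get("first_seen"),
            "file_type": entry.get("file_type"), "signature": entry.get("signature"),
            "tags": entry.get("tags") or []}

def lookup(path, auth_key):
    """Hash a local file and ask MalwareBazaar whether it is a known sample."""
    with urllib.request.urlopen(build_request(sha256_file(path), auth_key), timeout=30) as resp:
        return summarize(resp.read().decode("utf-8"))

# Constructed reply (not real data) so the parsing can be exercised offline.
SAMPLE_HIT = json.dumps({"query_status": "ok", "data": [{
    "first_seen": "2025-01-01 00:00:00", "file_type": "exe",
    "signature": "LummaStealer", "tags": ["lumma", "stealer"]}]})

if __name__ == "__main__":
    print(summarize(SAMPLE_HIT))
```

A result of {"known": False} only means the hash has not been submitted to MalwareBazaar; the file still needs analysis in the isolated environment described above.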

Key Takeaways 
MalwareBazaar is an online public repository for up-to-date, real-world malware samples and threat intelligence. You do not need to log in to use this resource, and it is constantly being updated. 

MalwareBazaar is a valuable resource for reverse engineering malware, performing threat hunting through IOC lookups, and understanding the current threat landscape through tags (such as, but not limited to: "anatsa", "clickfix", "lumma").

 

© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067