We often get asked how we uncover the awesome malware samples that we regularly tweet about on our Twitter account. Besides our research team, which scans various blogs, threat feeds, security groups, etc., there are also some easy ways to get to interesting samples through our public webservice.
Try one of the following steps:
- On the main page at https://www.hybrid-analysis.com/, when you are not logged in yet, a "Report of the Day" link will appear in the top right menu. Top secret patent-pending formulas are applied every day to extract the most interesting report automatically.
- You can head over to our public feed and skim through the JSON summary in search of the "isinteresting" flag.
Note: often, these samples will have a relatively low AV detection ratio, but a high threat score (which is basically AV independent, see more below).
- Use the special indicatorid:<id> search query (requires you to be logged in) to hunt through the database for samples that show a specific behavior. For example, searching for the indicator ID "target-45" reveals the latest samples using excessive ping.exe execution in an attempt to bypass the sandbox.
Note: hover a matched indicator in a report to reveal the ID as part of the HREF.
- Take a look at our advanced search feature that is quite powerful and can be used to scan through the database using a combination of search terms.
The 'Threat Score' is a heuristically determined value that expresses the degree of potentially malicious behavior of a file (based on static, dynamic or hybrid runtime analysis). It is mainly derived from the total relevance of all matched indicators, which is why it stays independent of AV detection.
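As an added example (not code from the Hybrid Analysis service itself), the following script shows the two filters described above applied to a feed summary: picking out entries carrying the "isinteresting" flag, and spotting the low-AV-ratio / high-threat-score pattern mentioned in the note. The feed document is constructed inline; only "isinteresting" is a field name taken from the post, while "threatscore", "avdetect" and the "data" wrapper are assumed names, and the hashes are placeholders.

```python
import json

# Constructed feed snippet in the shape this example assumes: a JSON
# object whose "data" list holds one summary per sample. "isinteresting"
# is the flag named in the post; "threatscore" (0-100) and "avdetect"
# (AV detection ratio in percent) are assumed names, and the hashes are
# placeholders, not real indicators.
FEED_JSON = """
{"count": 4, "data": [
  {"sha256": "placeholder-sha256-1", "isinteresting": true,  "threatscore": 95, "avdetect": 10},
  {"sha256": "placeholder-sha256-2", "isinteresting": false, "threatscore": 85, "avdetect": 90},
  {"sha256": "placeholder-sha256-3", "isinteresting": false, "threatscore": 80, "avdetect": 15},
  {"sha256": "placeholder-sha256-4", "isinteresting": true,  "threatscore": 40, "avdetect": 60}
]}
"""


def parse_feed(text):
    """Return the list of per-sample summaries from a feed document."""
    return json.loads(text).get("data", [])


def interesting_samples(samples):
    """Hashes of samples carrying the 'isinteresting' flag (the post's first filter)."""
    return [s["sha256"] for s in samples if s.get("isinteresting") is True]


def low_av_high_score(samples, max_avdetect=30, min_threatscore=70):
    """Hashes matching the note's pattern: AV ratio at or below max_avdetect
    but a threat score at or above min_threatscore. Since the score is AV
    independent, this gap points at behaviour AV engines have not caught up with."""
    hits = []
    for s in samples:
        score = s.get("threatscore")
        av = s.get("avdetect")
        if score is None or av is None:  # skip summaries missing either value
            continue
        if av <= max_avdetect and score >= min_threatscore:
            hits.append(s["sha256"])
    return hits


if __name__ == "__main__":
    feed = parse_feed(FEED_JSON)
    print("flagged interesting:", interesting_samples(feed))
    print("low AV / high score:", low_av_high_score(feed))
```

The thresholds are arbitrary starting points; tune them against the verdicts you see in your own feed pulls.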