about this archive

what malwareconfig.com was

Between 2014 and 2019, malwareconfig.com hosted a free configuration-extraction service. You could upload a sample of certain malware families and the site would run a Yara-rule match, then a family-specific decoder, and return the embedded config: C2 hosts, mutex names, RC4 keys, hardcoded version strings.

At peak the service indexed 25,473 configs across families that included njRat, DarkComet, Xtreme RAT, adWind, NanoCore, Pony, Dridex, Viper-managed samples, and a handful of macro-document droppers. The service was operated by Kevin Breen, who also maintained the RATDecoders project, on which most of the extraction logic was actually based.

The site went dormant in 2019. The decoders moved on, the public-upload model fell out of favor (sandboxes like Triage, Hatching, ANY.RUN absorbed that workflow), and the original web app was retired.

what this archive is

This is not the original service. The upload form is gone. The config search index is gone. The Yara rule manager UI is gone.

What remains:

  • Editorial writeups on the same kinds of technical questions the original service answered: static config extraction, Yara rule design, and modern equivalents to the families the service used to index.
  • Subdomain archive pages for the historical subdomains aptnotes.malwareconfig.com, viper.malwareconfig.com, and dridex.malwareconfig.com, with credit and pointers to the canonical projects each one referenced.
  • An RSS feed for new writeups, posted irregularly. There is no publishing schedule.

what this archive is not

  • It is not run by Kevin Breen. The original author moved on to other work; for his current public output, see github.com/kevthehermit.
  • It is not a config-extraction service. There is no upload form. Submissions are not accepted. The web app is not coming back.
  • It is not affiliated with the APTnotes/data project, the Viper malware management framework (Claudio Guarnieri), or the oletools ecosystem (Philippe Lagadec). Those projects have their own canonical homes and authors. The subdomain pages here exist to point traffic and links to those canonical homes, not to mirror them.
  • It is not a Yara rule repository. For working rules, the right places are YARAify, MalwareBazaar, and signature-base by Florian Roth.

why bother

The domain accumulated several hundred inbound links from the threat-intel community over its operational life: research papers, GitHub READMEs, blog posts, threat reports. Most of those links still resolve to a 200, and most of them came from places that took the original service seriously. Letting the domain sit dormant or end up as a parking page felt like the wrong outcome. Republishing as an archive that acknowledges what it was and names the projects that fill the gap today is the better one.

If you found your way here from a 10-year-old footnote in a malware analysis blog, the answer is: yes, that footnote was probably right at the time. The link still works. There just isn’t an upload form on the other end of it anymore.

contact

Editorial inquiries, corrections, factual problems with the writeups: [email protected]. Mail is read, not always replied to.

Sample submissions, malware analysis requests, “can you decode this for me” questions: please use Triage, ANY.RUN, Hatching, or VirusTotal. All four are better at this than a static archive could be.