https://malwareconfig.com/Recent content on MalwareConfig - archive & analysisHugo -- gohugo.ioenTue, 02 Jun 2026 00:00:00 +0000https://malwareconfig.com/blog/apt-archive-post-aptnotes/Tue, 02 Jun 2026 00:00:00 +0000https://malwareconfig.com/blog/apt-archive-post-aptnotes/The aptnotes.malwareconfig.com subdomain hosted a search-and-PDF-viewer interface to the APTnotes archive between roughly 2015 and 2019. Most of the inbound links to that subdomain came from research papers and blog posts in the same window, when “I want to read the FireEye APT1 report without leaving my browser” was a real workflow problem and a hosted PDF viewer was a real solution. The archive page for that subdomain now points at the canonical project; this post is the longer version of the same answer.https://malwareconfig.com/blog/2010s-malware-analysis-web/Sat, 16 May 2026 00:00:00 +0000https://malwareconfig.com/blog/2010s-malware-analysis-web/This is an editorial post, not a technical one. Skip it if you are here for config layouts. The 2010s had a particular kind of malware-analysis web that does not exist now. Not because the field got worse, but because it grew up. The shape of it was: one person with a GitHub account and a strong opinion shipped a tool, the tool did one thing well, the README was written for an audience of about fifty other analysts, and the social proof for the tool was a footnote in someone’s writeup that you would find six months later.https://malwareconfig.com/blog/modern-stealer-config-formats/Wed, 06 May 2026 00:00:00 +0000https://malwareconfig.com/blog/modern-stealer-config-formats/The original malwareconfig.com indexed 25,473 configs across families that mostly belonged to a single design school: njRat, DarkComet, Xtreme RAT, adWind, NanoCore. Looking at the 2015-era stat pages now, the config layouts were strikingly homogeneous. A header byte or two for versioning, a length-prefixed list of C2 hosts, an RC4 or single-byte XOR key applied uniformly across the blob, occasionally a mutex name and an installation path, sometimes a build ID.https://malwareconfig.com/about/Mon, 27 Apr 2026 00:00:00 +0000https://malwareconfig.com/about/what malwareconfig.com was Between 2014 and 2019, malwareconfig.com hosted a free configuration-extraction service. You could upload a sample of certain malware families and the site would run a Yara-rule match, then a family-specific decoder, and return the embedded config: C2 hosts, mutex names, RC4 keys, hardcoded version strings. At peak the service indexed 25,473 configs across families that included njRat, DarkComet, Xtreme RAT, adWind, NanoCore, Pony, Dridex, Viper-managed samples, and a handful of macro-document droppers.https://malwareconfig.com/blog/what-i-use-instead-of-malwareconfig/Mon, 27 Apr 2026 00:00:00 +0000https://malwareconfig.com/blog/what-i-use-instead-of-malwareconfig/I picked up malwareconfig.com after the registration lapsed. Watching it accumulate junk inbound links from generic web directories felt worse than letting someone with a stake in the original workflow give the domain a useful afterlife. The site is no longer a configuration-extraction service. The Yara rule manager is gone, the upload form is gone, the per-family stat pages are gone. What’s here now is editorial: notes on the same kinds of questions the original service answered, and pointers to the projects that filled the gap.https://malwareconfig.com/config/9ad9edffe806092ee96ba95e4ff9efce/Tue, 12 Jul 2022 12:00:00 +0000https://malwareconfig.com/config/9ad9edffe806092ee96ba95e4ff9efce/Details <table class="table table-striped table-bordered table-sm"> <tr> <th>FileName</th> <td><a href="/stats//">ZG9zarm7</a></td> </tr> <tr> <th>Malware Family</th> <td><a href="/stats//">Mirai</a></td> </tr> <tr> <th>Date Added</th> <td>2022-07-12 11:10:56.896000</td> </tr> <tr> <th>MD5</th> <td>9ad9edffe806092ee96ba95e4ff9efce</td> </tr> <tr> <th>Sha256</th> <td>4e6f7550f000033e37a9d6cec8cc28dc70afb30c33b25ab526334fdf89652f6e</td> </tr> <tr> <th>Robot</th> <td>Robots lovingly delivered by <a href="https://robohash.org">robohash.org</a></td> </tr> </table> </div> </div> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Advertising </div> <div class="card-body"> <!-- ducktoolkit-leaderboard --> <ins class="adsbygoogle" style="display:inline-block;width:728px;height:90px" data-ad-client="ca-pub-1435553701793282" data-ad-slot="1601555780"></ins> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Config Data </div> <table class="table table-striped table-bordered table-sm"> <tr> <th>Commment</th> <td>The C2 extraction uses a best effort xor decryption.https://malwareconfig.com/config/d38cc4879fe0bc66cb8e772b28fbfd15/Sat, 19 Feb 2022 12:00:00 +0000https://malwareconfig.com/config/d38cc4879fe0bc66cb8e772b28fbfd15/Details <table class="table table-striped table-bordered table-sm"> <tr> <th>FileName</th> <td><a href="/stats//">82c426d9b8843f279ab9d5d2613ae874d0c359c483658d01e92cc5ac68f6ebcf</a></td> </tr> <tr> <th>Malware Family</th> <td><a href="/stats//">Mirai</a></td> </tr> <tr> <th>Date Added</th> <td>2022-02-19 13:39:52.120000</td> </tr> <tr> <th>MD5</th> <td>d38cc4879fe0bc66cb8e772b28fbfd15</td> </tr> <tr> <th>Sha256</th> <td>82c426d9b8843f279ab9d5d2613ae874d0c359c483658d01e92cc5ac68f6ebcf</td> </tr> <tr> <th>Robot</th> <td>Robots lovingly delivered by <a href="https://robohash.org">robohash.org</a></td> </tr> </table> </div> </div> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Advertising </div> <div class="card-body"> <!-- ducktoolkit-leaderboard --> <ins class="adsbygoogle" style="display:inline-block;width:728px;height:90px" data-ad-client="ca-pub-1435553701793282" data-ad-slot="1601555780"></ins> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Config Data </div> <table class="table table-striped table-bordered table-sm"> <tr> <th>Commment</th> <td>The C2 extraction uses a best effort xor decryption.https://malwareconfig.com/config/a4f62c45af96eb8cd4ef13910fecc554/Fri, 21 Jan 2022 12:00:00 +0000https://malwareconfig.com/config/a4f62c45af96eb8cd4ef13910fecc554/Details <table class="table table-striped table-bordered table-sm"> <tr> <th>FileName</th> <td><a href="/stats//">a4f62c45af96eb8cd4ef13910fecc554.bin</a></td> </tr> <tr> <th>Malware Family</th> <td><a href="/stats//">njRat</a></td> </tr> <tr> <th>Date Added</th> <td>2022-01-21 07:49:50.160000</td> </tr> <tr> <th>MD5</th> <td>a4f62c45af96eb8cd4ef13910fecc554</td> </tr> <tr> <th>Sha256</th> <td>1f7971e9d98d51e7a89cb3cc698ef9f4e0be8a31790c509f75993c1e61c159d9</td> </tr> <tr> <th>Robot</th> <td>Robots lovingly delivered by <a href="https://robohash.org">robohash.org</a></td> </tr> </table> </div> </div> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Advertising </div> <div class="card-body"> <!-- ducktoolkit-leaderboard --> <ins class="adsbygoogle" style="display:inline-block;width:728px;height:90px" data-ad-client="ca-pub-1435553701793282" data-ad-slot="1601555780"></ins> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Config Data </div> <table class="table table-striped table-bordered table-sm"> </table> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Virustotal </div> <div class="card-body"> <p>56 out of 69 AV Engines identified the sample as Malicious.https://malwareconfig.com/config/5c25422db7fe9fd4747213abdacdc193/Sun, 02 Jan 2022 12:00:00 +0000https://malwareconfig.com/config/5c25422db7fe9fd4747213abdacdc193/Details <table class="table table-striped table-bordered table-sm"> <tr> <th>FileName</th> <td><a href="/stats//">7cbc746a357d0236e5150232aa9c1a4ff02217fd4fee80cf72d1b134ebed3637.exe</a></td> </tr> <tr> <th>Malware Family</th> <td><a href="/stats//">NanoCore</a></td> </tr> <tr> <th>Date Added</th> <td>2022-01-02 22:53:41.042000</td> </tr> <tr> <th>MD5</th> <td>5c25422db7fe9fd4747213abdacdc193</td> </tr> <tr> <th>Sha256</th> <td>7cbc746a357d0236e5150232aa9c1a4ff02217fd4fee80cf72d1b134ebed3637</td> </tr> <tr> <th>Robot</th> <td>Robots lovingly delivered by <a href="https://robohash.org">robohash.org</a></td> </tr> </table> </div> </div> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Advertising </div> <div class="card-body"> <!-- ducktoolkit-leaderboard --> <ins class="adsbygoogle" style="display:inline-block;width:728px;height:90px" data-ad-client="ca-pub-1435553701793282" data-ad-slot="1601555780"></ins> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Config Data </div> <table class="table table-striped table-bordered table-sm"> <tr> <th>Version</th> <td>b'\x071.https://malwareconfig.com/config/c65788e7aa433f54fff65305d0a25d3a/Tue, 05 Oct 2021 12:00:00 +0000https://malwareconfig.com/config/c65788e7aa433f54fff65305d0a25d3a/Details <table class="table table-striped table-bordered table-sm"> <tr> <th>FileName</th> <td><a href="/stats//">d83220491d856116bc978b9b4f2211ea38700c829e379a86b28a818b56b2b137</a></td> </tr> <tr> <th>Malware Family</th> <td><a href="/stats//">DarkComet</a></td> </tr> <tr> <th>Date Added</th> <td>2021-10-05 15:55:23.576000</td> </tr> <tr> <th>MD5</th> <td>c65788e7aa433f54fff65305d0a25d3a</td> </tr> <tr> <th>Sha256</th> <td>d83220491d856116bc978b9b4f2211ea38700c829e379a86b28a818b56b2b137</td> </tr> <tr> <th>Robot</th> <td>Robots lovingly delivered by <a href="https://robohash.org">robohash.org</a></td> </tr> </table> </div> </div> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Advertising </div> <div class="card-body"> <!-- ducktoolkit-leaderboard --> <ins class="adsbygoogle" style="display:inline-block;width:728px;height:90px" data-ad-client="ca-pub-1435553701793282" data-ad-slot="1601555780"></ins> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Config Data </div> <table class="table table-striped table-bordered table-sm"> <tr> <th>MUTEX</th> <td>DCMIN_MUTEX-QQAZHZC</td> </tr> <tr> <th>SID</th> <td>New</td> </tr> <tr> <th>NETDATA</th> <td>morifc.https://malwareconfig.com/config/e121c5a3c4db555a826e0347ae0e436a/Wed, 21 Apr 2021 12:00:00 +0000https://malwareconfig.com/config/e121c5a3c4db555a826e0347ae0e436a/Details <table class="table table-striped table-bordered table-sm"> <tr> <th>FileName</th> <td><a href="/stats//">VirusShare_e121c5a3c4db555a826e0347ae0e436a</a></td> </tr> <tr> <th>Malware Family</th> <td><a href="/stats//">DarkComet</a></td> </tr> <tr> <th>Date Added</th> <td>2015-03-23 20:29:25</td> </tr> <tr> <th>MD5</th> <td>e121c5a3c4db555a826e0347ae0e436a</td> </tr> <tr> <th>Sha256</th> <td>d33d4d5560080302bbe56e577612c6fd8a45ec0986189b95ac8e2a3a850f6298</td> </tr> <tr> <th>Robot</th> <td>Robots lovingly delivered by <a href="https://robohash.org">robohash.org</a></td> </tr> </table> </div> </div> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Advertising </div> <div class="card-body"> <!-- ducktoolkit-leaderboard --> <ins class="adsbygoogle" style="display:inline-block;width:728px;height:90px" data-ad-client="ca-pub-1435553701793282" data-ad-slot="1601555780"></ins> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Config Data </div> <table class="table table-striped table-bordered table-sm"> <tr> <th>Version</th> <td>#KCMDDC5#</td> </tr> <tr> <th>CampaignID</th> <td>LogUser</td> </tr> <tr> <th>FTPUserName</th> <td></td> </tr> <tr> <th>FTPRoot</th> <td></td> </tr> <tr> <th>FTPSize</th> <td></td> </tr> <tr> <th>FireWallBypass</th> <td>1</td> </tr> <tr> <th>Password</th> <td></td> </tr> <tr> <th>OfflineKeylogger</th> <td>1</td> </tr> <tr> <th>FTPHost</th> <td></td> </tr> <tr> <th>Mutex</th> <td>DC_MUTEX-HMBXHW7</td> </tr> <tr> <th>FTPPort</th> <td></td> </tr> <tr> <th>FTPPassword</th> <td></td> </tr> <tr> <th>Domains</th> <td>25.https://malwareconfig.com/config/52beaea292d998d9c04fb0ec947787b3/Fri, 26 Mar 2021 12:00:00 +0000https://malwareconfig.com/config/52beaea292d998d9c04fb0ec947787b3/Details <table class="table table-striped table-bordered table-sm"> <tr> <th>FileName</th> <td><a href="/stats//">decimal.dat</a></td> </tr> <tr> <th>Malware Family</th> <td><a href="/stats//">NanoCore</a></td> </tr> <tr> <th>Date Added</th> <td>2021-03-26 11:53:16.019000</td> </tr> <tr> <th>MD5</th> <td>52beaea292d998d9c04fb0ec947787b3</td> </tr> <tr> <th>Sha256</th> <td>029ab13c01e83c65048e1264f03057d6da0185efb21e80c7fa3f9da38a6f2eb5</td> </tr> <tr> <th>Robot</th> <td>Robots lovingly delivered by <a href="https://robohash.org">robohash.org</a></td> </tr> </table> </div> </div> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Advertising </div> <div class="card-body"> <!-- ducktoolkit-leaderboard --> <ins class="adsbygoogle" style="display:inline-block;width:728px;height:90px" data-ad-client="ca-pub-1435553701793282" data-ad-slot="1601555780"></ins> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Config Data </div> <table class="table table-striped table-bordered table-sm"> <tr> <th>Version</th> <td>b'\x071.https://malwareconfig.com/config/da23c1fdc150daca591f708eea1c00ef/Wed, 21 Aug 2019 12:00:00 +0000https://malwareconfig.com/config/da23c1fdc150daca591f708eea1c00ef/Details <table class="table table-striped table-bordered table-sm"> <tr> <th>FileName</th> <td><a href="/stats//"></a></td> </tr> <tr> <th>Malware Family</th> <td><a href="/stats//">DarkComet</a></td> </tr> <tr> <th>Date Added</th> <td>2019-02-07 06:25:09</td> </tr> <tr> <th>MD5</th> <td>da23c1fdc150daca591f708eea1c00ef</td> </tr> <tr> <th>Sha256</th> <td>11dda7b3ffb57f3484b1a0995bd01a5664fadcad597ce09e7be94254f4688b55</td> </tr> <tr> <th>Robot</th> <td>Robots lovingly delivered by <a href="https://robohash.org">robohash.org</a></td> </tr> </table> </div> </div> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> Advertising </div> <div class="card-body"> <!-- ducktoolkit-leaderboard --> <ins class="adsbygoogle" style="display:inline-block;width:728px;height:90px" data-ad-client="ca-pub-1435553701793282" data-ad-slot="1601555780"></ins> </div> </div> </div> </div> <div class="row mt-5"> <div class="col"> <div class="card"> <div class="card-header"> C2 Data </div> <table class="table table-striped table-bordered table-sm"> <tr> <th>FTPSIZE</th> <td></td> </tr> <tr> <th>SID</th> <td>COMETDB</td> </tr> <tr> <th>MUTEX</th> <td>DC_MUTEX-C8X9971</td> </tr> <tr> <th>OFFLINEK</th> <td>1</td> </tr> <tr> <th>FTPPORT</th> <td></td> </tr> <tr> <th>GENCODE</th> <td>nRfxb2G8vinG</td> </tr> <tr> <th>NETDATA</th> <td>cometdb.