Syrian Malware Samples

Warning: The following files contain malicious software. They are intended for security researchers and should only be executed under controlled environments.

The password to our sample archives is: infected.

Updates

Wednesday, 06 Mar 2013

We are currently searching for the following samples:
MD5s: ed86876db98db35d8c205f8c0b92b0a4 & 02c2ee77cf5aaf8ac03739640c46e822
Both are mentioned in the following EFF report: "The Internet is Back in Syria and So is Malware Targeting Syrian Activists".

In addition, we are looking for the file 'important.rar', used in a Facebook-based attack. Link to CyberArabs post

Thursday, 31 Jan 2013

One new sample has been added, 185c8d11c0611cae7c81f4458bf1adea / ActiveX.exe. Some notes and background detailing it here and here.

Tuesday, 02 Dec 2012

Two additional samples, Skype Encription v 2.1.exe and FacebookWebBrowser.exe, have been added. The list of samples has also been adjusted so that the most recently-posted samples appear at the top. This does not necessarily correspond to when they were first seen in the wild.

Tuesday, 13 Nov 2012

Three more samples added.

Wednesday, 31 Oct 2012

The front page has been redesigned.

Sunday, 09 Sept 2012

Two more samples are now available for download thanks to y0ug of malware.lu. We appreciate it!
The samples are:

Saturday, 01 Sept 2012

Added another hash/report from the EFF regarding a Syrian regime-created "antihacker" tool, which drops DarkComet. The report goes into detail about the program's behavior and includes screenshots. Currently looking for a sample of this hash.

Saturday, 14 Jul 2012

Another sample & report added.

Tuesday, 10 Jul 2012

A thorough report prepared by Telecomix agents has been included in our list of media. It details a malware sample from February of this year. Link here: https://docs.google.com/open?id=0B2lkfUkdFSQjWVlKbTVMQ3dNY3M

Monday, 09 Jul 2012

We've added a page to list any links relating to Syrian malware samples. This includes both news articles and technical analysis.

Welcome to SyrianMalware.com. This website is a catalog of malicious software developed by the Al-Assad regime specifically for targeting dissidents.

Since April 2011, the government of Syria has deployed malware extensively in order to track and arrest democratic activists and ordinary citizens. Samples of that malware can be downloaded here and analyzed. This malware provides a window into how an authoritarian government spies on its people.

Each sample lists its respective MD5 hash, filename, links to any media sources which mention that sample specifically, and a download link.

Submitting Samples

We are always looking for new malware samples! If you have any to contribute, please send an email to: contact [at] syrianmalware [dot] com.

About Us

This website is a part of a network of activists working to bring help to Syria through exposure and direct assistance.

Syrian Freedom - We operate a 24/7 livestream and bring constant video & text updates on the situation in Syria on our website. News direct from the ground in Syria.

Syrian Assistance - Syrian Assistance is an independent, non-profit organisation consisting of volunteers from different countries that has been set up to raise money for the basic humanitarian needs of those Syrians either displaced or in need because of the ongoing crisis.