An analyst investigates whether 64-bit malware is becoming more common by analyzing 217GB of ZIP archives from MalwareBazaar, applying YARA to differentiate 32-bit and 64-bit PE files. The study finds a rising but still-small share of 64-bit samples and highlights data limitations in MalwareBazaar, inviting others to share additional statistics. #MalwareBazaar #abuse.ch #YARA #PE #ISC_SANS #XavierMertens
Keypoints
- The author analyzed 175.962 EXE/DLL samples from MalwareBazaar to assess 32-bit vs 64-bit prevalence in the wild.
- Two YARA rules were used to distinguish 32-bit from 64-bit PE binaries by checking the PE header bytes.
- A Python script processed all ZIP archives (217GB) and focused only on “.exe” and “.dll” files.
- 64-bit samples amounted to 10.952 files, about 6.224% of the dataset.
- Only 1 DLL was detected as 64-bit, with hash 86150c570e2d253d54fd5f70c9fe62ff37897dc3a7b21658fa891263a843790d.
- A timeline shows a slight upward trend in 64-bit samples in recent months, though MalwareBazaar data may not reflect the full picture.
MITRE Techniques
- [T1059.006] Python – Used Python to process all files from ZIP archives and apply the YARA rule against them. ‘I used Python to process all files from ZIP archives and use the YARA rule against them.’
- [T1560.001] Archive Collected Data – Processed ZIP archives with a password to limit access during analysis. ‘zipObj.setpassword(b"infected")’
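Worked example of the procedure summarized in the keypoints (tell 32-bit from 64-bit PE files by their header bytes, walk the ZIP archives, and look only at .exe/.dll members) together with the setpassword call quoted under MITRE Techniques. This is an added example and not the diary's script or its YARA rules: it reads the COFF Machine field directly in Python, with the assumed YARA form of the same check given in a comment, and the archive and PE stubs it processes are constructed in memory. Because Python's zipfile module cannot write encrypted archives, the sample archive is unencrypted; the setpassword call is placed where a real MalwareBazaar download would need it.

```python
"""Classify PE files as 32-bit or 64-bit from the COFF header and tally them
across a ZIP archive.  Added example, not the diary's own code.  All sample
data below is constructed in memory and is not malware."""
import io
import struct
import zipfile
from collections import Counter

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification
MACHINE_I386 = 0x014C
MACHINE_AMD64 = 0x8664
MACHINE_ARM64 = 0xAA64


def pe_bitness(data: bytes):
    """Return '32-bit', '64-bit', or None when data is not a parseable PE image.

    Equivalent (assumed) YARA condition for the 64-bit case:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
        and uint16(uint32(0x3C) + 4) == 0x8664
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The COFF header (Machine field first) follows the 4-byte "PE\0\0" signature
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    if machine == MACHINE_I386:
        return "32-bit"
    if machine in (MACHINE_AMD64, MACHINE_ARM64):
        return "64-bit"
    return None  # other architectures are left unclassified, as two YARA rules would


def classify_zip(zip_bytes: bytes, password: bytes = b"infected") -> Counter:
    """Walk one archive, consider only .exe/.dll members, and count bitness.
    MalwareBazaar archives are protected with the password 'infected'."""
    counts = Counter()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zipObj:
        zipObj.setpassword(password)  # ignored for unencrypted members, required for real downloads
        for info in zipObj.infolist():
            if not info.filename.lower().endswith((".exe", ".dll")):
                continue
            with zipObj.open(info) as fh:
                data = fh.read()
            counts[pe_bitness(data) or "not-pe"] += 1
    return counts


def share_64bit(counts: Counter) -> float:
    """Percentage of classified PE files that are 64-bit."""
    pe_total = counts["32-bit"] + counts["64-bit"]
    return 100.0 * counts["64-bit"] / pe_total if pe_total else 0.0


def make_pe_stub(machine: int) -> bytes:
    """Constructed, non-executable blob with a valid DOS stub, PE signature and
    COFF header; enough for header parsing and nothing more."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # 20-byte COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def build_sample_archive() -> bytes:
    """Constructed archive: two 32-bit stubs, two 64-bit stubs, one non-PE .exe,
    one non-binary member that the filter must skip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("a.exe", make_pe_stub(MACHINE_I386))
        z.writestr("b.exe", make_pe_stub(MACHINE_I386))
        z.writestr("c.exe", make_pe_stub(MACHINE_AMD64))
        z.writestr("d.dll", make_pe_stub(MACHINE_AMD64))
        z.writestr("e.exe", b"not a PE file at all")
        z.writestr("notes.txt", b"ignored by the extension filter")
    return buf.getvalue()


if __name__ == "__main__":
    tally = classify_zip(build_sample_archive())
    print(dict(tally), f"64-bit share: {share_64bit(tally):.3f}%")
```

On a real dataset, pointing classify_zip at each downloaded archive and summing the Counters gives the same per-file tally the diary reports; the "not-pe" bucket is worth keeping, since a member named .exe with a damaged or absent header is exactly the kind of sample that neither YARA rule will match.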
Indicators of Compromise
- [Hash] 86150c570e2d253d54fd5f70c9fe62ff37897dc3a7b21658fa891263a843790d – 64-bit DLL detected in the dataset
Read more: https://isc.sans.edu/diary/32+or+64+bits+Malware%3F/28968