Malware Analyst, Reverse Engineer, Software Developer, Mathematician, Teacher, Podcaster, send cat pics
Website: https://www.wallenborn.net
Podcast: https://armchairinvestigators.de
Reversing Classes: https://mal.re

I think this wasn't mentioned on the Fediverse yet, so here we go: https://malshare.com is back up! If you've never heard of it: It's an openly developed and cost-free malware repository. As a researcher, you can register an account and upload and download malware samples to share with other researchers. You only need an email address (feel free to use a throw-away). This sadly became necessary btw to avoid abuse.

Anyway, we've been hard at work discussing scope (and reducing it), doing some spring cleaning, and automating as much as possible.

A couple of changes:
* CI/CD via github actions
* got rid of YARA scanning
* allowed URL submissions
* got the daily digest working again

Esp. not scanning with YARA anymore was a hard decision. Because without that, it's really just SHA256s. But it's surprisingly hard to run YARA at scale. And in the end, we figured: rather than having no MalShare at all, let's have one without YARA.

We also centralized all issue tracking on https://github.com/Malshare/MalShare/issues. There were issues over 4 years old. We've addressed a couple and the plan is to not let it come to this in the future. Speaking of: please reach out if you want to get involved, we are not that many people and can use any help. There are also donation options to cover hosting cost (we have a lot of malware...).

Someone did some shenanigans with api.malshare.com: https://github.com/Malshare/MalShare/issues/86. No meaningful leakage of data happened.

If you have visibility and analysis cycles, any input is appreciated!

Samplepedia is great fun, just vibed together a config extractor for a GootLoader sample. It is based on the JavaScript parsing library Babel and I documented the process: https://blag.nullteilerfrei.de/2026/01/18/use-babel-to-deobfuscate-javascript-malware/
@SebastianWalla, Steffen Haas, @tillmannwerner, and myself will present a .NET instrumentation framework tomorrow at @recon 2025 in Montreal. Here's a humble brag sneak peek demoing how easy it is to write a function tracer!

For "all my new followers" here: if you are able to understand German, I've been podcasting for a couple of years now. Throughput is limited but we are at 10 episodes now (and counting). Chris' and my format is somewhere in between "two guys just talking" and "reading a lecture script". Hence the limited throughput: we just need a bit of time to prepare each episode.

Anyway, here's the URL: https://armchairinvestigators.de/ you can listen to it directly on the site or just search for "Armchair Investigators" on your favorite Podcast platform (how to actually get your self-hosted Podcast distributed is also a funny story, but more for a blag post, I think).

Oh yeah: our goal is to make cyber accessible to everyone (even your parents) while still being interesting for the average nerd. Topics for example are the Triton/Trisis case, cyber operations by the GRU, Olympic Destroyer, etc.

If you can't understand German but might have people who do, I'd very much appreciate a forward or mention 🙇

Armchair Investigators – A dialogue about malware, cybercrime and cyber espionage

A dialogue about malware, cybercrime, and cyber espionage in podcast form by Christian Dietrich and Lars Wallenborn

@glesnewich @captainGeech hey my two fellow #100DaysofYARA on #mastodon companions. Haven't seen your posts for a few days. Taking a break? I really enjoyed reading your rules, and company is always motivating for me!