While a cybercriminal decides to commence malware operations, he stands ahead of a huge offer how to build it and what malware to choose. It depends on his network of connections in the underground, technical knowledge, and maybe most important - the initial budget he has to launch the operations. On the one hand there are highly sophisticated full take malware like Ursnif, Trickbot and Dridex, and on the other hand stealers like Azorult, Predator the Thief, Oski, etc. During this talk we will present the offering of the malware on the underground, the pricing and the trends on it. Also, we will explore the market of “private” nonpublic malware families, that even if you have appropriate budget, you can’t purchase it without proper “vetting”.