Awesome Malware Analysis
A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.
View Chinese translation: 恶意软件分析大合集.md.
Malware Collection
Anonymizers
Web traffic anonymizers for analysts.
- Anonymouse.org - A free, web based anonymizer.
- OpenVPN - VPN software and hosting solutions.
- Privoxy - An open source proxy server with some privacy features.
- Tor - The Onion Router, for browsing the web without leaving traces of the client IP.
Honeypots
Trap and collect your own samples.
- Conpot - ICS/SCADA honeypot.
- Cowrie - SSH honeypot, based on Kippo.
- DemoHunter - Low interaction distributed honeypots.
- Dionaea - Honeypot designed to trap malware.
- Glastopf - Web application honeypot.
- Honeyd - Create a virtual honeynet.
- HoneyDrive - Honeypot bundle Linux distro.
- Honeytrap - Open source system for running, monitoring and managing honeypots.
- MHN - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
- Mnemosyne - A normalizer for honeypot data; supports Dionaea.
- Thug - Low interaction honeyclient, for investigating malicious websites.
Malware Corpora
Malware samples collected for analysis.
- Clean MX - Realtime database of malware and malicious domains.
- Contagio - A collection of recent malware samples and analyses.
- Exploit Database - Exploit and shellcode samples.
- Infosec - CERT-PA - Malware samples collection and analysis.
- InQuest Labs - Ever-growing searchable corpus of malicious Microsoft documents.
- Javascript Malware Collection - Collection of almost 40,000 JavaScript malware samples.
- Malpedia - A resource providing rapid identification and actionable context for malware investigations.
- Malshare - Large repository of malware actively scraped from malicious sites.
- Ragpicker - Plugin based malware crawler with pre-analysis and reporting functionalities.
- theZoo - Live malware samples for analysts.
- Tracker h3x - Aggregator for malware corpus trackers and malicious download sites.
- vduddu malware repo - Collection of various malware files and source code.
- VirusBay - Community-based malware repository and social network.
- ViruSign - Malware database of samples detected by many anti-malware programs except ClamAV.
- VirusShare - Malware repository, registration required.
- VX Vault - Active collection of malware samples.
- Zeltser’s Sources - A list of malware sample sources put together by Lenny Zeltser.
- Zeus Source Code - Source for the Zeus trojan leaked in 2011.
- VX Underground - Massive and growing collection of free malware samples.
Open Source Threat Intelligence
Harvest and analyze IOCs.
- AbuseHelper - An open-source framework for receiving and redistributing abuse feeds and threat intel.
- AlienVault Open Threat Exchange - Share and collaborate in developing Threat Intelligence.
- Combine - Tool to gather Threat Intelligence indicators from publicly available sources.
- Fileintel - Pull intelligence per file hash.
- Hostintel - Pull intelligence per host.
- IntelMQ - A tool for CERTs for processing incident data using a message queue.
- IOC Editor - A free editor for XML IOC files.
- iocextract - Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.
- ioc_writer - Python library for working with OpenIOC objects, from Mandiant.
- MalPipe - Malware/IOC ingestion and processing engine that enriches collected data.
- Massive Octo Spice - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
- MISP - Malware Information Sharing Platform curated by The MISP Project.
- Pulsedive - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
- PyIOCe - A Python OpenIOC editor.
- RiskIQ - Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
- threataggregator - Aggregates security threats from a number of sources, including some of those listed below in other resources.
- ThreatConnect - TC Open allows you to see and share open source threat data, with support and validation from our free community.
- ThreatCrowd - A search engine for threats, with graphical visualization.
- ThreatIngestor - Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.
- ThreatTracker - A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
- TIQ-test - Data visualization and statistical analysis of Threat Intelligence feeds.
Other Resources
Threat intelligence and IOC resources.
- Autoshun (list) - Snort plugin and blocklist.
- Bambenek Consulting Feeds - OSINT feeds based on malicious DGA algorithms.
- Fidelis Barncat - Extensive malware config database (must request access).
- CI Army (list) - Network security blocklists.
- Critical Stack - Free Intel Market - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
- Cybercrime tracker - Multiple botnet active tracker.
- FireEye IOCs - Indicators of Compromise shared publicly by FireEye.
- FireHOL IP Lists - Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps.
- HoneyDB - Community driven honeypot sensor data collection and aggregation.
- hpfeeds - Honeypot feed protocol.
- Infosec - CERT-PA lists (IPs - Domains - URLs) - Blocklist service.
- InQuest REPdb - Continuous aggregation of IOCs from a variety of open reputation sources.
- InQuest IOCdb - Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter.
- Internet Storm Center (DShield) - Diary and searchable incident database, with a web API (unofficial Python library).
- malc0de - Searchable incident database.
- Malware Domain List - Search and share malicious URLs.
- MetaDefender Threat Intelligence Feed - List of the most looked up file hashes from MetaDefender Cloud.
- OpenIOC - Framework for sharing threat intelligence.
- Proofpoint Threat Intelligence - Rulesets and more. (Formerly Emerging Threats.)
- Ransomware overview - A list of ransomware families with details, detection and prevention.
- STIX - Structured Threat Information eXpression - Standardized language to represent and share cyber threat information. Related efforts from MITRE:
- SystemLookup - SystemLookup hosts a collection of lists that provide information on the components of legitimate and potentially unwanted programs.
- ThreatMiner - Data mining portal for threat intelligence, with search.
- threatRECON - Search for indicators, up to 1000 free per month.
- ThreatShare - C2 panel tracker.
- Yara rules - Yara rules repository.
- YETI - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
- ZeuS Tracker - ZeuS blocklists.
Detection and Classification
Antivirus and other malware identification tools
- AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
- Assemblyline - A scalable file triage and malware analysis system integrating the cyber security community’s best tools.
- BinaryAlert - An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
- capa - Detects capabilities in executable files.
- chkrootkit - Local Linux rootkit detection.
- ClamAV - Open source antivirus engine.
- Detect It Easy (DiE) - A program for determining types of files.
- Exeinfo PE - Packer, compressor detector, unpack info, internal exe tools.
- ExifTool - Read, write and edit file metadata.
- File Scanning Framework - Modular, recursive file scanning solution.
- fn2yara - FN2Yara is a tool to generate Yara signatures for matching functions (code) in an executable program.
- Generic File Parser - A single library parser to extract meta information, perform static analysis and detect macros within files.
- hashdeep - Compute digest hashes with a variety of algorithms.
- HashCheck - Windows shell extension to compute hashes with a variety of algorithms.
- Loki - Host based scanner for IOCs.
- Malfunction - Catalog and compare malware at a function level.
- Manalyze - Static analyzer for PE executables.
- MASTIFF - Static analysis framework.
- MultiScanner - Modular file scanning/analysis framework.
- Nauz File Detector (NFD) - Linker/Compiler/Tool detector for Windows, Linux and MacOS.
- nsrllookup - A tool for looking up hashes in NIST’s National Software Reference Library database.
- packerid - A cross-platform Python alternative to PEiD.
- PE-bear - Reversing tool for PE files.
- PEframe - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
- PEV - A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
- PortEx - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
- Quark-Engine - An obfuscation-neglect Android malware scoring system.
- Rootkit Hunter - Detect Linux rootkits.
- ssdeep - Compute fuzzy hashes.
- totalhash.py - Python script for easy searching of the TotalHash.cymru.com database.
- TrID - File identifier.
- YARA - Pattern matching tool for analysts.
- Yara rules generator - Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.
- Yara Finder - A simple tool to match a file against various yara rules to find indicators of suspicion.
Online Scanners and Sandboxes
Web-based multi-AV scanners, and malware sandboxes for automated analysis.
- anlyz.io - Online sandbox.
- any.run - Online interactive sandbox.
- AndroTotal - Free online analysis of APKs against multiple mobile antivirus apps.
- BoomBox - Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant.
- Cryptam - Analyze suspicious office documents.
- Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
- cuckoo-modified - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
- cuckoo-modified-api - A Python API used to control a cuckoo-modified sandbox.
- DeepViz - Multi-format file analyzer with machine-learning classification.
- detux - A sandbox developed to do traffic analysis of Linux malware and capture IOCs.
- DRAKVUF - Dynamic malware analysis system.
- filescan.io - Static malware analysis, VBA/PowerShell/VBS/JS emulation.
- firmware.re - Unpacks, scans and analyzes almost any firmware package.
- HaboMalHunter - An automated malware analysis tool for Linux ELF files.
- Hybrid Analysis - Online malware analysis tool, powered by VxSandbox.
- Intezer - Detect, analyze, and categorize malware by identifying code reuse and code similarities.
- IRMA - An asynchronous and customizable analysis platform for suspicious files.
- Joe Sandbox - Deep malware analysis with Joe Sandbox.
- Jotti - Free online multi-AV scanner.
- Limon - Sandbox for analyzing Linux malware.
- Malheur - Automatic sandboxed analysis of malware behavior.
- malice.io - Massively scalable malware analysis framework.
- malsub - A Python RESTful API framework for online malware and URL analysis services.
- Malware config - Extract, decode and display online the configuration settings from common malware.
- MalwareAnalyser.io - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
- Malwr - Free analysis with an online Cuckoo Sandbox instance.
- MetaDefender Cloud - Scan a file, hash, IP, URL or domain address for malware for free.
- NetworkTotal - A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
- Noriben - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
- PacketTotal - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
- PDF Examiner - Analyse suspicious PDF files.
- ProcDot - A graphical malware analysis tool kit.
- Recomposer - A helper script for safely uploading binaries to sandbox sites.
- sandboxapi - Python library for building integrations with several open source and commercial malware sandboxes.
- SEE - Sandboxed Execution Environment (SEE) is a framework for building test automation in secured environments.
- SEKOIA Dropper Analysis - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
- VirusTotal - Free online analysis of malware samples and URLs.
- Visualize_Logs - Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come…)
- Zeltser’s List - Free automated sandboxes and services, compiled by Lenny Zeltser.
Domain Analysis
Inspect domains and IP addresses.
- AbuseIPDB - AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.
- badips.com - Community based IP blacklist service.
- boomerang - A tool designed for consistent and safe capture of off network web resources.
- Cymon - Threat intelligence tracker, with IP/domain/hash search.
- Desenmascara.me - One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
- Dig - Free online dig and other network tools.
- dnstwist - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
- IPinfo - Gather information about an IP or domain by searching online resources.
- Machinae - OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automater.
- mailchecker - Cross-language temporary email detection library.
- MaltegoVT - Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
- Multi rbl - Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
- NormShield Services - Free API services for detecting possible phishing domains, blacklisted IP addresses and breached accounts.
- PhishStats - Phishing statistics with search for IP, domain and website title.
- Spyse - Subdomains, whois, related domains, DNS, hosts AS, SSL/TLS info.
- SecurityTrails - Historical and current WHOIS, historical and current DNS records, similar domains, certificate information and other domain and IP related API and tools.
- SpamCop - IP based spam block list.
- SpamHaus - Block list based on domains and IPs.
- Sucuri SiteCheck - Free website malware and security scanner.
- Talos Intelligence - Search for IP, domain or network owner. (Previously SenderBase.)
- TekDefense Automater - OSINT tool for gathering information about URLs, IPs, or hashes.
- URLhaus - A project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.
- URLQuery - Free URL scanner.
- urlscan.io - Free URL scanner & domain information.
- Whois - DomainTools free online whois search.
- Zeltser’s List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.
- Zscaler Zulu - Zulu URL Risk Analyzer.
Browser Malware
Analyze malicious URLs. See also the domain analysis and
documents and shellcode sections.
- Bytecode Viewer - Combines multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support.
- Firebug - Firefox extension for web development.
- Java Decompiler - Decompile and inspect Java apps.
- Java IDX Parser - Parses Java IDX cache files.
- JSDetox - JavaScript malware analysis tool.
- jsunpack-n - A JavaScript unpacker that emulates browser functionality.
- Krakatau - Java decompiler, assembler, and disassembler.
- Malzilla - Analyze malicious web pages.
- RABCDAsm - A “Robust ActionScript Bytecode Disassembler.”
- SWF Investigator - Static and dynamic analysis of SWF applications.
- swftools - Tools for working with Adobe Flash files.
- xxxswf - A Python script for analyzing Flash files.
Documents and Shellcode
Analyze malicious JS and shellcode from PDFs and Office documents. See also
the browser malware section.
- AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
- box-js - A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
- diStorm - Disassembler for analyzing malicious shellcode.
- InQuest Deep File Inspection - Upload common malware lures for Deep File Inspection and heuristic analysis.
- JS Beautifier - JavaScript unpacking and deobfuscation.
- libemu - Library and tools for x86 shellcode emulation.
- malpdfobj - Deconstruct malicious PDFs into a JSON representation.
- OfficeMalScanner - Scan for malicious traces in MS Office documents.
- olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
- Origami PDF - A tool for analyzing malicious PDFs, and more.
- PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
- PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
- peepdf - Python tool for exploring possibly malicious PDFs.
- QuickSand - QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
- Spidermonkey - Mozilla’s JavaScript engine, for debugging malicious JS.
File Carving
For extracting files from inside disk and memory images.
- bulk_extractor - Fast file carving tool.
- EVTXtract - Carve Windows Event Log files from raw binary data.
- Foremost - File carving tool designed by the US Air Force.
- hachoir3 - Hachoir is a Python library to view and edit a binary stream field by field.
- Scalpel - Another data carving tool.
- SFlock - Nested archive extraction/unpacking (used in Cuckoo Sandbox).
Deobfuscation
Reverse XOR and other code obfuscation methods.
- Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc.) and more.
- de4dot - .NET deobfuscator and unpacker.
- ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
- FLOSS - The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
- NoMoreXOR - Guess a 256 byte XOR key using frequency analysis.
- PackerAttacker - A generic hidden code extractor for Windows malware.
- PyInstaller Extractor - A Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize them.
- uncompyle6 - A cross-version Python bytecode decompiler. Translates Python bytecode back into equivalent Python source code.
- un{i}packer - Automatic and platform-independent unpacker for Windows binaries based on emulation.
- unpacker - Automated malware unpacker for Windows malware based on WinAppDbg.
- unxor - Guess XOR keys using known-plaintext attacks.
- VirtualDeobfuscator - Reverse engineering tool for virtualization wrappers.
- XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
- XORSearch & XORStrings - A couple of programs from Didier Stevens for finding XORed data.
- xortool - Guess XOR key length, as well as the key itself.
Debugging and Reverse Engineering
Disassemblers, debuggers, and other static and dynamic analysis tools.
- angr - Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
- bamfdetect - Identifies and extracts information from bots and other malware.
- BAP - Multiplatform and open source (MIT) binary analysis framework developed at CMU’s Cylab.
- BARF - Multiplatform, open source Binary Analysis and Reverse engineering Framework.
- binnavi - Binary analysis IDE for reverse engineering based on graph visualization.
- Binary ninja - A reverse engineering platform that is an alternative to IDA.
- Binwalk - Firmware analysis tool.
- BluePill - Framework for executing and debugging evasive malware and protected executables.
- Capstone - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
- codebro - Web based code browser using clang to provide basic code analysis.
- Cutter - GUI for Radare2.
- DECAF (Dynamic Executable Code Analysis Framework) - A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.
- dnSpy - .NET assembly editor, decompiler and debugger.
- dotPeek - Free .NET Decompiler and Assembly Browser.
- Evan’s Debugger (EDB) - A modular debugger with a Qt GUI.
- Fibratus - Tool for exploration and tracing of the Windows kernel.
- FPort - Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
- GDB - The GNU debugger.
- GEF - GDB Enhanced Features, for exploiters and reverse engineers.
- Ghidra - A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
- hackers-grep - A utility to search for strings in PE executables including imports, exports, and debug symbols.
- Hopper - The macOS and Linux Disassembler.
- IDA Pro - Windows disassembler and debugger, with a free evaluation version.
- IDR - Interactive Delphi Reconstructor is a decompiler of Delphi executable files and dynamic libraries.
- Immunity Debugger - Debugger for malware analysis and more, with a Python API.
- ILSpy - ILSpy is the open-source .NET assembly browser and decompiler.
- Kaitai Struct - DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
- LIEF - LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
- ltrace - Dynamic analysis for Linux executables.
- mac-a-mal - An automated framework for mac malware hunting.
- objdump - Part of GNU binutils, for static analysis of Linux binaries.
- OllyDbg - An assembly-level debugger for Windows executables.
- OllyDumpEx - Dump memory from (unpacked) malware Windows process and store raw or rebuild PE file. This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg.
- PANDA - Platform for Architecture-Neutral Dynamic Analysis.
- PEDA - Python Exploit Development Assistance for GDB, an enhanced display with added commands.
- pestudio - Perform static analysis of Windows executables.
- Pharos - The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
- plasma - Interactive disassembler for x86/ARM/MIPS.
- PPEE (puppy) - A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
- Process Explorer - Advanced task manager for Windows.
- Process Hacker - Tool that monitors system resources.
- Process Monitor - Advanced monitoring tool for Windows programs.
- PSTools - Windows command-line tools that help manage and investigate live systems.
- Pyew - Python tool for malware analysis.
- PyREBox - Python scriptable reverse engineering sandbox by the Talos team at Cisco.
- Qiling Framework - Cross platform emulation and sandboxing framework with instruments for binary analysis.
- QKD - QEMU with embedded WinDbg server for stealth debugging.
- Radare2 - Reverse engineering framework, with debugger support.
- RegShot - Registry compare utility that compares snapshots.
- RetDec - Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.
- ROPMEMU - A framework to analyze, dissect and decompile complex code-reuse attacks.
- Scylla Imports Reconstructor - Find and fix the IAT of an unpacked / dumped PE32 malware.
- ScyllaHide - An Anti-Anti-Debug library and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine.
- SMRT - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis.
- strace - Dynamic analysis for Linux executables.
- StringSifter - A machine learning tool that automatically ranks strings based on their relevance for malware analysis.
- Triton - A dynamic binary analysis (DBA) framework.
- Udis86 - Disassembler library and tool for x86 and x86_64.
- Vivisect - Python tool for malware analysis.
- WinDbg - Multipurpose debugger for the Microsoft Windows operating system, used to debug user mode applications, device drivers, and kernel-mode memory dumps.
- X64dbg - An open-source x64/x32 debugger for Windows.
Network
Analyze network interactions.
- Bro - Protocol analyzer that operates at incredible scale; both file and network protocols.
- BroYara - Use Yara rules from Bro.
- CapTipper - Malicious HTTP traffic explorer.
- chopshop - Protocol analysis and decoding framework.
- CloudShark - Web-based tool for packet analysis and malware traffic detection.
- FakeNet-NG - Next generation dynamic network analysis tool.
- Fiddler - Intercepting web proxy designed for “web debugging.”
- Hale - Botnet C&C monitor.
- Haka - An open source security oriented language for describing protocols and applying security policies on (live) captured traffic.
- HTTPReplay - Library for parsing and reading out PCAP files, including TLS streams using TLS Master Secrets (used in Cuckoo Sandbox).
- INetSim - Network service emulation, useful when building a malware lab.
- Laika BOSS - Laika BOSS is a file-centric malware analysis and intrusion detection system.
- Malcolm - Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
- Malcom - Malware Communications Analyzer.
- Maltrail - A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring a reporting and analysis interface.
- mitmproxy - Intercept network traffic on the fly.
- Moloch - IPv4 traffic capturing, indexing and database system.
- NetworkMiner - Network forensic analysis tool, with a free version.
- ngrep - Search through network traffic like grep.
- PcapViz - Network topology and traffic visualizer.
- Python ICAP Yara - An ICAP server with yara scanner for URL or content.
- Squidmagic - squidmagic is a tool designed to analyze web-based network traffic to detect central command and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus.
- Tcpdump - Collect network traffic.
- tcpick - Track and reassemble TCP streams from network traffic.
- tcpxtract - Extract files from network traffic.
- Wireshark - The network traffic analysis tool.
Memory Forensics
Tools for dissecting malware in memory images or running systems.
- BlackLight - Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
- DAMM - Differential Analysis of Malware in Memory, built on Volatility.
- evolve - Web interface for the Volatility Memory Forensics Framework.
- FindAES - Find AES encryption keys in memory.
- inVtero.net - High speed memory analysis framework developed in .NET; supports all Windows x64, includes code integrity and write support.
- Muninn - A script to automate portions of analysis using Volatility, and create a readable report.
- Orochi - Orochi is an open source framework for collaborative forensic memory dump analysis.
- Rekall - Memory analysis framework, forked from Volatility in 2013.
- TotalRecall - Script based on Volatility for automating various malware analysis tasks.
- VolDiff - Run Volatility on memory images before and after malware execution, and report changes.
- Volatility - Advanced memory forensics framework.
- VolUtility - Web Interface for Volatility Memory Analysis framework.
- WDBGARK - WinDBG Anti-RootKit Extension.
- WinDbg - Live memory inspection and kernel debugging for Windows systems.
Windows Artifacts
- AChoir - A live incident response script for gathering Windows artifacts.
- python-evt - Python library for parsing Windows Event Logs.
- python-registry - Python library for parsing registry files.
- RegRipper (GitHub) - Plugin-based registry analysis tool.
Storage and Workflow
- Aleph - Open Source Malware Analysis Pipeline System.
- CRITs - Collaborative Research Into Threats, a malware and threat repository.
- FAME - A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
- Malwarehouse - Store, tag, and search malware.
- Polichombr - A malware analysis platform designed to help analysts reverse malware collaboratively.
- stoQ - Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
- Viper - A binary management and analysis framework for analysts and researchers.
Miscellaneous
- al-khaser - A PoC malware with good intentions that aims to stress anti-malware systems.
- CryptoKnight - Automated cryptographic algorithm reverse engineering and classification framework.
- DC3-MWCP - The Defense Cyber Crime Center’s Malware Configuration Parser framework.
- FLARE VM - A fully customizable, Windows-based security distribution for malware analysis.
- MalSploitBase - A database containing exploits used by malware.
- Malware Museum - Collection of malware programs that were distributed in the 1980s and 1990s.
- Malware Organiser - A simple tool to organise large malicious/benign files into an organised structure.
- Pafish - Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
- REMnux - Linux distribution and docker images for malware reverse engineering and analysis.
- Tsurugi Linux - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.
- Santoku Linux - Linux distribution for mobile forensics, malware analysis, and security.
Resources
Books
Essential malware analysis reading material.
Other
- APT Notes - A collection of papers and notes related to Advanced Persistent Threats.
- Ember - Endgame Malware BEnchmark for Research, a repository that makes it easy to (re)create a machine learning model that can be used to predict a score for a PE file based on static analysis.
- File Formats posters - Nice visualization of commonly used file formats (including PE & ELF).
- Honeynet Project - Honeypot tools, papers, and other resources.
- Kernel Mode - An active community devoted to malware analysis and kernel development.
- Malicious Software - Malware blog and resources by Lenny Zeltser.
- Malware Analysis Search - Custom Google search engine from Corey Harrell.
- Malware Analysis Tutorials - The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning practical malware analysis.
- Malware Analysis, Threat Intelligence and Reverse Engineering - Presentation introducing the concepts of malware analysis, threat intelligence and reverse engineering. Experience or prior knowledge is not required. Labs link in description.
- Malware Persistence - Collection of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools).
- Malware Samples and Traffic - This blog focuses on network traffic related to malware infections.
- Malware Search+++ - Firefox extension that allows you to easily search some of the most popular malware databases.
- Practical Malware Analysis Starter Kit - This package contains most of the software referenced in the Practical Malware Analysis book.
- RPISEC Malware Analysis - These are the course materials used in the Malware Analysis course at Rensselaer Polytechnic Institute during Fall 2015.
- WindowsIR: Malware - Harlan Carvey’s page on Malware.
- Windows Registry specification - Windows registry file format specification.
- /r/csirt_tools - Subreddit for CSIRT tools and resources, with a malware analysis flair.
- /r/Malware - The malware subreddit.
- /r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.
Pull requests and issues with suggestions are welcome! Please read the
CONTRIBUTING guidelines before submitting a PR.
Thanks
This list was made possible by:
- Lenny Zeltser and other contributors for developing REMnux, where I
found many of the tools in this list;
- Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard for
writing the Malware Analyst’s Cookbook, which was a big inspiration for
creating the list;
- And everyone else who has sent pull requests or suggested links to add here!
Thanks!