- Awesome Malware Analysis
- Malware Collection
- Open Source Threat Intelligence
- Detection and Classification
- Online Scanners and Sandboxes
- Domain Analysis
- Browser Malware
- Documents and Shellcode
- File Carving
- Debugging and Reverse Engineering
- Memory Forensics
- Windows Artifacts
- Storage and Workflow
- Related Awesome Lists
Malware Collection
Web traffic anonymizers for analysts.
- Anonymouse.org – A free, web based anonymizer.
- OpenVPN – VPN software and hosting solutions.
- Privoxy – An open source proxy server with some privacy features.
- Tor – The Onion Router, for browsing the web without leaving traces of the client IP.
Trap and collect your own samples.
- Conpot – ICS/SCADA honeypot.
- Cowrie – SSH honeypot, based on Kippo.
- Dionaea – Honeypot designed to trap malware.
- Glastopf – Web application honeypot.
- Honeyd – Create a virtual honeynet.
- HoneyDrive – Honeypot bundle Linux distro.
- Mnemosyne – A normalizer for honeypot data; supports Dionaea.
- Thug – Low interaction honeyclient, for investigating malicious websites.
Malware samples collected for analysis.
- Clean MX – Realtime database of malware and malicious domains.
- Contagio – A collection of recent malware samples and analyses.
- Exploit Database – Exploit and shellcode samples.
- Malshare – Large repository of malware actively scraped from malicious sites.
- MalwareDB – Malware samples repository.
- Open Malware Project – Sample information and downloads. Formerly Offensive Computing.
- Ragpicker – Plugin-based malware crawler with pre-analysis and reporting functionality.
- theZoo – Live malware samples for analysts.
- Tracker h3x – Aggregator for malware corpus trackers and malicious download sites.
- ViruSign – Malware database of samples detected by many anti-malware programs except ClamAV.
- VirusShare – Malware repository, registration required.
- VX Vault – Active collection of malware samples.
- Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
- Zeus Source Code – Source for the Zeus trojan leaked in 2011.
Open Source Threat Intelligence
Harvest and analyze IOCs.
- AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
- AlienVault Open Threat Exchange – Share and collaborate in developing Threat Intelligence.
- Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
- Fileintel – Pull intelligence per file hash.
- Hostintel – Pull intelligence per host.
- IntelMQ – A tool for CERTs for processing incident data using a message queue.
- IOC Editor – A free editor for XML IOC files.
- ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
- Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
- MISP – Malware Information Sharing Platform curated by The MISP Project.
- PassiveTotal – Research, connect, tag and share IPs and domains.
- PyIOCe – A Python OpenIOC editor.
- threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
- ThreatCrowd – A search engine for threats, with graphical visualization.
- ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
- TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.
Threat intelligence and IOC resources.
- Autoshun (list) – Snort plugin and blocklist.
- Bambenek Consulting Feeds – OSINT feeds based on malicious DGA algorithms.
- Fidelis Barncat – Extensive malware config database (must request access).
- CI Army (list) – Network security blocklists.
- Critical Stack – Free Intel Market – Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
- Cybercrime tracker – Multiple botnet active tracker.
- FireEye IOCs – Indicators of Compromise shared publicly by FireEye.
- FireHOL IP Lists – Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps.
- hpfeeds – Honeypot feed protocol.
- Internet Storm Center (DShield) – Diary and searchable incident database, with a web API (unofficial Python library).
- malc0de – Searchable incident database.
- Malware Domain List – Search and share malicious URLs.
- Metadefender.com Threat Intelligence Feeds – List of the most looked up file hashes from Metadefender.com malware feed.
- OpenIOC – Framework for sharing threat intelligence.
- Palevo Blocklists – Botnet C&C blocklists.
- Proofpoint Threat Intelligence – Rulesets and more. (Formerly Emerging Threats.)
- Ransomware overview – A list of ransomware overview with details, detection and prevention.
- STIX – Structured Threat Information eXpression – Standardized language to represent and share cyber threat information, with related efforts from MITRE.
- threatRECON – Search for indicators, up to 1000 free per month.
- Yara rules – Yara rules repository.
- ZeuS Tracker – ZeuS blocklists.
Detection and Classification
Antivirus and other malware identification tools
- AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
- BinaryAlert – An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
- chkrootkit – Local Linux rootkit detection.
- ClamAV – Open source antivirus engine.
- Detect-It-Easy – A program for determining types of files.
- ExifTool – Read, write and edit file metadata.
- File Scanning Framework – Modular, recursive file scanning solution.
- hashdeep – Compute digest hashes with a variety of algorithms.
- Loki – Host based scanner for IOCs.
- Malfunction – Catalog and compare malware at a function level.
- MASTIFF – Static analysis framework.
- MultiScanner – Modular file scanning/analysis framework.
- nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
- packerid – A cross-platform Python alternative to PEiD.
- PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
- Rootkit Hunter – Detect Linux rootkits.
- ssdeep – Compute fuzzy hashes.
- totalhash.py – Python script for easy searching of the TotalHash.cymru.com database.
- TrID – File identifier.
- YARA – Pattern matching tool for analysts.
- Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.
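Several of the identifiers above (Detect-It-Easy, packerid, pestudio) flag packed or encrypted binaries partly by measuring byte entropy: compressed or encrypted code sits close to 8 bits per byte, native code and text well below it. The following Python is an added example of that check, not code from the list or from any of those tools; the sample buffer is constructed inline with a seeded PRNG standing in for a packed region, and the 7.0 bits/byte threshold is a common rule of thumb rather than any tool's setting.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 1024) -> list:
    """Entropy of each fixed-size window, as (offset, entropy) pairs."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.0) -> list:
    """Offsets of windows at or above the threshold. Rule-of-thumb figures (an assumption, not a
    tool's calibration): packed/encrypted data near 8.0, x86 code around 6.0, text around 4.5."""
    return [off for off, e in entropy_profile(data, window) if e >= threshold]


def packing_verdict(data: bytes, window: int = 1024, threshold: float = 7.0) -> str:
    """Coarse classification in the spirit of packer identifiers: every window hot means the whole
    image is packed or encrypted; a few hot windows point at an embedded packed/encrypted blob."""
    profile = entropy_profile(data, window)
    if not profile:
        return "empty"
    hot = sum(1 for _, e in profile if e >= threshold)
    if hot == len(profile):
        return "packed-or-encrypted"
    if hot:
        return "embedded-high-entropy-blob"
    return "plain"


# Constructed sample: low-entropy padding around a pseudo-random blob (seeded, so deterministic).
SAMPLE = b"A" * 2048 + random.Random(7).randbytes(2048) + b"A" * 2048

if __name__ == "__main__":
    for off, e in entropy_profile(SAMPLE):
        print(f"0x{off:06x}  {e:5.2f} bits/byte")
    print("high-entropy windows:", high_entropy_regions(SAMPLE))
    print("verdict:", packing_verdict(SAMPLE))
```

Run against a real PE, the same profile is more useful per section than per fixed window, since a packer typically leaves one small stub section at normal entropy and one large section near 8.0; a high value on its own is not proof of malice, as legitimately compressed resources score the same.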
Online Scanners and Sandboxes
Web-based multi-AV scanners, and malware sandboxes for automated analysis.
- APK Analyzer – Free dynamic analysis of APKs.
- AndroTotal – Free online analysis of APKs against multiple mobile antivirus apps.
- AVCaesar – Malware.lu online scanner and malware repository.
- Cryptam – Analyze suspicious office documents.
- Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
- cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
- cuckoo-modified-api – A Python API used to control a cuckoo-modified sandbox.
- DeepViz – Multi-format file analyzer with machine-learning classification.
- detux – A sandbox for traffic analysis of Linux malware and capture of IOCs.
- Document Analyzer – Free dynamic analysis of DOC and PDF files.
- DRAKVUF – Dynamic malware analysis system.
- File Analyzer – Free dynamic analysis of PE files.
- firmware.re – Unpacks, scans and analyzes almost any firmware package.
- Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
- IRMA – An asynchronous and customizable analysis platform for suspicious files.
- Joe Sandbox – Deep malware analysis with Joe Sandbox.
- Jotti – Free online multi-AV scanner.
- Limon – Sandbox for analyzing Linux malware.
- Malheur – Automatic sandboxed analysis of malware behavior.
- malsub – A Python RESTful API framework for online malware and URL analysis services.
- Malware config – Extract, decode and display online the configuration settings from common malware families.
- Malwr – Free analysis with an online Cuckoo Sandbox instance.
- MASTIFF Online – Online static analysis of malware.
- Metadefender.com – Scan a file, hash or IP address for malware (free).
- NetworkTotal – A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
- Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
- PDF Examiner – Analyse suspicious PDF files.
- ProcDot – A graphical malware analysis tool kit.
- Recomposer – A helper script for safely uploading binaries to sandbox sites.
- Sand droid – Automatic and complete Android application analysis system.
- SEE – Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
- URL Analyzer – Free dynamic analysis of URLs.
- VirusTotal – Free online analysis of malware samples and URLs.
- Visualize_Logs – Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come…)
- Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.
Domain Analysis
Inspect domains and IP addresses.
- boomerang – A tool designed for consistent and safe capture of off network web resources.
- Desenmascara.me – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
- Dig – Free online dig and other network tools.
- dnstwist – Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
- IPinfo – Gather information about an IP or domain by searching online resources.
- Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automater.
- mailchecker – Cross-language temporary email detection library.
- MaltegoVT – Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
- Multi rbl – Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
- NormShield Services – Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
- SenderBase – Search for IP, domain or network owner.
- SpamCop – IP based spam block list.
- SpamHaus – Block list based on domains and IPs.
- Sucuri SiteCheck – Free Website Malware and Security Scanner.
- TekDefense Automater – OSINT tool for gathering information about URLs, IPs, or hashes.
- URLQuery – Free URL Scanner.
- Whois – DomainTools free online whois search.
- Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
- Zscaler Zulu – Zulu URL Risk Analyzer.
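dnstwist, listed above, works by generating the look-alike domains an attacker would register (dropped or swapped characters, homoglyphs, bit flips, alternative TLDs) and then resolving each one. The permutation step is simple enough to show in full; the following Python is an added example written for this page, not dnstwist's own code. It assumes a plain "name.tld" input (multi-level public suffixes such as co.uk are not split correctly) and uses a small illustrative homoglyph and TLD table.

```python
import string

ALLOWED = set(string.ascii_lowercase + string.digits + "-")  # LDH label charset
VOWELS = "aeiou"
# Illustrative tables only (assumption); dnstwist ships far larger ones.
HOMOGLYPHS = {"a": "4", "e": "3", "i": "l", "l": "1", "o": "0", "s": "5", "m": "rn", "w": "vv"}
TLDS = ("com", "net", "org", "info", "co")


def _split(domain: str):
    # Assumption: "name.tld" with one registrable label; "co.uk" style suffixes are not handled.
    name, _, tld = domain.lower().partition(".")
    return name, tld


def _valid(domain: str) -> bool:
    labels = domain.split(".")
    return all(l and set(l) <= ALLOWED and not l.startswith("-") and not l.endswith("-")
               for l in labels)


def permutations(domain: str) -> dict:
    """Candidate look-alike domains grouped by technique (dnstwist-style categories)."""
    name, tld = _split(domain)
    out = {k: set() for k in ("omission", "transposition", "addition", "homoglyph",
                              "bitsquatting", "hyphenation", "vowel-swap", "tld-swap")}
    for i, ch in enumerate(name):
        out["omission"].add(name[:i] + name[i + 1:])
        if i + 1 < len(name) and name[i] != name[i + 1]:
            out["transposition"].add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
        if ch in HOMOGLYPHS:
            out["homoglyph"].add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])
        for bit in range(8):  # bitsquatting: one flipped bit in RAM or on the wire
            c = chr(ord(ch) ^ (1 << bit))
            if c in ALLOWED:
                out["bitsquatting"].add(name[:i] + c + name[i + 1:])
        if i > 0:
            out["hyphenation"].add(name[:i] + "-" + name[i:])
        if ch in VOWELS:
            for v in VOWELS.replace(ch, ""):
                out["vowel-swap"].add(name[:i] + v + name[i + 1:])
    for c in string.ascii_lowercase + string.digits:
        out["addition"].add(name + c)
    for t in TLDS:
        if t != tld:
            out["tld-swap"].add(name + "." + t)

    result = {}
    for kind, names in out.items():
        full = {n if "." in n else n + "." + tld for n in names}
        full.discard(domain.lower())           # never report the original itself
        result[kind] = sorted(n for n in full if _valid(n))
    return result


def all_candidates(domain: str) -> list:
    """Flat, de-duplicated list ready to feed to a resolver or passive-DNS lookup."""
    return sorted(set().union(*permutations(domain).values()))


if __name__ == "__main__":
    for kind, names in permutations("example.com").items():
        print(f"{kind:14s} {len(names):3d}  e.g. {', '.join(names[:4])}")
```

The resolution step that dnstwist performs afterwards (A/MX lookups, WHOIS age, fuzzy hashing of the landing page) is what turns a candidate into a finding; a registered permutation with an MX record is the usual sign of a phishing setup in progress.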
Browser Malware
- Firebug – Firefox extension for web development.
- Java Decompiler – Decompile and inspect Java apps.
- Java IDX Parser – Parses Java IDX cache files.
- Krakatau – Java decompiler, assembler, and disassembler.
- Malzilla – Analyze malicious web pages.
- RABCDAsm – A “Robust ActionScript Bytecode Disassembler.”
- swftools – Tools for working with Adobe Flash files.
- xxxswf – A Python script for analyzing Flash files.
Documents and Shellcode
Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.
- AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
- diStorm – Disassembler for analyzing malicious shellcode.
- libemu – Library and tools for x86 shellcode emulation.
- malpdfobj – Deconstruct malicious PDFs into a JSON representation.
- OfficeMalScanner – Scan for malicious traces in MS Office documents.
- olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
- Origami PDF – A tool for analyzing malicious PDFs, and more.
- PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
- PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
- peepdf – Python tool for exploring possibly malicious PDFs.
- QuickSand – A compact C framework to analyze suspected malware documents, identify exploits in streams of different encodings, and locate and extract embedded executables.
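pdfid, the first of Didier Stevens' PDF Tools listed above, triages a PDF without parsing it: it counts the names that can make a reader execute something (/JS, /JavaScript, /OpenAction, /AA, /Launch) and compares obj/endobj and stream/endstream counts to spot malformed files. The Python below is an added example of that approach, not pdfid's code; the two PDFs are constructed inline, one of them using the #xx name escape (/J#61vaScript) that defeats a naive grep for /JavaScript.

```python
import re
from collections import Counter

SUSPICIOUS = ("/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
              "/EmbeddedFile", "/XFA", "/ObjStm", "/RichMedia", "/AcroForm")
ACTIVE = ("/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch", "/RichMedia", "/XFA")
STRUCTURAL = ("obj", "endobj", "stream", "endstream")
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")      # a PDF name token after the slash
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")        # #xx escapes inside names (PDF 1.2+)


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript is counted as /JavaScript."""
    return "/" + HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def pdf_triage(data: bytes) -> Counter:
    """Keyword counts over the raw bytes, without parsing the object structure."""
    counts = Counter()
    for kw in STRUCTURAL:   # \b keeps "obj" from matching inside "endobj"
        counts[kw] = len(re.findall(rb"\b" + kw.encode() + rb"\b", data))
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in SUSPICIOUS:
            counts[name] += 1
    return counts


def is_suspicious(data: bytes) -> bool:
    """Anything that can run code or act on open deserves a sandbox run; unbalanced obj/endobj
    or stream/endstream counts usually mean a deliberately malformed or truncated file."""
    c = pdf_triage(data)
    active = any(c[k] for k in ACTIVE)
    malformed = c["obj"] != c["endobj"] or c["stream"] != c["endstream"]
    return active or malformed


# Constructed samples (not real malware): a document with an obfuscated JavaScript open action,
# and a benign one with no active content.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj
3 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, dict(pdf_triage(doc)), "suspicious" if is_suspicious(doc) else "clean")
```

Counting is only the first pass: the keywords can also hide inside compressed object streams (/ObjStm) or FlateDecode'd streams, which is why pdf-parser, peepdf and Origami exist to inflate and walk the objects once pdfid says something is worth a closer look.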
File Carving
For extracting files from inside disk and memory images.
- bulk_extractor – Fast file carving tool.
- EVTXtract – Carve Windows Event Log files from raw binary data.
- Foremost – File carving tool designed by the US Air Force.
- Hachoir – A collection of Python libraries for dealing with binary files.
- Scalpel – Another data carving tool.
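Foremost and Scalpel carve by header and footer signatures, but a PE has no footer, so a carver has to derive the length from the headers themselves: follow e_lfanew to the PE signature, read the section table and stop after the last section's raw data. The Python below is an added example of that logic for this page, not code from bulk_extractor, Foremost or Scalpel; the "disk image" it scans is constructed inline, with a decoy MZ stub whose e_lfanew points out of bounds so that the validation path is exercised too.

```python
import struct

COFF_HDR = 20      # IMAGE_FILE_HEADER
SECTION_HDR = 40   # IMAGE_SECTION_HEADER


def pe_size(blob: bytes, start: int):
    """Length of the PE image whose MZ header is at `start`, or None if it is not a sane PE.
    The end is the furthest PointerToRawData + SizeOfRawData in the section table."""
    if blob[start:start + 2] != b"MZ" or start + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, start + 0x3C)[0]
    pe = start + e_lfanew
    if e_lfanew < 0x40 or pe + 4 + COFF_HDR > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    nsect = struct.unpack_from("<H", blob, pe + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]      # SizeOfOptionalHeader
    if not 1 <= nsect <= 96:                                   # loader's section limit
        return None
    table = pe + 4 + COFF_HDR + opt_size
    end = table + nsect * SECTION_HDR - start                  # at least carve the headers
    if end > len(blob) - start:
        return None
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, table + i * SECTION_HDR + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(blob) - start)   # truncated tail: carve what is actually there


def carve_pe(blob: bytes) -> list:
    """All (offset, image) pairs found by scanning for MZ and validating the PE header."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        size = pe_size(blob, pos)
        if size:
            found.append((pos, blob[pos:pos + size]))
            pos = blob.find(b"MZ", pos + size)   # do not re-carve from inside this image
        else:
            pos = blob.find(b"MZ", pos + 1)
    return found


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed minimal PE-shaped image for the example: DOS header, PE signature, COFF header
    with no optional header, one section whose raw data is `payload` at offset 0x80."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    sect = (b".text".ljust(8, b"\0")
            + struct.pack("<IIII", len(payload), 0x1000, len(payload), 0x80)
            + b"\0" * 16)
    return bytes(dos) + b"PE\0\0" + coff + sect + payload


# Constructed "image": junk, a decoy MZ with an out-of-range e_lfanew, the fake PE, padding.
PAYLOAD = b"\x90" * 16 + b"\xc3"
IMAGE = build_fake_pe(PAYLOAD)
DECOY = b"MZ" + b"\xff" * 62
BLOB = b"junk" * 10 + DECOY + IMAGE + b"\0" * 32

if __name__ == "__main__":
    for off, img in carve_pe(BLOB):
        print(f"PE at 0x{off:x}, {len(img)} bytes, payload matches: {img.endswith(PAYLOAD)}")
```

Real carvers add two refinements worth knowing before trusting a carved sample: an overlay (data appended after the last section, common in installers and some droppers) is invisible to this size computation, and on a fragmented filesystem the bytes after the header may belong to another file entirely, so a carved PE should be re-validated (section hashes, import table sanity) before it goes into a corpus.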
Reverse XOR and other code obfuscation methods.
- Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
- de4dot – .NET deobfuscator and unpacker.
- ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
- FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
- NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
- PackerAttacker – A generic hidden code extractor for Windows malware.
- unpacker – Automated malware unpacker for Windows malware based on WinAppDbg.
- unxor – Guess XOR keys using known-plaintext attacks.
- VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
- XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
- XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
- xortool – Guess XOR key length, as well as the key itself.
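The XOR tools above automate two complementary ideas: brute-forcing a single-byte key and scoring the output by how much it looks like plaintext (XORBruteForcer, XORSearch), and recovering a multi-byte key from a known plaintext such as the DOS-stub string that almost every PE carries (unxor, xortool's crib mode). The Python below is an added example of both, written for this page and not taken from any of those tools; the encoded samples and the three-byte key are constructed inline.

```python
LOWER_AND_SPACE = set(b" abcdefghijklmnopqrstuvwxyz")
PE_CRIB = b"This program cannot be run in DOS mode"   # DOS stub text in nearly every PE


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def english_score(data: bytes) -> int:
    """Bytes that are spaces or lowercase letters; a crude but robust plaintext detector,
    since no wrong single-byte key keeps both spaces and letters in range."""
    return sum(1 for b in data if b in LOWER_AND_SPACE)


def brute_single_byte(cipher: bytes) -> int:
    """Try all 256 keys and return the one whose output scores most like text."""
    return max(range(256), key=lambda k: english_score(xor(cipher, bytes([k]))))


def known_plaintext_key(cipher: bytes, crib: bytes, max_key_len: int = 16):
    """Slide the crib along the ciphertext. Where cipher XOR crib is periodic, the period is the
    key length and one period is the key, rotated back to ciphertext offset 0.
    Returns (crib_offset, key) or None. The crib must cover two key repetitions."""
    if len(crib) < 2 * max_key_len:
        raise ValueError("crib must cover at least two key repetitions")
    for off in range(len(cipher) - len(crib) + 1):
        ks = bytes(c ^ p for c, p in zip(cipher[off:off + len(crib)], crib))
        for n in range(1, max_key_len + 1):
            if all(ks[j] == ks[j % n] for j in range(len(ks))):
                shift = off % n                     # ks[0] is key[off % n]
                return off, ks[n - shift:n] + ks[:n - shift]
    return None


# Constructed samples: a PE-like blob under a 3-byte key, and ASCII text under a 1-byte key.
KEY = b"\x4b\x8f\x2c"
PLAIN = (b"MZ\x90\x00" + b"\x00" * 12 + b"\x0e\x1f\xba\x0e" + PE_CRIB + b".\r\n$"
         + b"\x00" * 8 + b"PE\x00\x00" + b"\xcc" * 32)
CIPHER = xor(PLAIN, KEY)
TEXT = b"the quick brown fox jumps over the lazy dog " * 3
TEXT_CIPHER = xor(TEXT, b"\x5a")

if __name__ == "__main__":
    k = brute_single_byte(TEXT_CIPHER)
    print(f"single-byte key 0x{k:02x}: {xor(TEXT_CIPHER, bytes([k]))[:24]!r}")
    off, key = known_plaintext_key(CIPHER, PE_CRIB)
    print(f"crib at offset {off}, key {key.hex()}, header {xor(CIPHER, key)[:2]!r}")
```

The known-plaintext route is the one to try first on a suspected encoded PE: it is deterministic, needs no statistics, and fails loudly (no periodic keystream) rather than returning a plausible-looking wrong key. Frequency-based key-length guessing, as xortool does, is the fallback when no crib is available.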
Debugging and Reverse Engineering
Disassemblers, debuggers, and other static and dynamic analysis tools.
- angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
- bamfdetect – Identifies and extracts information from bots and other malware.
- BAP – Multiplatform and open source (MIT) binary analysis framework developed at CMU’s Cylab.
- BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
- binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
- Binary Ninja – A reverse engineering platform that is an alternative to IDA.
- Binwalk – Firmware analysis tool.
- Bokken – GUI for Pyew and Radare. (mirror)
- Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
- codebro – Web based code browser using clang to provide basic code analysis.
- dnSpy – .NET assembly editor, decompiler and debugger.
- Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
- Fibratus – Tool for exploration and tracing of the Windows kernel.
- FPort – Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
- GDB – The GNU debugger.
- GEF – GDB Enhanced Features, for exploiters and reverse engineers.
- hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
- IDA Pro – Windows disassembler and debugger, with a free evaluation version.
- Immunity Debugger – Debugger for malware analysis and more, with a Python API.
- LIEF – LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
- ltrace – Dynamic analysis for Linux executables.
- objdump – Part of GNU binutils, for static analysis of Linux binaries.
- OllyDbg – An assembly-level debugger for Windows executables.
- PANDA – Platform for Architecture-Neutral Dynamic Analysis.
- PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
- pestudio – Perform static analysis of Windows executables.
- plasma – Interactive disassembler for x86/ARM/MIPS.
- PPEE (puppy) – A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
- Process Explorer – Advanced task manager for Windows.
- Process Hacker – Tool that monitors system resources.
- Process Monitor – Advanced monitoring tool for Windows programs.
- PSTools – Windows command-line tools that help manage and investigate live systems.
- Pyew – Python tool for malware analysis.
- QKD – QEMU with embedded WinDbg server for stealth debugging.
- Radare2 – Reverse engineering framework, with debugger support.
- RegShot – Registry compare utility that compares snapshots.
- RetDec – Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.
- ROPMEMU – A framework to analyze, dissect and decompile complex code-reuse attacks.
- SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis.
- strace – Dynamic analysis for Linux executables.
- Triton – A dynamic binary analysis (DBA) framework.
- Udis86 – Disassembler library and tool for x86 and x86_64.
- Vivisect – Python tool for malware analysis.
- x64dbg – An open-source x64/x32 debugger for Windows.
Analyze network interactions.
- Bro – Network security monitor and protocol analyzer that operates at scale, covering both file and network protocols.
- BroYara – Use Yara rules from Bro.
- CapTipper – Malicious HTTP traffic explorer.
- chopshop – Protocol analysis and decoding framework.
- CloudShark – Web-based tool for packet analysis and malware traffic detection.
- Fiddler – Intercepting web proxy designed for “web debugging.”
- Hale – Botnet C&C monitor.
- Haka – An open source security oriented language for describing protocols and applying security policies on (live) captured traffic.
- INetSim – Network service emulation, useful when building a malware lab.
- Laika BOSS – A file-centric malware analysis and intrusion detection system.
- Malcom – Malware Communications Analyzer.
- Maltrail – A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, with a reporting and analysis interface.
- mitmproxy – Intercept network traffic on the fly.
- Moloch – IPv4 traffic capturing, indexing and database system.
- NetworkMiner – Network forensic analysis tool, with a free version.
- ngrep – Search through network traffic like grep.
- PcapViz – Network topology and traffic visualizer.
- Python ICAP Yara – An ICAP Server with yara scanner for URL or content.
- Squidmagic – A tool designed to analyze web-based network traffic to detect central command and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus.
- Tcpdump – Collect network traffic.
- tcpick – Track and reassemble TCP streams from network traffic.
- tcpxtract – Extract files from network traffic.
- Wireshark – The network traffic analysis tool.
Memory Forensics
Tools for dissecting malware in memory images or running systems.
- BlackLight – Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
- DAMM – Differential Analysis of Malware in Memory, built on Volatility.
- evolve – Web interface for the Volatility Memory Forensics Framework.
- FindAES – Find AES encryption keys in memory.
- Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
- Rekall – Memory analysis framework, forked from Volatility in 2013.
- TotalRecall – Script based on Volatility for automating various malware analysis tasks.
- VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
- Volatility – Advanced memory forensics framework.
- VolUtility – Web Interface for Volatility Memory Analysis framework.
- WDBGARK – WinDBG Anti-RootKit Extension.
- WinDbg – Live memory inspection and kernel debugging for Windows systems.
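FindAES, listed above, relies on a property of AES rather than on any signature: software implementations keep the expanded key schedule (176 bytes for AES-128) next to the key, and the schedule is a deterministic function of the key, so every 16-byte window of a memory image can be treated as a candidate key, expanded, and compared with the bytes that follow it. The Python below is an added example of that scan, not FindAES's code; the S-box is generated rather than pasted, the key is the FIPS-197 Appendix A test key, and the "memory image" is constructed inline with seeded random filler.

```python
import random


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def make_sbox() -> list:
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map, built by walking
    the field with generator 3 so the 256-entry table need not be embedded."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = make_sbox()


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion for AES-128: 44 words = 11 round keys = 176 bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]                # RotWord then SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)  # next round constant
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(sum(w, []))


def find_aes128_keys(memory: bytes, step: int = 1) -> list:
    """(offset, key) for every 16-byte window whose full expanded schedule follows it in memory.
    The round-1 key is compared first so almost every offset is rejected after one slice.
    FindAES scans on 4-byte alignment by default; step=1 here because the image is small."""
    hits = []
    for off in range(0, len(memory) - 176 + 1, step):
        cand = memory[off:off + 16]
        sched = expand_key_128(cand)
        if memory[off + 16:off + 32] == sched[16:32] and memory[off:off + 176] == sched:
            hits.append((off, cand))
    return hits


# Constructed memory image: random filler, a planted schedule, more filler (seeded, deterministic).
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A key
_rng = random.Random(3)
MEMORY = _rng.randbytes(2000) + expand_key_128(SAMPLE_KEY) + _rng.randbytes(1000)

if __name__ == "__main__":
    for off, key in find_aes128_keys(MEMORY):
        print(f"AES-128 key schedule at 0x{off:x}: {key.hex()}")
```

Because the check is exact (128 bits of match on the round-1 key alone), false positives are negligible even on multi-gigabyte images; what the scan cannot find is a key whose schedule was never materialised, as with AES-NI code paths that expand per call or implementations that wipe the schedule after use, which is also why a dump should be taken while the process that uses the key is still live. Extending the scan to AES-192 and AES-256 is the same loop with a 24- or 32-byte candidate and the corresponding expansion.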
Windows Artifacts
- AChoir – A live incident response script for gathering Windows artifacts.
- python-evt – Python library for parsing Windows Event Logs.
- python-registry – Python library for parsing registry files.
- RegRipper (GitHub) – Plugin-based registry analysis tool.
Storage and Workflow
- Aleph – Open Source Malware Analysis Pipeline System.
- CRITs – Collaborative Research Into Threats, a malware and threat repository.
- FAME – FAME is a malware analysis framework. It features a pipeline that can be extended with custom modules that can be chained and interact with each other to perform end-to-end analysis.
- Malwarehouse – Store, tag, and search malware.
- Polichombr – A malware analysis platform designed to help analysts reverse malware collaboratively.
- stoQ – Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
- Viper – A binary management and analysis framework for analysts and researchers.
- al-khaser – A PoC malware with good intentions that aims to stress anti-malware systems.
- Binarly – Search engine for bytes in a large corpus of malware.
- DC3-MWCP – The Defense Cyber Crime Center’s Malware Configuration Parser framework.
- FLARE VM – A fully customizable, Windows-based, security distribution for malware analysis.
- MalSploitBase – A database containing exploits used by malware.
- Malware Museum – Collection of malware programs that were distributed in the 1980s and 1990s.
- Pafish – Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
- REMnux – Linux distribution and docker images for malware reverse engineering and analysis.
- Santoku Linux – Linux distribution for mobile forensics, malware analysis, and security.
Essential malware analysis reading material.
- Malware Analyst’s Cookbook and DVD – Tools and Techniques for Fighting Malicious Code.
- Practical Malware Analysis – The Hands-On Guide to Dissecting Malicious Software.
- Practical Reverse Engineering – Intermediate Reverse Engineering
- Real Digital Forensics – Computer Security and Incident Response
- The Art of Memory Forensics – Detecting Malware and Threats in Windows, Linux, and Mac Memory.
- The IDA Pro Book – The Unofficial Guide to the World’s Most Popular Disassembler.
- The Rootkit Arsenal – Escape and Evasion in the Dark Corners of the System.
Some relevant Twitter accounts.
- Adamb @Hexacorn
- Andrew Case @attrc
- Binni Shah @binitamshah
- Claudio @botherder
- Dustin Webber @mephux
- Glenn @hiddenillusion
- jekil @jekil
- Jurriaan Bremer @skier_t
- Lenny Zeltser @lennyzeltser
- Liam Randall @hectaman
- Mark Schloesser @repmovsb
- Michael Ligh (MHL) @iMHLv2
- Monnappa @monnappa22
- Open Malware @OpenMalware
- Richard Bejtlich @taosecurity
- Volatility @volatility
- APT Notes – A collection of papers and notes related to Advanced Persistent Threats.
- File Formats posters – Nice visualization of commonly used file format (including PE & ELF).
- Honeynet Project – Honeypot tools, papers, and other resources.
- Kernel Mode – An active community devoted to malware analysis and kernel development.
- Malicious Software – Malware blog and resources by Lenny Zeltser.
- Malware Analysis Search – Custom Google search engine from Corey Harrell.
- Malware Analysis Tutorials – The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning practical malware analysis.
- Malware Samples and Traffic – This blog focuses on network traffic related to malware infections.
- Practical Malware Analysis Starter Kit – This package contains most of the software referenced in the Practical Malware Analysis book.
- RPISEC Malware Analysis – The course materials used in the Malware Analysis course at Rensselaer Polytechnic Institute during Fall 2015.
- WindowsIR: Malware – Harlan Carvey’s page on Malware.
- Windows Registry specification – Windows registry file format specification.
- /r/csirt_tools – Subreddit for CSIRT tools and resources, with a malware analysis flair.
- /r/Malware – The malware subreddit.
- /r/ReverseEngineering – Reverse engineering subreddit, not limited to just malware.
Related Awesome Lists
- Android Security
- Industrial Control System Security
- PCAP Tools
- Threat Intelligence
Pull requests and issues with suggestions are welcome! Please read the CONTRIBUTING guidelines before submitting a PR.
This list was made possible by:
- Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list;
- Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard for writing the Malware Analyst’s Cookbook, which was a big inspiration for creating the list;
- And everyone else who has sent pull requests or suggested links to add here!