Defund the Police.
Awesome Malware Analysis 
A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.
- Anonymizers - Honeypots - Malware Corpora - Tools - Other Resources- Detection and Classification
- Online Scanners and Sandboxes
- Domain Analysis
- Browser Malware
- Documents and Shellcode
- File Carving
- Deobfuscation
- Debugging and Reverse Engineering
- Network
- Memory Forensics
- Windows Artifacts
- Storage and Workflow
- Miscellaneous
- Resources
Malware Collection
Anonymizers
Web traffic anonymizers for analysts.
- Anonymouse.org - A free, web based anonymizer.
- OpenVPN - VPN software and hosting solutions.
- Privoxy - An open source proxy server with some
- Tor - The Onion Router, for browsing the web
Honeypots
Trap and collect your own samples.
on Kippo.- DemoHunter - Low interaction Distributed Honeypots.
- Dionaea - Honeypot designed to trap malware.
- Glastopf - Web application honeypot.
- Honeyd - Create a virtual honeynet.
- HoneyDrive - Honeypot bundle Linux distro.
- Honeytrap - Opensource system for running, monitoring and managing honeypots.
- MHN - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
- Mnemosyne - A normalizer for
- Thug - Low interaction honeyclient, for
Malware Corpora
Malware samples collected for analysis.
- Clean MX - Realtime
- Contagio - A collection of recent
- Exploit Database - Exploit and shellcode
- Infosec - CERT-PA - Malware samples collection and analysis.
- InQuest Labs - Evergrowing searchable corpus of malicious Microsoft documents.
- Javascript Mallware Collection - Collection of almost 40.000 javascript malware samples
- Malpedia - A resource providing
- Malshare - Large repository of malware actively
- Ragpicker - Plugin based malware
- theZoo - Live malware samples for
- Tracker h3x - Agregator for malware corpus tracker
- vduddu malware repo - Collection of
- VirusBay - Community-Based malware repository and social network.
- ViruSign - Malware database that detected by
- VirusShare - Malware repository, registration
- VX Vault - Active collection of malware samples.
- Zeltser's Sources - A list
- Zeus Source Code - Source for the Zeus
- VX Underground - Massive and growing collection of free malware samples.
Open Source Threat Intelligence
Tools
Harvest and analyze IOCs.
- AbuseHelper - An open-source
- AlienVault Open Threat Exchange - Share and
- Combine - Tool to gather Threat
- iocextract - Advanced Indicator
- ioc_writer - Python library for
- MalPipe - Malware/IOC ingestion and
- MISP - Malware Information Sharing
- Pulsedive - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
- PyIOCe - A Python OpenIOC editor.
- RiskIQ - Research, connect, tag and
- ThreatConnect - TC Open allows you to see and
- ThreatCrowd - A search engine for threats,
- ThreatIngestor - Build
- ThreatTracker - A Python
- TIQ-test - Data visualization
Other Resources
Threat intelligence and IOC resources.
Snort plugin and blocklist. OSINT feeds based on malicious DGA algorithms. Extensive malware config database (must request access). Network security blocklists. intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.- Cybercrime tracker - Multiple botnet active tracker.
- FireEye IOCs - Indicators of Compromise
- FireHOL IP Lists - Analytics for 350+ IP lists
- HoneyDB - Community driven honeypot sensor data collection and aggregation.
- hpfeeds - Honeypot feed protocol.
- Infosec - CERT-PA lists (IPs - Domains - URLs) - Blocklist service.
- InQuest REPdb - Continuous aggregation of IOCs from a variety of open reputation sources.
- InQuest IOCdb - Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter.
- Internet Storm Center (DShield) - Diary and
- malc0de - Searchable incident database.
- Malware Domain List - Search and share
- OpenIOC - Framework for sharing threat intelligence.
- Proofpoint Threat Intelligence -
- SystemLookup - SystemLookup hosts a collection of lists that provide information on
- ThreatMiner - Data mining portal for threat
- threatRECON - Search for indicators, up to 1000
- ThreatShare - C2 panel tracker
- Yara rules - Yara rules repository.
- YETI - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
- ZeuS Tracker - ZeuS
Detection and Classification
Antivirus and other malware identification tools
- AnalyzePE - Wrapper for a
- Assemblyline - A scalable file triage and malware analysis system integrating the cyber security community's best tools..
- BinaryAlert - An open source, serverless
- capa - Detects capabilities in executable files.
- chkrootkit - Local Linux rootkit detection.
- ClamAV - Open source antivirus engine.
- Detect It Easy(DiE) - A program for
- Exeinfo PE - Packer, compressor detector, unpack
- ExifTool - Read, write and
- fn2yara - FN2Yara is a tool to generate
- Generic File Parser - A Single Library Parser to extract meta information,static analysis and detect macros within the files.
- hashdeep - Compute digest hashes with
- HashCheck - Windows shell extension
- Loki - Host based scanner for IOCs.
- Malfunction - Catalog and
- Manalyze - Static analyzer for PE
- MASTIFF - Static analysis
- MultiScanner - Modular file
- Nauz File Detector(NFD) - Linker/Compiler/Tool detector for Windows, Linux and MacOS.
- nsrllookup - A tool for looking
- packerid - A cross-platform
- PE-bear - Reversing tool for PE
- PEframe - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
- PEV - A multiplatform toolkit to work with PE
- PortEx - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
- Quark-Engine - An Obfuscation-Neglect Android Malware Scoring System
- Rootkit Hunter - Detect Linux rootkits.
- ssdeep - Compute fuzzy hashes.
- totalhash.py -
- Yara rules generator - Generate
- Yara Finder - A simple tool to yara match the file against various yara rules to find the indicators of suspicion.
Online Scanners and Sandboxes
Web-based multi-AV scanners, and malware sandboxes for automated analysis.
- anlyz.io - Online sandbox.
- any.run - Online interactive sandbox.
- AndroTotal - Free online analysis of APKs
- BoomBox - Automatic deployment of Cuckoo
- Cryptam - Analyze suspicious office documents.
- Cuckoo Sandbox - Open source, self hosted
- cuckoo-modified - Modified
- DeepViz - Multi-format file analyzer with
- detux - A sandbox developed to do
- DRAKVUF - Dynamic malware analysis
- filescan.io - Static malware analysis, VBA/Powershell/VBS/JS Emulation
- firmware.re - Unpacks, scans and analyzes almost any
- HaboMalHunter - An Automated Malware
- Hybrid Analysis - Online malware
- Intezer - Detect, analyze, and categorize malware by
- IRMA - An asynchronous and customizable
- Joe Sandbox - Deep malware analysis with Joe Sandbox.
- Jotti - Free online multi-AV scanner.
- Limon - Sandbox for Analyzing Linux Malware.
- Malheur - Automatic sandboxed analysis
- malice.io - Massively scalable malware analysis framework.
- malsub - A Python RESTful API framework for
- Malware config - Extract, decode and display online
- MalwareAnalyser.io - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
- Malwr - Free analysis with an online Cuckoo Sandbox
- MetaDefender Cloud - Scan a file, hash, IP, URL or
- NetworkTotal - A service that analyzes
- Noriben - Uses Sysinternals Procmon to
- PacketTotal - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
- PDF Examiner - Analyse suspicious PDF files.
- ProcDot - A graphical malware analysis tool kit.
- Recomposer - A helper
- sandboxapi - Python library for
- SEE - Sandboxed Execution Environment (SEE)
- SEKOIA Dropper Analysis - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
- VirusTotal - Free online analysis of malware
- Visualize_Logs - Open source
- Zeltser's List - Free
Domain Analysis
Inspect domains and IP addresses.
- AbuseIPDB - AbuseIPDB is a project dedicated
- badips.com - Community based IP blacklist service.
- boomerang - A tool designed
- Cymon - Threat intelligence tracker, with IP/domain/hash
- Desenmascara.me - One click tool to retrieve as
- Dig - Free online dig and other
- dnstwist - Domain name permutation
- IPinfo - Gather information
- Machinae - OSINT tool for
- mailchecker - Cross-language
- MaltegoVT - Maltego transform
- Multi rbl - Multiple DNS blacklist and forward
- NormShield Services - Free API Services
- PhishStats - Phishing Statistics with search for
- Spyse - subdomains, whois, realted domains, DNS, hosts AS, SSL/TLS info,
- SecurityTrails - Historical and current WHOIS,
- Sucuri SiteCheck - Free Website Malware
- Talos Intelligence - Search for IP, domain
- TekDefense Automater - OSINT tool
- URLhaus - A project from abuse.ch with the goal
- URLQuery - Free URL Scanner.
- urlscan.io - Free URL Scanner & domain information.
- Whois - DomainTools free online whois
- Zeltser's List - Free
- ZScalar Zulu - Zulu URL Risk Analyzer.
Browser Malware
*Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.*
- Bytecode Viewer - Combines
- Firebug - Firefox extension for web development.
- Java Decompiler - Decompile and inspect Java apps.
- Java IDX Parser - Parses Java
- JSDetox - JavaScript
- jsunpack-n - A javascript
- Krakatau - Java decompiler,
- swftools - Tools for working with Adobe Flash
- xxxswf - A
Documents and Shellcode
*Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.*
- AnalyzePDF - A tool for
- box-js - A tool for studying JavaScript
- diStorm - Disassembler for analyzing
- InQuest Deep File Inspection - Upload common malware lures for Deep File Inspection and heuristical analysis.
- JS Beautifier - JavaScript unpacking and deobfuscation.
- libemu - Library and tools for x86 shellcode
- malpdfobj - Deconstruct malicious PDFs
- OfficeMalScanner - Scan for
- olevba - A script for parsing OLE
- Origami PDF - A tool for
- PDF Tools - pdfid,
- PDF X-Ray Lite - A PDF analysis tool,
- peepdf - Python
- QuickSand - QuickSand is a compact C framework
File Carving
For extracting files from inside disk and memory images.
- bulk_extractor - Fast file
- EVTXtract - Carve Windows
- Foremost - File carving tool designed
- hachoir3 - Hachoir is a Python library
- Scalpel - Another data carving
- SFlock - Nested archive
Deobfuscation
Reverse XOR and other code obfuscation methods.
- Balbuzard - A malware
- de4dot - .NET deobfuscator and
- FLOSS - The FireEye Labs Obfuscated
- NoMoreXOR - Guess a 256 byte
- PackerAttacker - A generic
- uncompyle6 - A cross-version
- un{i}packer - Automatic and
- unpacker - Automated malware
- unxor - Guess XOR keys using
- xortool - Guess XOR key length, as
Debugging and Reverse Engineering
Disassemblers, debuggers, and other static and dynamic analysis tools.
- angr - Platform-agnostic binary analysis
- bamfdetect - Identifies and extracts
- BAP - Multiplatform and
- BARF - Multiplatform, open
- binnavi - Binary analysis IDE for
- Binary ninja - A reversing engineering platform
- Binwalk - Firmware analysis tool.
- BluePill - Framework for executing and debugging evasive malware and protected executables.
- Capstone - Disassembly framework for
- codebro - Web based code browser using
- Cutter - GUI for Radare2.
- DECAF (Dynamic Executable Code Analysis Framework)
- dnSpy - .NET assembly editor, decompiler
- dotPeek - Free .NET Decompiler and
- Fibratus - Tool for exploration
- FPort - Reports
- Ghidra - A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
- hackers-grep - A utility to
- IDR - Interactive Delphi Reconstructor
- Immunity Debugger - Debugger for
- ILSpy - ILSpy is the open-source .NET assembly browser and decompiler.
- Kaitai Struct - DSL for file formats / network protocols /
- LIEF - LIEF provides a cross-platform library
- objdump - Part of GNU binutils,
- OllyDbg - An assembly-level debugger for Windows
- OllyDumpEx - Dump memory
- PANDA - Platform for Architecture-Neutral
- PEDA - Python Exploit Development
- pestudio - Perform static analysis of Windows
- Pharos - The Pharos binary analysis framework
- plasma - Interactive
- PPEE (puppy) - A Professional PE file Explorer for
- Process Hacker - Tool that monitors
- PSTools - Windows
- Pyew - Python tool for malware
- PyREBox - Python scriptable reverse
- Qiling Framework - Cross platform emulation and sanboxing
- QKD - QEMU with embedded WinDbg
- Radare2 - Reverse engineering framework, with
- RegShot - Registry compare utility
- RetDec - Retargetable machine-code decompiler with an
- ROPMEMU - A framework to analyze, dissect
- Scylla Imports Reconstructor - Find and fix
- ScyllaHide - An Anti-Anti-Debug library
- SMRT - Sublime Malware Research Tool, a
- strace - Dynamic analysis for
- StringSifter - A machine learning tool
- Vivisect - Python tool for
- WinDbg - multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
- X64dbg - An open-source x64/x32 debugger for windows.
Network
Analyze network interactions.
- Bro - Protocol analyzer that operates at incredible
- chopshop - Protocol analysis and
- CloudShark - Web-based tool for packet analysis
- FakeNet-NG - Next generation
- Fiddler - Intercepting web proxy designed
- HTTPReplay - Library for parsing
- INetSim - Network service emulation, useful when
- Laika BOSS - Laika BOSS is a file-centric
- Malcolm - Malcolm is a powerful, easily
- Malcom - Malware Communications
- Maltrail - A malicious traffic
- NetworkMiner - Network
- ngrep - Search through network traffic
- PcapViz - Network topology and
- Python ICAP Yara - An
- Squidmagic - squidmagic is a tool
- tcpxtract - Extract files from network
- Wireshark - The network traffic analysis
Memory Forensics
Tools for dissecting malware in memory images or running systems.
- BlackLight - Windows/MacOS
- DAMM - Differential Analysis of
- evolve - Web interface for the
- FindAES - Find AES
- inVtero.net - High speed memory
- Muninn - A script to automate portions
- Rekall - Memory analysis framework,
- TotalRecall - Script based
- VolDiff - Run Volatility on memory
- Volatility - Advanced
- VolUtility - Web Interface for
- WDBGARK -
- WinDbg -
Windows Artifacts
- AChoir - A live incident response
- python-evt - Python
- python-registry - Python
Storage and Workflow
- Aleph - Open Source Malware Analysis
- CRITs - Collaborative Research Into Threats, a
- FAME - A malware analysis
- Malwarehouse - Store, tag, and
- Polichombr - A malware analysis
- stoQ - Distributed content analysis
- Viper - A binary management and analysis framework for
Miscellaneous
- al-khaser - A PoC malware
- CryptoKnight - Automated cryptographic algorithm reverse engineering and classification framework.
- DC3-MWCP -
- FLARE VM - A fully customizable,
- MalSploitBase - A database
- Malware Museum - Collection of
- Malware Organiser - A simple tool to organise large malicious/benign files into a organised Structure.
- Pafish - Paranoid Fish, a demonstration
- REMnux - Linux distribution and docker images for
- Tsurugi Linux - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.
- Santoku Linux - Linux distribution for mobile
Resources
Books
Essential malware analysis reading material.
- Learning Malware Analysis - Learning Malware Analysis: Explore the concepts, tools, and techniques to analuze and investigate Windows malware
- Malware Analyst's Cookbook and DVD -
- Mastering Malware Analysis - Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercime, and IoT attacks
- Mastering Reverse Engineering - Mastering Reverse Engineering: Re-engineer your ethical hacking skills
- Practical Malware Analysis - The Hands-On
- Real Digital Forensics - Computer
- Rootkits and Bootkits - Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
- The Art of Memory Forensics - Detecting
- The IDA Pro Book - The Unofficial Guide
- The Rootkit Arsenal - The Rootkit Arsenal:
Other
- APT Notes - A collection of papers
- Ember - Endgame Malware BEnchmark for Research,
- File Formats posters - Nice visualization
- Honeynet Project - Honeypot tools, papers, and
- Kernel Mode - An active community
- Malicious Software - Malware
- Malware Persistence - Collection
- Malware Samples and Traffic - This
- Malware Search+++ Firefox extension allows
- RPISEC Malware Analysis - These are the
- WindowsIR: Malware - Harlan
- /r/csirt_tools - Subreddit for CSIRT
- /r/Malware - The malware subreddit.
- /r/ReverseEngineering -
Related Awesome Lists
- Android Security
- AppSec
- CTFs
- Executable Packing
- Forensics
- "Hacking"
- Honeypots
- Industrial Control System Security
- Incident-Response
- Infosec
- PCAP Tools
- Pentesting
- Security
- Threat Intelligence
- YARA
Contributing
Pull requests and issues with suggestions are welcome! Please read the CONTRIBUTING guidelines before submitting a PR.
Thanks
This list was made possible by:
- Lenny Zeltser and other contributors for developing REMnux, where I
- Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for
- And everyone else who has sent pull requests or suggested links to add here!
