rshipp
awesome-malware-analysis

Defund the Police.

Last updated Jul 10, 2026
13.9k
Stars
2.7k
Forks
25
Issues
+17
Stars/day
Attention Score
95
Language breakdown
No language data available.
β–Έ Files click to expand
README

Awesome Malware Analysis Awesome

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.

Drop ICE

- Anonymizers - Honeypots - Malware Corpora - Tools - Other Resources - Books - Other View Chinese translation: ζΆζ„θ½―δ»Άεˆ†ζžε€§εˆι›†.md.

Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org - A free, web based anonymizer.
  • OpenVPN - VPN software and hosting solutions.
  • Privoxy - An open source proxy server with some
privacy features.
  • Tor - The Onion Router, for browsing the web
without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

on Kippo.
  • DemoHunter - Low interaction Distributed Honeypots.
  • Dionaea - Honeypot designed to trap malware.
  • Glastopf - Web application honeypot.
  • Honeyd - Create a virtual honeynet.
  • HoneyDrive - Honeypot bundle Linux distro.
  • Honeytrap - Opensource system for running, monitoring and managing honeypots.
  • MHN - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
  • Mnemosyne - A normalizer for
honeypot data; supports Dionaea.
  • Thug - Low interaction honeyclient, for
investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

database of malware and malicious domains. malware samples and analyses. samples. rapid identification and actionable context for malware investigations.
  • Malshare - Large repository of malware actively
scrapped from malicious sites. crawler with pre-analysis and reporting functionalities
  • theZoo - Live malware samples for
analysts. and malicious download sites. various malware files and source code.
  • VirusBay - Community-Based malware repository and social network.
  • ViruSign - Malware database that detected by
many anti malware programs except ClamAV. required. of malware sample sources put together by Lenny Zeltser. trojan leaked in 2011.
  • VX Underground - Massive and growing collection of free malware samples.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

framework for receiving and redistributing abuse feeds and threat intel. collaborate in developing Threat Intelligence. Intelligence indicators from publicly available sources. A tool for CERTs for processing incident data using a message queue. A free editor for XML IOC files. of Compromise (IOC) extractor, Python library and command-line tool. working with OpenIOC objects, from Mandiant.
  • MalPipe - Malware/IOC ingestion and
processing engine, that enriches collected data. Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP - Malware Information Sharing
Platform curated by The MISP Project.
  • Pulsedive - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
  • PyIOCe - A Python OpenIOC editor.
  • RiskIQ - Research, connect, tag and
share IPs and domains. (Was PassiveTotal.) Aggregates security threats from a number of sources, including some of those listed below in other resources. share open source threat data, with support and validation from our free community. with graphical visualization. automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more. script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines. and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

Snort plugin and blocklist. OSINT feeds based on malicious DGA algorithms. Extensive malware config database (must request access). Network security blocklists. intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators. shared publicly by FireEye. with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps. searchable incident database, with a web API. (unofficial Python library). malicious URLs. List of the most looked up file hashes from MetaDefender Cloud. Rulesets and more. (Formerly Emerging Threats.) A list of ransomware overview with details, detection and prevention. Standardized language to represent and share cyber threat information. Related efforts from MITRE: - CAPEC - Common Attack Pattern Enumeration and Classification - CybOX - Cyber Observables eXpression - MAEC - Malware Attribute Enumeration and Characterization - TAXII - Trusted Automated eXchange of Indicator Information
  • SystemLookup - SystemLookup hosts a collection of lists that provide information on
the components of legitimate and potentially unwanted programs. intelligence, with search. free per month.
  • ThreatShare - C2 panel tracker
  • Yara rules - Yara rules repository.
  • YETI - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
  • ZeuS Tracker - ZeuS
blocklists.

Detection and Classification

Antivirus and other malware identification tools

variety of tools for reporting on Windows PE files.
  • Assemblyline - A scalable file triage and malware analysis system integrating the cyber security community's best tools..
  • BinaryAlert - An open source, serverless
AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules. determining types of files. info, internal exe tools. edit file metadata. Modular, recursive file scanning solution.
  • fn2yara - FN2Yara is a tool to generate
Yara signatures for matching functions (code) in an executable program.
  • Generic File Parser - A Single Library Parser to extract meta information,static analysis and detect macros within the files.
  • hashdeep - Compute digest hashes with
a variety of algorithms. to compute hashes with a variety of algorithms. compare malware at a function level. executables. framework. scanning/analysis framework up hashes in NIST's National Software Reference Library database. Python alternative to PEiD. files.
  • PEframe - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
  • PEV - A multiplatform toolkit to work with PE
files, providing feature-rich tools for proper analysis of suspicious binaries.
  • PortEx - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
  • Quark-Engine - An Obfuscation-Neglect Android Malware Scoring System
  • Rootkit Hunter - Detect Linux rootkits.
  • ssdeep - Compute fuzzy hashes.
  • totalhash.py -
Python script for easy searching of the TotalHash.cymru.com database.
  • TrID - File identifier.
  • YARA - Pattern matching tool for
analysts. yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.
  • Yara Finder - A simple tool to yara match the file against various yara rules to find the indicators of suspicion.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

against multiple mobile antivirus apps.
  • BoomBox - Automatic deployment of Cuckoo
Sandbox malware lab using Packer and Vagrant. sandbox and automated analysis system. version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author. Python API used to control a cuckoo-modified sandbox.
  • DeepViz - Multi-format file analyzer with
machine-learning classification.
  • detux - A sandbox developed to do
traffic analysis of Linux malwares and capturing IOCs.
  • DRAKVUF - Dynamic malware analysis
system.
  • filescan.io - Static malware analysis, VBA/Powershell/VBS/JS Emulation
  • firmware.re - Unpacks, scans and analyzes almost any
firmware package. Analysis Tool for Linux ELF Files. analysis tool, powered by VxSandbox.
  • Intezer - Detect, analyze, and categorize malware by
identifying code reuse and code similarities.
  • IRMA - An asynchronous and customizable
analysis platform for suspicious files.
  • Joe Sandbox - Deep malware analysis with Joe Sandbox.
  • Jotti - Free online multi-AV scanner.
  • Limon - Sandbox for Analyzing Linux Malware.
  • Malheur - Automatic sandboxed analysis
of malware behavior.
  • malice.io - Massively scalable malware analysis framework.
  • malsub - A Python RESTful API framework for
online malware and URL analysis services. the configuration settings from common malwares.
  • MalwareAnalyser.io - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
  • Malwr - Free analysis with an online Cuckoo Sandbox
instance. domain address for malware for free. pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
  • Noriben - Uses Sysinternals Procmon to
collect information about malware in a sandboxed environment.
  • PacketTotal - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
  • PDF Examiner - Analyse suspicious PDF files.
  • ProcDot - A graphical malware analysis tool kit.
  • Recomposer - A helper
script for safely uploading binaries to sandbox sites. building integrations with several open source and commercial malware sandboxes.
  • SEE - Sandboxed Execution Environment (SEE)
is a framework for building test automation in secured Environments. samples and URLs visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...) automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • AbuseIPDB - AbuseIPDB is a project dedicated
to helping combat the spread of hackers, spammers, and abusive activity on the internet. for consistent and safe capture of off network web resources.
  • Cymon - Threat intelligence tracker, with IP/domain/hash
search. much metadata as possible for a website and to assess its good standing.
  • Dig - Free online dig and other
network tools. engine for detecting typo squatting, phishing and corporate espionage. about an IP or domain by searching online resources. gathering information about URLs, IPs, or hashes. Similar to Automator. temporary email detection library. for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
  • Multi rbl - Multiple DNS blacklist and forward
confirmed reverse DNS lookup over more than 300 RBLs. for detecting possible phishing domains, blacklisted ip addresses and breached accounts. IP, domain and website title
  • Spyse - subdomains, whois, realted domains, DNS, hosts AS, SSL/TLS info,
  • SecurityTrails - Historical and current WHOIS,
historical and current DNS records, similar domains, certificate information and other domain and IP related API and tools. domains and IPs. and Security Scanner. or network owner. (Previously SenderBase.) for gathering information about URLs, IPs, or hashes.
  • URLhaus - A project from abuse.ch with the goal
of sharing malicious URLs that are being used for malware distribution.
  • URLQuery - Free URL Scanner.
  • urlscan.io - Free URL Scanner & domain information.
  • Whois - DomainTools free online whois
search. online tools for researching malicious websites, compiled by Lenny Zeltser.

Browser Malware

*Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.*

multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support. IDX cache files. malware analysis tool. unpacker that emulates browser functionality. assembler, and disassembler. ActionScript Bytecode Disassembler." Static and dynamic analysis of SWF applications.
  • swftools - Tools for working with Adobe Flash
files. Python script for analyzing Flash files.

Documents and Shellcode

*Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.*

analyzing PDFs and attempting to determine whether they are malicious.
  • box-js - A tool for studying JavaScript
malware, featuring JScript/WScript support and ActiveX emulation.
  • diStorm - Disassembler for analyzing
malicious shellcode. emulation. into a JSON representation. malicious traces in MS Office documents.
  • olevba - A script for parsing OLE
and OpenXML documents and extracting useful information. analyzing malicious PDFs, and more. pdf-parser, and more from Didier Stevens. the backend-free version of PDF X-RAY. tool for exploring possibly malicious PDFs.
  • QuickSand - QuickSand is a compact C framework
to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables. Mozilla's JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

carving tool. Event Log files from raw binary data. by the US Air Force. to view and edit a binary stream field by field. tool. extraction/unpacking (used in Cuckoo Sandbox).

Deobfuscation

Reverse XOR and other code obfuscation methods.

analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot - .NET deobfuscator and
unpacker. & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • FLOSS - The FireEye Labs Obfuscated
String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. XOR key using frequency analysis. hidden code extractor for Windows malware. A Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it. Python bytecode decompiler. Translates Python bytecode back into equivalent Python source code. platform-independent unpacker for Windows binaries based on emulation. unpacker for Windows malware based on WinAppDbg.
  • unxor - Guess XOR keys using
known-plaintext attacks. Reverse engineering tool for virtualization wrappers. A Python script for brute forcing single-byte XOR keys. A couple programs from Didier Stevens for finding XORed data.
  • xortool - Guess XOR key length, as
well as the key itself.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

  • angr - Platform-agnostic binary analysis
framework developed at UCSB's Seclab. information from bots and other malware.
  • BAP - Multiplatform and
open source (MIT) binary analysis framework developed at CMU's Cylab.
  • BARF - Multiplatform, open
source Binary Analysis and Reverse engineering Framework. reverse engineering based on graph visualization. that is an alternative to IDA.
  • Binwalk - Firmware analysis tool.
  • BluePill - Framework for executing and debugging evasive malware and protected executables.
  • Capstone - Disassembly framework for
binary analysis and reversing, with support for many architectures and bindings in several languages.
  • codebro - Web based code browser using
Β clang to provide basic code analysis. -Β A binary analysis platform based Β  on QEMU. DroidScope is now an extension to DECAF.
  • dnSpy - .NET assembly editor, decompiler
and debugger.
  • dotPeek - Free .NET Decompiler and
Assembly Browser. modular debugger with a Qt GUI. and tracing of the Windows kernel. open TCP/IP and UDP ports in a live system and maps them to the owning application.
  • GDB - The GNU debugger.
  • GEF - GDB Enhanced Features, for exploiters
and reverse engineers.
  • Ghidra - A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
  • hackers-grep - A utility to
search for strings in PE executables including imports, exports, and debug symbols. disassembler and debugger, with a free evaluation version.
  • IDR - Interactive Delphi Reconstructor
is a decompiler of Delphi executable files and dynamic libraries. malware analysis and more, with a Python API.
  • ILSpy - ILSpy is the open-source .NET assembly browser and decompiler.
  • Kaitai Struct - DSL for file formats / network protocols /
data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • LIEF - LIEF provides a cross-platform library
to parse, modify and abstract ELF, PE and MachO formats.
  • ltrace - Dynamic analysis for Linux executables.
  • mac-a-mal - An automated framework
for mac malware hunting. for static analysis of Linux binaries.
  • OllyDbg - An assembly-level debugger for Windows
executables. from (unpacked) malware Windows process and store raw or rebuild PE file. This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg.
  • PANDA - Platform for Architecture-Neutral
Dynamic Analysis.
  • PEDA - Python Exploit Development
Assistance for GDB, an enhanced display with added commands.
  • pestudio - Perform static analysis of Windows
executables.
  • Pharos - The Pharos binary analysis framework
can be used to perform automated static analysis of binaries. disassembler for x86/ARM/MIPS. reversers, malware researchers and those who want to statically inspect PE files in more detail. Advanced task manager for Windows. system resources. Advanced monitoring tool for Windows programs. command-line tools that help manage and investigate live systems.
  • Pyew - Python tool for malware
analysis.
  • PyREBox - Python scriptable reverse
engineering sandbox by the Talos team at Cisco. framework with instruments for binary analysis.
  • QKD - QEMU with embedded WinDbg
server for stealth debugging.
  • Radare2 - Reverse engineering framework, with
debugger support.
  • RegShot - Registry compare utility
that compares snapshots.
  • RetDec - Retargetable machine-code decompiler with an
online decompilation service and API that you can use in your tools.
  • ROPMEMU - A framework to analyze, dissect
and decompile complex code-reuse attacks. the IAT of an unpacked / dumped PE32 malware. and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine.
  • SMRT - Sublime Malware Research Tool, a
plugin for Sublime 3 to aid with malware analyis.
  • strace - Dynamic analysis for
Linux executables. that automatically ranks strings based on their relevance for malware analysis.
  • Triton - A dynamic binary analysis (DBA) framework.
  • Udis86 - Disassembler library and tool
for x86 and x86_64. malware analysis.
  • WinDbg - multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
  • X64dbg - An open-source x64/x32 debugger for windows.

Network

Analyze network interactions.

  • Bro - Protocol analyzer that operates at incredible
scale; both file and network protocols. explorer. decoding framework. and malware traffic detection. dynamic network analysis tool.
  • Fiddler - Intercepting web proxy designed
for "web debugging."
  • Hale - Botnet C&C monitor.
  • Haka - An open source security oriented
language for describing protocols and applying security policies on (live) captured traffic. and reading out PCAP files, including TLS streams using TLS Master Secrets (used in Cuckoo Sandbox).
  • INetSim - Network service emulation, useful when
building a malware lab. malware analysis and intrusion detection system.
  • Malcolm - Malcolm is a powerful, easily
deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
  • Malcom - Malware Communications
Analyzer. detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring an reporting and analysis interface.
  • mitmproxy - Intercept network traffic on the fly.
  • Moloch - IPv4 traffic capturing, indexing
and database system. forensic analysis tool, with a free version.
  • ngrep - Search through network traffic
like grep. traffic visualizer. ICAP Server with yara scanner for URL or content. designed to analyze a web-based network traffic to detect central command and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus.
  • Tcpdump - Collect network traffic.
  • tcpick - Trach and reassemble TCP streams
from network traffic. traffic. tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

forensics client supporting hiberfil, pagefile, raw memory analysis.
  • DAMM - Differential Analysis of
Malware in Memory, built on Volatility.
  • evolve - Web interface for the
Volatility Memory Forensics Framework. encryption keys in memory. analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
  • Muninn - A script to automate portions
of analysis using Volatility, and create a readable report. Orochi - Orochi is an open source framework for collaborative forensic memory dump analysis.
  • Rekall - Memory analysis framework,
forked from Volatility in 2013. on Volatility for automating various malware analysis tasks.
  • VolDiff - Run Volatility on memory
images before and after malware execution, and report changes. memory forensics framework. Volatility Memory Analysis framework. WinDBG Anti-RootKit Extension. Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir - A live incident response
script for gathering Windows artifacts. library for parsing Windows Event Logs. library for parsing registry files. (GitHub) - Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph - Open Source Malware Analysis
Pipeline System.
  • CRITs - Collaborative Research Into Threats, a
malware and threat repository.
  • FAME - A malware analysis
framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis. search malware. platform designed to help analysts to reverse malwares collaboratively.
  • stoQ - Distributed content analysis
framework with extensive plugin support, from input to output, and everything in between.
  • Viper - A binary management and analysis framework for
analysts and researchers.

Miscellaneous

with good intentions that aimes to stress anti-malware systems.
  • CryptoKnight - Automated cryptographic algorithm reverse engineering and classification framework.
  • DC3-MWCP -
The Defense Cyber Crime Center's Malware Configuration Parser framework. Windows-based, security distribution for malware analysis. containing exploits used by malware. malware programs that were distributed in the 1980s and 1990s.
  • Malware Organiser - A simple tool to organise large malicious/benign files into a organised Structure.
  • Pafish - Paranoid Fish, a demonstration
tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
  • REMnux - Linux distribution and docker images for
malware reverse engineering and analysis.
  • Tsurugi Linux - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.
  • Santoku Linux - Linux distribution for mobile
forensics, malware analysis, and security.

Resources

Books

Essential malware analysis reading material.

Tools and Techniques for Fighting Malicious Code. Guide to Dissecting Malicious Software. Intermediate Reverse Engineering. Security and Incident Response. Malware and Threats in Windows, Linux, and Mac Memory. to the World's Most Popular Disassembler. Escape and Evasion in the Dark Corners of the System

Other

and notes related to Advanced Persistent Threats.
  • Ember - Endgame Malware BEnchmark for Research,
a repository that makes it easy to (re)create a machine learning model that can be used to predict a score for a PE file based on static analysis. of commonly used file format (including PE & ELF). other resources. devoted to malware analysis and kernel development. blog and resources by Lenny Zeltser. Custom Google search engine from Corey Harrell. The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning practical malware analysis. Presentation introducing the concepts of malware analysis, threat intelligence and reverse engineering. Experience or prior knowledge is not required. Labs link in description. of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools). blog focuses on network traffic related to malware infections. you to easily search some of the most popular malware databases This package contains most of the software referenced in the Practical Malware Analysis book. course materials used in the Malware Analysis course at at Rensselaer Polytechnic Institute during Fall 2015. Carvey's page on Malware. Windows registry file format specification. tools and resources, with a malware analysis flair. Reverse engineering subreddit, not limited to just malware.

Related Awesome Lists

Contributing

Pull requests and issues with suggestions are welcome! Please read the CONTRIBUTING guidelines before submitting a PR.

Thanks

This list was made possible by:

  • Lenny Zeltser and other contributors for developing REMnux, where I
found many of the tools in this list;
  • Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for
writing the Malware Analyst's Cookbook, which was a big inspiration for creating the list;
  • And everyone else who has sent pull requests or suggested links to add here!
Thanks!
πŸ”— More in this category

Β© 2026 GitRepoTrend Β· rshipp/awesome-malware-analysis Β· Updated daily from GitHub