awesome-malware-analysis

A curated list of awesome malware analysis tools and resources:
- Open Source Threat Intelligence
- Tools
- Other Resources
- Detection and Classification
- Online Scanners and Sandboxes
- Domain Analysis
- Browser Malware
- Documents and Shellcode
- File Carving
- Deobfuscation
- Debugging and Reverse Engineering
- Network
- Memory Forensics
- Windows Artifacts
- Storage and Workflow
- Miscellaneous
- Resources
- Books

An example of indicators list while static malware analysis on MalwareAnalyser.io

Malware Collection:

* Conpot — https://github.com/mushorg/conpot- ICS/SCADA honeypot.

* Cowrie — https://github.com/micheloosterhof/cowrie- SSH honeypot, based on Kippo.

* DemoHunter — https://github.com/RevengeComing/DemonHunter- Low interaction Distributed Honeypots.

* Dionaea — https://github.com/DinoTools/dionaea- Honeypot designed to trap malware.

* Glastopf — https://github.com/mushorg/glastopf- Web application honeypot.

* Honeyd — http://www.honeyd.org/ — Create a virtual honeynet.

* HoneyDrive — http://bruteforcelab.com/honeydrive- Honeypot bundle Linux distro.

* Honeytrap — https://github.com/honeytrap/honeytrap- Opensource system for running, monitoring and managing honeypots.

* Mnemosyne — https://github.com/johnnykv/mnemosyne- A normalizer for
honeypot data; supports Dionaea.

* Thug — https://github.com/buffer/thug- Low interaction honeyclient, for
investigating malicious websites.

*Malware samples collected for analysis.*

* Clean MX — http://support.clean-mx.de/clean-mx/viruses.php- Realtime
database of malware and malicious domains.

* Contagio — http://contagiodump.blogspot.com/ — A collection of recent
malware samples and analyses.

* Exploit Database — https://www.exploit-db.com/ — Exploit and shellcode
samples.

* Infosec- CERT-PA — https://infosec.cert-pa.it/analyze/submission.html- Malware samples collection and analysis.

* Malpedia — https://malpedia.caad.fkie.fraunhofer.de/ — A resource providing rapid identification and actionable context for malware investigations.

* Malshare — https://malshare.com — Large repository of malware actively
scrapped from malicious sites.

* Open Malware Project — http://openmalware.org/ — Sample information and downloads. Formerly Offensive Computing.

* Ragpicker — https://github.com/robbyFux/Ragpicker- Plugin based malware
crawler with pre-analysis and reporting functionalities

* theZoo — https://github.com/ytisf/theZoo- Live malware samples for
analysts.

* Tracker h3x — http://tracker.h3x.eu/ — Agregator for malware corpus tracker and malicious download sites.

* vduddu malware repo — https://github.com/vduddu/Malware- Collection of various malware files and source code.

* VirusBay — https://beta.virusbay.io/ — Community-Based malware repository and social network.

* ViruSign — http://www.virussign.com/ — Malware database that detected by many anti malware programs except ClamAV.

* VirusShare — https://virusshare.com/ — Malware repository, registration
required.

* VX Vault — http://vxvault.net- Active collection of malware samples.

* Zeltser’s Sources — https://zeltser.com/malware-sample-sources/ — A list
of malware sample sources put together by Lenny Zeltser.

*Zeus Source Code — https://github.com/Visgean/Zeus- Source for the Zeus
trojan leaked in 2011.
Open Source Threat Intelligence

Tools: Harvest and analyze IOCs.

* AbuseHelper — https://github.com/abusesa/abusehelper- An open-source
framework for receiving and redistributing abuse feeds and threat intel.

* AlienVault Open Threat Exchange — https://otx.alienvault.com/ — Share and
collaborate in developing Threat Intelligence.

* Combine — https://github.com/mlsecproject/combine- Tool to gather Threat
Intelligence indicators from publicly available sources.

* Fileintel — https://github.com/keithjjones/fileintel- Pull intelligence per file hash.

* Hostintel — https://github.com/keithjjones/hostintel- Pull intelligence per host.

* IntelMQ — https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/incident-handling-automation -
A tool for CERTs for processing incident data using a message queue.

* IOC Editor — https://www.fireeye.com/services/freeware/ioc-editor.html -
A free editor for XML IOC files.

* iocextract — https://github.com/InQuest/python-iocextract- Advanced Indicator
of Compromise — IOC extractor, Python library and command-line tool.

* ioc_writer — https://github.com/mandiant/ioc_writer- Python library for
working with OpenIOC objects, from Mandiant.

* MalPipe — https://github.com/silascutler/MalPipe- Malware/IOC ingestion and
processing engine, that enriches collected data.

* Massive Octo Spice — https://github.com/csirtgadgets/massive-octo-spice -
Previously known as CIF — Collective Intelligence Framework. Aggregates IOCs
from various lists. Curated by the
CSIRT Gadgets Foundation — http://csirtgadgets.org/collective-intelligence-framework.

* MISP — https://github.com/MISP/MISP- Malware Information Sharing
Platform curated by The MISP Project — http://www.misp-project.org/.

* Pulsedive — https://pulsedive.com — Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.

* PyIOCe — https://github.com/pidydx/PyIOCe- A Python OpenIOC editor.

* RiskIQ — https://community.riskiq.com/ — Research, connect, tag and
share IPs and domains. — Was PassiveTotal.

* threataggregator — https://github.com/jpsenior/threataggregator -
Aggregates security threats from a number of sources, including some of
those listed below in other resources — other-resources.

* ThreatCrowd — https://www.threatcrowd.org/ — A search engine for threats, with graphical visualization.

* ThreatIngestor — https://github.com/InQuest/ThreatIngestor/ — Build
automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and
more.

* ThreatTracker — https://github.com/michael-yip/ThreatTracker- A Python
script to monitor and generate alerts based on IOCs indexed by a set of
Google Custom Search Engines.

• TIQ-test — https://github.com/mlsecproject/tiq-test- Data visualization
  and statistical analysis of Threat Intelligence feeds.

Other Resources: Threat intelligence and IOC resources.

* Autoshun — https://www.autoshun.org/ — list — https://www.autoshun.org/files/shunlist.csv -
Snort plugin and blocklist.

* Bambenek Consulting Feeds — http://osint.bambenekconsulting.com/feeds/ -
OSINT feeds based on malicious DGA algorithms.

* Fidelis Barncat — https://www.fidelissecurity.com/resources/fidelis-barncat -
Extensive malware config database — must request access.

* CI Army — http://cinsscore.com/ — list — http://cinsscore.com/list/ci-badguys.txt -
Network security blocklists.

* Critical Stack- Free Intel Market — https://intel.criticalstack.com — Free
intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.

* Cybercrime tracker — http://cybercrime-tracker.net/ — Multiple botnet active tracker.

* FireEye IOCs — https://github.com/fireeye/iocs- Indicators of Compromise
shared publicly by FireEye.

* FireHOL IP Lists — https://iplists.firehol.org/ — Analytics for 350+ IP lists
with a focus on attacks, malware and abuse. Evolution, Changes History,
Country Maps, Age of IPs listed, Retention Policy, Overlaps.

* HoneyDB — https://riskdiscovery.com/honeydb- Community driven honeypot sensor data collection and aggregation.

* hpfeeds — https://github.com/rep/hpfeeds- Honeypot feed protocol.

* Internet Storm Center — DShield — https://isc.sans.edu/ — Diary and
searchable incident database, with a web API — https://dshield.org/api/.
— unofficial Python library — https://github.com/rshipp/python-dshield.

* malc0de — http://malc0de.com/database/ — Searchable incident database.

* Malware Domain List — http://www.malwaredomainlist.com/ — Search and share malicious URLs.

* MetaDefender Threat Intelligence Feed — https://www.opswat.com/developers/threat-intelligence-feed -
List of the most looked up file hashes from MetaDefender Cloud.

* OpenIOC — https://www.fireeye.com/services/freeware.html- Framework for sharing threat intelligence.

* Proofpoint Threat Intelligence — https://www.proofpoint.com/us/products/et-intelligence -
Rulesets and more. — Formerly Emerging Threats.

* Ransomware overview — https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml -
A list of ransomware overview with details, detection and prevention.

* STIX- Structured Threat Information eXpression — http://stixproject.github.io -
Standardized language to represent and share cyber threat information.
Related efforts from MITRE — https://www.mitre.org/:
- CAPEC- Common Attack Pattern Enumeration and Classification — http://capec.mitre.org/
- CybOX- Cyber Observables eXpression — http://cyboxproject.github.io
- MAEC- Malware Attribute Enumeration and Characterization — http://maec.mitre.org/
- TAXII- Trusted Automated eXchange of Indicator Information — http://taxiiproject.github.io

* SystemLookup — https://www.systemlookup.com/ — SystemLookup hosts a collection of lists that provide information on
the components of legitimate and potentially unwanted programs.

* ThreatMiner — https://www.threatminer.org/ — Data mining portal for threat intelligence, with search.

* threatRECON — https://threatrecon.co/ — Search for indicators, up to 1000
free per month.

* Yara rules — https://github.com/Yara-Rules/rules- Yara rules repository.

* YETI — https://github.com/yeti-platform/yeti- Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.

* ZeuS Tracker — https://zeustracker.abuse.ch/blocklist.php- ZeuS
blocklists.
Detection and Classification
*Antivirus and other malware identification tools*

* AnalyzePE — https://github.com/hiddenillusion/AnalyzePE- Wrapper for a
variety of tools for reporting on Windows PE files.

* Assemblyline — https://bitbucket.org/cse-assemblyline/assemblyline- A scalable distributed file analysis framework.

* BinaryAlert — https://github.com/airbnb/binaryalert- An open source, serverless
AWS pipeline that scans and alerts on uploaded files based on a set of
YARA rules.

* chkrootkit — http://www.chkrootkit.org/ — Local Linux rootkit detection.

* ClamAV — http://www.clamav.net/ — Open source antivirus engine.

* Detect-It-Easy — https://github.com/horsicq/Detect-It-Easy- A program for
determining types of files.

* Exeinfo PE — http://exeinfo.pe.hu/ — Packer, compressor detector, unpack
info, internal exe tools.

* ExifTool — https://sno.phy.queensu.ca/~phil/exiftool/ — Read, write and
edit file metadata.

* File Scanning Framework — https://github.com/EmersonElectricCo/fsf -
Modular, recursive file scanning solution.

* Generic File Parser — https://github.com/uppusaikiran/generic-parser- A Single Library Parser to extract meta information,static analysis and detect macros within the files.

* hashdeep — https://github.com/jessek/hashdeep- Compute digest hashes with
a variety of algorithms.

* HashCheck — https://github.com/gurnec/HashCheck- Windows shell extension
to compute hashes with a variety of algorithms.

* Loki — https://github.com/Neo23x0/Loki- Host based scanner for IOCs.

* Malfunction — https://github.com/Dynetics/Malfunction- Catalog and
compare malware at a function level.

* Manalyze — https://github.com/JusticeRage/Manalyze- Static analyzer for PEexecutables.

* MASTIFF — https://github.com/KoreLogicSecurity/mastiff- Static analysis
framework.

* MultiScanner — https://github.com/mitre/multiscanner- Modular file
scanning/analysis framework

* nsrllookup — https://github.com/rjhansen/nsrllookup- A tool for looking
up hashes in NIST’s National Software Reference Library database.

* packerid — http://handlers.sans.org/jclausing/packerid.py- A cross-platform
Python alternative to PEiD.

* PE-bear — https://hshrzd.wordpress.com/pe-bear/ — Reversing tool for PE files.

* PEV — http://pev.sourceforge.net/ — A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.

* Rootkit Hunter — http://rkhunter.sourceforge.net/ — Detect Linux rootkits.

* ssdeep — https://ssdeep-project.github.io/ssdeep/ — Compute fuzzy hashes.

* totalhash.py — https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f -
Python script for easy searching of the TotalHash.cymru.com — https://totalhash.cymru.com/
database.

* TrID — http://mark0.net/soft-trid-e.html- File identifier.

* virustotal-falsepositive-detector — https://github.com/uppusaikiran/virustotal-falsepositive-detector- A Tool to Analyze Virustotal Reports to Find Potential False Positives based on similarity of Detection Naming.

* YARA — https://plusvic.github.io/yara/ — Pattern matching tool for analysts.

* Yara rules generator — https://github.com/Neo23x0/yarGen- Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

* Yara Finder — https://github.com/uppusaikiran/yara-finder- A simple tool to yara match the file against various yara rules to find the indicators of suspicion.

Online Scanners and Sandboxes: Web-based multi-AV scanners, and malware sandboxes for automated analysis.

* anlyz.io — https://sandbox.anlyz.io/ — Online sandbox.

* any.run — https://app.any.run/ — Online interactive sandbox.

* AndroTotal — https://andrototal.org/ — Free online analysis of APKs against multiple mobile antivirus apps.

* AVCaesar — https://avcaesar.malware.lu/ — Malware.lu online scanner and malware repository.

* Cryptam — http://www.cryptam.com/ — Analyze suspicious office documents.

* Cuckoo Sandbox — https://cuckoosandbox.org/ — Open source, self hosted sandbox and automated analysis system.

* cuckoo-modified — https://github.com/brad-accuvant/cuckoo-modified- Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.

* cuckoo-modified-api — https://github.com/keithjjones/cuckoo-modified-api- A Python API used to control a cuckoo-modified sandbox.

* DeepViz — https://www.deepviz.com/ — Multi-format file analyzer with
machine-learning classification.

* detux — https://github.com/detuxsandbox/detux/ — A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs.

* DRAKVUF — https://github.com/tklengyel/drakvuf- Dynamic malware analysis system.

* firmware.re — http://firmware.re/ — Unpacks, scans and analyzes almost any firmware package.

* HaboMalHunter — https://github.com/Tencent/HaboMalHunter- An Automated Malware Analysis Tool for Linux ELF Files.

* Hybrid Analysis — https://www.hybrid-analysis.com/ — Online malware
analysis tool, powered by VxSandbox.

* Intezer — https://analyze.intezer.com — Detect, analyze, and categorize malware by identifying code reuse and code similarities.

* IRMA — http://irma.quarkslab.com/ — An asynchronous and customizable
analysis platform for suspicious files.

* Joe Sandbox — https://www.joesecurity.org- Deep malware analysis with Joe Sandbox.

* Jotti — https://virusscan.jotti.org/en- Free online multi-AV scanner.

* Limon — https://github.com/monnappa22/Limon- Sandbox for Analyzing Linux Malware.

* Malheur — https://github.com/rieck/malheur- Automatic sandboxed analysis of malware behavior.

* malice.io — https://github.com/maliceio/malice- Massively scalable malware analysis framework.

* malsub — https://github.com/diogo-fernan/malsub- A Python RESTful API framework for online malware and URL analysis services.

* Malware config — https://malwareconfig.com/ — Extract, decode and display online the configuration settings from common malwares.

• MalwareAnalyser.io — https://malwareanalyser.io/ — Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.

MalwareAnalyser.io

* Malwr — https://malwr.com/ — Free analysis with an online Cuckoo Sandbox
instance.

* MetaDefender Cloud — https://metadefender.opswat.com/ — Scan a file, hash, IP, URL or
domain address for malware for free.

* NetworkTotal — https://www.networktotal.com/index.html- A service that analyzes
pcap files and facilitates the quick detection of viruses, worms, trojans, and all
kinds of malware using Suricata configured with EmergingThreats Pro.

* Noriben — https://github.com/Rurik/Noriben- Uses Sysinternals Procmon to
collect information about malware in a sandboxed environment.

* PacketTotal — https://packettotal.com/ — PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.

* PDF Examiner — http://www.pdfexaminer.com/ — Analyse suspicious PDF files.

* ProcDot — http://www.procdot.com — A graphical malware analysis tool kit.

* Recomposer — https://github.com/secretsquirrel/recomposer- A helper
script for safely uploading binaries to sandbox sites.

* sandboxapi — https://github.com/InQuest/python-sandboxapi- Python library for
building integrations with several open source and commercial malware sandboxes.

* SEE — https://github.com/F-Secure/see- Sandboxed Execution Environment — SEE
is a framework for building test automation in secured Environments.

* SEKOIA Dropper Analysis — https://malware.sekoia.fr/ — Online dropper analysis — Js, VBScript, Microsoft Office, PDF.

* VirusTotal — https://www.virustotal.com/ — Free online analysis of malware samples and URLs

* Visualize_Logs — https://github.com/keithjjones/visualize_logs- Open source
visualization library and command line tools for logs.

* Zeltser’s List — https://zeltser.com/automated-malware-analysis/ — Free
automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis
*Inspect domains and IP addresses.*

* badips.com — https://www.badips.com/ — Community based IP blacklist service.

* boomerang — https://github.com/EmersonElectricCo/boomerang- A tool designed
for consistent and safe capture of off network web resources.

* Cymon — https://cymon.io/ — Threat intelligence tracker, with IP/domain/hash
search.

* Desenmascara.me — http://desenmascara.me- One click tool to retrieve as
much metadata as possible for a website and to assess its good standing.

* Dig — https://networking.ringofsaturn.com/ — Free online dig and other
network tools.

* dnstwist — https://github.com/elceef/dnstwist- Domain name permutation
engine for detecting typo squatting, phishing and corporate espionage.

* IPinfo — https://github.com/hiddenillusion/IPinfo- Gather information
about an IP or domain by searching online resources.

* Machinae — https://github.com/hurricanelabs/machinae- OSINT tool for
gathering information about URLs, IPs, or hashes. Similar to Automator.

* mailchecker — https://github.com/FGRibreau/mailchecker- Cross-language
temporary email detection library.

* MaltegoVT — https://github.com/michael-yip/MaltegoVT- Maltego transform
for the VirusTotal API. Allows domain/IP research, and searching for file
hashes and scan reports.

* Multi rbl — http://multirbl.valli.org/ — Multiple DNS blacklist and forward
confirmed reverse DNS lookup over more than 300 RBLs.

* NormShield Services — https://services.normshield.com/ — Free API Services
for detecting possible phishing domains, blacklisted ip addresses and breached
accounts.

* PhishStats — https://phishstats.info/ — Phishing Statistics with search for
IP, domain and website title

* SecurityTrails — https://securitytrails.com/ — Historical and current WHOIS,
historical and current DNS records, similar domains, certificate information
and other domain and IP related API and tools.

* SpamCop — https://www.spamcop.net/bl.shtml- IP based spam block list.

* SpamHaus — https://www.spamhaus.org/lookup/ — Block list based on
domains and IPs.

* Sucuri SiteCheck — https://sitecheck.sucuri.net/ — Free Website Malware
and Security Scanner.

* Talos Intelligence — https://talosintelligence.com/ — Search for IP, domain
or network owner. — Previously SenderBase.

* TekDefense Automater — http://www.tekdefense.com/automater/ — OSINT tool
for gathering information about URLs, IPs, or hashes.

* URLQuery — http://urlquery.net/ — Free URL Scanner.

* urlscan.io — https://urlscan.io/ — Free URL Scanner & domain information.

* Whois — https://whois.domaintools.com/ — DomainTools free online whois search.

* Zeltser’s List — https://zeltser.com/lookup-malicious-websites/ — Free
online tools for researching malicious websites, compiled by Lenny Zeltser.

* ZScalar Zulu — https://zulu.zscaler.com/ — Zulu URL Risk Analyzer.
Browser Malware
*Analyze malicious URLs. See also the domain analysis — domain-analysis and
documents and shellcode — documents-and-shellcode sections.*

* Firebug — https://getfirebug.com/ — Firefox extension for web development.

* Java Decompiler — http://jd.benow.ca/ — Decompile and inspect Java apps.

* Java IDX Parser — https://github.com/Rurik/Java_IDX_Parser/ — Parses Java
IDX cache files.

* JSDetox — http://www.relentless-coding.com/projects/jsdetox/ — JavaScript
malware analysis tool.

* jsunpack-n — https://github.com/urule99/jsunpack-n- A javascript
unpacker that emulates browser functionality.

* Krakatau — https://github.com/Storyyeller/Krakatau- Java decompiler,
assembler, and disassembler.

* Malzilla — http://malzilla.sourceforge.net/ — Analyze malicious web pages.

* RABCDAsm — https://github.com/CyberShadow/RABCDAsm- A “Robust
ActionScript Bytecode Disassembler.”

* SWF Investigator — https://labs.adobe.com/technologies/swfinvestigator/ -
Static and dynamic analysis of SWF applications.

* swftools — http://www.swftools.org/ — Tools for working with Adobe Flash
files.

* xxxswf — http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html- A
Python script for analyzing Flash files.
Documents and Shellcode
*Analyze malicious JS and shellcode from PDFs and Office documents. See also
the browser malware — browser-malware section.*

* AnalyzePDF — https://github.com/hiddenillusion/AnalyzePDF- A tool for
analyzing PDFs and attempting to determine whether they are malicious.

* box-js — https://github.com/CapacitorSet/box-js- A tool for studying JavaScript
malware, featuring JScript/WScript support and ActiveX emulation.

* diStorm — http://www.ragestorm.net/distorm/ — Disassembler for analyzing
malicious shellcode.

* JS Beautifier — http://jsbeautifier.org/ — JavaScript unpacking and deobfuscation.

* JS Deobfuscator — http://www.kahusecurity.com/2015/new-javascript-deobfuscator-tool/ -
Deobfuscate simple Javascript that use eval or document.write to conceal
its code.

* libemu — http://libemu.carnivore.it/ — Library and tools for x86 shellcode
emulation.

* malpdfobj — https://github.com/9b/malpdfobj- Deconstruct malicious PDFs
into a JSON representation.

* OfficeMalScanner — http://www.reconstructer.org/code.html- Scan for
malicious traces in MS Office documents.

* olevba — http://www.decalage.info/python/olevba- A script for parsing OLE
and OpenXML documents and extracting useful information.

* Origami PDF — https://code.google.com/archive/p/origami-pdf- A tool for
analyzing malicious PDFs, and more.

* PDF Tools — https://blog.didierstevens.com/programs/pdf-tools/ — pdfid,
pdf-parser, and more from Didier Stevens.

* PDF X-Ray Lite — https://github.com/9b/pdfxray_lite- A PDF analysis tool,
the backend-free version of PDF X-RAY.

* peepdf — http://eternal-todo.com/tools/peepdf-pdf-analysis-tool- Python
tool for exploring possibly malicious PDFs.

* QuickSand — https://www.quicksand.io/ — QuickSand is a compact C framework
to analyze suspected malware documents to identify exploits in streams of different
encodings and to locate and extract embedded executables.

* Spidermonkey — https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey -
Mozilla’s JavaScript engine, for debugging malicious JS.
File Carving
*For extracting files from inside disk and memory images.*

* bulk_extractor — https://github.com/simsong/bulk_extractor- Fast file
carving tool.

* EVTXtract — https://github.com/williballenthin/EVTXtract- Carve Windows
Event Log files from raw binary data.

* Foremost — http://foremost.sourceforge.net/ — File carving tool designed
by the US Air Force.

* hachoir3 — https://github.com/vstinner/hachoir3- Hachoir is a Python library
to view and edit a binary stream field by field.

* Scalpel — https://github.com/sleuthkit/scalpel- Another data carving
tool.

* SFlock — https://github.com/jbremer/sflock- Nested archive
extraction/unpacking — used in Cuckoo Sandbox.
Deobfuscation
*Reverse XOR and other code obfuscation methods.*

* Balbuzard — https://bitbucket.org/decalage/balbuzard/wiki/Home- A malware
analysis tool for reversing obfuscation — XOR, ROL, etc and more.

* de4dot — https://github.com/0xd4d/de4dot- .NET deobfuscator and
unpacker.

* ex_pe_xor — http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html
& iheartxor — http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html -
Two tools from Alexander Hanel for working with single-byte XOR encoded
files.

* FLOSS — https://github.com/fireeye/flare-floss- The FireEye Labs Obfuscated
String Solver uses advanced static analysis techniques to automatically
deobfuscate strings from malware binaries.

* NoMoreXOR — https://github.com/hiddenillusion/NoMoreXOR- Guess a 256 byte
XOR key using frequency analysis.

* PackerAttacker — https://github.com/BromiumLabs/PackerAttacker- A generic
hidden code extractor for Windows malware.

* un{i}packer — https://github.com/unipacker/unipacker- Automatic and
platform-independent unpacker for Windows binaries based on emulation.

* unpacker — https://github.com/malwaremusings/unpacker/ — Automated malware
unpacker for Windows malware based on WinAppDbg.

* unxor — https://github.com/tomchop/unxor/ — Guess XOR keys using
known-plaintext attacks.

* VirtualDeobfuscator — https://github.com/jnraber/VirtualDeobfuscator -
Reverse engineering tool for virtualization wrappers.

* XORBruteForcer — http://eternal-todo.com/var/scripts/xorbruteforcer -
A Python script for brute forcing single-byte XOR keys.

* XORSearch & XORStrings — https://blog.didierstevens.com/programs/xorsearch/ -
A couple programs from Didier Stevens for finding XORed data.

* xortool — https://github.com/hellman/xortool- Guess XOR key length, as
well as the key itself.
Debugging and Reverse Engineering
*Disassemblers, debuggers, and other static and dynamic analysis tools.*

* angr — https://github.com/angr/angr- Platform-agnostic binary analysis
framework developed at UCSB’s Seclab.

* bamfdetect — https://github.com/bwall/bamfdetect- Identifies and extracts
information from bots and other malware.

* BAP — https://github.com/BinaryAnalysisPlatform/bap- Multiplatform and
open source — MIT binary analysis framework developed at CMU’s Cylab.

* BARF — https://github.com/programa-stic/barf-project- Multiplatform, open
source Binary Analysis and Reverse engineering Framework.

* binnavi — https://github.com/google/binnavi- Binary analysis IDE for
reverse engineering based on graph visualization.

* Binary ninja — https://binary.ninja/ — A reversing engineering platform
that is an alternative to IDA.

* Binwalk — https://github.com/devttys0/binwalk- Firmware analysis tool.

* Capstone — https://github.com/aquynh/capstone- Disassembly framework for
binary analysis and reversing, with support for many architectures and
bindings in several languages.

* codebro — https://github.com/hugsy/codebro- Web based code browser using
clang to provide basic code analysis.

* Cutter — https://github.com/radareorg/cutter- GUI for Radare2.

* DECAF — Dynamic Executable Code Analysis Framework — https://github.com/sycurelab/DECAF
- A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.

* dnSpy — https://github.com/0xd4d/dnSpy- .NET assembly editor, decompiler
and debugger.

* dotPeek — https://www.jetbrains.com/decompiler/ — Free .NET Decompiler and
Assembly Browser.

* Evan’s Debugger — EDB — http://codef00.com/projectsdebugger — A modular debugger with a Qt GUI.

* Fibratus — https://github.com/rabbitstack/fibratus- Tool for exploration
and tracing of the Windows kernel.

* FPort — https://www.mcafee.com/us/downloads/free-tools/fport.aspx- Reports
open TCP/IP and UDP ports in a live system and maps them to the owning application.

* GDB — http://www.sourceware.org/gdb/ — The GNU debugger.

* GEF — https://github.com/hugsy/gef- GDB Enhanced Features, for exploiters
and reverse engineers.

* Ghidra — https://github.com/NationalSecurityAgency/ghidra- A software reverse engineering — SRE framework created and maintained by the National Security Agency Research Directorate.

* hackers-grep — https://github.com/codypierce/hackers-grep- A utility to
search for strings in PE executables including imports, exports, and debug
symbols.

* Hopper — https://www.hopperapp.com/ — The macOS and Linux Disassembler.

* IDA Pro — https://www.hex-rays.com/products/ida/index.shtml- Windows
disassembler and debugger, with a free evaluation version.

* IDR — https://github.com/crypto2011/IDR- Interactive Delphi Reconstructor
is a decompiler of Delphi executable files and dynamic libraries.

* Immunity Debugger — http://debugger.immunityinc.com/ — Debugger for
malware analysis and more, with a Python API.

* ILSpy — http://ilspy.net/ — ILSpy is the open-source .NET assembly browser and decompiler.

* Kaitai Struct — http://kaitai.io/ — DSL for file formats / network protocols /
data structures reverse engineering and dissection, with code generation
for C++, C , Java, JavaScript, Perl, PHP, Python, Ruby.

* LIEF — https://lief.quarkslab.com/ — LIEF provides a cross-platform library
to parse, modify and abstract ELF, PE and MachO formats.

* ltrace — http://ltrace.org/ — Dynamic analysis for Linux executables.

* mac-a-mal — https://github.com/phdphuc/mac-a-mal- An automated framework
for mac malware hunting.

* objdump — https://en.wikipedia.org/wiki/Objdump- Part of GNU binutils,
for static analysis of Linux binaries.

* OllyDbg — http://www.ollydbg.de/ — An assembly-level debugger for Windows
executables.

* PANDA — https://github.com/moyix/panda- Platform for Architecture-Neutral
Dynamic Analysis.

* PEDA — https://github.com/longld/peda- Python Exploit Development
Assistance for GDB, an enhanced display with added commands.

* pestudio — https://winitor.com/ — Perform static analysis of Windows
executables.

* Pharos — https://github.com/cmu-sei/pharos- The Pharos binary analysis framework
can be used to perform automated static analysis of binaries.

* plasma — https://github.com/plasma-disassembler/plasma- Interactive
disassembler for x86/ARM/MIPS.

* PPEE — puppy — https://www.mzrst.com/ — A Professional PE file Explorer for
reversers, malware researchers and those who want to statically inspect PE
files in more detail.

* Process Explorer — https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer -
Advanced task manager for Windows.

* Process Hacker — http://processhacker.sourceforge.net/ — Tool that monitors
system resources.

* Process Monitor — https://docs.microsoft.com/en-us/sysinternals/downloads/procmon -
Advanced monitoring tool for Windows programs.

* PSTools — https://docs.microsoft.com/en-us/sysinternals/downloads/pstools- Windows
command-line tools that help manage and investigate live systems.

* Pyew — https://github.com/joxeankoret/pyew- Python tool for malware
analysis.

* PyREBox — https://github.com/Cisco-Talos/pyrebox- Python scriptable reverse
engineering sandbox by the Talos team at Cisco.

* QKD — https://github.com/ispras/qemu/releases/ — QEMU with embedded WinDbg
server for stealth debugging.

* Radare2 — http://www.radare.org- Reverse engineering framework, with
debugger support.

* RegShot — https://sourceforge.net/projects/regshot/ — Registry compare utility
that compares snapshots.

* RetDec — https://retdec.com/ — Retargetable machine-code decompiler with an
online decompilation service — https://retdec.com/decompilation/ and
API — https://retdec.com/api/ that you can use in your tools.

* ROPMEMU — https://github.com/Cisco-Talos/ROPMEMU- A framework to analyze, dissect
and decompile complex code-reuse attacks.

* SMRT — https://github.com/pidydx/SMRT- Sublime Malware Research Tool, a
plugin for Sublime 3 to aid with malware analyis.

* strace — https://sourceforge.net/projects/strace/ — Dynamic analysis for
Linux executables.

* Triton — https://triton.quarkslab.com/ — A dynamic binary analysis — DBA framework.

* Udis86 — https://github.com/vmt/udis86- Disassembler library and tool
for x86 and x86_64.

* Vivisect — https://github.com/vivisect/vivisect- Python tool for
malware analysis.

* WinDbg — https://developer.microsoft.com/en-us/windows/hardware/download-windbg- multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.

* X64dbg — https://github.com/x64dbg/ — An open-source x64/x32 debugger for windows.

Network: Analyze network interactions.

* Bro — https://www.bro.org- Protocol analyzer that operates at incredible
scale; both file and network protocols.

* BroYara — https://github.com/hempnall/broyara- Use Yara rules from Bro.

* CapTipper — https://github.com/omriher/CapTipper- Malicious HTTP traffic
explorer.

* chopshop — https://github.com/MITRECND/chopshop- Protocol analysis and
decoding framework.

* CloudShark — https://www.cloudshark.org- Web-based tool for packet analysis
and malware traffic detection.

* Fiddler — https://www.telerik.com/fiddler- Intercepting web proxy designed
for “web debugging.”

* Hale — https://github.com/pjlantz/Hale- Botnet C&C monitor.

* Haka — http://www.haka-security.org/ — An open source security oriented
language for describing protocols and applying security policies on — live
captured traffic.

* HTTPReplay — https://github.com/jbremer/httpreplay- Library for parsing
and reading out PCAP files, including TLS streams using TLS Master Secrets
— used in Cuckoo Sandbox.

* INetSim — http://www.inetsim.org/ — Network service emulation, useful when
building a malware lab.

* Laika BOSS — https://github.com/lmco/laikaboss- Laika BOSS is a file-centric
malware analysis and intrusion detection system.

* Malcolm — https://github.com/idaholab/Malcolm- Malcolm is a powerful, easily
deployable network traffic analysis tool suite for full packet capture artifacts
— PCAP files and Zeek logs.

* Malcom — https://github.com/tomchop/malcom- Malware Communications Analyzer.

* Maltrail — https://github.com/stamparm/maltrail- A malicious traffic
detection system, utilizing publicly available — blacklists containing
malicious and/or generally suspicious trails and featuring an reporting
and analysis interface.

* mitmproxy — https://mitmproxy.org/ — Intercept network traffic on the fly.

* Moloch — https://github.com/aol/moloch- IPv4 traffic capturing, indexing
and database system.

* NetworkMiner — http://www.netresec.com/?page=NetworkMiner- Network
forensic analysis tool, with a free version.

* ngrep — https://github.com/jpr5/ngrep- Search through network traffic
like grep.

* PcapViz — https://github.com/mateuszk87/PcapViz- Network topology and
traffic visualizer.

* Python ICAP Yara — https://github.com/RamadhanAmizudin/python-icap-yara- An
ICAP Server with yara scanner for URL or content.

* Squidmagic — https://github.com/ch3k1/squidmagic- squidmagic is a tool
designed to analyze a web-based network traffic to detect central command
and control — C&C servers and malicious sites, using Squid proxy server and
Spamhaus.

* Tcpdump — http://www.tcpdump.org/ — Collect network traffic.

* tcpick — http://tcpick.sourceforge.net/ — Trach and reassemble TCP streams
from network traffic.

* tcpxtract — http://tcpxtract.sourceforge.net/ — Extract files from network
traffic.

* Wireshark — https://www.wireshark.org/ — The network traffic analysis
tool.
Memory Forensics
*Tools for dissecting malware in memory images or running systems.*

* BlackLight — https://www.blackbagtech.com/blacklight.html- Windows/MacOS
forensics client supporting hiberfil, pagefile, raw memory analysis.

* DAMM — https://github.com/504ensicsLabs/DAMM- Differential Analysis of
Malware in Memory, built on Volatility.

* evolve — https://github.com/JamesHabben/evolve- Web interface for the
Volatility Memory Forensics Framework.

* FindAES — https://sourceforge.net/projects/findaes/ — Find AES
encryption keys in memory.

* inVtero.net — https://github.com/ShaneK2/inVtero.net- High speed memory
analysis framework developed in .NET supports all Windows x64, includes
code integrity and write support.

* Muninn — https://github.com/ytisf/muninn- A script to automate portions
of analysis using Volatility, and create a readable report.

* Rekall — http://www.rekall-forensic.com/ — Memory analysis framework,
forked from Volatility in 2013.

* TotalRecall — https://github.com/sketchymoose/TotalRecall- Script based
on Volatility for automating various malware analysis tasks.

* VolDiff — https://github.com/aim4r/VolDiff- Run Volatility on memory
images before and after malware execution, and report changes.

* Volatility — https://github.com/volatilityfoundation/volatility- Advanced
memory forensics framework.

* VolUtility — https://github.com/kevthehermit/VolUtility- Web Interface for
Volatility Memory Analysis framework.

* WDBGARK — https://github.com/swwwolf/wdbgark -
WinDBG Anti-RootKit Extension.

* WinDbg — https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit -
Live memory inspection and kernel debugging for Windows systems.
Windows Artifacts

* AChoir — https://github.com/OMENScan/AChoir- A live incident response
script for gathering Windows artifacts.

* python-evt — https://github.com/williballenthin/python-evt- Python
library for parsing Windows Event Logs.

* python-registry — http://www.williballenthin.com/registry/ — Python
library for parsing registry files.

* RegRipper — http://brettshavers.cc/index.php/brettsblog/tags/tag/regripper/
— GitHub — https://github.com/keydet89/RegRipper2.8 -
Plugin-based registry analysis tool.
Storage and Workflow

* Aleph — https://github.com/merces/aleph- Open Source Malware Analysis
Pipeline System.

* CRITs — https://crits.github.io/ — Collaborative Research Into Threats, a
malware and threat repository.

* FAME — https://certsocietegenerale.github.io/fame/ — A malware analysis
framework featuring a pipeline that can be extended with custom modules,
which can be chained and interact with each other to perform end-to-end
analysis.

* Malwarehouse — https://github.com/sroberts/malwarehouse- Store, tag, and
search malware.

* Polichombr — https://github.com/ANSSI-FR/polichombr- A malware analysis
platform designed to help analysts to reverse malwares collaboratively.

* stoQ — http://stoq.punchcyber.com — Distributed content analysis
framework with extensive plugin support, from input to output, and everything
in between.

* Viper — http://viper.li/ — A binary management and analysis framework for
analysts and researchers.
Miscellaneous

* al-khaser — https://github.com/LordNoteworthy/al-khaser- A PoC malware
with good intentions that aimes to stress anti-malware systems.

* CryptoKnight — https://github.com/AbertayMachineLearningGroup/CryptoKnight- Automated cryptographic algorithm reverse engineering and classification framework.

* DC3-MWCP — https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP -
The Defense Cyber Crime Center’s Malware Configuration Parser framework.

* FLARE VM — https://github.com/fireeye/flare-vm- A fully customizable,
Windows-based, security distribution for malware analysis.

* MalSploitBase — https://github.com/misterch0c/malSploitBase- A database
containing exploits used by malware.

* Malware Museum — https://archive.org/details/malwaremuseum- Collection of
malware programs that were distributed in the 1980s and 1990s.

* Malware Organiser — https://github.com/uppusaikiran/malware-organiser- A simple tool to organise large malicious/benign files into a organised Structure.

* Pafish — https://github.com/a0rtega/pafish- Paranoid Fish, a demonstration
tool that employs several techniques to detect sandboxes and analysis
environments in the same way as malware families do.

* REMnux — https://remnux.org/ — Linux distribution and docker images for
malware reverse engineering and analysis.

* Santoku Linux — https://santoku-linux.com/ — Linux distribution for mobile
forensics, malware analysis, and security.

Resources: Books — Essential malware analysis reading material.

* Malware Analyst’s Cookbook and DVD — https://amzn.com/dp/0470613033 -
Tools and Techniques for Fighting Malicious Code.

* Practical Malware Analysis — https://amzn.com/dp/1593272901- The Hands-On
Guide to Dissecting Malicious Software.

* Practical Reverse Engineering — https://www.amzn.com/dp/1118787315/ -
Intermediate Reverse Engineering.

* Real Digital Forensics — https://www.amzn.com/dp/0321240693- Computer
Security and Incident Response.

* Rootkits and Bootkits — https://www.amazon.com/dp/1593277164- Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats

* The Art of Memory Forensics — https://amzn.com/dp/1118825098- Detecting
Malware and Threats in Windows, Linux, and Mac Memory.

* The IDA Pro Book — https://amzn.com/dp/1593272898- The Unofficial Guide
to the World’s Most Popular Disassembler.

* The Rootkit Arsenal — https://amzn.com/dp/144962636X- The Rootkit Arsenal:
Escape and Evasion in the Dark Corners of the System

Other:

* APT Notes — https://github.com/aptnotes/data- A collection of papers
and notes related to Advanced Persistent Threats.

* Ember — https://github.com/endgameinc/ember- Endgame Malware BEnchmark for Research,
a repository that makes it easy to — recreate a machine learning model that can be used
to predict a score for a PE file based on static analysis.

* File Formats posters — https://github.com/corkami/pics — Nice visualization
of commonly used file format — including PE & ELF.

* Honeynet Project — http://honeynet.org/ — Honeypot tools, papers, and
other resources.

* Kernel Mode — http://www.kernelmode.info/forum/ — An active community
devoted to malware analysis and kernel development.

* Malicious Software — https://zeltser.com/malicious-software/ — Malware
blog and resources by Lenny Zeltser.

* Malware Analysis Search — https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu -
Custom Google search engine from Corey Harrell — journeyintoir.blogspot.com/.

* Malware Analysis Tutorials — http://fumalwareanalysis.blogspot.nl/p/malware-analysis-tutorials-reverse.html -
The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning
practical malware analysis.

* Malware Analysis, Threat Intelligence and Reverse Engineering — https://www.slideshare.net/bartblaze/malware-analysis-threat-intelligence-and-reverse-engineering -
Presentation introducing the concepts of malware analysis, threat intelligence
and reverse engineering. Experience or prior knowledge is not required. Labs
link in description.

* Malware Samples and Traffic — http://malware-traffic-analysis.net/ — This
blog focuses on network traffic related to malware infections.

* Malware Search+++ — https://addons.mozilla.org/fr/firefox/addon/malware-search-plusplusplus/ Firefox extension allows
you to easily search some of the most popular malware databases

* Practical Malware Analysis Starter Kit — https://bluesoul.me/practical-malware-analysis-starter-kit/ -
This package contains most of the software referenced in the Practical Malware
Analysis book.

* RPISEC Malware Analysis — https://github.com/RPISEC/Malware- These are the
course materials used in the Malware Analysis course at at Rensselaer Polytechnic
Institute during Fall 2015.

* WindowsIR: Malware — http://windowsir.blogspot.com/p/malware.html- Harlan
Carvey’s page on Malware.

* Windows Registry specification — https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md -
Windows registry file format specification.

* csirt_tools — https://www.reddit.comcsirt_tools/ — Subreddit for CSIRT
tools and resources, with a
malware analysis — https://www.reddit.comcsirt_tools/search?q=flair%3A%22Malware%20analysis%22&sort=new&restrict_sr=on flair.

* Malware — https://www.reddit.comMalware- The malware subreddit.

* ReverseEngineering — https://www.reddit.comReverseEngineering — Reverse engineering subreddit, not limited to just malware.


Related Awesome Lists:

* Android Security — https://github.com/ashishb/android-security-awesome

* AppSec — https://github.com/paragonie/awesome-appsec

* CTFs — https://github.com/apsdehal/awesome-ctf

* Forensics — https://github.com/Cugu/awesome-forensics

* “Hacking” — https://github.com/carpedm20/awesome-hacking

* Honeypots — https://github.com/paralax/awesome-honeypots

* Industrial Control System Security — https://github.com/hslatman/awesome-industrial-control-system-security

* Incident-Response — https://github.com/meirwah/awesome-incident-response

* Infosec — https://github.com/onlurking/awesome-infosec

* PCAP Tools — https://github.com/caesar0301/awesome-pcaptools

* Pentesting — https://github.com/enaqx/awesome-pentest

* Security — https://github.com/sbilly/awesome-security

* Threat Intelligence — https://github.com/hslatman/awesome-threat-intelligence

* YARA — https://github.com/InQuest/awesome-yara