Track Awesome Malware Analysis Updates Daily
Defund the Police.
🏠 Home · 🔍 Search · 🔥 Feed · 📮 Subscribe · ❤️ Sponsor · 😺 rshipp/awesome-malware-analysis · ⭐ 11K · 🏷️ Security
Jul 07, 2024
Online Scanners and Sandboxes / Other Resources
- filescan.io - Static malware analysis, VBA/Powershell/VBS/JS Emulation
Other / Other Resources
May 09, 2024
Malware Collection / Honeypots
- HoneyDrive - Honeypot bundle Linux distro.
Malware Collection / Malware Corpora
- Clean MX - Realtime database of malware and malicious domains.
Apr 20, 2024
Detection and Classification / Other Resources
- packerid (⭐41) - A cross-platform Python alternative to PEiD.
Debugging and Reverse Engineering / Other Resources
- Qiling Framework - Cross platform emulation and sanboxing framework with instruments for binary analysis.
Apr 16, 2024
Detection and Classification / Other Resources
- Assemblyline - A scalable file triage and malware analysis system integrating the cyber security community's best tools..
Aug 19, 2020
Malware Collection / Malware Corpora
- VX Underground - Massive and growing collection of free malware samples.
Aug 15, 2020
Detection and Classification / Other Resources
- fn2yara (⭐1.5k) - FN2Yara is a tool to generate Yara signatures for matching functions (code) in an executable program.
Browser Malware / Other Resources
- Bytecode Viewer (⭐14k) - Combines multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support.
Deobfuscation / Other Resources
- PyInstaller Extractor (⭐2.6k) - A Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it.
- uncompyle6 (⭐3.6k) - A cross-version Python bytecode decompiler. Translates Python bytecode back into equivalent Python source code.
Debugging and Reverse Engineering / Other Resources
- OllyDumpEx - Dump memory from (unpacked) malware Windows process and store raw or rebuild PE file. This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg.
- Scylla Imports Reconstructor (⭐1k) - Find and fix the IAT of an unpacked / dumped PE32 malware.
- ScyllaHide (⭐3.3k) - An Anti-Anti-Debug library and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine.
Aug 13, 2020
Miscellaneous / Other Resources
- Tsurugi Linux - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.
Jul 17, 2020
Detection and Classification / Other Resources
- capa (⭐4k) - Detects capabilities in executable files.
Jun 21, 2020
Open Source Threat Intelligence / Other Resources
- ThreatShare - C2 panel tracker
Jun 02, 2020
Debugging and Reverse Engineering / Other Resources
- BluePill (⭐118) - Framework for executing and debugging evasive malware and protected executables.
Apr 01, 2020
Other / Other Resources
- Malware Persistence (⭐160) - Collection of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools).
Jan 04, 2020
Detection and Classification / Other Resources
- PEframe (⭐599) - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
Dec 27, 2019
Malware Collection / Honeypots
- MHN (⭐2.4k) - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
Nov 21, 2019
Domain Analysis / Other Resources
- Spyse - subdomains, whois, realted domains, DNS, hosts AS, SSL/TLS info,
Nov 12, 2019
Debugging and Reverse Engineering / Other Resources
- StringSifter (⭐659) - A machine learning tool that automatically ranks strings based on their relevance for malware analysis.
Nov 11, 2019
Malware Collection / Malware Corpora
- Javascript Mallware Collection (⭐653) - Collection of almost 40.000 javascript malware samples
Nov 02, 2019
Detection and Classification / Other Resources
- Quark-Engine (⭐1.3k) - An Obfuscation-Neglect Android Malware Scoring System
Nov 01, 2019
Malware Collection / Malware Corpora
- InQuest Labs - Evergrowing searchable corpus of malicious Microsoft documents.
Open Source Threat Intelligence / Other Resources
- InQuest REPdb - Continuous aggregation of IOCs from a variety of open reputation sources.
- InQuest IOCdb - Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter.
Domain Analysis / Other Resources
- AbuseIPDB - AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.
Documents and Shellcode / Other Resources
- InQuest Deep File Inspection - Upload common malware lures for Deep File Inspection and heuristical analysis.
Debugging and Reverse Engineering / Other Resources
- Ghidra (⭐49k) - A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
Books / Other Resources
- Mastering Malware Analysis - Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercime, and IoT attacks
Oct 31, 2019
Detection and Classification / Other Resources
- Nauz File Detector(NFD) (⭐497) - Linker/Compiler/Tool detector for Windows, Linux and MacOS.
Oct 15, 2019
Books / Other Resources
- Learning Malware Analysis - Learning Malware Analysis: Explore the concepts, tools, and techniques to analuze and investigate Windows malware
- Mastering Reverse Engineering - Mastering Reverse Engineering: Re-engineer your ethical hacking skills
Oct 12, 2019
Open Source Threat Intelligence / Tools
- ThreatConnect - TC Open allows you to see and share open source threat data, with support and validation from our free community.
Domain Analysis / Other Resources
- URLhaus - A project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.
Sep 19, 2019
Detection and Classification / Other Resources
- PortEx (⭐494) - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
Sep 04, 2019
Network / Other Resources
- FakeNet-NG (⭐1.7k) - Next generation dynamic network analysis tool.
Aug 19, 2019
Online Scanners and Sandboxes / Other Resources
- BoomBox (⭐231) - Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant.
Jul 17, 2019
Online Scanners and Sandboxes / Other Resources
- MalwareAnalyser.io - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
Jun 12, 2019
Network / Other Resources
- Malcolm (⭐327) - Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
May 04, 2019
Books / Other Resources
- Rootkits and Bootkits - Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
Mar 13, 2019
Open Source Threat Intelligence / Tools
- ThreatIngestor (⭐801) - Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.
Mar 06, 2019
Malware Collection / Honeypots
- Cowrie (⭐5k) - SSH honeypot, based on Kippo.
- DemoHunter (⭐58) - Low interaction Distributed Honeypots.
- Dionaea (⭐688) - Honeypot designed to trap malware.
Open Source Threat Intelligence / Other Resources
- SystemLookup - SystemLookup hosts a collection of lists that provide information on the components of legitimate and potentially unwanted programs.
- YETI (⭐1.7k) - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
Online Scanners and Sandboxes / Other Resources
- PacketTotal - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
Other / Other Resources
- Ember (⭐905) - Endgame Malware BEnchmark for Research, a repository that makes it easy to (re)create a machine learning model that can be used to predict a score for a PE file based on static analysis.
- Malware Search+++ Firefox extension allows you to easily search some of the most popular malware databases
Feb 16, 2019
Other / Other Resources
- Malware Analysis, Threat Intelligence and Reverse Engineering - Presentation introducing the concepts of malware analysis, threat intelligence and reverse engineering. Experience or prior knowledge is not required. Labs link in description.
- Windows Registry specification (⭐312) - Windows registry file format specification.
Feb 14, 2019
Domain Analysis / Other Resources
- SecurityTrails - Historical and current WHOIS, historical and current DNS records, similar domains, certificate information and other domain and IP related API and tools.
Feb 12, 2019
Deobfuscation / Other Resources
- un{i}packer (⭐623) - Automatic and platform-independent unpacker for Windows binaries based on emulation.
Feb 08, 2019
Online Scanners and Sandboxes / Other Resources
- MetaDefender Cloud - Scan a file, hash, IP, URL or domain address for malware for free.
Jan 02, 2019
Debugging and Reverse Engineering / Other Resources
- IDR (⭐916) - Interactive Delphi Reconstructor is a decompiler of Delphi executable files and dynamic libraries.
Dec 27, 2018
Open Source Threat Intelligence / Other Resources
- MetaDefender Threat Intelligence Feed - List of the most looked up file hashes from MetaDefender Cloud.
Nov 15, 2018
Open Source Threat Intelligence / Other Resources
- HoneyDB - Community driven honeypot sensor data collection and aggregation.
Oct 06, 2018
Debugging and Reverse Engineering / Other Resources
- mac-a-mal (⭐82) - An automated framework for mac malware hunting.
Miscellaneous / Other Resources
- CryptoKnight (⭐38) - Automated cryptographic algorithm reverse engineering and classification framework.
Oct 05, 2018
Domain Analysis / Other Resources
- PhishStats - Phishing Statistics with search for IP, domain and website title
Oct 02, 2018
Malware Collection / Malware Corpora
- Malpedia - A resource providing rapid identification and actionable context for malware investigations.
Sep 01, 2018
Debugging and Reverse Engineering / Other Resources
- Cutter - GUI for Radare2.
Aug 22, 2018
Detection and Classification / Other Resources
- Yara Finder (⭐0) - A simple tool to yara match the file against various yara rules to find the indicators of suspicion.
Aug 13, 2018
Online Scanners and Sandboxes / Other Resources
- malice.io (⭐1.6k) - Massively scalable malware analysis framework.
Jul 10, 2018
Malware Collection / Malware Corpora
- VirusBay - Community-Based malware repository and social network.
Jul 09, 2018
Detection and Classification / Other Resources
- Generic File Parser (⭐0) - A Single Library Parser to extract meta information,static analysis and detect macros within the files.
Jun 09, 2018
Detection and Classification / Other Resources
- Exeinfo PE - Packer, compressor detector, unpack info, internal exe tools.
- PE-bear - Reversing tool for PE files.
Browser Malware / Other Resources
- SWF Investigator - Static and dynamic analysis of SWF applications.
Debugging and Reverse Engineering / Other Resources
- dotPeek - Free .NET Decompiler and Assembly Browser.
Jun 02, 2018
Detection and Classification / Other Resources
- HashCheck (⭐1.7k) - Windows shell extension to compute hashes with a variety of algorithms.
May 09, 2018
Open Source Threat Intelligence / Tools
- MalPipe (⭐102) - Malware/IOC ingestion and processing engine, that enriches collected data.
Apr 25, 2018
Online Scanners and Sandboxes / Other Resources
- any.run - Online interactive sandbox.
Apr 20, 2018
Open Source Threat Intelligence / Tools
- iocextract (⭐495) - Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.
Apr 04, 2018
Domain Analysis / Other Resources
- urlscan.io - Free URL Scanner & domain information.
Mar 16, 2018
Malware Collection / Honeypots
- Honeytrap (⭐1.2k) - Opensource system for running, monitoring and managing honeypots.
Mar 14, 2018
Malware Collection / Malware Corpora
- vduddu malware repo - Collection of various malware files and source code.
Online Scanners and Sandboxes / Other Resources
- sandboxapi (⭐132) - Python library for building integrations with several open source and commercial malware sandboxes.
Mar 13, 2018
Detection and Classification / Other Resources
- Manalyze (⭐997) - Static analyzer for PE executables.
Mar 12, 2018
Malware Collection / Malware Corpora
- Infosec - CERT-PA - Malware samples collection and analysis.
Open Source Threat Intelligence / Other Resources
- Infosec - CERT-PA lists (IPs - Domains - URLs) - Blocklist service.
Nov 28, 2017
Open Source Threat Intelligence / Other Resources
- OpenIOC - Framework for sharing threat intelligence.
Online Scanners and Sandboxes / Other Resources
- SEKOIA Dropper Analysis - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
File Carving / Other Resources
- hachoir3 (⭐593) - Hachoir is a Python library to view and edit a binary stream field by field.
Miscellaneous / Other Resources
- Malware Organiser (⭐0) - A simple tool to organise large malicious/benign files into a organised Structure.
Nov 16, 2017
Online Scanners and Sandboxes / Other Resources
- Intezer - Detect, analyze, and categorize malware by identifying code reuse and code similarities.
Nov 02, 2017
Debugging and Reverse Engineering / Other Resources
- Pharos (⭐1.5k) - The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
Oct 22, 2017
Open Source Threat Intelligence / Tools
- Pulsedive - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
Oct 18, 2017
Debugging and Reverse Engineering / Other Resources
- Hopper - The macOS and Linux Disassembler.
- ILSpy - ILSpy is the open-source .NET assembly browser and decompiler.
- WinDbg - multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
Oct 17, 2017
Other / Other Resources
Oct 07, 2017
Debugging and Reverse Engineering / Other Resources
- codebro (⭐42) - Web based code browser using clang to provide basic code analysis.
- DECAF (Dynamic Executable Code Analysis Framework) (⭐794) - A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.
Sep 25, 2017
Open Source Threat Intelligence / Tools
- Massive Octo Spice (⭐228) - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
- RiskIQ - Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
Open Source Threat Intelligence / Other Resources
- ThreatMiner - Data mining portal for threat intelligence, with search.
Detection and Classification / Other Resources
- BinaryAlert (⭐1.4k) - An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
- ssdeep - Compute fuzzy hashes.
- totalhash.py - Python script for easy searching of the TotalHash.cymru.com database.
Online Scanners and Sandboxes / Other Resources
- anlyz.io - Online sandbox.
- cuckoo-modified-api (⭐19) - A Python API used to control a cuckoo-modified sandbox.
- detux (⭐257) - A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs.
- firmware.re - Unpacks, scans and analyzes almost any firmware package.
- HaboMalHunter (⭐725) - An Automated Malware Analysis Tool for Linux ELF Files.
- Limon (⭐384) - Sandbox for Analyzing Linux Malware.
- malsub (⭐363) - A Python RESTful API framework for online malware and URL analysis services.
- Visualize_Logs (⭐136) - Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...)
Domain Analysis / Other Resources
- badips.com - Community based IP blacklist service.
- boomerang (⭐34) - A tool designed for consistent and safe capture of off network web resources.
- Cymon - Threat intelligence tracker, with IP/domain/hash search.
- Talos Intelligence - Search for IP, domain or network owner. (Previously SenderBase.)
- ZScalar Zulu - Zulu URL Risk Analyzer.
Browser Malware / Other Resources
- Firebug - Firefox extension for web development.
Debugging and Reverse Engineering / Other Resources
- Binary ninja - A reversing engineering platform that is an alternative to IDA.
- PANDA (⭐102) - Platform for Architecture-Neutral Dynamic Analysis.
- plasma (⭐3k) - Interactive disassembler for x86/ARM/MIPS.
- Process Hacker - Tool that monitors system resources.
- PyREBox (⭐1.6k) - Python scriptable reverse engineering sandbox by the Talos team at Cisco.
- QKD (⭐50) - QEMU with embedded WinDbg server for stealth debugging.
- RegShot - Registry compare utility that compares snapshots.
Network / Other Resources
- PcapViz (⭐328) - Network topology and traffic visualizer.
- Python ICAP Yara (⭐56) - An ICAP Server with yara scanner for URL or content.
- Squidmagic (⭐75) - squidmagic is a tool designed to analyze a web-based network traffic to detect central command and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus.
Memory Forensics / Other Resources
- BlackLight - Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
- DAMM (⭐209) - Differential Analysis of Malware in Memory, built on Volatility.
- inVtero.net (⭐276) - High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
Storage and Workflow / Other Resources
- FAME - A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
Books / Other Resources
- Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software.
- Practical Reverse Engineering - Intermediate Reverse Engineering.
- Real Digital Forensics - Computer Security and Incident Response.
Other / Other Resources
- Kernel Mode - An active community devoted to malware analysis and kernel development.
Aug 10, 2017
File Carving / Other Resources
- SFlock (⭐81) - Nested archive extraction/unpacking (used in Cuckoo Sandbox).
Network / Other Resources
- HTTPReplay (⭐94) - Library for parsing and reading out PCAP files, including TLS streams using TLS Master Secrets (used in Cuckoo Sandbox).
Jul 28, 2017
Miscellaneous / Other Resources
- FLARE VM (⭐6.1k) - A fully customizable, Windows-based, security distribution for malware analysis.
Jul 26, 2017
Domain Analysis / Other Resources
- NormShield Services - Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
Apr 08, 2017
Debugging and Reverse Engineering / Other Resources
- Binwalk (⭐10k) - Firmware analysis tool.
- LIEF - LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
Mar 26, 2017
Debugging and Reverse Engineering / Other Resources
- Triton - A dynamic binary analysis (DBA) framework.
Mar 23, 2017
Memory Forensics / Other Resources
- WDBGARK (⭐610) - WinDBG Anti-RootKit Extension.
Mar 03, 2017
Network / Other Resources
- CloudShark - Web-based tool for packet analysis and malware traffic detection.
Feb 16, 2017
Debugging and Reverse Engineering / Other Resources
- Kaitai Struct - DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
Dec 16, 2016
Malware Collection / Malware Corpora
- Tracker h3x - Agregator for malware corpus tracker and malicious download sites.
- VX Vault - Active collection of malware samples.
Open Source Threat Intelligence / Other Resources
- Cybercrime tracker - Multiple botnet active tracker.
Online Scanners and Sandboxes / Other Resources
- Malware config - Extract, decode and display online the configuration settings from common malwares.
Domain Analysis / Other Resources
- Multi rbl - Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
Dec 15, 2016
Open Source Threat Intelligence / Other Resources
- Ransomware overview - A list of ransomware overview with details, detection and prevention.
Miscellaneous / Other Resources
- Malware Museum - Collection of malware programs that were distributed in the 1980s and 1990s.
Dec 07, 2016
Other / Other Resources
Nov 25, 2016
Detection and Classification / Other Resources
- File Scanning Framework (⭐283) - Modular, recursive file scanning solution.
Nov 20, 2016
Storage and Workflow / Other Resources
- stoQ - Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
Nov 14, 2016
Documents and Shellcode / Other Resources
- box-js (⭐606) - A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
Nov 13, 2016
Debugging and Reverse Engineering / Other Resources
- BAP (⭐2k) - Multiplatform and open source (MIT) binary analysis framework developed at CMU's Cylab.
- FPort - Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
- Process Explorer - Advanced task manager for Windows.
- PSTools - Windows command-line tools that help manage and investigate live systems.
Books / Other Resources
- The Rootkit Arsenal - The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
Oct 10, 2016
Open Source Threat Intelligence / Other Resources
- Proofpoint Threat Intelligence - Rulesets and more. (Formerly Emerging Threats.)
Online Scanners and Sandboxes / Other Resources
- ProcDot - A graphical malware analysis tool kit.
Sep 29, 2016
Malware Collection / Malware Corpora
- Ragpicker (⭐91) - Plugin based malware crawler with pre-analysis and reporting functionalities
Sep 11, 2016
Open Source Threat Intelligence / Tools
- Fileintel (⭐115) - Pull intelligence per file hash.
- Hostintel (⭐258) - Pull intelligence per host.
Aug 28, 2016
Domain Analysis / Other Resources
- URLQuery - Free URL Scanner.
Aug 09, 2016
Debugging and Reverse Engineering / Other Resources
- RetDec - Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.
Jul 30, 2016
Open Source Threat Intelligence / Other Resources
- Bambenek Consulting Feeds - OSINT feeds based on malicious DGA algorithms.
- Fidelis Barncat - Extensive malware config database (must request access).
Jul 01, 2016
Online Scanners and Sandboxes / Other Resources
- Joe Sandbox - Deep malware analysis with Joe Sandbox.
Memory Forensics / Other Resources
- WinDbg - Live memory inspection and kernel debugging for Windows systems.
Jun 28, 2016
Online Scanners and Sandboxes / Other Resources
- NetworkTotal - A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
Documents and Shellcode / Other Resources
- QuickSand - QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
Deobfuscation / Other Resources
- FLOSS (⭐3.1k) - The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
- unpacker (⭐117) - Automated malware unpacker for Windows malware based on WinAppDbg.
Debugging and Reverse Engineering / Other Resources
- bamfdetect - Identifies and extracts information from bots and other malware.
Storage and Workflow / Other Resources
- Polichombr (⭐373) - A malware analysis platform designed to help analysts to reverse malwares collaboratively.
Miscellaneous / Other Resources
- al-khaser (⭐5.6k) - A PoC malware with good intentions that aimes to stress anti-malware systems.
- MalSploitBase (⭐531) - A database containing exploits used by malware.
Jun 05, 2016
Other / Other Resources
Jun 04, 2016
Debugging and Reverse Engineering / Other Resources
- ROPMEMU (⭐281) - A framework to analyze, dissect and decompile complex code-reuse attacks.
May 26, 2016
Malware Collection / Honeypots
- Glastopf (⭐541) - Web application honeypot.
Open Source Threat Intelligence / Tools
- AbuseHelper (⭐113) - An open-source framework for receiving and redistributing abuse feeds and threat intel.
- AlienVault Open Threat Exchange - Share and collaborate in developing Threat Intelligence.
Detection and Classification / Other Resources
- Detect It Easy(DiE) (⭐6.9k) - A program for determining types of files.
Domain Analysis / Other Resources
- MaltegoVT (⭐77) - Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
Debugging and Reverse Engineering / Other Resources
- Fibratus (⭐2.1k) - Tool for exploration and tracing of the Windows kernel.
- PPEE (puppy) - A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
May 18, 2016
Domain Analysis / Other Resources
- dnstwist (⭐4.7k) - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
- mailchecker (⭐1.6k) - Cross-language temporary email detection library.
Browser Malware / Other Resources
- Krakatau (⭐2k) - Java decompiler, assembler, and disassembler.
Network / Other Resources
- Haka - An open source security oriented language for describing protocols and applying security policies on (live) captured traffic.
Memory Forensics / Other Resources
- evolve (⭐259) - Web interface for the Volatility Memory Forensics Framework.
- VolUtility (⭐375) - Web Interface for Volatility Memory Analysis framework.
Other / Other Resources
- File Formats posters (⭐10k) - Nice visualization of commonly used file format (including PE & ELF).
- Malware Analysis Tutorials - The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning practical malware analysis.
- Practical Malware Analysis Starter Kit - This package contains most of the software referenced in the Practical Malware Analysis book.
Apr 27, 2016
Malware Collection / Malware Corpora
- VirusShare - Malware repository, registration required.
Apr 02, 2016
Network / Other Resources
- Laika BOSS (⭐723) - Laika BOSS is a file-centric malware analysis and intrusion detection system.
Mar 31, 2016
Open Source Threat Intelligence / Other Resources
- FireHOL IP Lists - Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps.
Mar 16, 2016
Domain Analysis / Other Resources
- Machinae (⭐499) - OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
- TekDefense Automater - OSINT tool for gathering information about URLs, IPs, or hashes.
Feb 27, 2016
Other / Other Resources
Jan 22, 2016
Other / Other Resources
- Malware Samples and Traffic - This blog focuses on network traffic related to malware infections.
- RPISEC Malware Analysis (⭐3.7k) - These are the course materials used in the Malware Analysis course at at Rensselaer Polytechnic Institute during Fall 2015.
Jan 09, 2016
Online Scanners and Sandboxes / Other Resources
- SEE (⭐809) - Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
Dec 29, 2015
Malware Collection / Honeypots
- Honeyd - Create a virtual honeynet.
Open Source Threat Intelligence / Tools
- IOC Editor - A free editor for XML IOC files.
- PyIOCe (⭐16) - A Python OpenIOC editor.
Dec 28, 2015
Open Source Threat Intelligence / Tools
- ThreatTracker (⭐64) - A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
Open Source Threat Intelligence / Other Resources
- STIX - Structured Threat Information eXpression - Standardized language to represent and share cyber threat information. Related efforts from MITRE:
Deobfuscation / Other Resources
- PackerAttacker (⭐263) - A generic hidden code extractor for Windows malware.
- VirtualDeobfuscator (⭐128) - Reverse engineering tool for virtualization wrappers.
Debugging and Reverse Engineering / Other Resources
- angr (⭐7.3k) - Platform-agnostic binary analysis framework developed at UCSB's Seclab.
- BARF (⭐1.4k) - Multiplatform, open source Binary Analysis and Reverse engineering Framework.
- binnavi (⭐2.9k) - Binary analysis IDE for reverse engineering based on graph visualization.
- Capstone (⭐7.2k) - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
- GEF (⭐6.7k) - GDB Enhanced Features, for exploiters and reverse engineers.
- PEDA (⭐5.8k) - Python Exploit Development Assistance for GDB, an enhanced display with added commands.
- SMRT (⭐64) - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.
Network / Other Resources
- BroYara (⭐31) - Use Yara rules from Bro.
Dec 10, 2015
Network / Other Resources
- Maltrail (⭐5.9k) - A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring an reporting and analysis interface.
Nov 14, 2015
Malware Collection / Honeypots
- Conpot (⭐1.2k) - ICS/SCADA honeypot.
Detection and Classification / Other Resources
- ClamAV - Open source antivirus engine.
Online Scanners and Sandboxes / Other Resources
- DeepViz - Multi-format file analyzer with machine-learning classification.
- Jotti - Free online multi-AV scanner.
Oct 13, 2015
Online Scanners and Sandboxes / Other Resources
- AndroTotal - Free online analysis of APKs against multiple mobile antivirus apps.
Oct 08, 2015
Debugging and Reverse Engineering / Other Resources
- X64dbg - An open-source x64/x32 debugger for windows.
Oct 02, 2015
Detection and Classification / Other Resources
- Malfunction (⭐191) - Catalog and compare malware at a function level.
Other / Other Resources
- APT Notes (⭐1.6k) - A collection of papers and notes related to Advanced Persistent Threats.
Oct 01, 2015
Other / Other Resources
Sep 25, 2015
Other / Other Resources
Sep 22, 2015
Malware Collection / Malware Corpora
- Malshare - Large repository of malware actively scrapped from malicious sites.
- theZoo (⭐11k) - Live malware samples for analysts.
- ViruSign - Malware database that detected by many anti malware programs except ClamAV.
Open Source Threat Intelligence / Tools
- IntelMQ - A tool for CERTs for processing incident data using a message queue.
- MISP (⭐5.1k) - Malware Information Sharing Platform curated by The MISP Project.
- ThreatCrowd - A search engine for threats, with graphical visualization.
Open Source Threat Intelligence / Other Resources
- Critical Stack- Free Intel Market - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
- threatRECON - Search for indicators, up to 1000 free per month.
- Yara rules (⭐4k) - Yara rules repository.
Detection and Classification / Other Resources
- Loki (⭐3.3k) - Host based scanner for IOCs.
- MultiScanner (⭐615) - Modular file scanning/analysis framework
- Yara rules generator (⭐1.5k) - Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.
Online Scanners and Sandboxes / Other Resources
- Cryptam - Analyze suspicious office documents.
- cuckoo-modified (⭐268) - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
- IRMA - An asynchronous and customizable analysis platform for suspicious files.
- PDF Examiner - Analyse suspicious PDF files.
Domain Analysis / Other Resources
- Desenmascara.me - One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
- SpamCop - IP based spam block list.
- SpamHaus - Block list based on domains and IPs.
- Sucuri SiteCheck - Free Website Malware and Security Scanner.
Deobfuscation / Other Resources
- de4dot (⭐6.8k) - .NET deobfuscator and unpacker.
Debugging and Reverse Engineering / Other Resources
- dnSpy (⭐26k) - .NET assembly editor, decompiler and debugger.
- hackers-grep (⭐167) - A utility to search for strings in PE executables including imports, exports, and debug symbols.
- strace - Dynamic analysis for Linux executables.
Network / Other Resources
- CapTipper (⭐707) - Malicious HTTP traffic explorer.
Windows Artifacts / Other Resources
- AChoir (⭐177) - A live incident response script for gathering Windows artifacts.
Miscellaneous / Other Resources
- Pafish (⭐3.2k) - Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
Other / Other Resources
- /r/csirt_tools - Subreddit for CSIRT tools and resources, with a malware analysis flair.
May 18, 2015
Debugging and Reverse Engineering / Other Resources
- pestudio - Perform static analysis of Windows executables.
Memory Forensics / Other Resources
- VolDiff (⭐192) - Run Volatility on memory images before and after malware execution, and report changes.
May 17, 2015
Detection and Classification / Other Resources
- PEV - A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
Online Scanners and Sandboxes / Other Resources
- Hybrid Analysis - Online malware analysis tool, powered by VxSandbox.
Network / Other Resources
- chopshop (⭐487) - Protocol analysis and decoding framework.
- Moloch (⭐6.2k) - IPv4 traffic capturing, indexing and database system.
Storage and Workflow / Other Resources
- Aleph (⭐154) - Open Source Malware Analysis Pipeline System.
- CRITs - Collaborative Research Into Threats, a malware and threat repository.
Miscellaneous / Other Resources
- DC3-MWCP (⭐290) - The Defense Cyber Crime Center's Malware Configuration Parser framework.
May 15, 2015
Malware Collection / Malware Corpora
- Zeus Source Code (⭐1.4k) - Source for the Zeus trojan leaked in 2011.
Open Source Threat Intelligence / Tools
- ioc_writer (⭐199) - Python library for working with OpenIOC objects, from Mandiant.
- threataggregator (⭐78) - Aggregates security threats from a number of sources, including some of those listed below in other resources.
- TIQ-test (⭐166) - Data visualization and statistical analysis of Threat Intelligence feeds.
Open Source Threat Intelligence / Other Resources
- FireEye IOCs (⭐461) - Indicators of Compromise shared publicly by FireEye.
Detection and Classification / Other Resources
- MASTIFF (⭐173) - Static analysis framework.
Online Scanners and Sandboxes / Other Resources
- DRAKVUF (⭐1k) - Dynamic malware analysis system.
- Malheur (⭐365) - Automatic sandboxed analysis of malware behavior.
- Malwr - Free analysis with an online Cuckoo Sandbox instance.
- Noriben (⭐1.1k) - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
Deobfuscation / Other Resources
- Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
- ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
- NoMoreXOR (⭐84) - Guess a 256 byte XOR key using frequency analysis.
- unxor (⭐138) - Guess XOR keys using known-plaintext attacks.
- XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
- XORSearch & XORStrings - A couple programs from Didier Stevens for finding XORed data.
- xortool (⭐1.4k) - Guess XOR key length, as well as the key itself.
Network / Other Resources
- Bro - Protocol analyzer that operates at incredible scale; both file and network protocols.
- Fiddler - Intercepting web proxy designed for "web debugging."
- Hale (⭐184) - Botnet C&C monitor.
Miscellaneous / Other Resources
- Santoku Linux - Linux distribution for mobile forensics, malware analysis, and security.
Other / Other Resources
- Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list;
- Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for writing the Malware Analyst's Cookbook, which was a big inspiration for creating the list;
- And everyone else who has sent pull requests or suggested links to add here!
May 12, 2015
Open Source Threat Intelligence / Tools
- Combine (⭐650) - Tool to gather Threat Intelligence indicators from publicly available sources.
May 09, 2015
Malware Collection / Anonymizers
- Anonymouse.org - A free, web based anonymizer.
- OpenVPN - VPN software and hosting solutions.
- Privoxy - An open source proxy server with some privacy features.
- Tor - The Onion Router, for browsing the web without leaving traces of the client IP.
Malware Collection / Honeypots
- Mnemosyne (⭐44) - A normalizer for honeypot data; supports Dionaea.
- Thug (⭐967) - Low interaction honeyclient, for investigating malicious websites.
Malware Collection / Malware Corpora
- Contagio - A collection of recent malware samples and analyses.
- Exploit Database - Exploit and shellcode samples.
- Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
Open Source Threat Intelligence / Other Resources
- hpfeeds (⭐208) - Honeypot feed protocol.
- Internet Storm Center (DShield) - Diary and searchable incident database, with a web API. (unofficial Python library (⭐24)).
- malc0de - Searchable incident database.
- Malware Domain List - Search and share malicious URLs.
- ZeuS Tracker - ZeuS blocklists.
Detection and Classification / Other Resources
- AnalyzePE (⭐201) - Wrapper for a variety of tools for reporting on Windows PE files.
- chkrootkit - Local Linux rootkit detection.
- ExifTool - Read, write and edit file metadata.
- hashdeep (⭐694) - Compute digest hashes with a variety of algorithms.
- nsrllookup (⭐110) - A tool for looking up hashes in NIST's National Software Reference Library database.
- Rootkit Hunter - Detect Linux rootkits.
- TrID - File identifier.
- YARA - Pattern matching tool for analysts.
Online Scanners and Sandboxes / Other Resources
- Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
- Recomposer (⭐130) - A helper script for safely uploading binaries to sandbox sites.
- VirusTotal - Free online analysis of malware samples and URLs
- Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.
Domain Analysis / Other Resources
- Dig - Free online dig and other network tools.
- IPinfo (⭐95) - Gather information about an IP or domain by searching online resources.
- Whois - DomainTools free online whois search.
- Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.
Browser Malware / Other Resources
- Java Decompiler - Decompile and inspect Java apps.
- Java IDX Parser (⭐39) - Parses Java IDX cache files.
- JSDetox - JavaScript malware analysis tool.
- jsunpack-n (⭐158) - A javascript unpacker that emulates browser functionality.
- Malzilla - Analyze malicious web pages.
- RABCDAsm (⭐427) - A "Robust ActionScript Bytecode Disassembler."
- swftools - Tools for working with Adobe Flash files.
- xxxswf - A Python script for analyzing Flash files.
Documents and Shellcode / Other Resources
- AnalyzePDF (⭐171) - A tool for analyzing PDFs and attempting to determine whether they are malicious.
- diStorm - Disassembler for analyzing malicious shellcode.
- JS Beautifier - JavaScript unpacking and deobfuscation.
- libemu - Library and tools for x86 shellcode emulation.
- malpdfobj (⭐51) - Deconstruct malicious PDFs into a JSON representation.
- OfficeMalScanner - Scan for malicious traces in MS Office documents.
- olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
- Origami PDF - A tool for analyzing malicious PDFs, and more.
- PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
- PDF X-Ray Lite (⭐34) - A PDF analysis tool, the backend-free version of PDF X-RAY.
- peepdf - Python tool for exploring possibly malicious PDFs.
- Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.
File Carving / Other Resources
- bulk_extractor (⭐1k) - Fast file carving tool.
- EVTXtract (⭐176) - Carve Windows Event Log files from raw binary data.
- Foremost - File carving tool designed by the US Air Force.
- Scalpel (⭐612) - Another data carving tool.
Debugging and Reverse Engineering / Other Resources
- Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
- GDB - The GNU debugger.
- IDA Pro - Windows disassembler and debugger, with a free evaluation version.
- Immunity Debugger - Debugger for malware analysis and more, with a Python API.
- ltrace - Dynamic analysis for Linux executables.
- objdump - Part of GNU binutils, for static analysis of Linux binaries.
- OllyDbg - An assembly-level debugger for Windows executables.
- Process Monitor - Advanced monitoring tool for Windows programs.
- Pyew (⭐380) - Python tool for malware analysis.
- Radare2 - Reverse engineering framework, with debugger support.
- Udis86 (⭐999) - Disassembler library and tool for x86 and x86_64.
- Vivisect (⭐908) - Python tool for malware analysis.
Network / Other Resources
- INetSim - Network service emulation, useful when building a malware lab.
- Malcom (⭐1.1k) - Malware Communications Analyzer.
- mitmproxy - Intercept network traffic on the fly.
- NetworkMiner - Network forensic analysis tool, with a free version.
- ngrep (⭐864) - Search through network traffic like grep.
- Tcpdump - Collect network traffic.
- tcpick - Trach and reassemble TCP streams from network traffic.
- tcpxtract - Extract files from network traffic.
- Wireshark - The network traffic analysis tool.
Memory Forensics / Other Resources
- FindAES - Find AES encryption keys in memory.
- Muninn (⭐51) - A script to automate portions of analysis using Volatility, and create a readable report. Orochi (⭐208) - Orochi is an open source framework for collaborative forensic memory dump analysis.
- Rekall - Memory analysis framework, forked from Volatility in 2013.
- TotalRecall (⭐49) - Script based on Volatility for automating various malware analysis tasks.
- Volatility (⭐7k) - Advanced memory forensics framework.
Windows Artifacts / Other Resources
- python-evt (⭐46) - Python library for parsing Windows Event Logs.
- python-registry - Python library for parsing registry files.
Storage and Workflow / Other Resources
- Malwarehouse (⭐131) - Store, tag, and search malware.
- Viper - A binary management and analysis framework for analysts and researchers.
Miscellaneous / Other Resources
- REMnux - Linux distribution and docker images for malware reverse engineering and analysis.
Books / Other Resources
- Malware Analyst's Cookbook and DVD - Tools and Techniques for Fighting Malicious Code.
- The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory.
- The IDA Pro Book - The Unofficial Guide to the World's Most Popular Disassembler.
Other / Other Resources
- Honeynet Project - Honeypot tools, papers, and other resources.
- Malicious Software - Malware blog and resources by Lenny Zeltser.
- Malware Analysis Search - Custom Google search engine from Corey Harrell.
- WindowsIR: Malware - Harlan Carvey's page on Malware.
- /r/Malware - The malware subreddit.
- /r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.