A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.

• Awesome Malware Analysis
  • Malware Collection
    • Anonymizers
    • Honeypots
    • Malware Corpora
  • Open Source Threat Intelligence
    • Tools
    • Other Resources
  • Detection and Classification
  • Online Scanners and Sandboxes
  • Domain Analysis
  • Browser Malware
  • Documents and Shellcode
  • File Carving
  • Deobfuscation
  • Debugging and Reverse Engineering
  • Network
  • Memory Forensics
  • Windows Artifacts
  • Storage and Workflow
  • Miscellaneous
• Resources
  • Books
  • Twitter
  • Other
• Related Awesome Lists
• Contributing
• Thanks

Web traffic anonymizers for analysts.

• Anonymouse.org - A free, web based anonymizer.
• OpenVPN - VPN software and hosting solutions.
• Privoxy - An open source proxy server with some privacy features.
• Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Trap and collect your own samples.

• Conpot - ICS/SCADA honeypot.
• Dionaea - Honeypot designed to trap malware.
• Glastopf - Web application honeypot.
• Honeyd - Create a virtual honeynet.
• HoneyDrive - Honeypot bundle Linux distro.
• Kippo - Medium interaction SSH honeypot.
• Mnemosyne - A normalizer for honeypot data; supports Dionaea.
• Thug - Low interaction honeyclient, for investigating malicious websites.

Malware samples collected for analysis.

• Clean MX - Realtime database of malware and malicious domains.
• Contagio - A collection of recent malware samples and analyses.
• Exploit Database - Exploit and shellcode samples.
• Malshare - Large repository of malware actively scrapped from malicious sites.
• maltrieve - Retrieve malware samples directly from a number of online sources.
• MalwareDB - Malware samples repository.
• theZoo - Live malware samples for analysts.
• ViruSign - Malware database that detected by many anti malware programs except ClamAV.
• VirusShare - Malware repository, registration
• Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
• Zeus Source Code - Source for the Zeus trojan leaked in 2011. required.

Harvest and analyze IOCs.

• Combine - Tool to gather Threat Intelligence indicators from publicly available sources.
• IntelMQ - A tool for CERTs for processing incident data using a message queue.
• IOC Editor - A free editor for XML IOC files, from Mandiant.
• ioc_writer - Python library for working with OpenIOC objects, from Mandiant.
• Massive Octo Spice - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
• MISP - Malware Information Sharing Platform curated by The MISP Project.
• PassiveTotal - Research, connect, tag and share IPs and domains.
• threataggregator - Aggregates security threats from a number of sources, including some of those listed below in other resources.
• ThreatCrowd - A search engine for threats, with graphical visualization.
• TIQ-test - Data visualization and statistical analysis of Threat Intelligence feeds.

Threat intelligence and IOC resources.

• Autoshun (list) - Snort plugin and blocklist.
• CI Army (list) - Network security blocklists.
• Critical Stack- Free Intel Market - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
• CRDF ThreatCenter - List of new threats detected by CRDF anti-malware.
• Emerging Threats - Rulesets and more.
• FireEye IOCs - Indicators of Compromise shared publicly by FireEye.
• hpfeeds - Honeypot feed protocol.
• Internet Storm Center (DShield) - Diary and searchable incident database, with a web API (unofficial Python library).
• malc0de - Searchable incident database.
• Malware Domain List - Search and share malicious URLs.
• OpenIOC - Framework for sharing threat intelligence.
• Palevo Blocklists - Botnet C&C blocklists.
• STIX - Structured Threat Information eXpression - Standardized language to represent and share cyber threat information. Related efforts from MITRE:
  • CAPEC - Common Attack Pattern Enumeration and Classification
  • CybOX - Cyber Observables eXpression
  • MAEC - Malware Attribute Enumeration and Characterization
  • TAXII - Trusted Automated eXchange of Indicator Information
• threatRECON - Search for indicators, up to 1000 free per month.
• Yara rules - Yara rules repository.
• ZeuS Tracker - ZeuS blocklists.

Antivirus and other malware identification tools

• AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
• chkrootkit - Local Linux rootkit detection.
• ClamAV - Open source antivirus engine.
• ExifTool - Read, write and edit file metadata.
• hashdeep - Compute digest hashes with a variety of algorithms.
• Loki - Host based scanner for IOCs.
• Malfunction - Catalog and compare malware at a function level.
• MASTIFF - Static analysis framework.
• MultiScanner - Modular file scanning/analysis framework
• nsrllookup - A tool for looking up hashes in NIST's National Software Reference Library database.
• packerid - A cross-platform Python alternative to PEiD.
• PEiD - Packer identifier for Windows binaries.
• PEV - A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
• Rootkit Hunter - Detect Linux rootkits.
• ssdeep - Compute fuzzy hashes.
• totalhash.py - Python script for easy searching of the TotalHash.com database.
• TrID - File identifier.
• YARA - Pattern matching tool for analysts.
• Yara rules generator - Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

• AndroTotal - free online analysis of APKs against multiple mobile antivirus apps.
• Anubis - Malware Analysis for Unknown Binaries and Site Check.
• AVCaesar - Malware.lu online scanner and malware repository.
• Cryptam - Analyze suspicious office documents.
• Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
• cuckoo-modified - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
• DRAKVUF - Dynamic malware analysis system.
• Hybrid Analysis - Online malware analysis tool, powered by VxSandbox.
• IRMA - An asynchronous and customizable analysis platform for suspicious files.
• Jotti - Free online multi-AV scanner.
• Malheur - Automatic sandboxed analysis of malware behavior.
• Malwr - Free analysis with an online Cuckoo Sandbox instance.
• MASTIFF Online - Online static analysis of malware.
• Metascan Online - Free file scanning with multiple antivirus engines.
• Noriben - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
• PDF Examiner - Analyse suspicious PDF files.
• Recomposer - A helper script for safely uploading binaries to sandbox sites.
• VirusTotal - Free online analysis of malware samples and URLs
• Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.

Inspect domains and IP addresses.

• Desenmascara.me - One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
• Dig - Free online dig and other network tools.
• IPinfo - Gather information about an IP or domain by searching online resources.
• SenderBase - Search for IP, domain or network owner.
• SpamCop - IP based spam block list.
• SpamHaus - Block list based on domains and IPs.
• Sucuri SiteCheck - Free Website Malware and Security Scanner.
• TekDefense Automator - OSINT tool for gatherig information about URLs, IPs, or hashes.
• Whois - DomainTools free online whois search.
• Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

• Firebug - Firefox extension for web development.
• Java Decompiler - Decompile and inspect Java apps.
• Java IDX Parser - Parses Java IDX cache files.
• JSDetox - JavaScript malware analysis tool.
• jsunpack-n - A javascript unpacker that emulates browser functionality.
• Malzilla - Analyze malicious web pages.
• RABCDAsm - A "Robust ActionScript Bytecode Disassembler."
• swftools - Tools for working with Adobe Flash files.
• xxxswf - A Python script for analyzing Flash files.

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

• AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
• diStorm - Disassembler for analyzing malicious shellcode.
• JS Beautifier - JavaScript unpacking and deobfuscation.
• libemu - Library and tools for x86 shellcode emulation.
• malpdfobj - Deconstruct malicious PDFs into a JSON representation.
• OfficeMalScanner - Scan for malicious traces in MS Office documents.
• olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
• Origami PDF - A tool for analyzing malicious PDFs, and more.
• PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
• PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
• peepdf - Python tool for exploring possibly malicious PDFs.
• Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.

For extracting files from inside disk and memory images.

• bulk_extractor - Fast file carving tool.
• EVTXtract - Carve Windows Event Log files from raw binary data.
• Foremost - File carving tool designed by the US Air Force.
• Hachoir - A collection of Python libraries for dealing with binary files.
• Scalpel - Another data carving tool.

Reverse XOR and other code obfuscation methods.

• Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
• de4dot - .NET deobfuscator and unpacker.
• ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
• NoMoreXOR - Guess a 256 byte XOR key using frequency analysis.
• unxor - Guess XOR keys using known-plaintext attacks.
• XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
• XORSearch & XORStrings - A couple programs from Didier Stevens for finding XORed data.
• xortool - Guess XOR key length, as well as the key itself.

Disassemblers, debuggers, and other static and dynamic analysis tools.

• Bokken - GUI for Pyew and Radare.
• dnSpy - .NET assembly editor, decompiler and debugger.
• Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
• GDB - The GNU debugger.
• hackers-grep - A utility to search for strings in PE executables including imports, exports, and debug symbols.
• IDA Pro - Windows disassembler and debugger, with a free evaluation version.
• Immunity Debugger - Debugger for malware analysis and more, with a Python API.
• ltrace - Dynamic analysis for Linux executables.
• objdump - Part of GNU binutils, for static analysis of Linux binaries.
• OllyDbg - An assembly-level debugger for Windows executables.
• pestudio - Perform static analysis of Windows executables.
• Process Monitor - Advanced monitoring tool for Windows programs.
• Pyew - Python tool for malware analysis.
• Radare2 - Reverse engineering framework, with debugger support.
• strace - Dynamic analysis for Linux executables.
• Udis86 - Disassembler library and tool for x86 and x86_64.
• Vivisect - Python tool for malware analysis.
• X64dbg - An open-source x64/x32 debugger for windows.

Analyze network interactions.

• Bro - Protocol analyzer that operates at incredible scale; both file and network protocols.
• CapTipper - Malicious HTTP traffic explorer.
• chopshop - Protocol analysis and decoding framework.
• Fiddler - Intercepting web proxy designed for "web debugging."
• Hale - Botnet C&C monitor.
• INetSim - Network service emulation, useful when building a malware lab.
• Malcom - Malware Communications Analyzer.
• mitmproxy - Intercept network traffic on the fly.
• Moloch - IPv4 traffic capturing, indexing and database system.
• NetworkMiner - Network forensic analysis tool, with a free version.
• ngrep - Search through network traffic like grep.
• Tcpdump - Collect network traffic.
• tcpick - Trach and reassemble TCP streams from network traffic.
• tcpxtract - Extract files from network traffic.
• Wireshark - The network traffic analysis tool.

Tools for dissecting malware in memory images or running systems.

• DAMM - Differential Analysis of Malware in Memory, built on Volatility
• FindAES - Find AES encryption keys in memory.
• Muninn - A script to automate portions of analysis using Volatility, and create a readable report.
• Rekall - Memory analysis framework, forked from Volatility in 2013.
• TotalRecall - Script based on Volatility for automating various malware analysis tasks.
• VolDiff - Run Volatility on memory images before and after malware execution, and report changes.
• Volatility - Advanced memory forensics framework.
• WinDbg - Live memory inspection and kernel debugging for Windows systems.

• AChoir - A live incident response script for gathering Windows artifacts.
• python-evt - Python library for parsing Windows Event Logs.
• python-registry - Python library for parsing registry files.
• RegRipper (GitHub) - Plugin-based registry analysis tool.

• Aleph - OpenSource Malware Analysis Pipeline System.
• CRITs - Collaborative Research Into Threats, a malware and threat repository.
• Malwarehouse - Store, tag, and search malware.
• MISP - Malware Information Sharing Platform curated by The MISP Project.
• Viper - A binary management and analysis framework for analysts and researchers.

• DC3-MWCP - The Defense Cyber Crime Center's Malware Configuration Parser framework.
• Pafish - Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
• REMnux - Linux distribution and docker images for malware reverse engineering and analysis.
• Santoku Linux - Linux distribution for mobile forensics, malware analysis, and security.

Essential malware analysis reading material.

• Malware Analyst's Cookbook and DVD - Tools and Techniques for Fighting Malicious Code.
• Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software.
• The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory.
• The IDA Pro Book - The Unofficial Guide to the World's Most Popular Disassembler.

Some relevant Twitter accounts.

• Adamb @Hexacorn
• Andrew Case @attrc
• Claudio @botherder
• Dustin Webber @mephux
• Glenn @hiddenillusion
• jekil @jekil
• Jurriaan Bremer @skier_t
• Lenny Zeltser @lennyzeltser
• Liam Randall @hectaman
• Mark Schloesser @repmovsb
• Michael Ligh (MHL) @iMHLv2
• Open Malware @OpenMalware
• Richard Bejtlich @taosecurity
• Volatility @volatility

• APT Notes - A collection of papers and notes related to Advanced Persistent Threats.
• Honeynet Project - Honeypot tools, papers, and other resources.
• Malicious Software - Malware blog and resources by Lenny Zeltser.
• Malware Analysis Search - Custom Google search engine from Corey Harrell.
• WindowsIR: Malware - Harlan Carvey's page on Malware.
• /r/csirt_tools - Subreddit for CSIRT tools and resources, with a malware analysis flair.
• /r/Malware - The malware subreddit.
• /r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.

• Android Security
• AppSec
• CTFs
• "Hacking"
• Honeypots
• Incident-Response
• Infosec
• PCAP Tools
• Pentesting
• Security

Pull requests and issues with suggestions are welcome!

This list was made possible by:

• Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list;
• Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for writing the Malware Analyst's Cookbook, which was a big inspiration for creating the list;
• And everyone else who has sent pull requests or suggested links to add here!

Thanks!