Awesome Malware Analysis

Defund the Police.

Last Update: Dec. 5, 2020, 9:05 a.m.

Thank you rshipp & contributors
View Topic on GitHub:
rshipp/awesome-malware-analysis

Anonymizers

A free, web-based anonymizer.

OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.

An open source proxy server with some

Enable anonymous communication. [Open-Source Software] [Freeware]

Honeypots

ICS/SCADA honeypot

828
328
22d
GPL-2.0

Cowrie SSH/Telnet Honeypot http://cowrie.readthedocs.io

3.38K
627
9d
n/a

Distributed Honeypot

38
6
2y 7m
MIT

Home of the dionaea honeypot

470
130
5d
GPL-2.0

Web Application Honeypot

437
166
1y 82d
n/a

Advanced Honeypot framework.

788
139
5m
n/a

Modern Honey Network

2.04K
586
4m
n/a

Normalizer for honeypot data.

40
37
6y 7m
GPL-3.0

Python low-interaction honeyclient

803
192
1d
GPL-2.0

Create a virtual honeynet.

Honeypot bundle Linux distro.

Malware Corpora

Collection of almost 40,000 JavaScript malware samples

344
149
1y 54d
n/a

Ragpicker is a plugin-based malware crawler with pre-analysis and reporting functionalities. Use this tool if you are testing antivirus products or collecting malware for another analyzer/zoo.

77
22
5y 4m
n/a

A repository of LIVE malware for your own joy and pleasure. theZoo is a project created to make the possibility of malware analysis open and available to the public.

6.45K
1.78K
12d
n/a

NOT MY CODE! Zeus trojan horse - leaked in 2011, I am not the author. This repository is for study purposes only, do not message me about your lame hacking attempts.

1.01K
656
6y 9m
n/a

Malware samples collection and analysis.

Evergrowing searchable corpus of malicious Microsoft documents.

Large repository of malware actively

Agregator for malware corpus tracker

Community-Based malware repository and social network.

Malware database that detected by

Malware repository, registration

Active collection of malware samples.

Massive and growing collection of free malware samples.

Tools

A framework for receiving and redistributing abuse feeds

100
15
1y 70d
MIT

Tool to gather Threat Intelligence indicators from publicly available sources

604
171
4y 4m
GPL-3.0

A modular Python application to pull intelligence about malicious files

94
20
1d
n/a

A modular Python application to collect intelligence for malicious hosts.

205
46
9m
n/a

Defanged Indicator of Compromise (IOC) Extractor.

284
62
4m
GPL-2.0
161
54
2y 12m
Apache-2.0

Malware/IOC ingestion and processing engine

91
21
2y 16d
GPL-3.0

DEPRECATED - USE v3 (bearded-avenger)

224
65
2y 10m
LGPL-3.0

MISP (core software) - Open Source Threat Intelligence and Sharing Platform (formerly known as Malware Information Sharing Platform)

2.98K
933
1d
AGPL-3.0

Python OpenIOC Editor

15
5
4y 11m
n/a

Aggregates security threats from a number of online sources, and outputs to Syslog CEF, Snort Signatures, Iptables rules, hosts.deny, etc.

71
24
4y 10m
MIT

Extract and aggregate threat intelligence.

414
82
32d
GPL-2.0

ThreatTracker is a Python script designed to monitor and generate alerts on given sets of indicators of compromise (IOCs) indexed by a set of Google Custom Search Engines.

51
9
5y 9m
n/a

Threat Intelligence Quotient Test - Dataviz and Statistical Analysis of TI feeds

147
37
5y 49d
GPL-3.0

Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.

Research, connect, tag and

TC Open allows you to see and

A search engine for threats,

Other Resources

FireEye Publicly Shared Indicators of Compromise (IOCs)

385
94
4y 6m
Apache-2.0

Honeynet Project generic authenticated datafeed protocol

189
99
110d
GPL-3.0

Repository of yara rules

2.36K
638
4m
GPL-2.0

Your Everyday Threat Intelligence

982
222
3d
Apache-2.0

AutoShun is a Snort plugin that allows you to send your Snort IDS logs to a centralized server that will correlate attacks from your sensor logs with other snort sensors, honeypots, and mail filters from around the world.

List: http://cinsscore.com/list/ci-badguys.txt

Multiple botnet active tracker.

Analytics for 350+ IP lists

Community driven honeypot sensor data collection and aggregation.

IPs: https://infosec.cert-pa.it/analyze/listip.txt; Domains; URLs. Blocklist service.

Continuous aggregation of IOCs from a variety of open reputation sources.

Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter.

Searchable incident database.

Framework for sharing threat intelligence.

SystemLookup hosts a collection of lists that provide information on

Data mining portal for threat

Search for indicators, up to 1000

Detection and Classification

Wraps around various tools and provides some additional checks/information to produce a centralized report of a PE file.

168
36
6y 10m
n/a

BinaryAlert: Serverless, Real-time & Retroactive Malware Detection.

1.07K
149
10m
Apache-2.0

The FLARE team's open-source tool to identify capabilities in executable files.

1.21K
137
1d
Apache-2.0

Program for determining types of files for Windows, Linux and MacOS.

1.92K
284
4d
MIT

File Scanning Framework

224
44
1y 10m
Apache-2.0

Automated static analysis tools for binary programs

922
137
21d
n/a

A single library parser to extract meta information, perform static analysis and detect macros within files.

13
6
2y 83d
MIT
511
110
2y 90d
n/a

HashCheck Shell Extension for Windows with added SHA2, SHA3, and multithreading; originally from code.kliu.org

1.03K
122
4y 90d
n/a

Loki - Simple IOC and Incident Response Scanner

1.75K
406
47d
GPL-3.0

Malware Analysis Tool using Function Level Fuzzy Hashing

179
34
4y 11m
LGPL-2.1

A static analyzer for PE executables.

668
138
107d
GPL-3.0

Malware static analysis framework

141
41
5y 75d
n/a

Modular file scanning/analysis framework

489
116
1y 10m
MPL-2.0

Linker/Compiler/Tool detector for Windows, Linux and MacOS.

139
42
2d
MIT

Checks with NSRL RDS servers looking for hash matches

86
8
1y 71d
ISC

PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.

458
131
29d
n/a

Java library to analyse Portable Executable files with a special focus on malware analysis and PE malformation robustness

317
69
1y 6m
Apache-2.0

Malware (Analysis | Scoring System)

426
51
5d
GPL-3.0

yarGen is a generator for YARA rules

753
164
54d
n/a

Simple tool to find the yara matches on a file

16
4
2y 101d
MIT

Local Linux rootkit detection.

Open source antivirus engine.

Packer, compressor detector, unpack

PEV

A multiplatform toolkit to work with PE

A Rootkit Hunter for Linux

Pattern matching tool for

Online Scanners and Sandboxes

Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant

156
15
9m
MPL-2.0

Modified edition of cuckoo

247
104
1y 88d
n/a

A Python library to interface with a cuckoo-modified instance

15
3
4y 36d
n/a

The Multiplatform Linux Sandbox

217
63
2y 87d
MIT

DRAKVUF Black-box Binary Analysis

596
176
2d
n/a

HaboMalHunter is a sub-project of Habo Malware Analysis System (https://habo.qq.com), which can be used for automated malware analysis and security assessment on the Linux system.

609
214
1y 54d
n/a

Limon is a sandbox developed as a research project written in Python, which automatically collects, analyzes, and reports on the run-time indicators of Linux malware. It allows one to inspect Linux malware before execution, during execution, and after execution (post-mortem analysis) by performing static, dynamic and memory analysis using open source tools.

317
109
4y 8m
GPL-3.0

A Tool for Automatic Analysis of Malware Behavior

311
92
1y 7m
GPL-3.0

VirusTotal Wanna Be - Now with 100% more Hipster

1.24K
220
1y 8m
Apache-2.0

A Python RESTful API framework for online malware analysis and threat intelligence services.

301
79
8m
n/a

Noriben - Portable, Simple, Malware Analysis Sandbox

769
197
6m
n/a

Randomly changes Win32/64 PE Files for 'safer' uploading to malware and sandbox sites.

118
39
7y 38d
n/a

Minimal, consistent Python API for building integrations with malware sandboxes.

92
28
59d
GPL-2.0

Sandboxed Execution Environment

756
95
61d
Apache-2.0

A Python library and command line tools to provide interactive log visualization.

123
33
4y 24d
n/a

Online interactive sandbox.

Free online analysis of APKs

Malware.lu online scanner and

Analyze suspicious office documents.

Open source, self hosted

Multi-format file analyzer with

Unpacks, scans and analyzes almost any

Detect, analyze, and categorize malware by

An asynchronous and customizable

Deep malware analysis with Joe Sandbox.

Free online multi-AV scanner.

Extract, decode and display online

Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.

Free analysis with an online Cuckoo Sandbox

PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.

Analyse suspicious PDF files.

A graphical malware analysis tool kit.

Online dropper analysis (Js, VBScript, Microsoft Office, PDF).

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.

Domain Analysis

A tool designed for consistent and safe capture of off network web resources.

32
4
3y 8m
Apache-2.0

Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation

2.62K
491
1d
n/a

Searches various online resources to try and get as much info about an IP/domain as possible.

78
25
6y 10m
n/a

Machinae Security Intelligence Collector

436
97
10d
MIT

Cross-language temporary (disposable/throwaway) email detection library. Covers 33600 fake email providers.

1.22K
162
2d
MIT

A set of Maltego transforms for VirusTotal Public API v2.0. This set has the added functionality of caching queries on a daily basis to speed up resolutions.

66
20
5y 8d
n/a

AbuseIPDB is a project dedicated

Community based IP blacklist service.

Threat intelligence tracker, with IP/domain/hash

One click tool to retrieve as

Dig

Free online dig and other

Multiple DNS blacklist and forward

Phishing Statistics with search for IP, domain and website title.

Spyse is an OSINT search engine that provides fresh data about the entire web. All the data is stored in its own DB for instant access and interconnected with each other for flexible search.

Historical and current WHOIS,

IP based spam block list.

A project from abuse.ch with the goal

Free URL Scanner.

Free URL Scanner & domain information.

DomainTools free online whois

Zulu URL Risk Analyzer.

Browser Malware

A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)

11.73K
839
4m
GPL-3.0

Parses Java Cache IDX files

38
9
2y 9m
n/a

Automatically exported from code.google.com/p/jsunpack-n

140
58
5y 8m
GPL-2.0

Java decompiler, assembler, and disassembler

1.25K
148
5m
GPL-3.0

Robust ABC (ActionScript Bytecode) [Dis-]Assembler

375
84
1y 20d
GPL-3.0

Firefox extension for web development.

Decompile and inspect Java apps.

Collection of utilities to work with SWF files.

Documents and Shellcode

Tool to help analyze PDF files

141
36
6y 6m
n/a

A tool for studying JavaScript malware.

432
72
84d
MIT

Builds json representation of PDF malware sample

43
14
9y 8m
MIT

Lite version of PDF X-RAY that uses no backend

30
7
9y 27d
n/a

Disassembler for analyzing

Upload common malware lures for Deep File Inspection and heuristical analysis.

Library and tools for x86 shellcode

QuickSand is a compact C framework

File Carving

This is the development tree. For downloads please see:

473
116
48d
n/a

EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.

131
18
1y 8m
Apache-2.0

Hachoir is a Python library to view and edit a binary stream field by field

374
48
32d
GPL-2.0

Scalpel is an open source data carving tool.

424
80
6y 65d
Apache-2.0

Sample staging & detonation utility to be used in combination with Cuckoo Sandbox.

62
27
11m
n/a

Extract particular kind of files using headers.

Deobfuscation

.NET deobfuscator and unpacker.

4.72K
1.41K
98d
GPL-3.0

FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware.

1.68K
283
4m
Apache-2.0

Tool to help guess a file's 256-byte XOR key by using frequency analysis

62
19
2y 5m
n/a

C++ application that uses memory and code hooks to detect packers

231
70
2y 9m
GPL-2.0

PyInstaller Extractor

178
62
2d
GPL-3.0

A cross-version Python bytecode decompiler

1.97K
231
15d
GPL-3.0

Automatic and platform-independent unpacker for Windows binaries based on emulation

250
44
27d
GPL-2.0

Automated malware unpacker

94
23
4y 9m
n/a

unXOR will search a XORed file and try to guess the key using known-plaintext attacks.

97
17
7m
Apache-2.0

Reverse engineering tool for virtualization wrappers

43
10
1y 105d
n/a

A tool to analyze multi-byte XOR ciphers

953
142
64d
n/a

Debugging and Reverse Engineering

A powerful and user-friendly binary analysis platform!

4.71K
784
0d
BSD-2-Clause

Identifies and extracts information from bots and other malware

137
27
4y 11m
MIT

Binary Analysis Platform

1.33K
219
3d
n/a

BARF : A multiplatform open source Binary Analysis and Reverse engineering Framework

1.25K
168
1y 12d
BSD-2-Clause

BinNavi is a binary analysis IDE that allows you to inspect, navigate, edit and annotate control flow graphs and call graphs of disassembled code.

2.7K
466
43d
Apache-2.0

Firmware Analysis Tool

6.86K
1.04K
10d
MIT

BluePill: Neutralizing Anti-Analysis Behavior in Malware Dissection (Black Hat Europe 2019, TIFS 2020)

59
14
6m
LGPL-3.0

Capstone disassembly/disassembler framework: Core (Arm, Arm64, BPF, EVM, M68K, M680X, MOS65xx, Mips, PPC, RISCV, Sparc, SystemZ, TMS320C64x, Web Assembly, X86, X86_64, XCore) + bindings.

4.57K
1.12K
2d
n/a

Web based code browser using clang to provide basic code analysis.

39
5
3y 4m
n/a

Free and Open Source Reverse Engineering Platform powered by radare2

8.62K
691
1d
GPL-3.0

DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. This is also the home of the DroidScope dynamic Android malware analysis platform. DroidScope is now an extension to DECAF.

598
166
9m
GPL-3.0

.NET debugger and assembly editor

16.54K
2.58K
16d
n/a

Tool for exploration and tracing of the Windows kernel

680
104
1d
n/a

GEF - GDB Enhanced Features for exploit devs & reversers

3.29K
476
10d
MIT

Ghidra is a software reverse engineering (SRE) framework

23.11K
3.15K
11d
Apache-2.0

hackers-grep is a utility to search for strings in PE executables including imports, exports, and debug symbols

149
16
2y 5m
n/a

Interactive Delphi Reconstructor

464
144
1d
MIT
62
18
2y 75d
MIT

Deprecated repo for PANDA 1.0 – see PANDA 2.0 repository

86
36
3y 11m
n/a

PEDA - Python Exploit Development Assistance for GDB

4.34K
713
10m
n/a

Automated static analysis tools for binary programs

922
137
21d
n/a

Plasma is an interactive disassembler for x86/ARM/MIPS. It can generate indented pseudo-code with colored syntax.

2.89K
302
1y 9m
GPL-3.0

Official repository for Pyew.

315
91
1y 91d
GPL-2.0

Python scriptable Reverse Engineering Sandbox, a Virtual Machine instrumentation and inspection framework based on QEMU

1.42K
235
4m
GPL-2.0
30
7
95d
n/a

ROPMEMU is a framework to analyze, dissect and decompile complex code-reuse attacks.

268
46
4y 6m
LGPL-2.1

Imports Reconstructor

564
154
1y 11m
GPL-3.0

Advanced usermode anti-anti-debugger. Forked from https://bitbucket.org/NtQuery/scyllahide

1.77K
199
87d
GPL-3.0

Sublime Malware Research Tool

57
13
4y 11m
n/a

A machine learning tool that ranks strings based on their relevance for malware analysis.

432
72
3d
Apache-2.0

Disassembler Library for x86 and x86-64

744
250
5y 11m
BSD-2-Clause
632
144
94d
n/a

Binary analysis framework.

Free-of-charge standalone tool based on ReSharper's bundled decompiler. It can reliably decompile any .NET assembly into equivalent C# or IL code. It can create Visual Studio solutions based on the original binary files in a straight-forward way. [Proprietary] [Free]

The macOS and Linux Disassembler.

ILSpy is the open-source .NET assembly browser and decompiler.

DSL for file formats / network protocols /

LIEF provides a cross-platform library

Dynamic analysis for Linux executables.

An assembly-level debugger for Windows

Perform static analysis of Windows

A Professional PE file Explorer for

Discover which program has a particular file or directory open. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

Excellent full blown task manager.

A Sysinternals tool that shows real-time file system, Registry, network and process/thread activity. [Freeware]

Reverse engineering framework, with

Retargetable machine-code decompiler with an

A dynamic binary analysis (DBA) framework.

Multipurpose debugger for the Microsoft Windows operating system, used to debug user-mode applications, device drivers, and kernel-mode memory dumps.

Network

Integrating Bro into YARA

30
4
5y 12m
n/a

Malicious HTTP traffic explorer

645
162
64d
GPL-3.0

Protocol Analysis/Decoder Framework

437
105
1y 8m
n/a

[Suspended] FakeNet-NG - Next Generation Dynamic Network Analysis Tool

1.17K
261
24d
Apache-2.0

Botnet command & control monitor

145
60
3y 48d
n/a

Replay HTTP and HTTPS requests from a PCAP based on TLS Master Secrets.

70
25
10m
n/a

Laika BOSS: Object Scanning System

677
153
2y 86d
Apache-2.0

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.

35
4
30d
n/a

Malcom - Malware Communications Analyzer

979
206
3y 7d
n/a

Malicious traffic detection system

3.8K
730
1d
MIT

Arkime (formerly Moloch) is an open source, large scale, full packet capturing, indexing, and database system.

4.5K
845
1d
n/a

ngrep is like GNU grep applied to the network layer. It's a PCAP-based tool that allows you to specify an extended regular or hexadecimal expression to match against data payloads of packets. It understands many kinds of protocols, including IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw, across a wide variety of interface types, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

528
74
1y 10m
n/a

Visualize network topologies and collect graph statistics based on pcap files

236
57
10m
n/a

An ICAP server with a YARA scanner for URLs and content.

47
13
3y 9m
n/a

Analyze web-based network traffic to detect central command and control servers

71
24
2y 5m
n/a

Bro

Protocol analyzer that operates at incredible

Web-based tool for packet analysis

The free web debugging proxy for any browser, system or platform

An open source security oriented

Network service emulation, useful when

Interactive intercepting HTTP proxy for penetration testers and software developers. [Open-Source Software] [Freeware]

Packet analyzer for network traffic capture.

Track and reassemble TCP streams

Extract files from network

A network protocol analyzer. [Open-Source Software] [Freeware]

Memory Forensics

Differential Analysis of Malware in Memory

176
51
3y 7m
GPL-2.0

Web interface for the Volatility Memory Forensics Framework

237
38
3y 15d
n/a

inVtero.net: A high speed (Gbps) forensics, memory integrity and assurance tool. Includes offensive and defensive memory capabilities. Find/extract processes and hypervisors (including nested) in memory dumps using microarchitecture-independent Virtual Machine Introspection techniques

228
54
3y 10d
AGPL-3.0

A short and small memory forensics helper.

41
7
3y 49d
n/a

Based on the Volatility framework, this script will run various plugins as well as create a timeline, or use YARA/ClamAV/VirusTotal to find badness.

44
8
7y 74d
n/a

VolDiff: Malware Memory Footprint Analysis based on Volatility

175
49
3y 85d
BSD-2-Clause

An advanced memory forensics framework

4.15K
884
111d
GPL-2.0

Web App for Volatility framework

316
82
3y 10m
GPL-3.0

WinDBG Anti-RootKit Extension

432
155
2y 9m
n/a

Memory analysis framework,

Windows Artifacts

Windows Live Artifacts Acquisition Script

141
27
119d
GPL-2.0

Pure Python parser for classic Windows Event Log files (.evt)

29
9
5y 61d
Apache-2.0

Storage and Workflow

An Open Source Malware Analysis Pipeline System

134
51
8m
n/a

A warehouse for your malware

114
42
7y 7m
n/a

Collaborative malware analysis framework

298
53
2y 8m
n/a

Collaborative Research Into Threats, a

Distributed content analysis

A binary management and analysis framework for

Miscellaneous

Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.

2.62K
693
38d
GPL-2.0

Cryptographic Dataset Generation & Modelling Framework

21
10
8m
Apache-2.0
2.21K
378
4m
Apache-2.0

Malware exploits

460
196
1y 98d
n/a

A simple tool to organise large malicious/benign files into an organised structure.

10
4
2y 78d
MIT

Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.

1.61K
321
1y 9m
GPL-3.0

Based on Debian.

Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.

Linux distribution for mobile

Books

Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware

Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercrime, and IoT attacks

Mastering Reverse Engineering: Re-engineer your ethical hacking skills

Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats

Other

Related Awesome Lists

A collection of android security related resources

5.01K
1.19K
50d
Apache-2.0

A curated list of resources for learning about application security

4.34K
529
1y 115d
MIT

A curated list of CTF frameworks, libraries, resources and software

5.21K
1.05K
6m
CC0-1.0

A curated list of awesome forensic analysis tools and resources

1.31K
300
14d
CC0-1.0

A curated list of awesome Hacking tutorials, tools and resources

6.58K
1.17K
30d
MIT

an awesome list of honeypot resources

4.6K
869
46d
Artistic-2.0

A curated list of resources related to Industrial Control System (ICS) security.

792
298
4m
Apache-2.0

A curated list of tools for incident response

3.85K
959
36d
Apache-2.0

A curated list of awesome infosec courses and training resources.

3.16K
590
6m
n/a

A collection of tools developed by other researchers in the Computer Science area to process network traces. All rights reserved for the original authors.

2.07K
367
6m
n/a

A collection of awesome penetration testing resources, tools and other shiny things

13.16K
3.4K
44d
n/a

A collection of awesome software, libraries, documents, books, resources and cool stuff about security.

6.29K
1.2K
16d
MIT

A curated list of Awesome Threat Intelligence resources

3.92K
903
65d
Apache-2.0

A curated list of awesome YARA rules, tools, and people.

1.25K
218
4d
n/a