Your first time on this page? Allow me to give some explanations.
Awesome Malware Analysis
Defund the Police.
Here you can see meta information about this topic like the time we last updated this page, the original creator of the awesome list and a link to the original GitHub repository.
Thank you rshipp & contributors
View Topic on GitHub:
Search for resources by name or description.
Simply type in what you are looking for and the results will be filtered on the fly.
Further filter the resources on this page by type (repository/other resource), number of stars on GitHub and time of last commit in months.
OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.
Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io
Home of the dionaea honeypot
Web Application Honeypot
Advanced Honeypot framework.
Modern Honey Network
Normalizer for honeypot data.
Python low-interaction honeyclient
Ragpicker is a Plugin based malware crawler with pre-analysis and reporting functionalities. Use this tool if you are testing antivirus products, collecting malware for another analyzer/zoo.
A repository of LIVE malwares for your own joy and pleasure. theZoo is a project created to make the possibility of malware analysis open and available to the public.
NOT MY CODE! Zeus trojan horse - leaked in 2011, I am not the author. This repository is for study purposes only, do not message me about your lame hacking attempts.
Malware samples collection and analysis.
Evergrowing searchable corpus of malicious Microsoft documents.
A framework for receiving and redistributing abuse feeds
Tool to gather Threat Intelligence indicators from publicly available sources
A modular Python application to pull intelligence about malicious files
A modular Python application to collect intelligence for malicious hosts.
Defanged Indicator of Compromise (IOC) Extractor.
Malware/IOC ingestion and processing engine
DEPRECATED - USE v3 (bearded-avenger)
MISP (core software) - Open Source Threat Intelligence and Sharing Platform (formely known as Malware Information Sharing Platform)
Python OpenIOC Editor
Aggregates security threats from a number of online sources, and outputs to Syslog CEF, Snort Signatures, Iptables rules, hosts.deny, etc.
Extract and aggregate threat intelligence.
ThreatTracker is a Python script designed to monitor and generate alerts on given sets of indicators of compromise (IOCs) indexed by a set of Google Custom Search Engines.
Threat Intelligence Quotient Test - Dataviz and Statistical Analysis of TI feeds
Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
FireEye Publicly Shared Indicators of Compromise (IOCs)
Honeynet Project generic authenticated datafeed protocol
Repository of yara rules
Your Everyday Threat Intelligence
AutoShun is a Snort plugin that allows you to send your Snort IDS logs to a centralized server that will correlate attacks from your sensor logs with other snort sensors, honeypots, and mail filters from around the world.
Community driven honeypot sensor data collection and aggregation.
Continuous aggregation of IOCs from a variety of open reputation sources.
Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter.
SystemLookup hosts a collection of lists that provide information on
Detection and Classification
Wraps around various tools and provides some additional checks/information to produce a centralized report of a PE file.
BinaryAlert: Serverless, Real-time & Retroactive Malware Detection.
The FLARE team's open-source tool to identify capabilities in executable files.
Program for determining types of files for Windows, Linux and MacOS.
File Scanning Framework
Automated static analysis tools for binary programs
A Single Library Parser to extract meta information,static analysis and detect macros within the files.
HashCheck Shell Extension for Windows with added SHA2, SHA3, and multithreading; originally from code.kliu.org
Loki - Simple IOC and Incident Response Scanner
Malware Analysis Tool using Function Level Fuzzy Hashing
A static analyzer for PE executables.
Malware static analysis framework
Modular file scanning/analysis framework
Linker/Compiler/Tool detector for Windows, Linux and MacOS.
Checks with NSRL RDS servers looking for for hash matches
PEframe is a open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
Java library to analyse Portable Executable files with a special focus on malware analysis and PE malformation robustness
Android Malware (Analysis | Scoring System)
yarGen is a generator for YARA rules
Simple tool to find the yara matches on a file
Online Scanners and Sandboxes
Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant
Modified edition of cuckoo
A Python library to interface with a cuckoo-modified instance
The Multiplatform Linux Sandbox
DRAKVUF Black-box Binary Analysis
HaboMalHunter is a sub-project of Habo Malware Analysis System (https://habo.qq.com), which can be used for automated malware analysis and security assessment on the Linux system.
Limon is a sandbox developed as a research project written in python, which automatically collects, analyzes, and reports on the run time indicators of Linux malware. It allows one to inspect Linux malware before execution, during execution, and after execution (post-mortem analysis) by performing static, dynamic and memory analysis using open source tools
A Tool for Automatic Analysis of Malware Behavior
VirusTotal Wanna Be - Now with 100% more Hipster
A Python RESTful API framework for online malware analysis and threat intelligence services.
Noriben - Portable, Simple, Malware Analysis Sandbox
Randomly changes Win32/64 PE Files for 'safer' uploading to malware and sandbox sites.
Minimal, consistent Python API for building integrations with malware sandboxes.
Sandboxed Execution Environment
A Python library and command line tools to provide interactive log visualization.
Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.
A tool designed for consistent and safe capture of off network web resources.
Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation
Searches various online resources to try and get as much info about an IP/domain as possible.
Machinae Security Intelligence Collector
Cross-language temporary (disposable/throwaway) email detection library. Covers 33600 fake email providers.
A set of Maltego transforms for VirusTotal Public API v2.0. This set has the added functionality of caching queries on a daily basis to speed up resolutions.
Phishing Statistics with search for IP, domain and website title.
Spyse is an OSINT search engine that provides fresh data about the entire web. All the data is stored in its own DB for instant access and interconnected with each other for flexible search.
A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
Parses Java Cache IDX files
Automatically exported from code.google.com/p/jsunpack-n
Java decompiler, assembler, and disassembler
Robust ABC (ActionScript Bytecode) [Dis-]Assembler
Documents and Shellcode
Tool to help analyze PDF files
Builds json representation of PDF malware sample
Lite version of PDF X-RAY that uses no backend
Upload common malware lures for Deep File Inspection and heuristical analysis.
This is the development tree. For downloads please see:
EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.
Hachoir is a Python library to view and edit a binary stream field by field
Scalpel is an open source data carving tool.
Sample staging & detonation utility to be used in combination with Cuckoo Sandbox.
.NET deobfuscator and unpacker.
FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Tool to help guess a files 256 byte XOR key by using frequency analysis
C++ application that uses memory and code hooks to detect packers
A cross-version Python bytecode decompiler
Automatic and platform-independent unpacker for Windows binaries based on emulation
Automated malware unpacker
unXOR will search a XORed file and try to guess the key using known-plaintext attacks.
Reverse engineering tool for virtualization wrappers
A tool to analyze multi-byte xor cipher
Debugging and Reverse Engineering
A powerful and user-friendly binary analysis platform!
Identifies and extracts information from bots and other malware
Binary Analysis Platform
BARF : A multiplatform open source Binary Analysis and Reverse engineering Framework
BinNavi is a binary analysis IDE that allows to inspect, navigate, edit and annotate control flow graphs and call graphs of disassembled code.
Firmware Analysis Tool
BluePill: Neutralizing Anti-Analysis Behavior in Malware Dissection (Black Hat Europe 2019, TIFS 2020)
Capstone disassembly/disassembler framework: Core (Arm, Arm64, BPF, EVM, M68K, M680X, MOS65xx, Mips, PPC, RISCV, Sparc, SystemZ, TMS320C64x, Web Assembly, X86, X86_64, XCore) + bindings.
Web based code browser using clang to provide basic code analysis.
Free and Open Source Reverse Engineering Platform powered by rizin
DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. This is also the home of the DroidScope dynamic Android malware analysis platform. DroidScope is now an extension to DECAF.
.NET debugger and assembly editor
A modern tool for the Windows kernel exploration and tracing
GEF - GDB Enhanced Features for exploit devs & reversers
Ghidra is a software reverse engineering (SRE) framework
hackers-grep is a utility to search for strings in PE executables including imports, exports, and debug symbols
Interactive Delphi Reconstructor
Deprecated repo for PANDA 1.0 – see PANDA 2.0 repository
PEDA - Python Exploit Development Assistance for GDB
Automated static analysis tools for binary programs
Plasma is an interactive disassembler for x86/ARM/MIPS. It can generates indented pseudo-code with colored syntax.
Official repository for Pyew.
Python scriptable Reverse Engineering Sandbox, a Virtual Machine instrumentation and inspection framework based on QEMU
ROPMEMU is a framework to analyze, dissect and decompile complex code-reuse attacks.
Advanced usermode anti-anti-debugger. Forked from https://bitbucket.org/NtQuery/scyllahide
Sublime Malware Research Tool
A machine learning tool that ranks strings based on their relevance for malware analysis.
Disassembler Library for x86 and x86-64
Free-of-charge standalone tool based on ReSharper's bundled decompiler. It can reliably decompile any .NET assembly into equivalent C# or IL code. It can create Visual Studio solutions based on the original binary files in a straight-forward way. [Proprietary] [Free]
Discover which program has a particular file or directory open. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
A sysinternal tool shows real-time file system, Registry, network and process/thread activity. ![Freeware][freeware icon]
integrating bro into yara
Malicious HTTP traffic explorer
Protocol Analysis/Decoder Framework
[Suspended] FakeNet-NG - Next Generation Dynamic Network Analysis Tool
Botnet command & control monitor
Replay HTTP and HTTPS requests from a PCAP based on TLS Master Secrets.
Laika BOSS: Object Scanning System
Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
Malcom - Malware Communications Analyzer
Malicious traffic detection system
Arkime (formerly Moloch) is an open source, large scale, full packet capturing, indexing, and database system.
ngrep is like GNU grep applied to the network layer. It's a PCAP-based tool that allows you to specify an extended regular or hexadecimal expression to match against data payloads of packets. It understands many kinds of protocols, including IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw, across a wide variety of interface types, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
Visualize network topologies and collect graph statistics based on pcap files
An ICAP Server with yara scanner for URL and content.
analyze a web-based network traffic 🕶 to detect central command and control servers
The free web debugging proxy for any browser, system or platform
Interactive intercepting HTTP proxy for penetration testers and software developers. ![Open-Source Software][OSS Icon] ![Freeware][Freeware Icon]
Differential Analysis of Malware in Memory
Web interface for the Volatility Memory Forensics Framework
inVtero.net: A high speed (Gbps) Forensics, Memory integrity & assurance. Includes offensive & defensive memory capabilities. Find/Extract processes, hypervisors (including nested) in memory dumps using microarchitechture independent Virtual Machiene Introspection techniques
A short and small memory forensics helper.
Based on the Volatility framework, this script will run various plugins as well as create a timeline, or use YARA/ClamAV/VirusTotal to find badness.
VolDiff: Malware Memory Footprint Analysis based on Volatility
An advanced memory forensics framework
Web App for Volatility framework
WinDBG Anti-RootKit Extension
Windows Live Artifacts Acquisition Script
Pure Python parser for classic Windows Event Log files (.evt)
Storage and Workflow
An Open Source Malware Analysis Pipeline System
A warehouse for your malware
Collaborative malware analysis framework
Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
Cryptographic Dataset Generation & Modelling Framework
A simple tool to organise large malicious/benign files into a organised Structure.
Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.
Learning Malware Analysis: Explore the concepts, tools, and techniques to analuze and investigate Windows malware
Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercime, and IoT attacks
Mastering Reverse Engineering: Re-engineer your ethical hacking skills
Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
Collection of malware persistence and hunting information. Be a persistent persistence hunter!
Course materials for Malware Analysis by RPISEC
Windows registry file format specification
Related Awesome Lists
A collection of android security related resources
A curated list of resources for learning about application security
A curated list of CTF frameworks, libraries, resources and softwares
A curated list of awesome forensic analysis tools and resources
A curated list of awesome Hacking tutorials, tools and resources
an awesome list of honeypot resources
A curated list of resources related to Industrial Control System (ICS) security.
A curated list of tools for incident response
A curated list of awesome infosec courses and training resources.
A collection of tools developed by other researchers in the Computer Science area to process network traces. All the right reserved for the original authors.
A collection of awesome penetration testing resources, tools and other shiny things
A collection of awesome software, libraries, documents, books, resources and cools stuffs about security.
A curated list of Awesome Threat Intelligence resources
A curated list of awesome YARA rules, tools, and people.