awesome-awesomeness/html/malwareanalysis.html

<h1 id="awesome-malware-analysis-awesome">Awesome Malware Analysis <a
href="https://github.com/sindresorhus/awesome"><img
src="https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg"
alt="Awesome" /></a></h1>
<p>A curated list of awesome malware analysis tools and resources.
Inspired by <a
href="https://github.com/vinta/awesome-python">awesome-python</a> and <a
href="https://github.com/ziadoz/awesome-php">awesome-php</a>.</p>
<p><a
href="https://twitter.com/githubbers/status/1182017616740663296"><img
src="drop.png" alt="Drop ICE" /></a></p>
<ul>
<li><a href="#malware-collection">Malware Collection</a>
<ul>
<li><a href="#anonymizers">Anonymizers</a></li>
<li><a href="#honeypots">Honeypots</a></li>
<li><a href="#malware-corpora">Malware Corpora</a></li>
</ul></li>
<li><a href="#open-source-threat-intelligence">Open Source Threat
Intelligence</a>
<ul>
<li><a href="#tools">Tools</a></li>
<li><a href="#other-resources">Other Resources</a></li>
</ul></li>
<li><a href="#detection-and-classification">Detection and
Classification</a></li>
<li><a href="#online-scanners-and-sandboxes">Online Scanners and
Sandboxes</a></li>
<li><a href="#domain-analysis">Domain Analysis</a></li>
<li><a href="#browser-malware">Browser Malware</a></li>
<li><a href="#documents-and-shellcode">Documents and Shellcode</a></li>
<li><a href="#file-carving">File Carving</a></li>
<li><a href="#deobfuscation">Deobfuscation</a></li>
<li><a href="#debugging-and-reverse-engineering">Debugging and Reverse
Engineering</a></li>
<li><a href="#network">Network</a></li>
<li><a href="#memory-forensics">Memory Forensics</a></li>
<li><a href="#windows-artifacts">Windows Artifacts</a></li>
<li><a href="#storage-and-workflow">Storage and Workflow</a></li>
<li><a href="#miscellaneous">Miscellaneous</a></li>
<li><a href="#resources">Resources</a>
<ul>
<li><a href="#books">Books</a></li>
<li><a href="#other">Other</a></li>
</ul></li>
<li><a href="#related-awesome-lists">Related Awesome Lists</a></li>
<li><a href="#contributing">Contributing</a></li>
<li><a href="#thanks">Thanks</a></li>
</ul>
<p>View Chinese translation: <a
href="恶意软件分析大合集.md">恶意软件分析大合集.md</a>.</p>
<hr />
<h2 id="malware-collection">Malware Collection</h2>
<h3 id="anonymizers">Anonymizers</h3>
<p><em>Web traffic anonymizers for analysts.</em></p>
<ul>
<li><a href="http://anonymouse.org/">Anonymouse.org</a> - A free, web
based anonymizer.</li>
<li><a href="https://openvpn.net/">OpenVPN</a> - VPN software and
hosting solutions.</li>
<li><a href="http://www.privoxy.org/">Privoxy</a> - An open source proxy
server with some privacy features.</li>
<li><a href="https://www.torproject.org/">Tor</a> - The Onion Router,
for browsing the web without leaving traces of the client IP.</li>
</ul>
<h3 id="honeypots">Honeypots</h3>
<p><em>Trap and collect your own samples.</em></p>
<ul>
<li><a href="https://github.com/mushorg/conpot">Conpot</a> - ICS/SCADA
honeypot.</li>
<li><a href="https://github.com/micheloosterhof/cowrie">Cowrie</a> - SSH
honeypot, based on Kippo.</li>
<li><a
href="https://github.com/RevengeComing/DemonHunter">DemoHunter</a> - Low
interaction Distributed Honeypots.</li>
<li><a href="https://github.com/DinoTools/dionaea">Dionaea</a> -
Honeypot designed to trap malware.</li>
<li><a href="https://github.com/mushorg/glastopf">Glastopf</a> - Web
application honeypot.</li>
<li><a href="http://www.honeyd.org/">Honeyd</a> - Create a virtual
honeynet.</li>
<li><a href="http://bruteforcelab.com/honeydrive">HoneyDrive</a> -
Honeypot bundle Linux distro.</li>
<li><a href="https://github.com/honeytrap/honeytrap">Honeytrap</a> -
Opensource system for running, monitoring and managing honeypots.</li>
<li><a href="https://github.com/pwnlandia/mhn">MHN</a> - MHN is a
centralized server for management and data collection of honeypots. MHN
allows you to deploy sensors quickly and to collect data immediately,
viewable from a neat web interface.</li>
<li><a href="https://github.com/johnnykv/mnemosyne">Mnemosyne</a> - A
normalizer for honeypot data; supports Dionaea.</li>
<li><a href="https://github.com/buffer/thug">Thug</a> - Low interaction
honeyclient, for investigating malicious websites.</li>
</ul>
<h3 id="malware-corpora">Malware Corpora</h3>
<p><em>Malware samples collected for analysis.</em></p>
<ul>
<li><a href="http://support.clean-mx.de/clean-mx/viruses.php">Clean
MX</a> - Realtime database of malware and malicious domains.</li>
<li><a href="http://contagiodump.blogspot.com/">Contagio</a> - A
collection of recent malware samples and analyses.</li>
<li><a href="https://www.exploit-db.com/">Exploit Database</a> - Exploit
and shellcode samples.</li>
<li><a href="https://infosec.cert-pa.it/analyze/submission.html">Infosec
- CERT-PA</a> - Malware samples collection and analysis.</li>
<li><a href="https://labs.inquest.net">InQuest Labs</a> - Evergrowing
searchable corpus of malicious Microsoft documents.</li>
<li><a
href="https://github.com/HynekPetrak/javascript-malware-collection">Javascript
Mallware Collection</a> - Collection of almost 40.000 javascript malware
samples</li>
<li><a href="https://malpedia.caad.fkie.fraunhofer.de/">Malpedia</a> - A
resource providing rapid identification and actionable context for
malware investigations.</li>
<li><a href="https://malshare.com">Malshare</a> - Large repository of
malware actively scrapped from malicious sites.</li>
<li><a href="http://openmalware.org/">Open Malware Project</a> - Sample
information and downloads. Formerly Offensive Computing.</li>
<li><a href="https://github.com/robbyFux/Ragpicker">Ragpicker</a> -
Plugin based malware crawler with pre-analysis and reporting
functionalities</li>
<li><a href="https://github.com/ytisf/theZoo">theZoo</a> - Live malware
samples for analysts.</li>
<li><a href="http://tracker.h3x.eu/">Tracker h3x</a> - Agregator for
malware corpus tracker and malicious download sites.</li>
<li><a href="https://github.com/vduddu/Malware">vduddu malware repo</a>
- Collection of various malware files and source code.</li>
<li><a href="https://beta.virusbay.io/">VirusBay</a> - Community-Based
malware repository and social network.</li>
<li><a href="http://www.virussign.com/">ViruSign</a> - Malware database
that detected by many anti malware programs except ClamAV.</li>
<li><a href="https://virusshare.com/">VirusShare</a> - Malware
repository, registration required.</li>
<li><a href="http://vxvault.net">VX Vault</a> - Active collection of
malware samples.</li>
<li><a href="https://zeltser.com/malware-sample-sources/">Zeltser’s
Sources</a> - A list of malware sample sources put together by Lenny
Zeltser.</li>
<li><a href="https://github.com/Visgean/Zeus">Zeus Source Code</a> -
Source for the Zeus trojan leaked in 2011.</li>
<li><a href="http://vx-underground.org/">VX Underground</a> - Massive
and growing collection of free malware samples.</li>
</ul>
<h2 id="open-source-threat-intelligence">Open Source Threat
Intelligence</h2>
<h3 id="tools">Tools</h3>
<p><em>Harvest and analyze IOCs.</em></p>
<ul>
<li><a href="https://github.com/abusesa/abusehelper">AbuseHelper</a> -
An open-source framework for receiving and redistributing abuse feeds
and threat intel.</li>
<li><a href="https://otx.alienvault.com/">AlienVault Open Threat
Exchange</a> - Share and collaborate in developing Threat
Intelligence.</li>
<li><a href="https://github.com/mlsecproject/combine">Combine</a> - Tool
to gather Threat Intelligence indicators from publicly available
sources.</li>
<li><a href="https://github.com/keithjjones/fileintel">Fileintel</a> -
Pull intelligence per file hash.</li>
<li><a href="https://github.com/keithjjones/hostintel">Hostintel</a> -
Pull intelligence per host.</li>
<li><a
href="https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/incident-handling-automation">IntelMQ</a>
- A tool for CERTs for processing incident data using a message
queue.</li>
<li><a
href="https://www.fireeye.com/services/freeware/ioc-editor.html">IOC
Editor</a> - A free editor for XML IOC files.</li>
<li><a
href="https://github.com/InQuest/python-iocextract">iocextract</a> -
Advanced Indicator of Compromise (IOC) extractor, Python library and
command-line tool.</li>
<li><a href="https://github.com/mandiant/ioc_writer">ioc_writer</a> -
Python library for working with OpenIOC objects, from Mandiant.</li>
<li><a href="https://github.com/silascutler/MalPipe">MalPipe</a> -
Malware/IOC ingestion and processing engine, that enriches collected
data.</li>
<li><a href="https://github.com/csirtgadgets/massive-octo-spice">Massive
Octo Spice</a> - Previously known as CIF (Collective Intelligence
Framework). Aggregates IOCs from various lists. Curated by the <a
href="http://csirtgadgets.org/collective-intelligence-framework">CSIRT
Gadgets Foundation</a>.</li>
<li><a href="https://github.com/MISP/MISP">MISP</a> - Malware
Information Sharing Platform curated by <a
href="http://www.misp-project.org/">The MISP Project</a>.</li>
<li><a href="https://pulsedive.com">Pulsedive</a> - Free,
community-driven threat intelligence platform collecting IOCs from
open-source feeds.</li>
<li><a href="https://github.com/pidydx/PyIOCe">PyIOCe</a> - A Python
OpenIOC editor.</li>
<li><a href="https://community.riskiq.com/">RiskIQ</a> - Research,
connect, tag and share IPs and domains. (Was PassiveTotal.)</li>
<li><a
href="https://github.com/jpsenior/threataggregator">threataggregator</a>
- Aggregates security threats from a number of sources, including some
of those listed below in <a href="#other-resources">other
resources</a>.</li>
<li><a href="https://threatconnect.com/free/">ThreatConnect</a> - TC
Open allows you to see and share open source threat data, with support
and validation from our free community.</li>
<li><a href="https://www.threatcrowd.org/">ThreatCrowd</a> - A search
engine for threats, with graphical visualization.</li>
<li><a
href="https://github.com/InQuest/ThreatIngestor/">ThreatIngestor</a> -
Build automated threat intel pipelines sourcing from Twitter, RSS,
GitHub, and more.</li>
<li><a
href="https://github.com/michael-yip/ThreatTracker">ThreatTracker</a> -
A Python script to monitor and generate alerts based on IOCs indexed by
a set of Google Custom Search Engines.</li>
<li><a href="https://github.com/mlsecproject/tiq-test">TIQ-test</a> -
Data visualization and statistical analysis of Threat Intelligence
feeds.</li>
</ul>
<h3 id="other-resources">Other Resources</h3>
<p><em>Threat intelligence and IOC resources.</em></p>
<ul>
<li><a href="https://www.autoshun.org/">Autoshun</a> (<a
href="https://www.autoshun.org/files/shunlist.csv">list</a>) - Snort
plugin and blocklist.</li>
<li><a href="http://osint.bambenekconsulting.com/feeds/">Bambenek
Consulting Feeds</a> - OSINT feeds based on malicious DGA
algorithms.</li>
<li><a
href="https://www.fidelissecurity.com/resources/fidelis-barncat">Fidelis
Barncat</a> - Extensive malware config database (must request
access).</li>
<li><a href="http://cinsscore.com/">CI Army</a> (<a
href="http://cinsscore.com/list/ci-badguys.txt">list</a>) - Network
security blocklists.</li>
<li><a href="https://intel.criticalstack.com">Critical Stack- Free Intel
Market</a> - Free intel aggregator with deduplication featuring 90+
feeds and over 1.2M indicators.</li>
<li><a href="http://cybercrime-tracker.net/">Cybercrime tracker</a> -
Multiple botnet active tracker.</li>
<li><a href="https://github.com/fireeye/iocs">FireEye IOCs</a> -
Indicators of Compromise shared publicly by FireEye.</li>
<li><a href="https://iplists.firehol.org/">FireHOL IP Lists</a> -
Analytics for 350+ IP lists with a focus on attacks, malware and abuse.
Evolution, Changes History, Country Maps, Age of IPs listed, Retention
Policy, Overlaps.</li>
<li><a href="https://riskdiscovery.com/honeydb">HoneyDB</a> - Community
driven honeypot sensor data collection and aggregation.</li>
<li><a href="https://github.com/rep/hpfeeds">hpfeeds</a> - Honeypot feed
protocol.</li>
<li><a href="https://infosec.cert-pa.it/analyze/statistics.html">Infosec
- CERT-PA lists</a> (<a
href="https://infosec.cert-pa.it/analyze/listip.txt">IPs</a> - <a
href="https://infosec.cert-pa.it/analyze/listdomains.txt">Domains</a> -
<a href="https://infosec.cert-pa.it/analyze/listurls.txt">URLs</a>) -
Blocklist service.</li>
<li><a href="https://labs.inquest.net/repdb">InQuest REPdb</a> -
Continuous aggregation of IOCs from a variety of open reputation
sources.</li>
<li><a href="https://labs.inquest.net/iocdb">InQuest IOCdb</a> -
Continuous aggregation of IOCs from a variety of blogs, Github repos,
and Twitter.</li>
<li><a href="https://isc.sans.edu/">Internet Storm Center (DShield)</a>
- Diary and searchable incident database, with a web <a
href="https://dshield.org/api/">API</a>. (<a
href="https://github.com/rshipp/python-dshield">unofficial Python
library</a>).</li>
<li><a href="http://malc0de.com/database/">malc0de</a> - Searchable
incident database.</li>
<li><a href="http://www.malwaredomainlist.com/">Malware Domain List</a>
- Search and share malicious URLs.</li>
<li><a
href="https://www.opswat.com/developers/threat-intelligence-feed">MetaDefender
Threat Intelligence Feed</a> - List of the most looked up file hashes
from MetaDefender Cloud.</li>
<li><a href="https://www.fireeye.com/services/freeware.html">OpenIOC</a>
- Framework for sharing threat intelligence.</li>
<li><a
href="https://www.proofpoint.com/us/products/et-intelligence">Proofpoint
Threat Intelligence</a> - Rulesets and more. (Formerly Emerging
Threats.)</li>
<li><a
href="https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml">Ransomware
overview</a> - A list of ransomware overview with details, detection and
prevention.</li>
<li><a href="http://stixproject.github.io">STIX - Structured Threat
Information eXpression</a> - Standardized language to represent and
share cyber threat information. Related efforts from <a
href="https://www.mitre.org/">MITRE</a>:
<ul>
<li><a href="http://capec.mitre.org/">CAPEC - Common Attack Pattern
Enumeration and Classification</a></li>
<li><a href="http://cyboxproject.github.io">CybOX - Cyber Observables
eXpression</a></li>
<li><a href="http://maec.mitre.org/">MAEC - Malware Attribute
Enumeration and Characterization</a></li>
<li><a href="http://taxiiproject.github.io">TAXII - Trusted Automated
eXchange of Indicator Information</a></li>
</ul></li>
<li><a href="https://www.systemlookup.com/">SystemLookup</a> -
SystemLookup hosts a collection of lists that provide information on the
components of legitimate and potentially unwanted programs.</li>
<li><a href="https://www.threatminer.org/">ThreatMiner</a> - Data mining
portal for threat intelligence, with search.</li>
<li><a href="https://threatrecon.co/">threatRECON</a> - Search for
indicators, up to 1000 free per month.</li>
<li><a href="https://threatshare.io/">ThreatShare</a> - C2 panel
tracker</li>
<li><a href="https://github.com/Yara-Rules/rules">Yara rules</a> - Yara
rules repository.</li>
<li><a href="https://github.com/yeti-platform/yeti">YETI</a> - Yeti is a
platform meant to organize observables, indicators of compromise, TTPs,
and knowledge on threats in a single, unified repository.</li>
<li><a href="https://zeustracker.abuse.ch/blocklist.php">ZeuS
Tracker</a> - ZeuS blocklists.</li>
</ul>
<h2 id="detection-and-classification">Detection and Classification</h2>
<p><em>Antivirus and other malware identification tools</em></p>
<ul>
<li><a href="https://github.com/hiddenillusion/AnalyzePE">AnalyzePE</a>
- Wrapper for a variety of tools for reporting on Windows PE files.</li>
<li><a
href="https://cybercentrecanada.github.io/assemblyline4_docs/">Assemblyline</a>
- A scalable file triage and malware analysis system integrating the
cyber security community’s best tools..</li>
<li><a href="https://github.com/airbnb/binaryalert">BinaryAlert</a> - An
open source, serverless AWS pipeline that scans and alerts on uploaded
files based on a set of YARA rules.</li>
<li><a href="https://github.com/fireeye/capa">capa</a> - Detects
capabilities in executable files.</li>
<li><a href="http://www.chkrootkit.org/">chkrootkit</a> - Local Linux
rootkit detection.</li>
<li><a href="http://www.clamav.net/">ClamAV</a> - Open source antivirus
engine.</li>
<li><a href="https://github.com/horsicq/Detect-It-Easy">Detect It
Easy(DiE)</a> - A program for determining types of files.</li>
<li><a href="http://exeinfo.pe.hu/">Exeinfo PE</a> - Packer, compressor
detector, unpack info, internal exe tools.</li>
<li><a href="https://sno.phy.queensu.ca/~phil/exiftool/">ExifTool</a> -
Read, write and edit file metadata.</li>
<li><a href="https://github.com/EmersonElectricCo/fsf">File Scanning
Framework</a> - Modular, recursive file scanning solution.</li>
<li><a href="https://github.com/cmu-sei/pharos">fn2yara</a> - FN2Yara is
a tool to generate Yara signatures for matching functions (code) in an
executable program.</li>
<li><a href="https://github.com/uppusaikiran/generic-parser">Generic
File Parser</a> - A Single Library Parser to extract meta
information,static analysis and detect macros within the files.</li>
<li><a href="https://github.com/jessek/hashdeep">hashdeep</a> - Compute
digest hashes with a variety of algorithms.</li>
<li><a href="https://github.com/gurnec/HashCheck">HashCheck</a> -
Windows shell extension to compute hashes with a variety of
algorithms.</li>
<li><a href="https://github.com/Neo23x0/Loki">Loki</a> - Host based
scanner for IOCs.</li>
<li><a href="https://github.com/Dynetics/Malfunction">Malfunction</a> -
Catalog and compare malware at a function level.</li>
<li><a href="https://github.com/JusticeRage/Manalyze">Manalyze</a> -
Static analyzer for PE executables.</li>
<li><a href="https://github.com/KoreLogicSecurity/mastiff">MASTIFF</a> -
Static analysis framework.</li>
<li><a href="https://github.com/mitre/multiscanner">MultiScanner</a> -
Modular file scanning/analysis framework</li>
<li><a href="https://github.com/horsicq/Nauz-File-Detector">Nauz File
Detector(NFD)</a> - Linker/Compiler/Tool detector for Windows, Linux and
MacOS.</li>
<li><a href="https://github.com/rjhansen/nsrllookup">nsrllookup</a> - A
tool for looking up hashes in NIST’s National Software Reference Library
database.</li>
<li><a href="https://github.com/sooshie/packerid">packerid</a> - A
cross-platform Python alternative to PEiD.</li>
<li><a href="https://hshrzd.wordpress.com/pe-bear/">PE-bear</a> -
Reversing tool for PE files.</li>
<li><a href="https://github.com/guelfoweb/peframe">PEframe</a> - PEframe
is an open source tool to perform static analysis on Portable Executable
malware and malicious MS Office documents.</li>
<li><a href="http://pev.sourceforge.net/">PEV</a> - A multiplatform
toolkit to work with PE files, providing feature-rich tools for proper
analysis of suspicious binaries.</li>
<li><a href="https://github.com/katjahahn/PortEx">PortEx</a> - Java
library to analyse PE files with a special focus on malware analysis and
PE malformation robustness.</li>
<li><a
href="https://github.com/quark-engine/quark-engine">Quark-Engine</a> -
An Obfuscation-Neglect Android Malware Scoring System</li>
<li><a href="http://rkhunter.sourceforge.net/">Rootkit Hunter</a> -
Detect Linux rootkits.</li>
<li><a href="https://ssdeep-project.github.io/ssdeep/">ssdeep</a> -
Compute fuzzy hashes.</li>
<li><a
href="https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f">totalhash.py</a>
- Python script for easy searching of the <a
href="https://totalhash.cymru.com/">TotalHash.cymru.com</a>
database.</li>
<li><a href="http://mark0.net/soft-trid-e.html">TrID</a> - File
identifier.</li>
<li><a href="https://plusvic.github.io/yara/">YARA</a> - Pattern
matching tool for analysts.</li>
<li><a href="https://github.com/Neo23x0/yarGen">Yara rules generator</a>
- Generate yara rules based on a set of malware samples. Also contains a
good strings DB to avoid false positives.</li>
<li><a href="https://github.com/uppusaikiran/yara-finder">Yara
Finder</a> - A simple tool to yara match the file against various yara
rules to find the indicators of suspicion.</li>
</ul>
<h2 id="online-scanners-and-sandboxes">Online Scanners and
Sandboxes</h2>
<p><em>Web-based multi-AV scanners, and malware sandboxes for automated
analysis.</em></p>
<ul>
<li><a href="https://sandbox.anlyz.io/">anlyz.io</a> - Online
sandbox.</li>
<li><a href="https://app.any.run/">any.run</a> - Online interactive
sandbox.</li>
<li><a href="https://andrototal.org/">AndroTotal</a> - Free online
analysis of APKs against multiple mobile antivirus apps.</li>
<li><a href="https://github.com/nbeede/BoomBox">BoomBox</a> - Automatic
deployment of Cuckoo Sandbox malware lab using Packer and Vagrant.</li>
<li><a href="http://www.cryptam.com/">Cryptam</a> - Analyze suspicious
office documents.</li>
<li><a href="https://cuckoosandbox.org/">Cuckoo Sandbox</a> - Open
source, self hosted sandbox and automated analysis system.</li>
<li><a
href="https://github.com/brad-accuvant/cuckoo-modified">cuckoo-modified</a>
- Modified version of Cuckoo Sandbox released under the GPL. Not merged
upstream due to legal concerns by the author.</li>
<li><a
href="https://github.com/keithjjones/cuckoo-modified-api">cuckoo-modified-api</a>
- A Python API used to control a cuckoo-modified sandbox.</li>
<li><a href="https://www.deepviz.com/">DeepViz</a> - Multi-format file
analyzer with machine-learning classification.</li>
<li><a href="https://github.com/detuxsandbox/detux/">detux</a> - A
sandbox developed to do traffic analysis of Linux malwares and capturing
IOCs.</li>
<li><a href="https://github.com/tklengyel/drakvuf">DRAKVUF</a> - Dynamic
malware analysis system.</li>
<li><a href="http://firmware.re/">firmware.re</a> - Unpacks, scans and
analyzes almost any firmware package.</li>
<li><a href="https://github.com/Tencent/HaboMalHunter">HaboMalHunter</a>
- An Automated Malware Analysis Tool for Linux ELF Files.</li>
<li><a href="https://www.hybrid-analysis.com/">Hybrid Analysis</a> -
Online malware analysis tool, powered by VxSandbox.</li>
<li><a href="https://analyze.intezer.com">Intezer</a> - Detect, analyze,
and categorize malware by identifying code reuse and code
similarities.</li>
<li><a href="http://irma.quarkslab.com/">IRMA</a> - An asynchronous and
customizable analysis platform for suspicious files.</li>
<li><a href="https://www.joesecurity.org">Joe Sandbox</a> - Deep malware
analysis with Joe Sandbox.</li>
<li><a href="https://virusscan.jotti.org/en">Jotti</a> - Free online
multi-AV scanner.</li>
<li><a href="https://github.com/monnappa22/Limon">Limon</a> - Sandbox
for Analyzing Linux Malware.</li>
<li><a href="https://github.com/rieck/malheur">Malheur</a> - Automatic
sandboxed analysis of malware behavior.</li>
<li><a href="https://github.com/maliceio/malice">malice.io</a> -
Massively scalable malware analysis framework.</li>
<li><a href="https://github.com/diogo-fernan/malsub">malsub</a> - A
Python RESTful API framework for online malware and URL analysis
services.</li>
<li><a href="https://malwareconfig.com/">Malware config</a> - Extract,
decode and display online the configuration settings from common
malwares.</li>
<li><a href="https://malwareanalyser.io/">MalwareAnalyser.io</a> -
Online malware anomaly-based static analyser with heuristic detection
engine powered by data mining and machine learning.</li>
<li><a href="https://malwr.com/">Malwr</a> - Free analysis with an
online Cuckoo Sandbox instance.</li>
<li><a href="https://metadefender.opswat.com/">MetaDefender Cloud</a> -
Scan a file, hash, IP, URL or domain address for malware for free.</li>
<li><a href="https://www.networktotal.com/index.html">NetworkTotal</a> -
A service that analyzes pcap files and facilitates the quick detection
of viruses, worms, trojans, and all kinds of malware using Suricata
configured with EmergingThreats Pro.</li>
<li><a href="https://github.com/Rurik/Noriben">Noriben</a> - Uses
Sysinternals Procmon to collect information about malware in a sandboxed
environment.</li>
<li><a href="https://packettotal.com/">PacketTotal</a> - PacketTotal is
an online engine for analyzing .pcap files, and visualizing the network
traffic within.</li>
<li><a href="http://www.pdfexaminer.com/">PDF Examiner</a> - Analyse
suspicious PDF files.</li>
<li><a href="http://www.procdot.com">ProcDot</a> - A graphical malware
analysis tool kit.</li>
<li><a
href="https://github.com/secretsquirrel/recomposer">Recomposer</a> - A
helper script for safely uploading binaries to sandbox sites.</li>
<li><a
href="https://github.com/InQuest/python-sandboxapi">sandboxapi</a> -
Python library for building integrations with several open source and
commercial malware sandboxes.</li>
<li><a href="https://github.com/F-Secure/see">SEE</a> - Sandboxed
Execution Environment (SEE) is a framework for building test automation
in secured Environments.</li>
<li><a href="https://malware.sekoia.fr/">SEKOIA Dropper Analysis</a> -
Online dropper analysis (Js, VBScript, Microsoft Office, PDF).</li>
<li><a href="https://www.virustotal.com/">VirusTotal</a> - Free online
analysis of malware samples and URLs</li>
<li><a
href="https://github.com/keithjjones/visualize_logs">Visualize_Logs</a>
- Open source visualization library and command line tools for logs.
(Cuckoo, Procmon, more to come…)</li>
<li><a href="https://zeltser.com/automated-malware-analysis/">Zeltser’s
List</a> - Free automated sandboxes and services, compiled by Lenny
Zeltser.</li>
</ul>
<h2 id="domain-analysis">Domain Analysis</h2>
<p><em>Inspect domains and IP addresses.</em></p>
<ul>
<li><a href="https://www.abuseipdb.com/">AbuseIPDB</a> - AbuseIPDB is a
project dedicated to helping combat the spread of hackers, spammers, and
abusive activity on the internet.</li>
<li><a href="https://www.badips.com/">badips.com</a> - Community based
IP blacklist service.</li>
<li><a
href="https://github.com/EmersonElectricCo/boomerang">boomerang</a> - A
tool designed for consistent and safe capture of off network web
resources.</li>
<li><a href="https://cymon.io/">Cymon</a> - Threat intelligence tracker,
with IP/domain/hash search.</li>
<li><a href="http://desenmascara.me">Desenmascara.me</a> - One click
tool to retrieve as much metadata as possible for a website and to
assess its good standing.</li>
<li><a href="https://networking.ringofsaturn.com/">Dig</a> - Free online
dig and other network tools.</li>
<li><a href="https://github.com/elceef/dnstwist">dnstwist</a> - Domain
name permutation engine for detecting typo squatting, phishing and
corporate espionage.</li>
<li><a href="https://github.com/hiddenillusion/IPinfo">IPinfo</a> -
Gather information about an IP or domain by searching online
resources.</li>
<li><a href="https://github.com/hurricanelabs/machinae">Machinae</a> -
OSINT tool for gathering information about URLs, IPs, or hashes. Similar
to Automator.</li>
<li><a href="https://github.com/FGRibreau/mailchecker">mailchecker</a> -
Cross-language temporary email detection library.</li>
<li><a href="https://github.com/michael-yip/MaltegoVT">MaltegoVT</a> -
Maltego transform for the VirusTotal API. Allows domain/IP research, and
searching for file hashes and scan reports.</li>
<li><a href="http://multirbl.valli.org/">Multi rbl</a> - Multiple DNS
blacklist and forward confirmed reverse DNS lookup over more than 300
RBLs.</li>
<li><a href="https://services.normshield.com/">NormShield Services</a> -
Free API Services for detecting possible phishing domains, blacklisted
ip addresses and breached accounts.</li>
<li><a href="https://phishstats.info/">PhishStats</a> - Phishing
Statistics with search for IP, domain and website title</li>
<li><a href="https://spyse.com/">Spyse</a> - subdomains, whois, realted
domains, DNS, hosts AS, SSL/TLS info,</li>
<li><a href="https://securitytrails.com/">SecurityTrails</a> -
Historical and current WHOIS, historical and current DNS records,
similar domains, certificate information and other domain and IP related
API and tools.</li>
<li><a href="https://www.spamcop.net/bl.shtml">SpamCop</a> - IP based
spam block list.</li>
<li><a href="https://www.spamhaus.org/lookup/">SpamHaus</a> - Block list
based on domains and IPs.</li>
<li><a href="https://sitecheck.sucuri.net/">Sucuri SiteCheck</a> - Free
Website Malware and Security Scanner.</li>
<li><a href="https://talosintelligence.com/">Talos Intelligence</a> -
Search for IP, domain or network owner. (Previously SenderBase.)</li>
<li><a href="http://www.tekdefense.com/automater/">TekDefense
Automater</a> - OSINT tool for gathering information about URLs, IPs, or
hashes.</li>
<li><a href="https://urlhaus.abuse.ch/">URLhaus</a> - A project from
abuse.ch with the goal of sharing malicious URLs that are being used for
malware distribution.</li>
<li><a href="http://urlquery.net/">URLQuery</a> - Free URL Scanner.</li>
<li><a href="https://urlscan.io/">urlscan.io</a> - Free URL Scanner
&amp; domain information.</li>
<li><a href="https://whois.domaintools.com/">Whois</a> - DomainTools
free online whois search.</li>
<li><a href="https://zeltser.com/lookup-malicious-websites/">Zeltser’s
List</a> - Free online tools for researching malicious websites,
compiled by Lenny Zeltser.</li>
<li><a href="https://zulu.zscaler.com/#">ZScalar Zulu</a> - Zulu URL
Risk Analyzer.</li>
</ul>
<h2 id="browser-malware">Browser Malware</h2>
<p><em>Analyze malicious URLs. See also the <a
href="#domain-analysis">domain analysis</a> and <a
href="#documents-and-shellcode">documents and shellcode</a>
sections.</em></p>
<ul>
<li><a href="https://github.com/Konloch/bytecode-viewer">Bytecode
Viewer</a> - Combines multiple Java bytecode viewers and decompilers
into one tool, including APK/DEX support.</li>
<li><a href="https://getfirebug.com/">Firebug</a> - Firefox extension
for web development.</li>
<li><a href="http://jd.benow.ca/">Java Decompiler</a> - Decompile and
inspect Java apps.</li>
<li><a href="https://github.com/Rurik/Java_IDX_Parser/">Java IDX
Parser</a> - Parses Java IDX cache files.</li>
<li><a
href="http://www.relentless-coding.com/projects/jsdetox/">JSDetox</a> -
JavaScript malware analysis tool.</li>
<li><a href="https://github.com/urule99/jsunpack-n">jsunpack-n</a> - A
javascript unpacker that emulates browser functionality.</li>
<li><a href="https://github.com/Storyyeller/Krakatau">Krakatau</a> -
Java decompiler, assembler, and disassembler.</li>
<li><a href="http://malzilla.sourceforge.net/">Malzilla</a> - Analyze
malicious web pages.</li>
<li><a href="https://github.com/CyberShadow/RABCDAsm">RABCDAsm</a> - A
“Robust ActionScript Bytecode Disassembler.”</li>
<li><a href="https://labs.adobe.com/technologies/swfinvestigator/">SWF
Investigator</a> - Static and dynamic analysis of SWF applications.</li>
<li><a href="http://www.swftools.org/">swftools</a> - Tools for working
with Adobe Flash files.</li>
<li><a
href="http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html">xxxswf</a>
- A Python script for analyzing Flash files.</li>
</ul>
<h2 id="documents-and-shellcode">Documents and Shellcode</h2>
<p><em>Analyze malicious JS and shellcode from PDFs and Office
documents. See also the <a href="#browser-malware">browser malware</a>
section.</em></p>
<ul>
<li><a
href="https://github.com/hiddenillusion/AnalyzePDF">AnalyzePDF</a> - A
tool for analyzing PDFs and attempting to determine whether they are
malicious.</li>
<li><a href="https://github.com/CapacitorSet/box-js">box-js</a> - A tool
for studying JavaScript malware, featuring JScript/WScript support and
ActiveX emulation.</li>
<li><a href="http://www.ragestorm.net/distorm/">diStorm</a> -
Disassembler for analyzing malicious shellcode.</li>
<li><a href="https://labs.inquest.net/dfi">InQuest Deep File
Inspection</a> - Upload common malware lures for Deep File Inspection
and heuristical analysis.</li>
<li><a href="http://jsbeautifier.org/">JS Beautifier</a> - JavaScript
unpacking and deobfuscation.</li>
<li><a href="http://libemu.carnivore.it/">libemu</a> - Library and tools
for x86 shellcode emulation.</li>
<li><a href="https://github.com/9b/malpdfobj">malpdfobj</a> -
Deconstruct malicious PDFs into a JSON representation.</li>
<li><a
href="http://www.reconstructer.org/code.html">OfficeMalScanner</a> -
Scan for malicious traces in MS Office documents.</li>
<li><a href="http://www.decalage.info/python/olevba">olevba</a> - A
script for parsing OLE and OpenXML documents and extracting useful
information.</li>
<li><a href="https://code.google.com/archive/p/origami-pdf">Origami
PDF</a> - A tool for analyzing malicious PDFs, and more.</li>
<li><a href="https://blog.didierstevens.com/programs/pdf-tools/">PDF
Tools</a> - pdfid, pdf-parser, and more from Didier Stevens.</li>
<li><a href="https://github.com/9b/pdfxray_lite">PDF X-Ray Lite</a> - A
PDF analysis tool, the backend-free version of PDF X-RAY.</li>
<li><a
href="http://eternal-todo.com/tools/peepdf-pdf-analysis-tool">peepdf</a>
- Python tool for exploring possibly malicious PDFs.</li>
<li><a href="https://www.quicksand.io/">QuickSand</a> - QuickSand is a
compact C framework to analyze suspected malware documents to identify
exploits in streams of different encodings and to locate and extract
embedded executables.</li>
<li><a
href="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey">Spidermonkey</a>
- Mozilla’s JavaScript engine, for debugging malicious JS.</li>
</ul>
<h2 id="file-carving">File Carving</h2>
<p><em>For extracting files from inside disk and memory images.</em></p>
<ul>
<li><a
href="https://github.com/simsong/bulk_extractor">bulk_extractor</a> -
Fast file carving tool.</li>
<li><a href="https://github.com/williballenthin/EVTXtract">EVTXtract</a>
- Carve Windows Event Log files from raw binary data.</li>
<li><a href="http://foremost.sourceforge.net/">Foremost</a> - File
carving tool designed by the US Air Force.</li>
<li><a href="https://github.com/vstinner/hachoir3">hachoir3</a> -
Hachoir is a Python library to view and edit a binary stream field by
field.</li>
<li><a href="https://github.com/sleuthkit/scalpel">Scalpel</a> - Another
data carving tool.</li>
<li><a href="https://github.com/jbremer/sflock">SFlock</a> - Nested
archive extraction/unpacking (used in Cuckoo Sandbox).</li>
</ul>
<h2 id="deobfuscation">Deobfuscation</h2>
<p><em>Reverse XOR and other code obfuscation methods.</em></p>
<ul>
<li><a
href="https://bitbucket.org/decalage/balbuzard/wiki/Home">Balbuzard</a>
- A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and
more.</li>
<li><a href="https://github.com/0xd4d/de4dot">de4dot</a> - .NET
deobfuscator and unpacker.</li>
<li><a
href="http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html">ex_pe_xor</a>
&amp; <a
href="http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html">iheartxor</a>
- Two tools from Alexander Hanel for working with single-byte XOR
encoded files.</li>
<li><a href="https://github.com/fireeye/flare-floss">FLOSS</a> - The
FireEye Labs Obfuscated String Solver uses advanced static analysis
techniques to automatically deobfuscate strings from malware
binaries.</li>
<li><a href="https://github.com/hiddenillusion/NoMoreXOR">NoMoreXOR</a>
- Guess a 256 byte XOR key using frequency analysis.</li>
<li><a
href="https://github.com/BromiumLabs/PackerAttacker">PackerAttacker</a>
- A generic hidden code extractor for Windows malware.</li>
<li><a
href="https://github.com/extremecoders-re/pyinstxtractor">PyInstaller
Extractor</a> - A Python script to extract the contents of a PyInstaller
generated Windows executable file. The contents of the pyz file (usually
pyc files) present inside the executable are also extracted and
automatically fixed so that a Python bytecode decompiler will recognize
it.</li>
<li><a href="https://github.com/rocky/python-uncompyle6/">uncompyle6</a>
- A cross-version Python bytecode decompiler. Translates Python bytecode
back into equivalent Python source code.</li>
<li><a href="https://github.com/unipacker/unipacker">un{i}packer</a> -
Automatic and platform-independent unpacker for Windows binaries based
on emulation.</li>
<li><a href="https://github.com/malwaremusings/unpacker/">unpacker</a> -
Automated malware unpacker for Windows malware based on WinAppDbg.</li>
<li><a href="https://github.com/tomchop/unxor/">unxor</a> - Guess XOR
keys using known-plaintext attacks.</li>
<li><a
href="https://github.com/jnraber/VirtualDeobfuscator">VirtualDeobfuscator</a>
- Reverse engineering tool for virtualization wrappers.</li>
<li><a
href="http://eternal-todo.com/var/scripts/xorbruteforcer">XORBruteForcer</a>
- A Python script for brute forcing single-byte XOR keys.</li>
<li><a
href="https://blog.didierstevens.com/programs/xorsearch/">XORSearch
&amp; XORStrings</a> - A couple programs from Didier Stevens for finding
XORed data.</li>
<li><a href="https://github.com/hellman/xortool">xortool</a> - Guess XOR
key length, as well as the key itself.</li>
</ul>
<h2 id="debugging-and-reverse-engineering">Debugging and Reverse
Engineering</h2>
<p><em>Disassemblers, debuggers, and other static and dynamic analysis
tools.</em></p>
<ul>
<li><a href="https://github.com/angr/angr">angr</a> - Platform-agnostic
binary analysis framework developed at UCSB’s Seclab.</li>
<li><a href="https://github.com/bwall/bamfdetect">bamfdetect</a> -
Identifies and extracts information from bots and other malware.</li>
<li><a href="https://github.com/BinaryAnalysisPlatform/bap">BAP</a> -
Multiplatform and open source (MIT) binary analysis framework developed
at CMU’s Cylab.</li>
<li><a href="https://github.com/programa-stic/barf-project">BARF</a> -
Multiplatform, open source Binary Analysis and Reverse engineering
Framework.</li>
<li><a href="https://github.com/google/binnavi">binnavi</a> - Binary
analysis IDE for reverse engineering based on graph visualization.</li>
<li><a href="https://binary.ninja/">Binary ninja</a> - A reversing
engineering platform that is an alternative to IDA.</li>
<li><a href="https://github.com/devttys0/binwalk">Binwalk</a> - Firmware
analysis tool.</li>
<li><a href="https://github.com/season-lab/bluepill">BluePill</a> -
Framework for executing and debugging evasive malware and protected
executables.</li>
<li><a href="https://github.com/aquynh/capstone">Capstone</a> -
Disassembly framework for binary analysis and reversing, with support
for many architectures and bindings in several languages.</li>
<li><a href="https://github.com/hugsy/codebro">codebro</a> - Web based
code browser using  clang to provide basic code analysis.</li>
<li><a href="https://github.com/radareorg/cutter">Cutter</a> - GUI for
Radare2.</li>
<li><a href="https://github.com/sycurelab/DECAF">DECAF (Dynamic
Executable Code Analysis Framework)</a> - A binary analysis platform
based   on QEMU. DroidScope is now an extension to DECAF.</li>
<li><a href="https://github.com/0xd4d/dnSpy">dnSpy</a> - .NET assembly
editor, decompiler and debugger.</li>
<li><a href="https://www.jetbrains.com/decompiler/">dotPeek</a> - Free
.NET Decompiler and Assembly Browser.</li>
<li><a href="http://codef00.com/projects#debugger">Evan’s Debugger
(EDB)</a> - A modular debugger with a Qt GUI.</li>
<li><a href="https://github.com/rabbitstack/fibratus">Fibratus</a> -
Tool for exploration and tracing of the Windows kernel.</li>
<li><a
href="https://www.mcafee.com/us/downloads/free-tools/fport.aspx">FPort</a>
- Reports open TCP/IP and UDP ports in a live system and maps them to
the owning application.</li>
<li><a href="http://www.sourceware.org/gdb/">GDB</a> - The GNU
debugger.</li>
<li><a href="https://github.com/hugsy/gef">GEF</a> - GDB Enhanced
Features, for exploiters and reverse engineers.</li>
<li><a
href="https://github.com/NationalSecurityAgency/ghidra">Ghidra</a> - A
software reverse engineering (SRE) framework created and maintained by
the National Security Agency Research Directorate.</li>
<li><a
href="https://github.com/codypierce/hackers-grep">hackers-grep</a> - A
utility to search for strings in PE executables including imports,
exports, and debug symbols.</li>
<li><a href="https://www.hopperapp.com/">Hopper</a> - The macOS and
Linux Disassembler.</li>
<li><a href="https://www.hex-rays.com/products/ida/index.shtml">IDA
Pro</a> - Windows disassembler and debugger, with a free evaluation
version.</li>
<li><a href="https://github.com/crypto2011/IDR">IDR</a> - Interactive
Delphi Reconstructor is a decompiler of Delphi executable files and
dynamic libraries.</li>
<li><a href="http://debugger.immunityinc.com/">Immunity Debugger</a> -
Debugger for malware analysis and more, with a Python API.</li>
<li><a href="http://ilspy.net/">ILSpy</a> - ILSpy is the open-source
.NET assembly browser and decompiler.</li>
<li><a href="http://kaitai.io/">Kaitai Struct</a> - DSL for file formats
/ network protocols / data structures reverse engineering and
dissection, with code generation for C++, C#, Java, JavaScript, Perl,
PHP, Python, Ruby.</li>
<li><a href="https://lief.quarkslab.com/">LIEF</a> - LIEF provides a
cross-platform library to parse, modify and abstract ELF, PE and MachO
formats.</li>
<li><a href="http://ltrace.org/">ltrace</a> - Dynamic analysis for Linux
executables.</li>
<li><a href="https://github.com/phdphuc/mac-a-mal">mac-a-mal</a> - An
automated framework for mac malware hunting.</li>
<li><a href="https://en.wikipedia.org/wiki/Objdump">objdump</a> - Part
of GNU binutils, for static analysis of Linux binaries.</li>
<li><a href="http://www.ollydbg.de/">OllyDbg</a> - An assembly-level
debugger for Windows executables.</li>
<li><a
href="https://low-priority.appspot.com/ollydumpex/">OllyDumpEx</a> -
Dump memory from (unpacked) malware Windows process and store raw or
rebuild PE file. This is a plugin for OllyDbg, Immunity Debugger, IDA
Pro, WinDbg, and x64dbg.</li>
<li><a href="https://github.com/moyix/panda">PANDA</a> - Platform for
Architecture-Neutral Dynamic Analysis.</li>
<li><a href="https://github.com/longld/peda">PEDA</a> - Python Exploit
Development Assistance for GDB, an enhanced display with added
commands.</li>
<li><a href="https://winitor.com/">pestudio</a> - Perform static
analysis of Windows executables.</li>
<li><a href="https://github.com/cmu-sei/pharos">Pharos</a> - The Pharos
binary analysis framework can be used to perform automated static
analysis of binaries.</li>
<li><a href="https://github.com/plasma-disassembler/plasma">plasma</a> -
Interactive disassembler for x86/ARM/MIPS.</li>
<li><a href="https://www.mzrst.com/">PPEE (puppy)</a> - A Professional
PE file Explorer for reversers, malware researchers and those who want
to statically inspect PE files in more detail.</li>
<li><a
href="https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer">Process
Explorer</a> - Advanced task manager for Windows.</li>
<li><a href="http://processhacker.sourceforge.net/">Process Hacker</a> -
Tool that monitors system resources.</li>
<li><a
href="https://docs.microsoft.com/en-us/sysinternals/downloads/procmon">Process
Monitor</a> - Advanced monitoring tool for Windows programs.</li>
<li><a
href="https://docs.microsoft.com/en-us/sysinternals/downloads/pstools">PSTools</a>
- Windows command-line tools that help manage and investigate live
systems.</li>
<li><a href="https://github.com/joxeankoret/pyew">Pyew</a> - Python tool
for malware analysis.</li>
<li><a href="https://github.com/Cisco-Talos/pyrebox">PyREBox</a> -
Python scriptable reverse engineering sandbox by the Talos team at
Cisco.</li>
<li><a href="https://www.qiling.io/">Qiling Framework</a> - Cross
platform emulation and sanboxing framework with instruments for binary
analysis.</li>
<li><a href="https://github.com/ispras/qemu/releases/">QKD</a> - QEMU
with embedded WinDbg server for stealth debugging.</li>
<li><a href="http://www.radare.org/r/">Radare2</a> - Reverse engineering
framework, with debugger support.</li>
<li><a href="https://sourceforge.net/projects/regshot/">RegShot</a> -
Registry compare utility that compares snapshots.</li>
<li><a href="https://retdec.com/">RetDec</a> - Retargetable machine-code
decompiler with an <a href="https://retdec.com/decompilation/">online
decompilation service</a> and <a href="https://retdec.com/api/">API</a>
that you can use in your tools.</li>
<li><a href="https://github.com/Cisco-Talos/ROPMEMU">ROPMEMU</a> - A
framework to analyze, dissect and decompile complex code-reuse
attacks.</li>
<li><a href="https://github.com/NtQuery/Scylla">Scylla Imports
Reconstructor</a> - Find and fix the IAT of an unpacked / dumped PE32
malware.</li>
<li><a href="https://github.com/x64dbg/ScyllaHide">ScyllaHide</a> - An
Anti-Anti-Debug library and plugin for OllyDbg, x64dbg, IDA Pro, and
TitanEngine.</li>
<li><a href="https://github.com/pidydx/SMRT">SMRT</a> - Sublime Malware
Research Tool, a plugin for Sublime 3 to aid with malware analyis.</li>
<li><a href="https://sourceforge.net/projects/strace/">strace</a> -
Dynamic analysis for Linux executables.</li>
<li><a href="https://github.com/fireeye/stringsifter">StringSifter</a> -
A machine learning tool that automatically ranks strings based on their
relevance for malware analysis.</li>
<li><a href="https://triton.quarkslab.com/">Triton</a> - A dynamic
binary analysis (DBA) framework.</li>
<li><a href="https://github.com/vmt/udis86">Udis86</a> - Disassembler
library and tool for x86 and x86_64.</li>
<li><a href="https://github.com/vivisect/vivisect">Vivisect</a> - Python
tool for malware analysis.</li>
<li><a
href="https://developer.microsoft.com/en-us/windows/hardware/download-windbg">WinDbg</a>
- multipurpose debugger for the Microsoft Windows computer operating
system, used to debug user mode applications, device drivers, and the
kernel-mode memory dumps.</li>
<li><a href="https://github.com/x64dbg/">X64dbg</a> - An open-source
x64/x32 debugger for windows.</li>
</ul>
<h2 id="network">Network</h2>
<p><em>Analyze network interactions.</em></p>
<ul>
<li><a href="https://www.bro.org">Bro</a> - Protocol analyzer that
operates at incredible scale; both file and network protocols.</li>
<li><a href="https://github.com/hempnall/broyara">BroYara</a> - Use Yara
rules from Bro.</li>
<li><a href="https://github.com/omriher/CapTipper">CapTipper</a> -
Malicious HTTP traffic explorer.</li>
<li><a href="https://github.com/MITRECND/chopshop">chopshop</a> -
Protocol analysis and decoding framework.</li>
<li><a href="https://www.cloudshark.org">CloudShark</a> - Web-based tool
for packet analysis and malware traffic detection.</li>
<li><a href="https://github.com/fireeye/flare-fakenet-ng">FakeNet-NG</a>
- Next generation dynamic network analysis tool.</li>
<li><a href="https://www.telerik.com/fiddler">Fiddler</a> - Intercepting
web proxy designed for “web debugging.”</li>
<li><a href="https://github.com/pjlantz/Hale">Hale</a> - Botnet C&amp;C
monitor.</li>
<li><a href="http://www.haka-security.org/">Haka</a> - An open source
security oriented language for describing protocols and applying
security policies on (live) captured traffic.</li>
<li><a href="https://github.com/jbremer/httpreplay">HTTPReplay</a> -
Library for parsing and reading out PCAP files, including TLS streams
using TLS Master Secrets (used in Cuckoo Sandbox).</li>
<li><a href="http://www.inetsim.org/">INetSim</a> - Network service
emulation, useful when building a malware lab.</li>
<li><a href="https://github.com/lmco/laikaboss">Laika BOSS</a> - Laika
BOSS is a file-centric malware analysis and intrusion detection
system.</li>
<li><a href="https://github.com/idaholab/Malcolm">Malcolm</a> - Malcolm
is a powerful, easily deployable network traffic analysis tool suite for
full packet capture artifacts (PCAP files) and Zeek logs.</li>
<li><a href="https://github.com/tomchop/malcom">Malcom</a> - Malware
Communications Analyzer.</li>
<li><a href="https://github.com/stamparm/maltrail">Maltrail</a> - A
malicious traffic detection system, utilizing publicly available
(black)lists containing malicious and/or generally suspicious trails and
featuring an reporting and analysis interface.</li>
<li><a href="https://mitmproxy.org/">mitmproxy</a> - Intercept network
traffic on the fly.</li>
<li><a href="https://github.com/aol/moloch">Moloch</a> - IPv4 traffic
capturing, indexing and database system.</li>
<li><a
href="http://www.netresec.com/?page=NetworkMiner">NetworkMiner</a> -
Network forensic analysis tool, with a free version.</li>
<li><a href="https://github.com/jpr5/ngrep">ngrep</a> - Search through
network traffic like grep.</li>
<li><a href="https://github.com/mateuszk87/PcapViz">PcapViz</a> -
Network topology and traffic visualizer.</li>
<li><a
href="https://github.com/RamadhanAmizudin/python-icap-yara">Python ICAP
Yara</a> - An ICAP Server with yara scanner for URL or content.</li>
<li><a href="https://github.com/ch3k1/squidmagic">Squidmagic</a> -
squidmagic is a tool designed to analyze a web-based network traffic to
detect central command and control (C&amp;C) servers and malicious
sites, using Squid proxy server and Spamhaus.</li>
<li><a href="http://www.tcpdump.org/">Tcpdump</a> - Collect network
traffic.</li>
<li><a href="http://tcpick.sourceforge.net/">tcpick</a> - Trach and
reassemble TCP streams from network traffic.</li>
<li><a href="http://tcpxtract.sourceforge.net/">tcpxtract</a> - Extract
files from network traffic.</li>
<li><a href="https://www.wireshark.org/">Wireshark</a> - The network
traffic analysis tool.</li>
</ul>
<h2 id="memory-forensics">Memory Forensics</h2>
<p><em>Tools for dissecting malware in memory images or running
systems.</em></p>
<ul>
<li><a
href="https://www.blackbagtech.com/blacklight.html">BlackLight</a> -
Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory
analysis.</li>
<li><a href="https://github.com/504ensicsLabs/DAMM">DAMM</a> -
Differential Analysis of Malware in Memory, built on Volatility.</li>
<li><a href="https://github.com/JamesHabben/evolve">evolve</a> - Web
interface for the Volatility Memory Forensics Framework.</li>
<li><a href="https://sourceforge.net/projects/findaes/">FindAES</a> -
Find AES encryption keys in memory.</li>
<li><a href="https://github.com/ShaneK2/inVtero.net">inVtero.net</a> -
High speed memory analysis framework developed in .NET supports all
Windows x64, includes code integrity and write support.</li>
<li><a href="https://github.com/ytisf/muninn">Muninn</a> - A script to
automate portions of analysis using Volatility, and create a readable
report. <a href="https://github.com/LDO-CERT/orochi">Orochi</a> - Orochi
is an open source framework for collaborative forensic memory dump
analysis.</li>
<li><a href="http://www.rekall-forensic.com/">Rekall</a> - Memory
analysis framework, forked from Volatility in 2013.</li>
<li><a
href="https://github.com/sketchymoose/TotalRecall">TotalRecall</a> -
Script based on Volatility for automating various malware analysis
tasks.</li>
<li><a href="https://github.com/aim4r/VolDiff">VolDiff</a> - Run
Volatility on memory images before and after malware execution, and
report changes.</li>
<li><a
href="https://github.com/volatilityfoundation/volatility">Volatility</a>
- Advanced memory forensics framework.</li>
<li><a href="https://github.com/kevthehermit/VolUtility">VolUtility</a>
- Web Interface for Volatility Memory Analysis framework.</li>
<li><a href="https://github.com/swwwolf/wdbgark">WDBGARK</a> - WinDBG
Anti-RootKit Extension.</li>
<li><a
href="https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit">WinDbg</a>
- Live memory inspection and kernel debugging for Windows systems.</li>
</ul>
<h2 id="windows-artifacts">Windows Artifacts</h2>
<ul>
<li><a href="https://github.com/OMENScan/AChoir">AChoir</a> - A live
incident response script for gathering Windows artifacts.</li>
<li><a
href="https://github.com/williballenthin/python-evt">python-evt</a> -
Python library for parsing Windows Event Logs.</li>
<li><a
href="http://www.williballenthin.com/registry/">python-registry</a> -
Python library for parsing registry files.</li>
<li><a
href="http://brettshavers.cc/index.php/brettsblog/tags/tag/regripper/">RegRipper</a>
(<a href="https://github.com/keydet89/RegRipper2.8">GitHub</a>) -
Plugin-based registry analysis tool.</li>
</ul>
<h2 id="storage-and-workflow">Storage and Workflow</h2>
<ul>
<li><a href="https://github.com/merces/aleph">Aleph</a> - Open Source
Malware Analysis Pipeline System.</li>
<li><a href="https://crits.github.io/">CRITs</a> - Collaborative
Research Into Threats, a malware and threat repository.</li>
<li><a href="https://certsocietegenerale.github.io/fame/">FAME</a> - A
malware analysis framework featuring a pipeline that can be extended
with custom modules, which can be chained and interact with each other
to perform end-to-end analysis.</li>
<li><a href="https://github.com/sroberts/malwarehouse">Malwarehouse</a>
- Store, tag, and search malware.</li>
<li><a href="https://github.com/ANSSI-FR/polichombr">Polichombr</a> - A
malware analysis platform designed to help analysts to reverse malwares
collaboratively.</li>
<li><a href="http://stoq.punchcyber.com">stoQ</a> - Distributed content
analysis framework with extensive plugin support, from input to output,
and everything in between.</li>
<li><a href="http://viper.li/">Viper</a> - A binary management and
analysis framework for analysts and researchers.</li>
</ul>
<h2 id="miscellaneous">Miscellaneous</h2>
<ul>
<li><a href="https://github.com/LordNoteworthy/al-khaser">al-khaser</a>
- A PoC malware with good intentions that aimes to stress anti-malware
systems.</li>
<li><a
href="https://github.com/AbertayMachineLearningGroup/CryptoKnight">CryptoKnight</a>
- Automated cryptographic algorithm reverse engineering and
classification framework.</li>
<li><a
href="https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP">DC3-MWCP</a>
- The Defense Cyber Crime Center’s Malware Configuration Parser
framework.</li>
<li><a href="https://github.com/fireeye/flare-vm">FLARE VM</a> - A fully
customizable, Windows-based, security distribution for malware
analysis.</li>
<li><a
href="https://github.com/misterch0c/malSploitBase">MalSploitBase</a> - A
database containing exploits used by malware.</li>
<li><a href="https://archive.org/details/malwaremuseum">Malware
Museum</a> - Collection of malware programs that were distributed in the
1980s and 1990s.</li>
<li><a href="https://github.com/uppusaikiran/malware-organiser">Malware
Organiser</a> - A simple tool to organise large malicious/benign files
into a organised Structure.</li>
<li><a href="https://github.com/a0rtega/pafish">Pafish</a> - Paranoid
Fish, a demonstration tool that employs several techniques to detect
sandboxes and analysis environments in the same way as malware families
do.</li>
<li><a href="https://remnux.org/">REMnux</a> - Linux distribution and
docker images for malware reverse engineering and analysis.</li>
<li><a href="https://tsurugi-linux.org/">Tsurugi Linux</a> - Linux
distribution designed to support your DFIR investigations, malware
analysis and OSINT (Open Source INTelligence) activities.</li>
<li><a href="https://santoku-linux.com/">Santoku Linux</a> - Linux
distribution for mobile forensics, malware analysis, and security.</li>
</ul>
<h1 id="resources">Resources</h1>
<h2 id="books">Books</h2>
<p><em>Essential malware analysis reading material.</em></p>
<ul>
<li><a
href="https://www.packtpub.com/networking-and-servers/learning-malware-analysis">Learning
Malware Analysis</a> - Learning Malware Analysis: Explore the concepts,
tools, and techniques to analuze and investigate Windows malware</li>
<li><a href="https://amzn.com/dp/0470613033">Malware Analyst’s Cookbook
and DVD</a> - Tools and Techniques for Fighting Malicious Code.</li>
<li><a
href="https://www.packtpub.com/networking-and-servers/mastering-malware-analysis">Mastering
Malware Analysis</a> - Mastering Malware Analysis: The complete malware
analyst’s guide to combating malicious software, APT, cybercime, and IoT
attacks</li>
<li><a
href="https://www.packtpub.com/networking-and-servers/mastering-reverse-engineering">Mastering
Reverse Engineering</a> - Mastering Reverse Engineering: Re-engineer
your ethical hacking skills</li>
<li><a href="https://amzn.com/dp/1593272901">Practical Malware
Analysis</a> - The Hands-On Guide to Dissecting Malicious Software.</li>
<li><a href="https://www.amzn.com/dp/1118787315/">Practical Reverse
Engineering</a> - Intermediate Reverse Engineering.</li>
<li><a href="https://www.amzn.com/dp/0321240693">Real Digital
Forensics</a> - Computer Security and Incident Response.</li>
<li><a href="https://www.amazon.com/dp/1593277164">Rootkits and
Bootkits</a> - Rootkits and Bootkits: Reversing Modern Malware and Next
Generation Threats</li>
<li><a href="https://amzn.com/dp/1118825098">The Art of Memory
Forensics</a> - Detecting Malware and Threats in Windows, Linux, and Mac
Memory.</li>
<li><a href="https://amzn.com/dp/1593272898">The IDA Pro Book</a> - The
Unofficial Guide to the World’s Most Popular Disassembler.</li>
<li><a href="https://amzn.com/dp/144962636X">The Rootkit Arsenal</a> -
The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the
System</li>
</ul>
<h2 id="other">Other</h2>
<ul>
<li><a href="https://github.com/aptnotes/data">APT Notes</a> - A
collection of papers and notes related to Advanced Persistent
Threats.</li>
<li><a href="https://github.com/endgameinc/ember">Ember</a> - Endgame
Malware BEnchmark for Research, a repository that makes it easy to
(re)create a machine learning model that can be used to predict a score
for a PE file based on static analysis.</li>
<li><a href="https://github.com/corkami/pics">File Formats posters</a> -
Nice visualization of commonly used file format (including PE &amp;
ELF).</li>
<li><a href="http://honeynet.org/">Honeynet Project</a> - Honeypot
tools, papers, and other resources.</li>
<li><a href="http://www.kernelmode.info/forum/">Kernel Mode</a> - An
active community devoted to malware analysis and kernel
development.</li>
<li><a href="https://zeltser.com/malicious-software/">Malicious
Software</a> - Malware blog and resources by Lenny Zeltser.</li>
<li><a
href="https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu">Malware
Analysis Search</a> - Custom Google search engine from <a
href="journeyintoir.blogspot.com/">Corey Harrell</a>.</li>
<li><a
href="http://fumalwareanalysis.blogspot.nl/p/malware-analysis-tutorials-reverse.html">Malware
Analysis Tutorials</a> - The Malware Analysis Tutorials by Dr. Xiang Fu,
a great resource for learning practical malware analysis.</li>
<li><a
href="https://www.slideshare.net/bartblaze/malware-analysis-threat-intelligence-and-reverse-engineering">Malware
Analysis, Threat Intelligence and Reverse Engineering</a> - Presentation
introducing the concepts of malware analysis, threat intelligence and
reverse engineering. Experience or prior knowledge is not required. Labs
link in description.</li>
<li><a href="https://github.com/Karneades/malware-persistence">Malware
Persistence</a> - Collection of various information focused on malware
persistence: detection (techniques), response, pitfalls and the log
collection (tools).</li>
<li><a href="http://malware-traffic-analysis.net/">Malware Samples and
Traffic</a> - This blog focuses on network traffic related to malware
infections.</li>
<li><a
href="https://addons.mozilla.org/fr/firefox/addon/malware-search-plusplusplus/">Malware
Search+++</a> Firefox extension allows you to easily search some of the
most popular malware databases</li>
<li><a
href="https://bluesoul.me/practical-malware-analysis-starter-kit/">Practical
Malware Analysis Starter Kit</a> - This package contains most of the
software referenced in the Practical Malware Analysis book.</li>
<li><a href="https://github.com/RPISEC/Malware">RPISEC Malware
Analysis</a> - These are the course materials used in the Malware
Analysis course at at Rensselaer Polytechnic Institute during Fall
2015.</li>
<li><a href="http://windowsir.blogspot.com/p/malware.html">WindowsIR:
Malware</a> - Harlan Carvey’s page on Malware.</li>
<li><a
href="https://github.com/msuhanov/regf/blob/master/Windows%20registry%20file%20format%20specification.md">Windows
Registry specification</a> - Windows registry file format
specification.</li>
<li><a href="https://www.reddit.com/r/csirt_tools/">/r/csirt_tools</a> -
Subreddit for CSIRT tools and resources, with a <a
href="https://www.reddit.com/r/csirt_tools/search?q=flair%3A%22Malware%20analysis%22&amp;sort=new&amp;restrict_sr=on">malware
analysis</a> flair.</li>
<li><a href="https://www.reddit.com/r/Malware">/r/Malware</a> - The
malware subreddit.</li>
<li><a
href="https://www.reddit.com/r/ReverseEngineering">/r/ReverseEngineering</a>
- Reverse engineering subreddit, not limited to just malware.</li>
</ul>
<h1 id="related-awesome-lists">Related Awesome Lists</h1>
<ul>
<li><a
href="https://github.com/ashishb/android-security-awesome">Android
Security</a></li>
<li><a
href="https://github.com/paragonie/awesome-appsec">AppSec</a></li>
<li><a href="https://github.com/apsdehal/awesome-ctf">CTFs</a></li>
<li><a
href="https://github.com/Cugu/awesome-forensics">Forensics</a></li>
<li><a
href="https://github.com/carpedm20/awesome-hacking">“Hacking”</a></li>
<li><a
href="https://github.com/paralax/awesome-honeypots">Honeypots</a></li>
<li><a
href="https://github.com/hslatman/awesome-industrial-control-system-security">Industrial
Control System Security</a></li>
<li><a
href="https://github.com/meirwah/awesome-incident-response">Incident-Response</a></li>
<li><a
href="https://github.com/onlurking/awesome-infosec">Infosec</a></li>
<li><a href="https://github.com/caesar0301/awesome-pcaptools">PCAP
Tools</a></li>
<li><a
href="https://github.com/enaqx/awesome-pentest">Pentesting</a></li>
<li><a
href="https://github.com/sbilly/awesome-security">Security</a></li>
<li><a
href="https://github.com/hslatman/awesome-threat-intelligence">Threat
Intelligence</a></li>
<li><a href="https://github.com/InQuest/awesome-yara">YARA</a></li>
</ul>
<h1 id="contributing"><a href="CONTRIBUTING.md">Contributing</a></h1>
<p>Pull requests and issues with suggestions are welcome! Please read
the <a href="CONTRIBUTING.md">CONTRIBUTING</a> guidelines before
submitting a PR.</p>
<h1 id="thanks">Thanks</h1>
<p>This list was made possible by:</p>
<ul>
<li>Lenny Zeltser and other contributors for developing REMnux, where I
found many of the tools in this list;</li>
<li>Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard
for writing the <em>Malware Analyst’s Cookbook</em>, which was a big
inspiration for creating the list;</li>
<li>And everyone else who has sent pull requests or suggested links to
add here!</li>
</ul>
<p>Thanks!</p>