Awesome Malware Analysis

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.

• Malware Collection
  • Anonymizers
  • Honeypots
  • Malware Corpora
• Open Source Threat Intelligence
  • Tools
  • Other Resources
• Detection and Classification
• Online Scanners and Sandboxes
• Domain Analysis
• Browser Malware
• Documents and Shellcode
• File Carving
• Deobfuscation
• Debugging and Reverse Engineering
• Network
• Memory Forensics
• Windows Artifacts
• Storage and Workflow
• Miscellaneous
• Resources
  • Books
  • Other
• Related Awesome Lists
• Contributing
• Thanks

View Chinese translation: 恶意软件分析大合集.md.

Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

• Anonymouse.org - A free, web based anonymizer.
• OpenVPN - VPN software and hosting solutions.
• Privoxy - An open source proxy server with some privacy features.
• Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

• Conpot - ICS/SCADA honeypot.
• Cowrie - SSH honeypot, based on Kippo.
• DemoHunter - Low interaction Distributed Honeypots.
• Dionaea - Honeypot designed to trap malware.
• Glastopf - Web application honeypot.
• Honeyd - Create a virtual honeynet.
• HoneyDrive - Honeypot bundle Linux distro.
• Honeytrap - Opensource system for running, monitoring and managing honeypots.
• MHN - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
• Mnemosyne - A normalizer for honeypot data; supports Dionaea.
• Thug - Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

• Clean MX - Realtime database of malware and malicious domains.
• Contagio - A collection of recent malware samples and analyses.
• Exploit Database - Exploit and shellcode samples.
• Infosec - CERT-PA - Malware samples collection and analysis.
• InQuest Labs - Evergrowing searchable corpus of malicious Microsoft documents.
• Javascript Mallware Collection - Collection of almost 40.000 javascript malware samples
• Malpedia - A resource providing rapid identification and actionable context for malware investigations.
• Malshare - Large repository of malware actively scrapped from malicious sites.
• Ragpicker - Plugin based malware crawler with pre-analysis and reporting functionalities
• theZoo - Live malware samples for analysts.
• Tracker h3x - Agregator for malware corpus tracker and malicious download sites.
• vduddu malware repo - Collection of various malware files and source code.
• VirusBay - Community-Based malware repository and social network.
• ViruSign - Malware database that detected by many anti malware programs except ClamAV.
• VirusShare - Malware repository, registration required.
• VX Vault - Active collection of malware samples.
• Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
• Zeus Source Code - Source for the Zeus trojan leaked in 2011.
• VX Underground - Massive and growing collection of free malware samples.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

• AbuseHelper - An open-source framework for receiving and redistributing abuse feeds and threat intel.
• AlienVault Open Threat Exchange - Share and collaborate in developing Threat Intelligence.
• Combine - Tool to gather Threat Intelligence indicators from publicly available sources.
• Fileintel - Pull intelligence per file hash.
• Hostintel - Pull intelligence per host.
• IntelMQ - A tool for CERTs for processing incident data using a message queue.
• IOC Editor - A free editor for XML IOC files.
• iocextract - Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.
• ioc_writer - Python library for working with OpenIOC objects, from Mandiant.
• MalPipe - Malware/IOC ingestion and processing engine, that enriches collected data.
• Massive Octo Spice - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
• MISP - Malware Information Sharing Platform curated by The MISP Project.
• Pulsedive - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
• PyIOCe - A Python OpenIOC editor.
• RiskIQ - Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
• threataggregator - Aggregates security threats from a number of sources, including some of those listed below in other resources.
• ThreatConnect - TC Open allows you to see and share open source threat data, with support and validation from our free community.
• ThreatCrowd - A search engine for threats, with graphical visualization.
• ThreatIngestor - Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.
• ThreatTracker - A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
• TIQ-test - Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

• Autoshun (list) - Snort plugin and blocklist.
• Bambenek Consulting Feeds - OSINT feeds based on malicious DGA algorithms.
• Fidelis Barncat - Extensive malware config database (must request access).
• CI Army (list) - Network security blocklists.
• Critical Stack- Free Intel Market - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
• Cybercrime tracker - Multiple botnet active tracker.
• FireEye IOCs - Indicators of Compromise shared publicly by FireEye.
• FireHOL IP Lists - Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps.
• HoneyDB - Community driven honeypot sensor data collection and aggregation.
• hpfeeds - Honeypot feed protocol.
• Infosec - CERT-PA lists (IPs - Domains - URLs) - Blocklist service.
• InQuest REPdb - Continuous aggregation of IOCs from a variety of open reputation sources.
• InQuest IOCdb - Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter.
• Internet Storm Center (DShield) - Diary and searchable incident database, with a web API. (unofficial Python library).
• malc0de - Searchable incident database.
• Malware Domain List - Search and share malicious URLs.
• MetaDefender Threat Intelligence Feed - List of the most looked up file hashes from MetaDefender Cloud.
• OpenIOC - Framework for sharing threat intelligence.
• Proofpoint Threat Intelligence - Rulesets and more. (Formerly Emerging Threats.)
• Ransomware overview - A list of ransomware overview with details, detection and prevention.
• STIX - Structured Threat Information eXpression - Standardized language to represent and share cyber threat information. Related efforts from MITRE:
  • CAPEC - Common Attack Pattern Enumeration and Classification
  • CybOX - Cyber Observables eXpression
  • MAEC - Malware Attribute Enumeration and Characterization
  • TAXII - Trusted Automated eXchange of Indicator Information
• SystemLookup - SystemLookup hosts a collection of lists that provide information on the components of legitimate and potentially unwanted programs.
• ThreatMiner - Data mining portal for threat intelligence, with search.
• threatRECON - Search for indicators, up to 1000 free per month.
• ThreatShare - C2 panel tracker
• Yara rules - Yara rules repository.
• YETI - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
• ZeuS Tracker - ZeuS blocklists.

Detection and Classification

Antivirus and other malware identification tools

• AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
• Assemblyline - A scalable file triage and malware analysis system integrating the cyber security community's best tools..
• BinaryAlert - An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
• capa - Detects capabilities in executable files.
• chkrootkit - Local Linux rootkit detection.
• ClamAV - Open source antivirus engine.
• Detect It Easy(DiE) - A program for determining types of files.
• Exeinfo PE - Packer, compressor detector, unpack info, internal exe tools.
• ExifTool - Read, write and edit file metadata.
• File Scanning Framework - Modular, recursive file scanning solution.
• fn2yara - FN2Yara is a tool to generate Yara signatures for matching functions (code) in an executable program.
• Generic File Parser - A Single Library Parser to extract meta information,static analysis and detect macros within the files.
• hashdeep - Compute digest hashes with a variety of algorithms.
• HashCheck - Windows shell extension to compute hashes with a variety of algorithms.
• Loki - Host based scanner for IOCs.
• Malfunction - Catalog and compare malware at a function level.
• Manalyze - Static analyzer for PE executables.
• MASTIFF - Static analysis framework.
• MultiScanner - Modular file scanning/analysis framework
• [Nauz File