Malware analysis tools are very important for Security Professionals, who have to learn new tools, methods, and ideas all the time in order to figure out how to deal with complex threats and cyber attacks.
Malicious code and sophisticated malware are almost impossible to figure out without malware analysis tools because they are made up of many different methods and functions.
Here, we’ve put together a list of the hundreds of tools and resources that security experts and malware analysts can use to understand malware and figure out what it is trying to do.
Malware research is an important part of cybersecurity because it gives a deep understanding of how malicious software works, where it came from, and possible ways to stop it. Over the years, many tools, both static and dynamic, have been made to help with this hard job.
Static analysis tools look at malware’s code without running it. IDA Pro, a popular disassembler, and PEview, which checks the guts of Windows executables, are two examples of such tools.
On the other hand, dynamic research tools like Cuckoo Sandbox and Wireshark watch how malware behaves while it is running. When used together, these tools give a full picture of how malware acts, how it is put together, and what it might do.
Table of Contents
Malware Analysis Tools & Courses
Malware Analysis Courses
Detection and Classification
Reverse Engineering
Binary Format and Binary Analysis
Malware Analysis Tools for Reconstruction
Memory Forensics Malware Analysis Tools
Domain Malware Analysis Tools
Books
Open Source Threat Intelligence Tool
Other Resources
- Malware Analysis Courses
- Hex Editors
- Disassemblers
- Detection and Classification
- Dynamic Binary Instrumentation
- Dynamic Analysis
- Deobfuscation
- Debugging
- Malware Analysis Courses
- Reverse Engineering
- Binary Analysis
- Decompiler
- Bytecode Analysis
- Reconstruction
- Memory Forensics
- Windows Artifacts
- Storage and Workflow
- Malware samples
- Courses
- Domain Analysis
- Books
Malware Analysis Courses
Here we have listed the best courses list for malware analysis, reverse engineering, exploit development, and more.
Hex Editors
A hex editor (or binary file editor or byte editor) is a type of computer program that allows for the manipulation of the fundamental binary data that constitutes a computer file.
The name ‘hex’ comes from ‘hexadecimal’: a standard numerical format for representing binary data.
- HxD
- 010 Editor
- Hex Workshop
- HexFiend
- Hiew
Disassemblers
A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler.
A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language.
Disassembly, the output of a disassembler, is often formatted for human readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool.
- IDA Pro
- Binary Ninja
- Radare
- Hopper
- Capstone
- objdump
- fREedom
- plasma
Detection and Classification
- AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
- Assemblyline – A scalable distributed file analysis framework.
- BinaryAlert – An open-source, serverless AWS pipeline that scans and alerts uploaded files based on a set of YARA rules.
- ClamAV – Open source antivirus engine.
- Detect-It-Easy – A program for determining types of files.
- ExifTool – Read, write, and edit file metadata.
- File Scanning Framework – Modular, recursive file scanning solution.
- hashdeep – Compute digest hashes with a variety of algorithms.
- Loki – Host-based scanner for IOCs.
- Malfunction – Catalog and compare malware at a function level.
- MASTIFF – Static analysis framework.
- MultiScanner – Modular file scanning/analysis framework
- nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
- packerid – A cross-platform Python alternative to PEiD.
- PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
- Rootkit Hunter – Detect Linux rootkits.
- ssdeep – Compute fuzzy hashes.
- totalhash.py – Python script for easy searching of the TotalHash.cymru.com database.
- TrID – File identifier.
- YARA – Pattern matching tool for analysts.
- Yara rules generator – Generate Yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives
Dynamic Binary Instrumentation
Dynamic Binary Instrumentation Tools
Mac Decrypt
Mac Decrypting Tools
Emulator
Emulator Tools
Document Analysis
Document-Based Malware Analysis Tools.
Dynamic Analysis
This introductory malware dynamic analysis class is dedicated to people who are starting to work on malware analysis or who want to know what kinds of artifacts left by malware can be detected via various tools.
The class will be a hands-on class where students can use various tools to look for how malware is: Persisting, Communicating, and Hiding
Deobfuscation
Reverse XOR and other code obfuscation Malware Analysis Tools and methods.
- Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc.).
- de4dot – .NET deobfuscator and unpacker.
- ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
- FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
- NoMoreXOR – Guess a 256-byte XOR key using frequency analysis.
- PackerAttacker – A generic hidden code extractor for Windows malware.
- unpacker – Automated malware unpacker for Windows malware based on WinAppDbg.
- unxor – Guess XOR keys using known-plaintext attacks.
- VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
- XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
- XORSearch & XORStrings – A couple of programs from Didier Stevens for finding XORed data.
- xortool – Guess the XOR key length, as well as the key itself.
Debugging
In this List, we can see the tools for Disassemblers, debuggers, and other static and dynamic analysis tools. Cross-Platform Debugging Tools
Windows-Only Debugging Tools
Linux-Only Debugging Tools
Reverse Engineering
- angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
- bamfdetect – Identifies and extracts information from bots and other malware.
- BAP – Multiplatform and open source (MIT) binary analysis framework developed at CMU’s Cylab.
- BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
- binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
- Binary ninja – A reversing engineering platform that is an alternative to IDA.
- Binwalk – Firmware analysis tool.
- Bokken – GUI for Pyew and Radare. (mirror)
- Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
- codebro – Web-based code browser using Clang to provide basic code analysis.
- DECAF (Dynamic Executable Code Analysis Framework) – A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.
- dnSpy – .NET assembly editor, decompiler, and debugger.
- Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
- Fibratus – Tool for exploration and tracing of the Windows kernel.
- FPort – Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
- GDB – The GNU debugger.
- GEF – GDB Enhanced Features, for exploiters and reverse engineers.
- hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
- Hopper – The macOS and Linux Disassembler.
- IDA Pro – Windows disassembler and debugger, with a free evaluation version.
- Immunity Debugger – Debugger for malware analysis and more, with a Python API.
- ILSpy – ILSpy is the open-source .NET assembly browser and decompiler.
- Kaitai Struct – DSL for file formats/network protocols/data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, and Ruby.
- LIEF – LIEF provides a cross-platform library to parse, modify, and abstract ELF, PE, and MachO formats.
- ltrace – Dynamic analysis for Linux executables.
- objdump – Part of GNU binutils, for static analysis of Linux binaries.
- OllyDbg – An assembly-level debugger for Windows executables.
- PANDA – Platform for Architecture-Neutral Dynamic Analysis.
- PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
- pestudio – Perform static analysis of Windows executables.
- Pharos – The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
- plasma – Interactive disassembler for x86/ARM/MIPS.
- PPEE (puppy) – A Professional PE file Explorer for reversers, malware researchers, and those who want to inspect PE files in more detail.
- Process Explorer – Advanced task manager for Windows.
- Process Hacker – Tool that monitors system resources.
- Process Monitor – Advanced monitoring tool for Windows programs.
- PSTools – Windows command-line tools that help manage and investigate live systems.
- Pyew – Python tool for malware analysis.
- PyREBox – Python scriptable reverse engineering sandbox by the Talos team at Cisco.
- QKD – QEMU with embedded WinDbg server for stealth debugging.
- Radare2 – Reverse engineering framework, with debugger support.
- RegShot – Registry compares utility that compares snapshots.
- RetDec – Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.
- ROPMEMU – A framework to analyze, dissect, and decompile complex code-reuse attacks.
- SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis.
- strace – Dynamic analysis for Linux executables.
- Triton – A dynamic binary analysis (DBA) framework.
- Udis86 – Disassembler library and tool for x86 and x86_64.
- Vivisect – Python tool for malware analysis.
- WinDbg – multipurpose debugger for the Microsoft Windows computer operating system, used to debug user-mode applications, device drivers, and kernel-mode memory dumps.
- X64dbg – An open-source x64/x32 debugger for Windows.
The Compound File Binary Format is the basic container used by several different Microsoft file formats such as Microsoft Office documents and Microsoft Installer packages.
Binary Analysis Resources
Decompiler
A decompiler is a computer program that takes an executable file as input, and attempts to create a high-level source file that can be recompiled successfully.
It is therefore the opposite of a compiler, which takes a source file and makes an executable. Generic Decompiler
Java Decompiler
.NET Decompiler
Delphi Decompiler
Python Decompiler
Bytecode Analysis
Bytecode Analysis Tools
Malware Analysis Tools for Reconstruction
Import Reconstruction Tools
- AndroTotal – Free online analysis of APKs against multiple mobile antivirus apps.
- AVCaesar – Malware.lu online scanner and malware repository.
- Cryptam – Analyze suspicious office documents.
- Cuckoo Sandbox – Open source, self-hosted sandbox, and automated analysis system.
- cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
- cuckoo-modified-api – A Python API used to control a cuckoo-modified sandbox.
- DeepViz – Multi-format file analyzer with machine-learning classification.
- detux – A sandbox developed to do traffic analysis of Linux malware and capture IOCs.
- DRAKVUF – Dynamic malware analysis system.
- firmware.re – Unpacks, scans and analyzes almost any firmware package.
- HaboMalHunter – An Automated Malware Analysis Tool for Linux ELF Files.
- Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
- IRMA – An asynchronous and customizable analysis platform for suspicious files.
- Joe Sandbox – Deep malware analysis with Joe Sandbox.
- Jotti – Free online multi-AV scanner.
- Limon – Sandbox for Analyzing Linux Malware.
- Malheur – Automatic sandboxed analysis of malware behavior.
- malsub – A Python RESTful API framework for online malware and URL analysis services.
- Malware config – Extract, decode, and display online the configuration settings from common malware.
- Malwr – Free analysis with an online Cuckoo Sandbox instance.
- MASTIFF Online – Online static analysis of malware.
- Metadefender.com – Scan a file, hash, or IP address for malware (free).
- NetworkTotal – A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
- Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
- PDF Examiner – Analyse suspicious PDF files.
- ProcDot – A graphical malware analysis tool kit.
- Recomposer – A helper script for safely uploading binaries to sandbox sites.
- Sand droid – Automatic and complete Android application analysis system.
- SEE – Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
- VirusTotal – Free online analysis of malware samples and URLs
- Visualize_Logs – Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come…)
- Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.
Document Analysis
Document Analysis Tools
Scripting
Scripting
Android
Android tools
Yara
Yara Resources
Memory Forensics Malware Analysis Tools
Tools for dissecting malware in memory images or running systems.
- BlackLight – Windows/MacOS forensics client supporting hiberfil, pagefile, and raw memory analysis.
- DAMM – Differential Analysis of Malware in Memory, built on Volatility.
- evolve – Web interface for the Volatility Memory Forensics Framework.
- FindAES – Find AES encryption keys in memory.
- inVtero.net – The high-speed memory analysis framework developed in .NET supports all Windows x64, including code integrity and write support.
- Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
- Rekall – Memory analysis framework, forked from Volatility in 2013.
- TotalRecall – Script based on Volatility for automating various malware analysis tasks.
- VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
- Volatility – Advanced memory forensics framework.
- VolUtility – Web Interface for Volatility Memory Analysis framework.
- WDBGARK – WinDBG Anti-RootKit Extension.
- WinDbg – Live memory inspection and kernel debugging for Windows systems.
Windows Artifacts
- AChoir – A live incident response script for gathering Windows artifacts.
- python-evt – Python library for parsing Windows Event Logs.
- python-registry – Python library for parsing registry files.
- RegRipper (GitHub) – Plugin-based registry analysis tool.
Storage and Workflow
- Aleph – Open Source Malware Analysis Pipeline System.
- CRITs – Collaborative Research Into Threats, a malware and threat repository.
- FAME – A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
- Malwarehouse – Store, tag, and search malware.
- Polichombr – A malware analysis platform designed to help analysts reverse malware collaboratively.
- stoQ – Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
- Viper – A binary management and analysis framework for analysts and researchers.
Malware samples
Malware samples were collected for analysis.
- Clean MX – Realtime database of malware and malicious domains.
- Contagio – A collection of recent malware samples and analyses.
- Exploit Database – Exploit and shellcode samples.
- Malshare – Large repository of malware actively scrapped from malicious sites.
- MalwareDB – Malware samples repository.
- Open Malware Project – Sample information and downloads. Formerly Offensive Computing.
- Ragpicker – Plugin-based malware crawler with pre-analysis and reporting functionalities
- theZoo – Live malware samples for analysts.
- Tracker h3x – Agregator for malware corpus tracker and malicious download sites.
- ViruSign – Malware database that is detected by many anti-malware programs except ClamAV.
- VirusShare – Malware repository, registration required.
- VX Vault – Active collection of malware samples.
- Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
- Zeus Source Code – The source for the Zeus trojan leaked in 2011.
Domain Malware Analysis Tools
Inspect domains and IP addresses.
- badips.com – Community-based IP blacklist service.
- boomerang – A tool designed for the consistent and safe capture of off-network web resources.
- Cymon – Threat intelligence tracker, with IP/domain/hash search.
- Desenmascara.me– One-click tool to retrieve as much metadata as possible for a website and to assess its good standing.
- Dig – Free online dig and other network tools.
- dnstwist – Domain name permutation engine for detecting typo squatting, phishing, and corporate espionage.
- IPinfo – Gather information about an IP or domain by searching online resources.
- Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
- mailchecker – Cross-language temporary email detection library.
- MaltegoVT – Maltego transforms for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
- Multi rbl – Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
- NormShield Services – Free API Services for detecting possible phishing domains, blacklisted IP addresses, and breached accounts.
- SpamCop – IP-based spam block list.
- SpamHaus – Block list based on domains and IPs.
- Sucuri SiteCheck – Free Website Malware and Security Scanner.
- Talos Intelligence – Search for IP, domain, or network owner. (Previously SenderBase.)
- TekDefense Automater – OSINT tool for gathering information about URLs, IPs, or hashes.
- URLQuery – Free URL Scanner.
- Whois – DomainTools free online whois search.
- Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
- ZScalar Zulu – Zulu URL Risk Analyzer.
Books
Most Important Books Reverse Engineering Books
Documents and Shellcode
Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.
- AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
- box-js – A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
- diStorm – Disassembler for analyzing malicious shellcode.
- JS Beautifier – JavaScript unpacking and deobfuscation.
- JS Deobfuscator – Deobfuscate simple Javascript that uses eval or document. write to conceal its code.
- libemu – Library and tools for x86 shellcode emulation.
- malpdfobj – Deconstruct malicious PDFs into a JSON representation.
- OfficeMalScanner – Scan for malicious traces in MS Office documents.
- olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
- Origami PDF – A tool for analyzing malicious PDFs, and more.
- PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
- PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
- peepdf – Python tool for exploring possibly malicious PDFs.
- QuickSand – QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
- Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.
Practice Reverse Engineering. Be careful with malware.
Open Source Threat Intelligence Tool
Harvest and analyze IOCs.
- AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
- AlienVault Open Threat Exchange – Share and collaborate in developing Threat Intelligence.
- Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
- Fileintel – Pull intelligence per file hash.
- Hostintel – Pull intelligence per host.
- IntelMQ – A tool for CERTs for processing incident data using a message queue.
- IOC Editor– A free editor for XML IOC files.
- ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
- Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
- MISP – Malware Information Sharing Platform curated by The MISP Project.
- Pulsedive – Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
- PyIOCe – A Python OpenIOC editor.
- RiskIQ – Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
- threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
- ThreatCrowd – A search engine for threats, with graphical visualization.
- ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
- TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.
Other Resources
Credits
This list is Created with the help of the following Awesome People.
FAQ
1.What is the best online sandbox for malware analysis?
People often say that Cuckoo Sandbox is one of the best online sandboxes for looking at malware. It’s an automated, open-source system that lets researchers watch how malicious files act in a controlled setting.
It is widely used in the cybersecurity industry because it can be changed and expanded. Hybrid Analysis and Joe Sandbox are also strong options because they give a lot of information about how malware works and what it does.
2. Where can I practice malware analysis?
For malware research to be done safely, it needs to be done in a separate area. REMnux is a set of tools for Linux that can be used to figure out how bad software works.
VirusBay is a website that is run by the community and lets people work together on malware samples. TheZoo has a collection of live bugs that can be used as real-world examples.
Always use a controlled, offline setting, such as a virtual machine, to keep things safe and stop infections from happening by accident.
View Comments
Thank you so much.