rshipp/awesome-malware-analysis

Aug 19th, 2020

Malware Collection

Malware Corpora

  • VX Underground - Massive and growing collection of free malware samples.
  • Aug 15th, 2020

    Browser Malware

  • Bytecode Viewerstars13.3k - Combines multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support.

    Detection and Classification

  • fn2yarastars1.3k - FN2Yara is a tool to generate Yara signatures for matching functions (code) in an executable program.

    Deobfuscation

  • uncompyle6stars2.8k - A cross-version Python bytecode decompiler. Translates Python bytecode back into equivalent Python source code.
  • PyInstaller Extractorstars1.2k - A Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it.
  • Aug 13th, 2020

    Miscellaneous

  • Tsurugi Linux - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.
  • Jul 17th, 2020

    Detection and Classification

  • capastars2.4k - Detects capabilities in executable files.
  • Jun 21st, 2020

    Open Source Threat Intelligence

    Other Resources

  • ThreatShare - C2 panel tracker
  • Jun 2nd, 2020

    Debugging and Reverse Engineering

  • BluePillstars90 - Framework for executing and debugging evasive malware and protected executables.
  • Apr 1st, 2020

    Other

  • Malware Persistencestars103 - Collection of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools).
  • Dec 27th, 2019

    Malware Collection

    Honeypots

  • MHNstars2.3k - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
  • Nov 21st, 2019

    Domain Analysis

  • Spyse - subdomains, whois, related domains, DNS, hosts AS, SSL/TLS info,
  • Nov 11th, 2019

    Malware Collection

    Malware Corpora

  • Javascript Malware Collectionstars496 - Collection of almost 40,000 JavaScript malware samples.
  • Nov 1st, 2019

    Malware Collection

    Malware Corpora

  • InQuest Labs - Evergrowing searchable corpus of malicious Microsoft documents.

    Open Source Threat Intelligence

    Tools

  • ThreatConnect - TC Open allows you to see and share open source threat data, with support and validation from our free community.

    Open Source Threat Intelligence

    Other Resources

  • InQuest REPdb - Continuous aggregation of IOCs from a variety of open reputation sources.
  • InQuest IOCdb - Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter.

    Online Scanners and Sandboxes

  • BoomBoxstars212 - Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant.

    Domain Analysis

  • URLhaus - A project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.

    Documents and Shellcode

  • InQuest Deep File Inspection - Upload common malware lures for Deep File Inspection and heuristic analysis.

    Network

  • Malcolmstars182 - Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.

    Books

  • Mastering Malware Analysis - Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercrime, and IoT attacks
  • Oct 31st, 2019

    Detection and Classification

  • Detect It Easy (DiE)stars4k - A program for determining types of files.
  • Oct 15th, 2019

    Books

  • Learning Malware Analysis - Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware
  • Mastering Reverse Engineering - Mastering Reverse Engineering: Re-engineer your ethical hacking skills
  • Sep 16th, 2019

    Domain Analysis

  • AbuseIPDB - AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.
  • Sep 4th, 2019

    Network

  • FakeNet-NGstars1.4k - Next generation dynamic network analysis tool.
  • Jul 17th, 2019

    Online Scanners and Sandboxes

  • MalwareAnalyser.io - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
  • May 4th, 2019

    Books

  • Rootkits and Bootkits - Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
  • Mar 13th, 2019

    Open Source Threat Intelligence

    Tools

  • ThreatIngestorstars596 - Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.
  • Mar 6th, 2019

    Malware Collection

    Honeypots

  • DemoHunterstars50 - Low interaction Distributed Honeypots.
  • Dionaeastars607 - Honeypot designed to trap malware.

    Malware Collection

    Malware Corpora

  • Malpedia - A resource providing rapid identification and actionable context for malware investigations.

    Open Source Threat Intelligence

    Other Resources

  • SystemLookup - SystemLookup hosts a collection of lists that provide information on the components of legitimate and potentially unwanted programs.
  • YETIstars1.3k - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.

    Detection and Classification

  • Assemblyline - A scalable distributed file analysis framework.
  • Manalyzestars850 - Static analyzer for PE files.

    Online Scanners and Sandboxes

  • MetaDefender Cloud - Scan a file, hash, IP, URL or domain address for malware for free.
  • PacketTotal - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.

    Domain Analysis

  • SecurityTrails - Historical and current WHOIS, historical and current DNS records, similar domains, certificate information and other domain and IP related API and tools.

    File Carving

  • hachoir3stars500 - Hachoir is a Python library to view and edit a binary stream field by field.

    Deobfuscation

  • un{i}packerstars487 - Automatic and platform-independent unpacker for Windows binaries based on emulation.

    Other

  • Emberstars714 - Endgame Malware BEnchmark for Research, a repository that makes it easy to (re)create a machine learning model that can be used to predict a score for a PE file based on static analysis.
  • Malware Search+++ - Firefox extension that allows you to easily search some of the most popular malware databases.
  • Feb 16th, 2019

    Other

  • Malware Analysis Tutorials - The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning practical malware analysis.
  • Malware Analysis, Threat Intelligence and Reverse Engineering - Presentation introducing the concepts of malware analysis, threat intelligence and reverse engineering. Experience or prior knowledge is not required. Labs link in description.
  • Windows Registry specification - Windows registry file format specification.
  • Dec 27th, 2018

    Open Source Threat Intelligence

    Other Resources

  • MetaDefender Threat Intelligence Feed - List of the most looked up file hashes from MetaDefender Cloud.
  • Nov 15th, 2018

    Open Source Threat Intelligence

    Other Resources

  • HoneyDB - Community driven honeypot sensor data collection and aggregation.
  • Oct 6th, 2018

    Miscellaneous

  • CryptoKnightstars34 - Automated cryptographic algorithm reverse engineering and classification framework.
  • Oct 5th, 2018

    Domain Analysis

  • PhishStats - Phishing statistics with search for IP, domain and website title.
  • Aug 13th, 2018

    Online Scanners and Sandboxes

  • malice.iostars1.4k - Massively scalable malware analysis framework.
  • Jul 10th, 2018

    Malware Collection

    Malware Corpora

  • VirusBay - Community-Based malware repository and social network.
  • Jul 9th, 2018

    Detection and Classification

  • Generic File Parser - A single library parser to extract meta information, perform static analysis and detect macros within files.
  • Jun 22nd, 2018

    Network

  • ngrepstars687 - Search through network traffic like grep.
  • Jun 9th, 2018

    Browser Malware

  • SWF Investigator - Static and dynamic analysis of SWF applications.

    Detection and Classification

  • Exeinfo PE - Packer, compressor detector, unpack info, internal exe tools.
  • Jun 2nd, 2018

    Detection and Classification

  • HashCheckstars1.4k - Windows shell extension to compute hashes with a variety of algorithms.
  • May 9th, 2018

    Open Source Threat Intelligence

    Tools

  • MalPipestars93 - Malware/IOC ingestion and processing engine, that enriches collected data.
  • Apr 25th, 2018

    Online Scanners and Sandboxes

  • any.run - Online interactive sandbox.
  • Apr 20th, 2018

    Open Source Threat Intelligence

    Tools

  • iocextractstars361 - Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.
  • Apr 4th, 2018

    Domain Analysis

  • urlscan.io - Free URL Scanner & domain information.
  • Mar 16th, 2018

    Malware Collection

    Honeypots

  • Honeytrapstars1.1k - Opensource system for running, monitoring and managing honeypots.
  • Mar 14th, 2018

    Malware Collection

    Malware Corpora

  • vduddu malware repo - Collection of various malware files and source code.

    Online Scanners and Sandboxes

  • sandboxapistars115 - Python library for building integrations with several open source and commercial malware sandboxes.
  • Mar 12th, 2018

    Malware Collection

    Malware Corpora

  • Infosec - CERT-PA - Malware samples collection and analysis.

    Open Source Threat Intelligence

    Other Resources

  • Infosec - CERT-PA lists (IPs - Domains - URLs) - Blocklist service.
  • Nov 28th, 2017

    Open Source Threat Intelligence

    Other Resources

  • OpenIOC - Framework for sharing threat intelligence.

    Memory Forensics

  • FindAES - Find AES encryption keys in memory.

    Miscellaneous

  • Malware Organiser - A simple tool to organise large malicious/benign files into an organised structure.

    Online Scanners and Sandboxes

  • SEKOIA Dropper Analysis - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
  • Nov 16th, 2017

    Online Scanners and Sandboxes

  • Intezer - Detect, analyze, and categorize malware by identifying code reuse and code similarities.
  • Oct 22nd, 2017

    Open Source Threat Intelligence

    Tools

  • Pulsedive - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
  • Oct 19th, 2017

    Network

  • Fiddler - Intercepting web proxy designed for "web debugging."
  • Oct 17th, 2017

    Related Awesome Lists

  • YARAstars2.3k
  • Sep 25th, 2017

    Online Scanners and Sandboxes

  • anlyz.io - Online sandbox.
  • Limonstars362 - Sandbox for Analyzing Linux Malware.
  • cuckoo-modified-apistars15 - A Python API used to control a cuckoo-modified sandbox.
  • detuxstars248 - A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs.
  • firmware.re - Unpacks, scans and analyzes almost any firmware package.
  • HaboMalHunterstars682 - An Automated Malware Analysis Tool for Linux ELF Files.
  • malsubstars347 - A Python RESTful API framework for online malware and URL analysis services.
  • Malware config - Extract, decode and display online the configuration settings from common malwares.

    Open Source Threat Intelligence

    Other Resources

  • ThreatMiner - Data mining portal for threat intelligence, with search.
  • Ransomware overview - A ransomware overview list with details, detection and prevention.

    Domain Analysis

  • badips.com - Community based IP blacklist service.
  • Cymon - Threat intelligence tracker, with IP/domain/hash search.
  • boomerangstars33 - A tool designed for consistent and safe capture of off network web resources.
  • Multi rbl - Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
  • NormShield Services - Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
  • Talos Intelligence - Search for IP, domain or network owner. (Previously SenderBase.)
  • Zscaler Zulu - Zulu URL Risk Analyzer.

    Other

  • Kernel Mode - An active community devoted to malware analysis and kernel development.

    Malware Collection

    Malware Corpora

  • Tracker h3x - Aggregator for malware corpus tracker and malicious download sites.
  • Malshare - Large repository of malware actively scraped from malicious sites.

    Detection and Classification

  • BinaryAlertstars1.3k - An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
  • ExifTool - Read, write and edit file metadata.

    Debugging and Reverse Engineering

  • Binary ninja - A reverse engineering platform that is an alternative to IDA.

    Network

  • CloudShark - Web-based tool for packet analysis and malware traffic detection.
  • PcapVizstars278 - Network topology and traffic visualizer.
  • Python ICAP Yarastars52 - An ICAP Server with yara scanner for URL or content.
  • Squidmagicstars73 - squidmagic is a tool designed to analyze a web-based network traffic to detect central command and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus.

    Memory Forensics

  • BlackLight - Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
  • inVtero.netstars258 - High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.

    Storage and Workflow

  • FAME - A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.

    Miscellaneous

  • FLARE VMstars4.1k - A fully customizable, Windows-based, security distribution for malware analysis.

    Books

  • Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software.
  • Practical Reverse Engineering - Intermediate Reverse Engineering.
  • Real Digital Forensics - Computer Security and Incident Response.

    Open Source Threat Intelligence

    Tools

  • RiskIQ - Research, connect, tag and share IPs and domains. (Was PassiveTotal.)

    Browser Malware

  • Firebug - Firefox extension for web development.
  • Sep 24th, 2017

    Malware Collection

    Malware Corpora

  • ViruSign - Malware database of samples detected by many anti-malware programs except ClamAV.
  • Aug 10th, 2017

    File Carving

  • SFlockstars73 - Nested archive extraction/unpacking (used in Cuckoo Sandbox).

    Network

  • HTTPReplaystars88 - Library for parsing and reading out PCAP files, including TLS streams using TLS Master Secrets (used in Cuckoo Sandbox).
  • Jul 18th, 2017

    Domain Analysis

  • Dig - Free online dig and other network tools.
  • Apr 8th, 2017

    Debugging and Reverse Engineering

  • Binwalkstars8.5k - Firmware analysis tool.
  • Mar 26th, 2017

    Malware Collection

    Honeypots

  • HoneyDrive - Honeypot bundle Linux distro.

    Storage and Workflow

  • Alephstars141 - Open Source Malware Analysis Pipeline System.
  • Mar 23rd, 2017

    Memory Forensics

  • WDBGARKstars519 - WinDBG Anti-RootKit Extension.
  • Dec 16th, 2016

    Malware Collection

    Malware Corpora

  • VX Vault - Active collection of malware samples.

    Open Source Threat Intelligence

    Other Resources

  • Cybercrime tracker - Multiple botnet active tracker.
  • Dec 15th, 2016

    Miscellaneous

  • Malware Museum - Collection of malware programs that were distributed in the 1980s and 1990s.
  • Dec 7th, 2016

    Related Awesome Lists

  • Forensicsstars2.1k
  • Nov 25th, 2016

    Detection and Classification

  • File Scanning Frameworkstars257 - Modular, recursive file scanning solution.
  • Nov 20th, 2016

    Storage and Workflow

  • stoQ - Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
  • Nov 16th, 2016

    Other

  • APT Notesstars1.4k - A collection of papers and notes related to Advanced Persistent Threats.
  • Nov 14th, 2016

    Documents and Shellcode

  • box-jsstars516 - A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
  • Nov 13th, 2016

    Debugging and Reverse Engineering

  • BAPstars1.7k - Multiplatform and open source (MIT) binary analysis framework developed at CMU's Cylab.

    Online Scanners and Sandboxes

  • Visualize_Logsstars131 - Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...)
  • Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.

    Books

  • The Rootkit Arsenal - The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System

    Storage and Workflow

  • Viper - A binary management and analysis framework for analysts and researchers.
  • Oct 10th, 2016

    Open Source Threat Intelligence

    Other Resources

  • Proofpoint Threat Intelligence - Rulesets and more. (Formerly Emerging Threats.)

    Online Scanners and Sandboxes

  • ProcDot - A graphical malware analysis tool kit.
  • Sep 29th, 2016

    Malware Collection

    Malware Corpora

  • Ragpickerstars81 - Plugin based malware crawler with pre-analysis and reporting functionalities.
  • Sep 11th, 2016

    Open Source Threat Intelligence

    Tools

  • Fileintelstars101 - Pull intelligence per file hash.
  • Hostintelstars233 - Pull intelligence per host.
  • Aug 28th, 2016

    Open Source Threat Intelligence

    Other Resources

  • Critical Stack - Free Intel Market - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.

    Domain Analysis

  • URLQuery - Free URL Scanner.
  • Aug 21st, 2016

    Domain Analysis

  • TekDefense Automater - OSINT tool for gathering information about URLs, IPs, or hashes.
  • Jul 30th, 2016

    Open Source Threat Intelligence

    Other Resources

  • Bambenek Consulting Feeds - OSINT feeds based on malicious DGA algorithms.
  • Fidelis Barncat - Extensive malware config database (must request access).
  • Jul 1st, 2016

    Open Source Threat Intelligence

    Other Resources

  • Autoshun (list) - Snort plugin and blocklist.

    Online Scanners and Sandboxes

  • Joe Sandbox - Deep malware analysis with Joe Sandbox.
  • NetworkTotal - A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.

    Documents and Shellcode

  • QuickSand - QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.

    Deobfuscation

  • FLOSSstars2.4k - The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
  • unpackerstars105 - Automated malware unpacker for Windows malware based on WinAppDbg.

    Debugging and Reverse Engineering

  • bamfdetectstars146 - Identifies and extracts information from bots and other malware.

    Memory Forensics

  • WinDbg - Live memory inspection and kernel debugging for Windows systems.

    Storage and Workflow

  • Polichombrstars339 - A malware analysis platform designed to help analysts to reverse malwares collaboratively.

    Miscellaneous

  • al-khaserstars4.2k - A PoC malware with good intentions that aims to stress anti-malware systems.
  • MalSploitBasestars493 - A database containing exploits used by malware.
  • Jun 5th, 2016

    Malware Collection

    Malware Corpora

  • Open Malware Project - Sample information and downloads. Formerly Offensive Computing.

    Related Awesome Lists

  • Industrial Control System Securitystars1.1k
  • Threat Intelligencestars5.4k
  • May 26th, 2016

    Open Source Threat Intelligence

    Tools

  • AlienVault Open Threat Exchange - Share and collaborate in developing Threat Intelligence.
  • AbuseHelperstars106 - An open-source framework for receiving and redistributing abuse feeds and threat intel.
  • ThreatTrackerstars59 - A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.

    Online Scanners and Sandboxes

  • AndroTotal - Free online analysis of APKs against multiple mobile antivirus apps.

    Domain Analysis

  • MaltegoVTstars72 - Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.

    Malware Collection

    Honeypots

  • Glastopfstars476 - Web application honeypot.
  • May 18th, 2016

    Network

  • Haka - An open source security oriented language for describing protocols and applying security policies on (live) captured traffic.

    Other

  • Practical Malware Analysis Starter Kit - This package contains most of the software referenced in the Practical Malware Analysis book.
  • Apr 17th, 2016

    Open Source Threat Intelligence

    Tools

  • IntelMQ - A tool for CERTs for processing incident data using a message queue.

    Domain Analysis

  • dnstwiststars3.5k - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
  • mailcheckerstars1.4k - Cross-language temporary email detection library.

    Browser Malware

  • Krakataustars1.6k - Java decompiler, assembler, and disassembler.

    Memory Forensics

  • evolvestars248 - Web interface for the Volatility Memory Forensics Framework.
  • VolUtilitystars341 - Web Interface for Volatility Memory Analysis framework.

    Other

  • File Formats postersstars5.9k - Nice visualization of commonly used file format (including PE & ELF).
  • Apr 16th, 2016

    Network

  • Laika BOSSstars700 - Laika BOSS is a file-centric malware analysis and intrusion detection system.
  • Apr 12th, 2016

    Domain Analysis

  • Whois - DomainTools free online whois search.

    Documents and Shellcode

  • PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.

    Deobfuscation

  • XORSearch & XORStrings - A couple programs from Didier Stevens for finding XORed data.
  • Mar 31st, 2016

    Open Source Threat Intelligence

    Other Resources

  • FireHOL IP Lists - Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps.
  • Mar 21st, 2016

    Malware Collection

    Malware Corpora

  • VirusShare - Malware repository, registration required.

    Domain Analysis

  • SpamHaus - Block list based on domains and IPs.

    Documents and Shellcode

  • Origami PDF - A tool for analyzing malicious PDFs, and more.
  • Mar 16th, 2016

    Domain Analysis

  • Machinaestars477 - OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automater.
  • Feb 27th, 2016

    Related Awesome Lists

  • Incident-Responsestars5.4k
  • Jan 22nd, 2016

    Other

  • Malware Samples and Traffic - This blog focuses on network traffic related to malware infections.
  • RPISEC Malware Analysisstars3.2k - These are the course materials used in the Malware Analysis course at Rensselaer Polytechnic Institute during Fall 2015.
  • Jan 21st, 2016

    Online Scanners and Sandboxes

  • SEEstars789 - Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.

    Network

  • Maltrailstars4.7k - A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring a reporting and analysis interface.

    Malware Collection

    Honeypots

  • Cowriestars42 - SSH honeypot, based on Kippo.
  • Dec 29th, 2015

    Open Source Threat Intelligence

    Tools

  • PyIOCestars15 - A Python OpenIOC editor.
  • IOC Editor - A free editor for XML IOC files.

    Malware Collection

    Honeypots

  • Honeyd - Create a virtual honeynet.

    Open Source Threat Intelligence

    Other Resources

  • CI Army (list) - Network security blocklists.
  • Dec 28th, 2015

    Open Source Threat Intelligence

    Other Resources

  • STIX - Structured Threat Information eXpression - Standardized language to represent and share cyber threat information. Related efforts from MITRE:

    Windows Artifacts

  • RegRipper (GitHub) - Plugin-based registry analysis tool.

    Deobfuscation

  • PackerAttackerstars247 - A generic hidden code extractor for Windows malware.
  • VirtualDeobfuscatorstars95 - Reverse engineering tool for virtualization wrappers.

    Network

  • BroYarastars31 - Use Yara rules from Bro.

    Debugging and Reverse Engineering

  • BARFstars1.3k - Multiplatform, open source Binary Analysis and Reverse engineering Framework.
  • Capstonestars5.9k - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
  • angrstars6.1k - Platform-agnostic binary analysis framework developed at UCSB's Seclab.
  • codebrostars40 - Web based code browser using
  • binnavistars2.8k - Binary analysis IDE for reverse engineering based on graph visualization.
  • Nov 14th, 2015

    Online Scanners and Sandboxes

  • DeepViz - Multi-format file analyzer with machine-learning classification.
  • Jotti - Free online multi-AV scanner.

    Malware Collection

    Honeypots

  • Conpotstars1k - ICS/SCADA honeypot.

    Detection and Classification

  • ClamAV - Open source antivirus engine.

    Browser Malware

  • jsunpack-nstars146 - A javascript unpacker that emulates browser functionality.

    Other

  • Malware Analysis Search - Custom Google search engine from Corey Harrell.
  • Oct 2nd, 2015

    Detection and Classification

  • Malfunctionstars186 - Catalog and compare malware at a function level.
  • Oct 1st, 2015

    Related Awesome Lists

  • AppSecstars5.1k
  • Sep 25th, 2015

    Related Awesome Lists

  • Infosecstars4.1k
  • Sep 22nd, 2015

    Other

  • /r/csirt_tools - Subreddit for CSIRT tools and resources, with a malware analysis flair.

    Miscellaneous

  • Pafishstars2.4k - Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.

    Deobfuscation

  • de4dotstars6k - .NET deobfuscator and unpacker.

    Windows Artifacts

  • AChoirstars159 - A live incident response script for gathering Windows artifacts.

    Detection and Classification

  • Lokistars2.6k - Host based scanner for IOCs.

    Malware Collection

    Malware Corpora

  • theZoostars9k - Live malware samples for analysts.

    Online Scanners and Sandboxes

  • IRMA - An asynchronous and customizable analysis platform for suspicious files.
  • PDF Examiner - Analyse suspicious PDF files.
  • Cryptam - Analyze suspicious office documents.
  • cuckoo-modifiedstars259 - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.

    Open Source Threat Intelligence

    Other Resources

  • threatRECON - Search for indicators, up to 1000 free per month.
  • Yara rulesstars3.2k - Yara rules repository.

    Domain Analysis

  • SpamCop - IP based spam block list.
  • Desenmascara.me - One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • Sucuri SiteCheck - Free Website Malware and Security Scanner.

    Open Source Threat Intelligence

    Tools

  • Massive Octo Spicestars224 - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • ThreatCrowd - A search engine for threats, with graphical visualization.

    Related Awesome Lists

  • CTFsstars7.3k
  • "Hacking"stars8.9k
  • Honeypotsstars6.3k
  • PCAP Toolsstars2.6k

    Network

  • CapTipperstars676 - Malicious HTTP traffic explorer.
  • May 18th, 2015

    Memory Forensics

  • VolDiffstars184 - Run Volatility on memory images before and after malware execution, and report changes.

    Online Scanners and Sandboxes

  • AVCaesar - Malware.lu online scanner and malware repository.

    Open Source Threat Intelligence

    Tools

  • MISPstars4k - Malware Information Sharing Platform curated by The MISP Project.
  • May 17th, 2015

    Storage and Workflow

  • CRITs - Collaborative Research Into Threats, a malware and threat repository.

    Network

  • chopshopstars466 - Protocol analysis and decoding framework.
  • Molochstars5.3k - IPv4 traffic capturing, indexing and database system.

    Open Source Threat Intelligence

    Tools

  • Combinestars627 - Tool to gather Threat Intelligence indicators from publicly available sources.
  • TIQ-teststars158 - Data visualization and statistical analysis of Threat Intelligence feeds.

    Miscellaneous

  • DC3-MWCPstars225 - The Defense Cyber Crime Center's Malware Configuration Parser framework.

    Online Scanners and Sandboxes

  • Hybrid Analysis - Online malware analysis tool, powered by VxSandbox.
  • May 15th, 2015

    Miscellaneous

  • Santoku Linux - Linux distribution for mobile forensics, malware analysis, and security.

    Online Scanners and Sandboxes

  • Malheurstars336 - Automatic sandboxed analysis of malware behavior.
  • Noribenstars914 - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  • DRAKVUFstars815 - Dynamic malware analysis system.
  • Malwr - Free analysis with an online Cuckoo Sandbox instance.

    Network

  • Bro - Protocol analyzer that operates at incredible scale; both file and network protocols.
  • Halestars168 - Botnet C&C monitor.

    Open Source Threat Intelligence

    Tools

  • ioc_writerstars182 - Python library for working with OpenIOC objects, from Mandiant.
  • threataggregatorstars73 - Aggregates security threats from a number of sources, including some of those listed below in other resources.

    Open Source Threat Intelligence

    Other Resources

  • FireEye IOCsstars438 - Indicators of Compromise shared publicly by FireEye.

    Malware Collection

    Malware Corpora

  • Zeus Source Codestars1.2k - Source for the Zeus trojan leaked in 2011.

    Thanks

  • Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list;
  • Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard for writing the Malware Analyst's Cookbook, which was a big inspiration for creating the list;
  • And everyone else who has sent pull requests or suggested links to add here!

    Deobfuscation

  • Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
  • ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • unxorstars124 - Guess XOR keys using known-plaintext attacks.
  • xortoolstars1.1k - Guess XOR key length, as well as the key itself.
  • NoMoreXORstars74 - Guess a 256 byte XOR key using frequency analysis.
  • May 9th, 2015

    Online Scanners and Sandboxes

  • Recomposerstars126 - A helper script for safely uploading binaries to sandbox sites.
  • Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.
  • VirusTotal - Free online analysis of malware samples and URLs.

    File Carving

  • EVTXtractstars153 - Carve Windows Event Log files from raw binary data.
  • bulk_extractorstars702 - Fast file carving tool.
  • Foremost - File carving tool designed by the US Air Force.
  • Scalpelstars515 - Another data carving tool.

    Windows Artifacts

  • python-evtstars35 - Python library for parsing Windows Event Logs.
  • python-registry - Python library for parsing registry files.

    Other

  • WindowsIR: Malware - Harlan Carvey's page on Malware.
  • Honeynet Project - Honeypot tools, papers, and other resources.
  • Malicious Software - Malware blog and resources by Lenny Zeltser.
  • /r/Malware - The malware subreddit.
  • /r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.

    Storage and Workflow

  • Malwarehousestars124 - Store, tag, and search malware.

    Malware Collection

    Honeypots

  • Mnemosynestars41 - A normalizer for honeypot data; supports Dionaea.
  • Thug - Low interaction honeyclient, for investigating malicious websites.

    Memory Forensics

  • Muninnstars46 - A script to automate portions of analysis using Volatility, and create a readable report.
  • DAMMstars201 - Differential Analysis of Malware in Memory, built on Volatility.
  • Rekall - Memory analysis framework, forked from Volatility in 2013.
  • TotalRecallstars46 - Script based on Volatility for automating various malware analysis tasks.
  • Volatilitystars5.6k - Advanced memory forensics framework.

    Network

  • Malcomstars1.1k - Malware Communications Analyzer.
  • INetSim - Network service emulation, useful when building a malware lab.
  • mitmproxy - Intercept network traffic on the fly.
  • NetworkMiner - Network forensic analysis tool, with a free version.
  • Tcpdump - Collect network traffic.
  • tcpick - Track and reassemble TCP streams from network traffic.
  • tcpxtract - Extract files from network traffic.
  • Wireshark - The network traffic analysis tool.

    Documents and Shellcode

  • olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
  • JS Beautifier - JavaScript unpacking and deobfuscation.
  • peepdf - Python tool for exploring possibly malicious PDFs.
  • PDF X-Ray Litestars33 - A PDF analysis tool, the backend-free version of PDF X-RAY.
  • malpdfobjstars47 - Deconstruct malicious PDFs into a JSON representation.
  • diStorm - Disassembler for analyzing malicious shellcode.
  • libemu - Library and tools for x86 shellcode emulation.
  • OfficeMalScanner - Scan for malicious traces in MS Office documents.
  • AnalyzePDFstars156 - A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.

    Open Source Threat Intelligence

    Other Resources

  • hpfeedsstars200 - Honeypot feed protocol.
  • Internet Storm Center (DShield) - Diary and searchable incident database, with a web API. (unofficial Python librarystars22).
  • malc0de - Searchable incident database.
  • Malware Domain List - Search and share malicious URLs.
  • ZeuS Tracker - ZeuS blocklists.

    Browser Malware

  • JSDetox - JavaScript malware analysis tool.
  • Java Decompiler - Decompile and inspect Java apps.
  • Java IDX Parser