Online Scanners and Sandboxes / Other Resources

• filescan.io - Static malware analysis, VBA/Powershell/VBS/JS Emulation

Other / Other Resources

• Executable Packing (⭐1.1k)

Malware Collection / Honeypots

• HoneyDrive - Honeypot bundle Linux distro.

Malware Collection / Malware Corpora

• Clean MX - Realtime database of malware and malicious domains.

Detection and Classification / Other Resources

• packerid (⭐41) - A cross-platform Python alternative to PEiD.

Debugging and Reverse Engineering / Other Resources

• Qiling Framework - Cross platform emulation and sanboxing framework with instruments for binary analysis.

Detection and Classification / Other Resources

• Assemblyline - A scalable file triage and malware analysis system integrating the cyber security community's best tools..

Malware Collection / Malware Corpora

• VX Underground - Massive and growing collection of free malware samples.

Detection and Classification / Other Resources

• fn2yara (⭐1.5k) - FN2Yara is a tool to generate Yara signatures for matching functions (code) in an executable program.

Browser Malware / Other Resources

• Bytecode Viewer (⭐14k) - Combines multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support.

Deobfuscation / Other Resources

• PyInstaller Extractor (⭐2.6k) - A Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it.

• uncompyle6 (⭐3.6k) - A cross-version Python bytecode decompiler. Translates Python bytecode back into equivalent Python source code.

Debugging and Reverse Engineering / Other Resources

• OllyDumpEx - Dump memory from (unpacked) malware Windows process and store raw or rebuild PE file. This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg.

• Scylla Imports Reconstructor (⭐1k) - Find and fix the IAT of an unpacked / dumped PE32 malware.

• ScyllaHide (⭐3.3k) - An Anti-Anti-Debug library and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine.

Miscellaneous / Other Resources

• Tsurugi Linux - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.

Detection and Classification / Other Resources

• capa (⭐4k) - Detects capabilities in executable files.

Open Source Threat Intelligence / Other Resources

• ThreatShare - C2 panel tracker

Debugging and Reverse Engineering / Other Resources

• BluePill (⭐118) - Framework for executing and debugging evasive malware and protected executables.

Other / Other Resources

• Malware Persistence (⭐160) - Collection of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools).

Detection and Classification / Other Resources

• PEframe (⭐599) - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.

Malware Collection / Honeypots

• MHN (⭐2.4k) - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.

Domain Analysis / Other Resources

• Spyse - subdomains, whois, realted domains, DNS, hosts AS, SSL/TLS info,

Debugging and Reverse Engineering / Other Resources

• StringSifter (⭐659) - A machine learning tool that automatically ranks strings based on their relevance for malware analysis.

Malware Collection / Malware Corpora

• Javascript Mallware Collection (⭐653) - Collection of almost 40.000 javascript malware samples

Detection and Classification / Other Resources

• Quark-Engine (⭐1.3k) - An Obfuscation-Neglect Android Malware Scoring System

Malware Collection / Malware Corpora

• InQuest Labs - Evergrowing searchable corpus of malicious Microsoft documents.

Open Source Threat Intelligence / Other Resources

• InQuest REPdb - Continuous aggregation of IOCs from a variety of open reputation sources.

• InQuest IOCdb - Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter.

Domain Analysis / Other Resources

• AbuseIPDB - AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.

Documents and Shellcode / Other Resources

• InQuest Deep File Inspection - Upload common malware lures for Deep File Inspection and heuristical analysis.

Debugging and Reverse Engineering / Other Resources

• Ghidra (⭐49k) - A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.

Books / Other Resources

• Mastering Malware Analysis - Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercime, and IoT attacks

Detection and Classification / Other Resources

• Nauz File Detector(NFD) (⭐497) - Linker/Compiler/Tool detector for Windows, Linux and MacOS.

Books / Other Resources

• Learning Malware Analysis - Learning Malware Analysis: Explore the concepts, tools, and techniques to analuze and investigate Windows malware

• Mastering Reverse Engineering - Mastering Reverse Engineering: Re-engineer your ethical hacking skills

Open Source Threat Intelligence / Tools

• ThreatConnect - TC Open allows you to see and share open source threat data, with support and validation from our free community.

Domain Analysis / Other Resources

• URLhaus - A project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.

Detection and Classification / Other Resources

• PortEx (⭐494) - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.

Network / Other Resources

• FakeNet-NG (⭐1.7k) - Next generation dynamic network analysis tool.

Online Scanners and Sandboxes / Other Resources

• BoomBox (⭐231) - Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant.

Online Scanners and Sandboxes / Other Resources

• MalwareAnalyser.io - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.

Network / Other Resources

• Malcolm (⭐327) - Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.

Books / Other Resources

• Rootkits and Bootkits - Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats

Open Source Threat Intelligence / Tools

• ThreatIngestor (⭐801) - Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.

Malware Collection / Honeypots

• Cowrie (⭐5k) - SSH honeypot, based on Kippo.

• DemoHunter (⭐58) - Low interaction Distributed Honeypots.

• Dionaea (⭐688) - Honeypot designed to trap malware.

Open Source Threat Intelligence / Other Resources

• SystemLookup - SystemLookup hosts a collection of lists that provide information on the components of legitimate and potentially unwanted programs.

• YETI (⭐1.7k) - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.

Online Scanners and Sandboxes / Other Resources

• PacketTotal - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.

Other / Other Resources

• Ember (⭐905) - Endgame Malware BEnchmark for Research, a repository that makes it easy to (re)create a machine learning model that can be used to predict a score for a PE file based on static analysis.

• Malware Search+++ Firefox extension allows you to easily search some of the most popular malware databases

Other / Other Resources

• Malware Analysis, Threat Intelligence and Reverse Engineering - Presentation introducing the concepts of malware analysis, threat intelligence and reverse engineering. Experience or prior knowledge is not required. Labs link in description.

• Windows Registry specification (⭐312) - Windows registry file format specification.

Domain Analysis / Other Resources

• SecurityTrails - Historical and current WHOIS, historical and current DNS records, similar domains, certificate information and other domain and IP related API and tools.

Deobfuscation / Other Resources

• un{i}packer (⭐623) - Automatic and platform-independent unpacker for Windows binaries based on emulation.

Online Scanners and Sandboxes / Other Resources

• MetaDefender Cloud - Scan a file, hash, IP, URL or domain address for malware for free.

Debugging and Reverse Engineering / Other Resources

• IDR (⭐916) - Interactive Delphi Reconstructor is a decompiler of Delphi executable files and dynamic libraries.

Open Source Threat Intelligence / Other Resources

• MetaDefender Threat Intelligence Feed - List of the most looked up file hashes from MetaDefender Cloud.

Open Source Threat Intelligence / Other Resources

• HoneyDB - Community driven honeypot sensor data collection and aggregation.

Debugging and Reverse Engineering / Other Resources

• mac-a-mal (⭐82) - An automated framework for mac malware hunting.

Miscellaneous / Other Resources

• CryptoKnight (⭐38) - Automated cryptographic algorithm reverse engineering and classification framework.

Domain Analysis / Other Resources

• PhishStats - Phishing Statistics with search for IP, domain and website title

Malware Collection / Malware Corpora

• Malpedia - A resource providing rapid identification and actionable context for malware investigations.

Debugging and Reverse Engineering / Other Resources

• Cutter - GUI for Radare2.

Detection and Classification / Other Resources

• Yara Finder (⭐0) - A simple tool to yara match the file against various yara rules to find the indicators of suspicion.

Online Scanners and Sandboxes / Other Resources

• malice.io (⭐1.6k) - Massively scalable malware analysis framework.

Malware Collection / Malware Corpora

• VirusBay - Community-Based malware repository and social network.

Detection and Classification / Other Resources

• Generic File Parser (⭐0) - A Single Library Parser to extract meta information,static analysis and detect macros within the files.

Detection and Classification / Other Resources

• Exeinfo PE - Packer, compressor detector, unpack info, internal exe tools.

• PE-bear - Reversing tool for PE files.

Browser Malware / Other Resources

• SWF Investigator - Static and dynamic analysis of SWF applications.

Debugging and Reverse Engineering / Other Resources

• dotPeek - Free .NET Decompiler and Assembly Browser.

Detection and Classification / Other Resources

• HashCheck (⭐1.7k) - Windows shell extension to compute hashes with a variety of algorithms.

Open Source Threat Intelligence / Tools

• MalPipe (⭐102) - Malware/IOC ingestion and processing engine, that enriches collected data.

Online Scanners and Sandboxes / Other Resources

• any.run - Online interactive sandbox.

Open Source Threat Intelligence / Tools

• iocextract (⭐495) - Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.

Domain Analysis / Other Resources

• urlscan.io - Free URL Scanner & domain information.

Malware Collection / Honeypots

• Honeytrap (⭐1.2k) - Opensource system for running, monitoring and managing honeypots.

Malware Collection / Malware Corpora

• vduddu malware repo - Collection of various malware files and source code.

Online Scanners and Sandboxes / Other Resources

• sandboxapi (⭐132) - Python library for building integrations with several open source and commercial malware sandboxes.

Detection and Classification / Other Resources

• Manalyze (⭐997) - Static analyzer for PE executables.

Malware Collection / Malware Corpora

• Infosec - CERT-PA - Malware samples collection and analysis.

Open Source Threat Intelligence / Other Resources

• Infosec - CERT-PA lists (IPs - Domains - URLs) - Blocklist service.

Open Source Threat Intelligence / Other Resources

• OpenIOC - Framework for sharing threat intelligence.

Online Scanners and Sandboxes / Other Resources

• SEKOIA Dropper Analysis - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).

File Carving / Other Resources

• hachoir3 (⭐593) - Hachoir is a Python library to view and edit a binary stream field by field.

Miscellaneous / Other Resources

• Malware Organiser (⭐0) - A simple tool to organise large malicious/benign files into a organised Structure.

Online Scanners and Sandboxes / Other Resources

• Intezer - Detect, analyze, and categorize malware by identifying code reuse and code similarities.

Debugging and Reverse Engineering / Other Resources

• Pharos (⭐1.5k) - The Pharos binary analysis framework can be used to perform automated static analysis of binaries.

Open Source Threat Intelligence / Tools

• Pulsedive - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.

Debugging and Reverse Engineering / Other Resources

• Hopper - The macOS and Linux Disassembler.

• ILSpy - ILSpy is the open-source .NET assembly browser and decompiler.

• WinDbg - multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.

Other / Other Resources

• YARA (⭐3.4k)

Debugging and Reverse Engineering / Other Resources

• codebro (⭐42) - Web based code browser using  clang to provide basic code analysis.

• DECAF (Dynamic Executable Code Analysis Framework) (⭐794) - A binary analysis platform based   on QEMU. DroidScope is now an extension to DECAF.

Open Source Threat Intelligence / Tools

• Massive Octo Spice (⭐228) - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.

• RiskIQ - Research, connect, tag and share IPs and domains. (Was PassiveTotal.)

Open Source Threat Intelligence / Other Resources

• ThreatMiner - Data mining portal for threat intelligence, with search.

Detection and Classification / Other Resources

• BinaryAlert (⭐1.4k) - An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.

• ssdeep - Compute fuzzy hashes.

• totalhash.py - Python script for easy searching of the TotalHash.cymru.com database.

Online Scanners and Sandboxes / Other Resources

• anlyz.io - Online sandbox.

• cuckoo-modified-api (⭐19) - A Python API used to control a cuckoo-modified sandbox.

• detux (⭐257) - A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs.

• firmware.re - Unpacks, scans and analyzes almost any firmware package.

• HaboMalHunter (⭐725) - An Automated Malware Analysis Tool for Linux ELF Files.

• Limon (⭐384) - Sandbox for Analyzing Linux Malware.

• malsub (⭐363) - A Python RESTful API framework for online malware and URL analysis services.

• Visualize_Logs (⭐136) - Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...)

Domain Analysis / Other Resources

• badips.com - Community based IP blacklist service.

• boomerang (⭐34) - A tool designed for consistent and safe capture of off network web resources.

• Cymon - Threat intelligence tracker, with IP/domain/hash search.

• Talos Intelligence - Search for IP, domain or network owner. (Previously SenderBase.)

• ZScalar Zulu - Zulu URL Risk Analyzer.

Browser Malware / Other Resources

• Firebug - Firefox extension for web development.

Debugging and Reverse Engineering / Other Resources

• Binary ninja - A reversing engineering platform that is an alternative to IDA.

• PANDA (⭐102) - Platform for Architecture-Neutral Dynamic Analysis.

• plasma (⭐3k) - Interactive disassembler for x86/ARM/MIPS.

• Process Hacker - Tool that monitors system resources.

• PyREBox (⭐1.6k) - Python scriptable reverse engineering sandbox by the Talos team at Cisco.

• QKD (⭐50) - QEMU with embedded WinDbg server for stealth debugging.

• RegShot - Registry compare utility that compares snapshots.

Network / Other Resources

• PcapViz (⭐328) - Network topology and traffic visualizer.

• Python ICAP Yara (⭐56) - An ICAP Server with yara scanner for URL or content.

• Squidmagic (⭐75) - squidmagic is a tool designed to analyze a web-based network traffic to detect central command and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus.

Memory Forensics / Other Resources

• BlackLight - Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.

• DAMM (⭐209) - Differential Analysis of Malware in Memory, built on Volatility.

• inVtero.net (⭐276) - High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.

Storage and Workflow / Other Resources

• FAME - A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.

Books / Other Resources

• Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software.

• Practical Reverse Engineering - Intermediate Reverse Engineering.

• Real Digital Forensics - Computer Security and Incident Response.

Other / Other Resources

• Kernel Mode - An active community devoted to malware analysis and kernel development.

File Carving / Other Resources

• SFlock (⭐81) - Nested archive extraction/unpacking (used in Cuckoo Sandbox).

Network / Other Resources

• HTTPReplay (⭐94) - Library for parsing and reading out PCAP files, including TLS streams using TLS Master Secrets (used in Cuckoo Sandbox).

Miscellaneous / Other Resources

• FLARE VM (⭐6.1k) - A fully customizable, Windows-based, security distribution for malware analysis.

Domain Analysis / Other Resources

• NormShield Services - Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.

Debugging and Reverse Engineering / Other Resources

• Binwalk (⭐10k) - Firmware analysis tool.

• LIEF - LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.

Debugging and Reverse Engineering / Other Resources

• Triton - A dynamic binary analysis (DBA) framework.

Memory Forensics / Other Resources

• WDBGARK (⭐610) - WinDBG Anti-RootKit Extension.

Network / Other Resources

• CloudShark - Web-based tool for packet analysis and malware traffic detection.

Debugging and Reverse Engineering / Other Resources

• Kaitai Struct - DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.

Malware Collection / Malware Corpora

• Tracker h3x - Agregator for malware corpus tracker and malicious download sites.

• VX Vault - Active collection of malware samples.

Open Source Threat Intelligence / Other Resources

• Cybercrime tracker - Multiple botnet active tracker.

Online Scanners and Sandboxes / Other Resources

• Malware config - Extract, decode and display online the configuration settings from common malwares.

Domain Analysis / Other Resources

• Multi rbl - Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.

Open Source Threat Intelligence / Other Resources

• Ransomware overview - A list of ransomware overview with details, detection and prevention.

Miscellaneous / Other Resources

• Malware Museum - Collection of malware programs that were distributed in the 1980s and 1990s.

Other / Other Resources

• Forensics (⭐3.7k)

Detection and Classification / Other Resources

• File Scanning Framework (⭐283) - Modular, recursive file scanning solution.

Storage and Workflow / Other Resources

• stoQ - Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.

Documents and Shellcode / Other Resources

• box-js (⭐606) - A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.

Debugging and Reverse Engineering / Other Resources

• BAP (⭐2k) - Multiplatform and open source (MIT) binary analysis framework developed at CMU's Cylab.

• FPort - Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.

• Process Explorer - Advanced task manager for Windows.

• PSTools - Windows command-line tools that help manage and investigate live systems.

Books / Other Resources

• The Rootkit Arsenal - The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System

Open Source Threat Intelligence / Other Resources

• Proofpoint Threat Intelligence - Rulesets and more. (Formerly Emerging Threats.)

Online Scanners and Sandboxes / Other Resources

• ProcDot - A graphical malware analysis tool kit.

Malware Collection / Malware Corpora

• Ragpicker (⭐91) - Plugin based malware crawler with pre-analysis and reporting functionalities

Open Source Threat Intelligence / Tools

• Fileintel (⭐115) - Pull intelligence per file hash.

• Hostintel (⭐258) - Pull intelligence per host.

Domain Analysis / Other Resources

• URLQuery - Free URL Scanner.

Debugging and Reverse Engineering / Other Resources

• RetDec - Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.

Open Source Threat Intelligence / Other Resources

• Bambenek Consulting Feeds - OSINT feeds based on malicious DGA algorithms.

• Fidelis Barncat - Extensive malware config database (must request access).

Online Scanners and Sandboxes / Other Resources

• Joe Sandbox - Deep malware analysis with Joe Sandbox.

Memory Forensics / Other Resources

• WinDbg - Live memory inspection and kernel debugging for Windows systems.

Online Scanners and Sandboxes / Other Resources

• NetworkTotal - A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.

Documents and Shellcode / Other Resources

• QuickSand - QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.

Deobfuscation / Other Resources

• FLOSS (⭐3.1k) - The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.

• unpacker (⭐117) - Automated malware unpacker for Windows malware based on WinAppDbg.

Debugging and Reverse Engineering / Other Resources

• bamfdetect - Identifies and extracts information from bots and other malware.

Storage and Workflow / Other Resources

• Polichombr (⭐373) - A malware analysis platform designed to help analysts to reverse malwares collaboratively.

Miscellaneous / Other Resources

• al-khaser (⭐5.6k) - A PoC malware with good intentions that aimes to stress anti-malware systems.

• MalSploitBase (⭐531) - A database containing exploits used by malware.

Other / Other Resources

• Industrial Control System Security (⭐1.6k)

• Threat Intelligence (⭐7.6k)

Debugging and Reverse Engineering / Other Resources

• ROPMEMU (⭐281) - A framework to analyze, dissect and decompile complex code-reuse attacks.

Malware Collection / Honeypots

• Glastopf (⭐541) - Web application honeypot.

Open Source Threat Intelligence / Tools

• AbuseHelper (⭐113) - An open-source framework for receiving and redistributing abuse feeds and threat intel.

• AlienVault Open Threat Exchange - Share and collaborate in developing Threat Intelligence.

Detection and Classification / Other Resources

• Detect It Easy(DiE) (⭐6.9k) - A program for determining types of files.

Domain Analysis / Other Resources

• MaltegoVT (⭐77) - Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.

Debugging and Reverse Engineering / Other Resources

• Fibratus (⭐2.1k) - Tool for exploration and tracing of the Windows kernel.

• PPEE (puppy) - A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.

Domain Analysis / Other Resources

• dnstwist (⭐4.7k) - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.

• mailchecker (⭐1.6k) - Cross-language temporary email detection library.

Browser Malware / Other Resources

• Krakatau (⭐2k) - Java decompiler, assembler, and disassembler.

Network / Other Resources

• Haka - An open source security oriented language for describing protocols and applying security policies on (live) captured traffic.

Memory Forensics / Other Resources

• evolve (⭐259) - Web interface for the Volatility Memory Forensics Framework.

• VolUtility (⭐375) - Web Interface for Volatility Memory Analysis framework.

Other / Other Resources

• File Formats posters (⭐10k) - Nice visualization of commonly used file format (including PE & ELF).

• Malware Analysis Tutorials - The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning practical malware analysis.

• Practical Malware Analysis Starter Kit - This package contains most of the software referenced in the Practical Malware Analysis book.

Malware Collection / Malware Corpora

• VirusShare - Malware repository, registration required.

Network / Other Resources

• Laika BOSS (⭐723) - Laika BOSS is a file-centric malware analysis and intrusion detection system.

Open Source Threat Intelligence / Other Resources

• FireHOL IP Lists - Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps.

Domain Analysis / Other Resources

• Machinae (⭐499) - OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.

• TekDefense Automater - OSINT tool for gathering information about URLs, IPs, or hashes.

Other / Other Resources

• Incident-Response (⭐7.3k)

Other / Other Resources

• Malware Samples and Traffic - This blog focuses on network traffic related to malware infections.

• RPISEC Malware Analysis (⭐3.7k) - These are the course materials used in the Malware Analysis course at at Rensselaer Polytechnic Institute during Fall 2015.

Online Scanners and Sandboxes / Other Resources

• SEE (⭐809) - Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.

Malware Collection / Honeypots

• Honeyd - Create a virtual honeynet.

Open Source Threat Intelligence / Tools

• IOC Editor - A free editor for XML IOC files.

• PyIOCe (⭐16) - A Python OpenIOC editor.

Open Source Threat Intelligence / Tools

• ThreatTracker (⭐64) - A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.

Open Source Threat Intelligence / Other Resources

• Autoshun (list) - Snort plugin and blocklist.

• STIX - Structured Threat Information eXpression - Standardized language to represent and share cyber threat information. Related efforts from MITRE:
  • CAPEC - Common Attack Pattern Enumeration and Classification
  • CybOX - Cyber Observables eXpression
  • MAEC - Malware Attribute Enumeration and Characterization
  • TAXII - Trusted Automated eXchange of Indicator Information

Deobfuscation / Other Resources

• PackerAttacker (⭐263) - A generic hidden code extractor for Windows malware.

• VirtualDeobfuscator (⭐128) - Reverse engineering tool for virtualization wrappers.

Debugging and Reverse Engineering / Other Resources

• angr (⭐7.3k) - Platform-agnostic binary analysis framework developed at UCSB's Seclab.

• BARF (⭐1.4k) - Multiplatform, open source Binary Analysis and Reverse engineering Framework.

• binnavi (⭐2.9k) - Binary analysis IDE for reverse engineering based on graph visualization.

• Capstone (⭐7.2k) - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.

• GEF (⭐6.7k) - GDB Enhanced Features, for exploiters and reverse engineers.

• PEDA (⭐5.8k) - Python Exploit Development Assistance for GDB, an enhanced display with added commands.

• SMRT (⭐64) - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.

Network / Other Resources

• BroYara (⭐31) - Use Yara rules from Bro.

Network / Other Resources

• Maltrail (⭐5.9k) - A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring an reporting and analysis interface.

Malware Collection / Honeypots

• Conpot (⭐1.2k) - ICS/SCADA honeypot.

Detection and Classification / Other Resources

• ClamAV - Open source antivirus engine.

Online Scanners and Sandboxes / Other Resources

• DeepViz - Multi-format file analyzer with machine-learning classification.

• Jotti - Free online multi-AV scanner.

Online Scanners and Sandboxes / Other Resources

• AndroTotal - Free online analysis of APKs against multiple mobile antivirus apps.

Debugging and Reverse Engineering / Other Resources

• X64dbg - An open-source x64/x32 debugger for windows.

Detection and Classification / Other Resources

• Malfunction (⭐191) - Catalog and compare malware at a function level.

Other / Other Resources

• APT Notes (⭐1.6k) - A collection of papers and notes related to Advanced Persistent Threats.

Other / Other Resources

• AppSec (⭐6.2k)

Other / Other Resources

• Infosec (⭐5.1k)

Malware Collection / Malware Corpora

• Malshare - Large repository of malware actively scrapped from malicious sites.

• theZoo (⭐11k) - Live malware samples for analysts.

• ViruSign - Malware database that detected by many anti malware programs except ClamAV.

Open Source Threat Intelligence / Tools

• IntelMQ - A tool for CERTs for processing incident data using a message queue.

• MISP (⭐5.1k) - Malware Information Sharing Platform curated by The MISP Project.

• ThreatCrowd - A search engine for threats, with graphical visualization.

Open Source Threat Intelligence / Other Resources

• Critical Stack- Free Intel Market - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.

• threatRECON - Search for indicators, up to 1000 free per month.

• Yara rules (⭐4k) - Yara rules repository.

Detection and Classification / Other Resources

• Loki (⭐3.3k) - Host based scanner for IOCs.

• MultiScanner (⭐615) - Modular file scanning/analysis framework

• Yara rules generator (⭐1.5k) - Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

Online Scanners and Sandboxes / Other Resources

• Cryptam - Analyze suspicious office documents.

• cuckoo-modified (⭐268) - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.

• IRMA - An asynchronous and customizable analysis platform for suspicious files.

• PDF Examiner - Analyse suspicious PDF files.

Domain Analysis / Other Resources

• Desenmascara.me - One click tool to retrieve as much metadata as possible for a website and to assess its good standing.

• SpamCop - IP based spam block list.

• SpamHaus - Block list based on domains and IPs.

• Sucuri SiteCheck - Free Website Malware and Security Scanner.

Deobfuscation / Other Resources

• de4dot (⭐6.8k) - .NET deobfuscator and unpacker.

Debugging and Reverse Engineering / Other Resources

• dnSpy (⭐26k) - .NET assembly editor, decompiler and debugger.

• hackers-grep (⭐167) - A utility to search for strings in PE executables including imports, exports, and debug symbols.

• strace - Dynamic analysis for Linux executables.

Network / Other Resources

• CapTipper (⭐707) - Malicious HTTP traffic explorer.

Windows Artifacts / Other Resources

• AChoir (⭐177) - A live incident response script for gathering Windows artifacts.

Miscellaneous / Other Resources

• Pafish (⭐3.2k) - Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.

Other / Other Resources

• /r/csirt_tools - Subreddit for CSIRT tools and resources, with a malware analysis flair.

• CTFs (⭐9.4k)

• "Hacking" (⭐12k)

• Honeypots (⭐8.3k)

• PCAP Tools (⭐3k)

Debugging and Reverse Engineering / Other Resources

• pestudio - Perform static analysis of Windows executables.

Memory Forensics / Other Resources

• VolDiff (⭐192) - Run Volatility on memory images before and after malware execution, and report changes.

Detection and Classification / Other Resources

• PEV - A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.

Online Scanners and Sandboxes / Other Resources

• Hybrid Analysis - Online malware analysis tool, powered by VxSandbox.

Network / Other Resources

• chopshop (⭐487) - Protocol analysis and decoding framework.

• Moloch (⭐6.2k) - IPv4 traffic capturing, indexing and database system.

Storage and Workflow / Other Resources

• Aleph (⭐154) - Open Source Malware Analysis Pipeline System.

• CRITs - Collaborative Research Into Threats, a malware and threat repository.

Miscellaneous / Other Resources

• DC3-MWCP (⭐290) - The Defense Cyber Crime Center's Malware Configuration Parser framework.

Malware Collection / Malware Corpora

• Zeus Source Code (⭐1.4k) - Source for the Zeus trojan leaked in 2011.

Open Source Threat Intelligence / Tools

• ioc_writer (⭐199) - Python library for working with OpenIOC objects, from Mandiant.

• threataggregator (⭐78) - Aggregates security threats from a number of sources, including some of those listed below in other resources.

• TIQ-test (⭐166) - Data visualization and statistical analysis of Threat Intelligence feeds.

Open Source Threat Intelligence / Other Resources

• FireEye IOCs (⭐461) - Indicators of Compromise shared publicly by FireEye.

Detection and Classification / Other Resources

• MASTIFF (⭐173) - Static analysis framework.

Online Scanners and Sandboxes / Other Resources

• DRAKVUF (⭐1k) - Dynamic malware analysis system.

• Malheur (⭐365) - Automatic sandboxed analysis of malware behavior.

• Malwr - Free analysis with an online Cuckoo Sandbox instance.

• Noriben (⭐1.1k) - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.

Deobfuscation / Other Resources

• Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.

• ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.

• NoMoreXOR (⭐84) - Guess a 256 byte XOR key using frequency analysis.

• unxor (⭐138) - Guess XOR keys using known-plaintext attacks.

• XORBruteForcer - A Python script for brute forcing single-byte XOR keys.

• XORSearch & XORStrings - A couple programs from Didier Stevens for finding XORed data.

• xortool (⭐1.4k) - Guess XOR key length, as well as the key itself.

Network / Other Resources

• Bro - Protocol analyzer that operates at incredible scale; both file and network protocols.

• Fiddler - Intercepting web proxy designed for "web debugging."

• Hale (⭐184) - Botnet C&C monitor.

Miscellaneous / Other Resources

• Santoku Linux - Linux distribution for mobile forensics, malware analysis, and security.

Other / Other Resources

• Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list;

• Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for writing the Malware Analyst's Cookbook, which was a big inspiration for creating the list;

• And everyone else who has sent pull requests or suggested links to add here!

Open Source Threat Intelligence / Tools

• Combine (⭐650) - Tool to gather Threat Intelligence indicators from publicly available sources.

Malware Collection / Anonymizers

• Anonymouse.org - A free, web based anonymizer.

• OpenVPN - VPN software and hosting solutions.

• Privoxy - An open source proxy server with some privacy features.

• Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Malware Collection / Honeypots

• Mnemosyne (⭐44) - A normalizer for honeypot data; supports Dionaea.

• Thug (⭐967) - Low interaction honeyclient, for investigating malicious websites.

Malware Collection / Malware Corpora

• Contagio - A collection of recent malware samples and analyses.

• Exploit Database - Exploit and shellcode samples.

• Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.

Open Source Threat Intelligence / Other Resources

• CI Army (list) - Network security blocklists.

• hpfeeds (⭐208) - Honeypot feed protocol.

• Internet Storm Center (DShield) - Diary and searchable incident database, with a web API. (unofficial Python library (⭐24)).

• malc0de - Searchable incident database.

• Malware Domain List - Search and share malicious URLs.

• ZeuS Tracker - ZeuS blocklists.

Detection and Classification / Other Resources

• AnalyzePE (⭐201) - Wrapper for a variety of tools for reporting on Windows PE files.

• chkrootkit - Local Linux rootkit detection.

• ExifTool - Read, write and edit file metadata.

• hashdeep (⭐694) - Compute digest hashes with a variety of algorithms.

• nsrllookup (⭐110) - A tool for looking up hashes in NIST's National Software Reference Library database.

• Rootkit Hunter - Detect Linux rootkits.

• TrID - File identifier.

• YARA - Pattern matching tool for analysts.

Online Scanners and Sandboxes / Other Resources

• Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.

• Recomposer (⭐130) - A helper script for safely uploading binaries to sandbox sites.

• VirusTotal - Free online analysis of malware samples and URLs

• Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis / Other Resources

• Dig - Free online dig and other network tools.

• IPinfo (⭐95) - Gather information about an IP or domain by searching online resources.

• Whois - DomainTools free online whois search.

• Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.

Browser Malware / Other Resources

• Java Decompiler - Decompile and inspect Java apps.

• Java IDX Parser (⭐39) - Parses Java IDX cache files.

• JSDetox - JavaScript malware analysis tool.

• jsunpack-n (⭐158) - A javascript unpacker that emulates browser functionality.

• Malzilla - Analyze malicious web pages.

• RABCDAsm (⭐427) - A "Robust ActionScript Bytecode Disassembler."

• swftools - Tools for working with Adobe Flash files.

• xxxswf - A Python script for analyzing Flash files.

Documents and Shellcode / Other Resources

• AnalyzePDF (⭐171) - A tool for analyzing PDFs and attempting to determine whether they are malicious.

• diStorm - Disassembler for analyzing malicious shellcode.

• JS Beautifier - JavaScript unpacking and deobfuscation.

• libemu - Library and tools for x86 shellcode emulation.

• malpdfobj (⭐51) - Deconstruct malicious PDFs into a JSON representation.

• OfficeMalScanner - Scan for malicious traces in MS Office documents.

• olevba - A script for parsing OLE and OpenXML documents and extracting useful information.

• Origami PDF - A tool for analyzing malicious PDFs, and more.

• PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.

• PDF X-Ray Lite (⭐34) - A PDF analysis tool, the backend-free version of PDF X-RAY.

• peepdf - Python tool for exploring possibly malicious PDFs.

• Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.

File Carving / Other Resources

• bulk_extractor (⭐1k) - Fast file carving tool.

• EVTXtract (⭐176) - Carve Windows Event Log files from raw binary data.

• Foremost - File carving tool designed by the US Air Force.

• Scalpel (⭐612) - Another data carving tool.

Debugging and Reverse Engineering / Other Resources

• Evan's Debugger (EDB) - A modular debugger with a Qt GUI.

• GDB - The GNU debugger.

• IDA Pro - Windows disassembler and debugger, with a free evaluation version.

• Immunity Debugger - Debugger for malware analysis and more, with a Python API.

• ltrace - Dynamic analysis for Linux executables.

• objdump - Part of GNU binutils, for static analysis of Linux binaries.

• OllyDbg - An assembly-level debugger for Windows executables.

• Process Monitor - Advanced monitoring tool for Windows programs.

• Pyew (⭐380) - Python tool for malware analysis.

• Radare2 - Reverse engineering framework, with debugger support.

• Udis86 (⭐999) - Disassembler library and tool for x86 and x86_64.

• Vivisect (⭐908) - Python tool for malware analysis.

Network / Other Resources

• INetSim - Network service emulation, useful when building a malware lab.

• Malcom (⭐1.1k) - Malware Communications Analyzer.

• mitmproxy - Intercept network traffic on the fly.

• NetworkMiner - Network forensic analysis tool, with a free version.

• ngrep (⭐864) - Search through network traffic like grep.

• Tcpdump - Collect network traffic.

• tcpick - Trach and reassemble TCP streams from network traffic.

• tcpxtract - Extract files from network traffic.

• Wireshark - The network traffic analysis tool.

Memory Forensics / Other Resources

• FindAES - Find AES encryption keys in memory.

• Muninn (⭐51) - A script to automate portions of analysis using Volatility, and create a readable report. Orochi (⭐208) - Orochi is an open source framework for collaborative forensic memory dump analysis.

• Rekall - Memory analysis framework, forked from Volatility in 2013.

• TotalRecall (⭐49) - Script based on Volatility for automating various malware analysis tasks.

• Volatility (⭐7k) - Advanced memory forensics framework.

Windows Artifacts / Other Resources

• python-evt (⭐46) - Python library for parsing Windows Event Logs.

• python-registry - Python library for parsing registry files.

• RegRipper (GitHub) - Plugin-based registry analysis tool.

Storage and Workflow / Other Resources

• Malwarehouse (⭐131) - Store, tag, and search malware.

• Viper - A binary management and analysis framework for analysts and researchers.

Miscellaneous / Other Resources

• REMnux - Linux distribution and docker images for malware reverse engineering and analysis.

Books / Other Resources

• Malware Analyst's Cookbook and DVD - Tools and Techniques for Fighting Malicious Code.

• The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory.

• The IDA Pro Book - The Unofficial Guide to the World's Most Popular Disassembler.

Other / Other Resources

• Honeynet Project - Honeypot tools, papers, and other resources.

• Malicious Software - Malware blog and resources by Lenny Zeltser.

• Malware Analysis Search - Custom Google search engine from Corey Harrell.

• WindowsIR: Malware - Harlan Carvey's page on Malware.

• /r/Malware - The malware subreddit.

• /r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.

• Android Security (⭐7.9k)

• Pentesting (⭐21k)

• Security (⭐12k)