---
visibility: public
---

# Malware Analysis

**repo:** [rshipp/awesome-malware-analysis](https://github.com/rshipp/awesome-malware-analysis)
**category:** [[security|Security]]
**related:** [[hacking|Hacking]] · [[ctf|Ctf]] · [[application-security|Application Security]]

---

# Awesome Malware Analysis

A curated list of awesome malware analysis tools and resources. Inspired by [awesome-python](https://github.com/vinta/awesome-python) and [awesome-php](https://github.com/ziadoz/awesome-php).

- [Malware Collection](#malware-collection)
  - [Anonymizers](#anonymizers)
  - [Honeypots](#honeypots)
  - [Malware Corpora](#malware-corpora)
- [Open Source Threat Intelligence](#open-source-threat-intelligence)
  - [Tools](#tools)
  - [Other Resources](#other-resources)
- [Detection and Classification](#detection-and-classification)
- [Online Scanners and Sandboxes](#online-scanners-and-sandboxes)
- [Domain Analysis](#domain-analysis)
- [Browser Malware](#browser-malware)
- [Documents and Shellcode](#documents-and-shellcode)
- [File Carving](#file-carving)
- [Deobfuscation](#deobfuscation)
- [Debugging and Reverse Engineering](#debugging-and-reverse-engineering)
- [Network](#network)
- [Memory Forensics](#memory-forensics)
- [Windows Artifacts](#windows-artifacts)
- [Storage and Workflow](#storage-and-workflow)
- [Miscellaneous](#miscellaneous)
- [Resources](#resources)
  - [Books](#books)
  - [Other](#other)
- [Related Awesome Lists](#related-awesome-lists)
- [Contributing](#contributing)
- [Thanks](#thanks)

View Chinese translation: [恶意软件分析大合集.md](恶意软件分析大合集.md).

---

## Malware Collection

### Anonymizers

*Web traffic anonymizers for analysts.*

* [Anonymouse.org](http://anonymouse.org/) - A free, web based anonymizer.
* [OpenVPN](https://openvpn.net/) - VPN software and hosting solutions.
* [Privoxy](http://www.privoxy.org/) - An open source proxy server with some privacy features.
* [Tor](https://www.torproject.org/) - The Onion Router, for browsing the web without leaving traces of the client IP.

### Honeypots

*Trap and collect your own samples.*

* [Conpot](https://github.com/mushorg/conpot) - ICS/SCADA honeypot.
* [Cowrie](https://github.com/micheloosterhof/cowrie) - SSH honeypot, based on Kippo.
* [DemonHunter](https://github.com/RevengeComing/DemonHunter) - Low interaction distributed [honeypots](/@harrisonqian/awesome/wiki/security/honeypots).
* [Dionaea](https://github.com/DinoTools/dionaea) - Honeypot designed to trap malware.
* [Glastopf](https://github.com/mushorg/glastopf) - Web application honeypot.
* [Honeyd](http://www.honeyd.org/) - Create a virtual honeynet.
* [HoneyDrive](https://bruteforce.gr/honeydrive/) - Honeypot bundle [Linux](/@harrisonqian/awesome/wiki/platforms/linux) distro.
* [Honeytrap](https://github.com/honeytrap/honeytrap) - Open source system for running, monitoring and managing [honeypots](/@harrisonqian/awesome/wiki/security/honeypots).
* [MHN](https://github.com/pwnlandia/mhn) - MHN is a centralized server for management and data collection of [honeypots](/@harrisonqian/awesome/wiki/security/honeypots). MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
* [Mnemosyne](https://github.com/johnnykv/mnemosyne) - A normalizer for honeypot data; supports Dionaea.
* [Thug](https://github.com/buffer/thug) - Low interaction honeyclient, for investigating malicious websites.

### Malware Corpora

*Malware samples collected for analysis.*

* [Clean MX](http://support.clean-mx.com/clean-mx/viruses.php) - Realtime database of malware and malicious domains.
* [Contagio](http://contagiodump.blogspot.com/) - A collection of recent malware samples and analyses.
* [Exploit Database](https://www.exploit-db.com/) - Exploit and shellcode samples.
* [Infosec - CERT-PA](https://infosec.cert-pa.it/analyze/submission.html) - Malware samples collection and analysis.
* [InQuest Labs](https://labs.inquest.net) - Evergrowing searchable corpus of malicious Microsoft documents.
* [Javascript Malware Collection](https://github.com/HynekPetrak/javascript-malware-collection) - Collection of almost 40,000 [javascript](/@harrisonqian/awesome/wiki/programming-languages/javascript) malware samples.
* [Malpedia](https://malpedia.caad.fkie.fraunhofer.de/) - A resource providing rapid identification and actionable context for malware investigations.
* [Malshare](https://malshare.com) - Large repository of malware actively scraped from malicious sites.
* [Ragpicker](https://github.com/robbyFux/Ragpicker) - Plugin based malware crawler with pre-analysis and reporting functionalities.
* [theZoo](https://github.com/ytisf/theZoo) - Live malware samples for analysts.
* [Tracker h3x](http://tracker.h3x.eu/) - Aggregator for malware corpus tracker and malicious download sites.
* [vduddu malware repo](https://github.com/vduddu/Malware) - Collection of various malware files and source code.
* [VirusBay](https://beta.virusbay.io/) - Community-based malware repository and social network.
* [ViruSign](http://www.virussign.com/) - Malware [database](/@harrisonqian/awesome/wiki/databases/database) of samples detected by many anti-malware programs except ClamAV.
* [VirusShare](https://virusshare.com/) - Malware repository, registration required.
* [VX Vault](http://vxvault.net) - Active collection of malware samples.
* [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - A list of malware sample sources put together by Lenny Zeltser.
* [Zeus Source Code](https://github.com/Visgean/Zeus) - Source for the Zeus trojan leaked in 2011.
* [VX Underground](http://vx-underground.org/) - Massive and growing collection of free malware samples.

## Open Source Threat Intelligence

### Tools

*Harvest and analyze IOCs.*

* [AbuseHelper](https://github.com/abusesa/abusehelper) - An open-source framework for receiving and redistributing abuse feeds and threat intel.
* [AlienVault Open Threat Exchange](https://otx.alienvault.com/) - Share and collaborate in developing Threat Intelligence.
* [Combine](https://github.com/mlsecproject/combine) - Tool to gather Threat Intelligence indicators from publicly available sources.
* [Fileintel](https://github.com/keithjjones/fileintel) - Pull intelligence per file hash.
* [Hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host.
* [IntelMQ](https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/incident-handling-automation) - A tool for CERTs for processing incident data using a message queue.
* [IOC Editor](https://www.fireeye.com/services/freeware/ioc-editor.html) - A free editor for XML IOC files.
* [iocextract](https://github.com/InQuest/python-iocextract) - Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.
* [ioc_writer](https://github.com/mandiant/ioc_writer) - [Python](/@harrisonqian/awesome/wiki/programming-languages/python) library for working with OpenIOC objects, from Mandiant.
* [MalPipe](https://github.com/silascutler/MalPipe) - Malware/IOC ingestion and processing engine that enriches collected data.
* [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework).
* [MISP](https://github.com/MISP/MISP) - Malware Information Sharing Platform curated by [The MISP Project](http://www.misp-project.org/).
* [Pulsedive](https://pulsedive.com) - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
* [PyIOCe](https://github.com/pidydx/PyIOCe) - A [Python](/@harrisonqian/awesome/wiki/programming-languages/python) OpenIOC editor.
* [RiskIQ](https://community.riskiq.com/) - Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
* [threataggregator](https://github.com/jpsenior/threataggregator) - Aggregates security threats from a number of sources, including some of those listed below in [other resources](#other-resources).
* [ThreatConnect](https://threatconnect.com/free/) - TC Open allows you to see and share open source threat data, with support and validation from our free community.
* [ThreatCrowd](https://www.threatcrowd.org/) - A search engine for threats, with graphical visualization.
* [ThreatIngestor](https://github.com/InQuest/ThreatIngestor/) - Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.
* [ThreatTracker](https://github.com/michael-yip/ThreatTracker) - A [Python](/@harrisonqian/awesome/wiki/programming-languages/python) script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
* [TIQ-test](https://github.com/mlsecproject/tiq-test) - [Data visualization](/@harrisonqian/awesome/wiki/miscellaneous/data-visualization) and statistical analysis of Threat Intelligence feeds.

### Other Resources

*Threat intelligence and IOC resources.*

* [Autoshun](https://www.autoshun.org/) ([list](https://www.autoshun.org/files/shunlist.csv)) - Snort plugin and blocklist.
* [Bambenek Consulting Feeds](http://osint.bambenekconsulting.com/feeds/) - OSINT feeds based on malicious DGA algorithms.
* [Fidelis Barncat](https://www.fidelissecurity.com/resources/fidelis-barncat) - Extensive malware config database (must request access).
* [CI Army](http://cinsscore.com/) ([list](http://cinsscore.com/list/ci-badguys.txt)) - Network security blocklists.
* [Critical Stack - Free Intel Market](https://intel.criticalstack.com) - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
* [Cybercrime tracker](http://cybercrime-tracker.net/) - Multiple botnet active tracker.
* [FireEye IOCs](https://github.com/fireeye/iocs) - Indicators of Compromise shared publicly by FireEye.
* [FireHOL IP Lists](https://iplists.firehol.org/) - [Analytics](/@harrisonqian/awesome/wiki/miscellaneous/analytics) for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, change history, country maps, age of IPs listed, retention policy, overlaps.
* [HoneyDB](https://riskdiscovery.com/honeydb) - Community driven honeypot sensor data collection and aggregation.
* [hpfeeds](https://github.com/rep/hpfeeds) - Honeypot feed protocol.
* [Infosec - CERT-PA lists](https://infosec.cert-pa.it/analyze/statistics.html) ([IPs](https://infosec.cert-pa.it/analyze/listip.txt) - [Domains](https://infosec.cert-pa.it/analyze/listdomains.txt) - [URLs](https://infosec.cert-pa.it/analyze/listurls.txt)) - Blocklist service.
* [InQuest REPdb](https://labs.inquest.net/repdb) - Continuous aggregation of IOCs from a variety of open reputation sources.
* [InQuest IOCdb](https://labs.inquest.net/iocdb) - Continuous aggregation of IOCs from a variety of blogs, [Github](/@harrisonqian/awesome/wiki/development-environment/github) repos, and Twitter.
* [Internet Storm Center (DShield)](https://isc.sans.edu/) - Diary and searchable incident database, with a web [API](https://dshield.org/api/). ([unofficial Python library](https://github.com/rshipp/python-dshield)).
* [malc0de](http://malc0de.com/database/) - Searchable incident [database](/@harrisonqian/awesome/wiki/databases/database).
* [Malware Domain List](http://www.malwaredomainlist.com/) - Search and share malicious URLs.
* [MetaDefender Threat Intelligence Feed](https://www.opswat.com/developers/threat-intelligence-feed) - List of the most looked up file hashes from MetaDefender Cloud.
* [OpenIOC](https://www.fireeye.com/services/freeware.html) - Framework for sharing threat intelligence.
* [Proofpoint Threat Intelligence](https://www.proofpoint.com/us/products/et-intelligence) - Rulesets and more. (Formerly Emerging Threats.)
* [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) - An overview of ransomware families with details, detection and prevention.
* [STIX - Structured Threat Information eXpression](http://stixproject.github.io) - Standardized language to represent and share cyber threat information. Related efforts from [MITRE](https://www.mitre.org/):
  - [CAPEC - Common Attack Pattern Enumeration and Classification](http://capec.mitre.org/)
  - [CybOX - Cyber Observables eXpression](http://cyboxproject.github.io)
  - [MAEC - Malware Attribute Enumeration and Characterization](http://maec.mitre.org/)
  - [TAXII - Trusted Automated eXchange of Indicator Information](http://taxiiproject.github.io)
* [SystemLookup](https://www.systemlookup.com/) - SystemLookup hosts a collection of lists that provide information on the components of legitimate and potentially unwanted programs.
* [ThreatMiner](https://www.threatminer.org/) - Data mining portal for threat intelligence, with search.
* [threatRECON](https://threatrecon.co/) - Search for indicators, up to 1000 free per month.
* [ThreatShare](https://threatshare.io/) - C2 panel tracker.
* [Yara rules](https://github.com/Yara-Rules/rules) - Yara rules repository.
* [YETI](https://github.com/yeti-platform/yeti) - Yeti is a platform meant to organize [observables](/@harrisonqian/awesome/wiki/programming-languages/observables), indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
* [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS blocklists.

## Detection and Classification

*Antivirus and other malware identification tools.*

* [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a variety of tools for reporting on Windows PE files.
* [Assemblyline](https://cybercentrecanada.github.io/assemblyline4_docs/) - A scalable file triage and malware analysis system integrating the cyber [security](/@harrisonqian/awesome/wiki/security/security) community's best tools.
* [BinaryAlert](https://github.com/airbnb/binaryalert) - An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
* [capa](https://github.com/fireeye/capa) - Detects capabilities in executable files.
* [chkrootkit](http://www.chkrootkit.org/) - Local [Linux](/@harrisonqian/awesome/wiki/platforms/linux) rootkit detection.
* [ClamAV](http://www.clamav.net/) - Open source antivirus engine.
* [Detect It Easy (DiE)](https://github.com/horsicq/Detect-It-Easy) - A program for determining types of files.
* [Exeinfo PE](http://exeinfo.pe.hu/) - Packer, compressor detector, unpack info, internal exe tools.
* [ExifTool](https://sno.phy.queensu.ca/~phil/exiftool/) - Read, write and edit file metadata.
* [File Scanning Framework](https://github.com/EmersonElectricCo/fsf) - Modular, recursive file scanning solution.
* [fn2yara](https://github.com/cmu-sei/pharos) - FN2Yara is a tool to generate Yara signatures for matching functions (code) in an executable program.
* [Generic File Parser](https://github.com/uppusaikiran/generic-parser) - A single library parser to extract meta information, perform static analysis and detect macros within files.
* [hashdeep](https://github.com/jessek/hashdeep) - Compute digest hashes with a variety of algorithms.
* [HashCheck](https://github.com/gurnec/HashCheck) - [Windows](/@harrisonqian/awesome/wiki/platforms/windows) [shell](/@harrisonqian/awesome/wiki/development-environment/shell) extension to compute hashes with a variety of algorithms.
* [Loki](https://github.com/Neo23x0/Loki) - Host based scanner for IOCs.
* [Malfunction](https://github.com/Dynetics/Malfunction) - Catalog and compare malware at a function level.
* [Manalyze](https://github.com/JusticeRage/Manalyze) - Static analyzer for PE executables.
* [MASTIFF](https://github.com/KoreLogicSecurity/mastiff) - Static analysis framework.
* [MultiScanner](https://github.com/mitre/multiscanner) - Modular file scanning/analysis framework.
* [Nauz File Detector (NFD)](https://github.com/horsicq/Nauz-File-Detector) - Linker/Compiler/Tool detector for [Windows](/@harrisonqian/awesome/wiki/platforms/windows), [Linux](/@harrisonqian/awesome/wiki/platforms/linux) and MacOS.
* [nsrllookup](https://github.com/rjhansen/nsrllookup) - A tool for looking up hashes in NIST's National Software Reference Library database.
* [packerid](https://github.com/sooshie/packerid) - A [cross-platform](/@harrisonqian/awesome/wiki/platforms/cross-platform) Python alternative to PEiD.
* [PE-bear](https://hshrzd.wordpress.com/pe-bear/) - Reversing tool for PE files.
* [PEframe](https://github.com/guelfoweb/peframe) - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
* [PEV](http://pev.sourceforge.net/) - A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
* [PortEx](https://github.com/katjahahn/PortEx) - [Java](/@harrisonqian/awesome/wiki/programming-languages/java) library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
* [Quark-Engine](https://github.com/quark-engine/quark-engine) - An obfuscation-neglect [Android](/@harrisonqian/awesome/wiki/platforms/android) malware scoring system.
* [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect [Linux](/@harrisonqian/awesome/wiki/platforms/linux) rootkits.
* [ssdeep](https://ssdeep-project.github.io/ssdeep/) - Compute fuzzy hashes.
* [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) - Python script for easy searching of the [TotalHash.cymru.com](https://totalhash.cymru.com/) database.
* [TrID](http://mark0.net/soft-trid-e.html) - File identifier.
* [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for analysts.
* [Yara rules generator](https://github.com/Neo23x0/yarGen) - Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.
* [Yara Finder](https://github.com/uppusaikiran/yara-finder) - A simple tool to yara match the file against various yara rules to find the indicators of suspicion.

## Online Scanners and Sandboxes

*Web-based multi-AV scanners, and malware sandboxes for automated analysis.*

* [anlyz.io](https://sandbox.anlyz.io/) - Online sandbox.
* [any.run](https://app.any.run/) - Online interactive sandbox.
* [AndroTotal](https://andrototal.org/) - Free online analysis of APKs against multiple mobile antivirus apps.
* [BoomBox](https://github.com/nbeede/BoomBox) - Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant.
* [Cryptam](http://www.cryptam.com/) - Analyze suspicious office documents.
* [Cuckoo Sandbox](https://cuckoosandbox.org/) - Open source, [self hosted](/@harrisonqian/awesome/wiki/miscellaneous/self-hosted) sandbox and automated analysis system.
* [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
* [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A Python API used to control a cuckoo-modified sandbox.
* [DeepViz](https://www.deepviz.com/) - Multi-format file analyzer with machine-learning classification.
* [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do traffic analysis of Linux malware and capture IOCs.
* [DRAKVUF](https://github.com/tklengyel/drakvuf) - Dynamic malware analysis system.
* [filescan.io](https://www.filescan.io/) - Static malware analysis, VBA/[Powershell](/@harrisonqian/awesome/wiki/development-environment/powershell)/VBS/JS emulation.
* [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any firmware package.
* [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - An automated malware analysis tool for Linux ELF files.
* [Hybrid Analysis](https://www.hybrid-analysis.com/) - Online malware analysis tool, powered by VxSandbox.
* [Intezer](https://analyze.intezer.com) - Detect, analyze, and categorize malware by identifying code reuse and code similarities.
* [IRMA](http://irma.quarkslab.com/) - An asynchronous and customizable analysis platform for suspicious files.
* [Joe Sandbox](https://www.joesecurity.org) - Deep malware analysis with Joe Sandbox.
* [Jotti](https://virusscan.jotti.org/en) - Free online multi-AV scanner.
* [Limon](https://github.com/monnappa22/Limon) - Sandbox for analyzing [Linux](/@harrisonqian/awesome/wiki/platforms/linux) malware.
* [Malheur](https://github.com/rieck/malheur) - Automatic sandboxed analysis of malware behavior.
* [malice.io](https://github.com/maliceio/malice) - Massively scalable malware analysis framework.
* [malsub](https://github.com/diogo-fernan/malsub) - A [Python](/@harrisonqian/awesome/wiki/programming-languages/python) RESTful API framework for online malware and URL analysis services.
* [Malware config](https://malwareconfig.com/) - Extract, decode and display online the configuration settings from common malware.
* [MalwareAnalyser.io](https://malwareanalyser.io/) - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and [machine learning](/@harrisonqian/awesome/wiki/computer-science/machine-learning).
* [Malwr](https://malwr.com/) - Free analysis with an online Cuckoo Sandbox instance.
* [MetaDefender Cloud](https://metadefender.opswat.com/) - Scan a file, hash, IP, URL or domain address for malware for free.
* [NetworkTotal](https://www.networktotal.com/index.html) - A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
* [Noriben](https://github.com/Rurik/Noriben) - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
* [PacketTotal](https://packettotal.com/) - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
* [PDF Examiner](http://www.pdfexaminer.com/) - Analyse suspicious PDF files.
* [ProcDot](http://www.procdot.com) - A graphical malware analysis tool kit.
* [Recomposer](https://github.com/secretsquirrel/recomposer) - A helper script for safely uploading binaries to sandbox sites.
* [sandboxapi](https://github.com/InQuest/python-sandboxapi) - [Python](/@harrisonqian/awesome/wiki/programming-languages/python) library for building integrations with several open source and commercial malware sandboxes.
* [SEE](https://github.com/F-Secure/see) - Sandboxed Execution Environment (SEE) is a framework for building test automation in secured environments.
* [SEKOIA Dropper Analysis](https://malware.sekoia.fr/) - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
* [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware samples and URLs.
* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...)
* [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free automated sandboxes and services, compiled by Lenny Zeltser.

## Domain Analysis

*Inspect domains and IP addresses.*

* [AbuseIPDB](https://www.abuseipdb.com/) - AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.
* [badips.com](https://www.badips.com/) - Community based IP blacklist service.
* [boomerang](https://github.com/EmersonElectricCo/boomerang) - A tool designed for consistent and safe capture of off network web resources.
* [Cymon](https://cymon.io/) - Threat intelligence tracker, with IP/domain/hash search.
* [Desenmascara.me](http://desenmascara.me) - One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
* [Dig](https://networking.ringofsaturn.com/) - Free online dig and other network tools.
* [dnstwist](https://github.com/elceef/dnstwist) - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
* [IPinfo](https://github.com/hiddenillusion/IPinfo) - Gather information about an IP or domain by searching online resources.
* [Machinae](https://github.com/hurricanelabs/machinae) - OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automater.
* [mailchecker](https://github.com/FGRibreau/mailchecker) - Cross-language temporary email detection library.
* [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
* [Multi rbl](http://multirbl.valli.org/) - Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
* [NormShield Services](https://services.normshield.com/) - Free API services for detecting possible phishing domains, blacklisted IP addresses and breached accounts.
* [PhishStats](https://phishstats.info/) - Phishing statistics with search for IP, domain and website title.
* [Spyse](https://spyse.com/) - Subdomains, WHOIS, related domains, DNS, host AS, SSL/TLS info.
* [SecurityTrails](https://securitytrails.com/) - Historical and current WHOIS, historical and current DNS records, similar domains, certificate information and other domain and IP related API and tools.
* [SpamCop](https://www.spamcop.net/bl.shtml) - IP based spam block list.
* [SpamHaus](https://www.spamhaus.org/lookup/) - Block list based on domains and IPs.
* [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - Free website malware and security scanner.
* [Talos Intelligence](https://talosintelligence.com/) - Search for IP, domain or network owner. (Previously SenderBase.)
* [TekDefense Automater](http://www.tekdefense.com/automater/) - OSINT tool for gathering information about URLs, IPs, or hashes.
* [URLhaus](https://urlhaus.abuse.ch/) - A project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.
* [URLQuery](http://urlquery.net/) - Free URL scanner.
* [urlscan.io](https://urlscan.io/) - Free URL scanner & domain information.
* [Whois](https://whois.domaintools.com/) - DomainTools free online whois search.
* [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - Free online tools for researching malicious websites, compiled by Lenny Zeltser.
* [Zscaler Zulu](https://zulu.zscaler.com/#) - Zulu URL Risk Analyzer.

## Browser Malware

*Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and [documents and shellcode](#documents-and-shellcode) sections.*

* [Bytecode Viewer](https://github.com/Konloch/bytecode-viewer) - Combines multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support.
* [Firebug](https://getfirebug.com/) - Firefox extension for web development.
* [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect [Java](/@harrisonqian/awesome/wiki/programming-languages/java) [apps](/@harrisonqian/awesome/wiki/platforms/apps).
* [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses [Java](/@harrisonqian/awesome/wiki/programming-languages/java) IDX cache files.
* [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - [JavaScript](/@harrisonqian/awesome/wiki/programming-languages/javascript) malware analysis tool.
* [jsunpack-n](https://github.com/urule99/jsunpack-n) - A [javascript](/@harrisonqian/awesome/wiki/programming-languages/javascript) unpacker that emulates browser functionality.
* [Krakatau](https://github.com/Storyyeller/Krakatau) - [Java](/@harrisonqian/awesome/wiki/programming-languages/java) decompiler, assembler, and disassembler.
* [Malzilla](http://malzilla.sourceforge.net/) - Analyze malicious web pages.
* [RABCDAsm](https://github.com/CyberShadow/RABCDAsm) - A "Robust ActionScript Bytecode Disassembler."
* [SWF Investigator](https://labs.adobe.com/technologies/swfinvestigator/) - Static and dynamic analysis of SWF applications.
* [swftools](http://www.swftools.org/) - Tools for working with Adobe Flash files.
* [xxxswf](http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html) - A Python script for analyzing Flash files.

## Documents and Shellcode

*Analyze malicious JS and shellcode from PDFs and Office documents. See also the [browser malware](#browser-malware) section.*

* [AnalyzePDF](https://github.com/hiddenillusion/AnalyzePDF) - A tool for analyzing PDFs and attempting to determine whether they are malicious.
* [box-js](https://github.com/CapacitorSet/box-js) - A tool for studying [JavaScript](/@harrisonqian/awesome/wiki/programming-languages/javascript) malware, featuring JScript/WScript support and ActiveX emulation.
* [diStorm](http://www.ragestorm.net/distorm/) - Disassembler for analyzing malicious shellcode.
* [InQuest Deep File Inspection](https://labs.inquest.net/dfi) - Upload common malware lures for Deep File Inspection and heuristical analysis.
* [JS Beautifier](http://jsbeautifier.org/) - [JavaScript](/@harrisonqian/awesome/wiki/programming-languages/javascript) unpacking and deobfuscation.
* [libemu](http://libemu.carnivore.it/) - Library and tools for x86 shellcode emulation.
* [malpdfobj](https://github.com/9b/malpdfobj) - Deconstruct malicious PDFs into a JSON representation.
* [OfficeMalScanner](http://www.reconstructer.org/code.html) - Scan for malicious traces in MS Office documents.
* [olevba](http://www.decalage.info/python/olevba) - A script for parsing OLE and OpenXML documents and extracting useful information.
* [Origami PDF](https://code.google.com/archive/p/origami-pdf) - A tool for analyzing malicious PDFs, and more.
* [PDF Tools](https://blog.didierstevens.com/programs/pdf-tools/) - pdfid, pdf-parser, and more from Didier Stevens.
* [PDF X-Ray Lite](https://github.com/9b/pdfxray_lite) - A PDF analysis tool, the backend-free version of PDF X-RAY.
* [peepdf](http://eternal-todo.com/tools/peepdf-pdf-analysis-tool) - [Python](/@harrisonqian/awesome/wiki/programming-languages/python) tool for exploring possibly malicious PDFs.
* [QuickSand](https://www.quicksand.io/) - QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
* [Spidermonkey](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey) - Mozilla's JavaScript engine, for debugging malicious JS.

## File Carving

*For extracting files from inside disk and memory images.*

* [bulk_extractor](https://github.com/simsong/bulk_extractor) - Fast file carving tool.
* [EVTXtract](https://github.com/williballenthin/EVTXtract) - Carve [Windows](/@harrisonqian/awesome/wiki/platforms/windows) Event Log files from raw binary data.
* [Foremost](http://foremost.sourceforge.net/) - File carving tool designed by the US Air Force.
* [hachoir3](https://github.com/vstinner/hachoir3) - Hachoir is a [Python](/@harrisonqian/awesome/wiki/programming-languages/python) library to view and edit a binary stream field by field.
* [Scalpel](https://github.com/sleuthkit/scalpel) - Another data carving tool.
* [SFlock](https://github.com/jbremer/sflock) - Nested archive extraction/unpacking (used in Cuckoo Sandbox).

## Deobfuscation

*Reverse XOR and other code obfuscation methods.*

* [Balbuzard](https://bitbucket.org/decalage/balbuzard/wiki/Home) - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
* [de4dot](https://github.com/0xd4d/de4dot) - .NET deobfuscator and unpacker.
* [ex_pe_xor](http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html) & [iheartxor](http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html) - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
* [FLOSS](https://github.com/fireeye/flare-floss) - The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically

---

*truncated — [full list on GitHub](https://github.com/rshipp/awesome-malware-analysis)*