fucking awesome malware analysis

A curated list of awesome malware analysis tools and resources. Inspired by 228609  25039? awesome-python) and  31110   5080? awesome-php).

• Malware Collection
  • Anonymizers
  • Honeypots
  • Malware Corpora
• Open Source Threat Intelligence
  • Tools
  • Other Resources
• Detection and Classification
• Online Scanners and Sandboxes
• Domain Analysis
• Browser Malware
• Documents and Shellcode
• File Carving
• Deobfuscation
• Debugging and Reverse Engineering
• Network
• Memory Forensics
• Windows Artifacts
• Storage and Workflow
• Miscellaneous
• Resources
  • Books
  • Other
• Related Awesome Lists
• Contributing
• Thanks

View Chinese translation: 恶意软件分析大合集.md.

Web traffic anonymizers for analysts.

• Anonymouse.org - A free, web based anonymizer.
• ? OpenVPN - VPN software and hosting solutions.
• Privoxy - An open source proxy server with some privacy features.
• ? Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Trap and collect your own samples.

•   1261    417? Conpot) - ICS/SCADA honeypot.
•   5271    903? Cowrie) - SSH honeypot, based on Kippo.
•     61     12? DemoHunter) - Low interaction Distributed Honeypots.
•    718    184? Dionaea) - Honeypot designed to trap malware.
•    565    168? Glastopf) - Web application honeypot.
• Honeyd - Create a virtual honeynet.
• ? HoneyDrive - Honeypot bundle Linux distro.
•   1230    174? Honeytrap) - Opensource system for running, monitoring and managing honeypots.
•   2440    631? MHN) - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
•     46     39? Mnemosyne) - A normalizer for honeypot data; supports Dionaea.
•    998    203? Thug) - Low interaction honeyclient, for investigating malicious websites.

Malware samples collected for analysis.

• Clean MX - Realtime database of malware and malicious domains.
• Contagio - A collection of recent malware samples and analyses.
• ? Exploit Database - Exploit and shellcode samples.
• ? Infosec - CERT-PA - Malware samples collection and analysis.
• ? InQuest Labs - Evergrowing searchable corpus of malicious Microsoft documents.
•    686    238? Javascript Mallware Collection) - Collection of almost 40.000 javascript malware samples
• ? Malpedia - A resource providing rapid identification and actionable context for malware investigations.
• ? Malshare - Large repository of malware actively scrapped from malicious sites.
•     94     25? Ragpicker) - Plugin based malware crawler with pre-analysis and reporting functionalities
•  11438   2532? theZoo) - Live malware samples for analysts.
• Tracker h3x - Agregator for malware corpus tracker and malicious download sites.
•      ?      ?? vduddu malware repo) - Collection of various malware files and source code.
• ? VirusBay - Community-Based malware repository and social network.
• ViruSign - Malware database that detected by many anti malware programs except ClamAV.
• ? VirusShare - Malware repository, registration required.
• VX Vault - Active collection of malware samples.
• ? Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
•   1427    697? Zeus Source Code) - Source for the Zeus trojan leaked in 2011.
• VX Underground - Massive and growing collection of free malware samples.

Harvest and analyze IOCs.

•    122     18? AbuseHelper) - An open-source framework for receiving and redistributing abuse feeds and threat intel.
• ? AlienVault Open Threat Exchange - Share and collaborate in developing Threat Intelligence.
•    657    171? Combine) - Tool to gather Threat Intelligence indicators from publicly available sources.
•    119     25? Fileintel) - Pull intelligence per file hash.
•    265     51? Hostintel) - Pull intelligence per host.
• ? IntelMQ - A tool for CERTs for processing incident data using a message queue.
• ? IOC Editor - A free editor for XML IOC files.
•    513     91? iocextract) - Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.
•    201     61? ioc_writer) - Python library for working with OpenIOC objects, from Mandiant.
•    104     24? MalPipe) - Malware/IOC ingestion and processing engine, that enriches collected data.
•    228     60? Massive Octo Spice) - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
•   5449   1416? MISP) - Malware Information Sharing Platform curated by The MISP Project.
• ? Pulsedive - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
•     18      7? PyIOCe) - A Python OpenIOC editor.
• ? RiskIQ - Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
•     80     27? threataggregator) - Aggregates security threats from a number of sources, including some of those listed below in other resources.
• ? ThreatConnect - TC Open allows you to see and share open source threat data, with support and validation from our free community.
• ? ThreatCrowd - A search engine for threats, with graphical visualization.
•      ?      ?? ThreatIngestor) - Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.
•     66     13? ThreatTracker) - A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
•    173     43? TIQ-test) - Data visualization and statistical analysis of Threat Intelligence feeds.

Threat intelligence and IOC resources.

• ? Autoshun ? list) - Snort plugin and blocklist.
• Bambenek Consulting Feeds - OSINT feeds based on malicious DGA algorithms.
• ? Fidelis Barncat - Extensive malware config database (must request access).
• CI Army (list) - Network security blocklists.
• ? Critical Stack- Free Intel Market - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
• Cybercrime tracker - Multiple botnet active tracker.
•    465    117? FireEye IOCs) - Indicators of Compromise shared publicly by FireEye.
• ? FireHOL IP Lists - Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps.
• ? HoneyDB - Community driven honeypot sensor data collection and aggregation.
•    213    110? hpfeeds) - Honeypot feed protocol.
• ? Infosec - CERT-PA lists ? IPs - ? Domains - ? URLs) - Blocklist service.
• ? InQuest REPdb - Continuous aggregation of IOCs from a variety of open reputation sources.
• ? InQuest IOCdb - Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter.
• ? Internet Storm Center (DShield) - Diary and searchable incident database, with a web ? API. (    29     13? unofficial Python library)).
• malc0de - Searchable incident database.
• Malware Domain List - Search and share malicious URLs.
• ? MetaDefender Threat Intelligence Feed - List of the most looked up file hashes from MetaDefender Cloud.
• ? OpenIOC - Framework for sharing threat intelligence.
• ? Proofpoint Threat Intelligence - Rulesets and more. (Formerly Emerging Threats.)
• ? Ransomware overview - A list of ransomware overview with details, detection and prevention.
• STIX - Structured Threat Information eXpression - Standardized language to represent and share cyber threat information. Related efforts from ? MITRE:
  • CAPEC - Common Attack Pattern Enumeration and Classification
  • CybOX - Cyber Observables eXpression
  • MAEC - Malware Attribute Enumeration and Characterization
  • TAXII - Trusted Automated eXchange of Indicator Information
• ? SystemLookup - SystemLookup hosts a collection of lists that provide information on the components of legitimate and potentially unwanted programs.
• ? ThreatMiner - Data mining portal for threat intelligence, with search.
• ? threatRECON - Search for indicators, up to 1000 free per month.
• ? ThreatShare - C2 panel tracker
•   4218   1008? Yara rules) - Yara rules repository.
•   1769    294? YETI) - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
• ? ZeuS Tracker - ZeuS blocklists.

Antivirus and other malware identification tools

•    204     35? AnalyzePE) - Wrapper for a variety of tools for reporting on Windows PE files.
• ? Assemblyline - A scalable file triage and malware analysis system integrating the cyber security community's best tools..
•   1416    186? BinaryAlert) - An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
•   4973    567? capa) - Detects capabilities in executable files.
• chkrootkit - Local Linux rootkit detection.
• ClamAV - Open source antivirus engine.
•   7842    738? Detect It Easy(DiE)) - A program for determining types of files.
• Exeinfo PE - Packer, compressor detector, unpack info, internal exe tools.
• ? ExifTool - Read, write and edit file metadata.
•    290     49? File Scanning Framework) - Modular, recursive file scanning solution.
•   1573    192? fn2yara) - FN2Yara is a tool to generate Yara signatures for matching functions (code) in an executable program.
•      1      0? Generic File Parser) - A Single Library Parser to extract meta information,static analysis and detect macros within the files.
•    718    132? hashdeep) - Compute digest hashes with a variety of algorithms.
•   1777    195? HashCheck) - Windows shell extension to compute hashes with a variety of algorithms.
•   3429    585? Loki) - Host based scanner for IOCs.
•    192     35? Malfunction) - Catalog and compare malware at a function level.
•   1025    161? Manalyze) - Static analyzer for PE executables.
•    176     40? MASTIFF) - Static analysis framework.
•    618    125? MultiScanner) - Modular file scanning/analysis framework
•    533     80? Nauz File Detector(NFD)) - Linker/Compiler/Tool detector for Windows, Linux and MacOS.
•    112     10? nsrllookup) - A tool for looking up hashes in NIST's National Software Reference Library database.
•     42      9? packerid) - A cross-platform Python alternative to PEiD.
• ? PE-bear - Reversing tool for PE files.
•    612    139? PEframe) - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
• PEV - A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
•    499     95? PortEx) - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
•   1344    170? Quark-Engine) - An Obfuscation-Neglect Android Malware Scoring System
• Rootkit Hunter - Detect Linux rootkits.
• ? ssdeep - Compute fuzzy hashes.
• ? totalhash.py - Python script for easy searching of the ? TotalHash.cymru.com database.
• TrID - File identifier.
• ? YARA - Pattern matching tool for analysts.
•   1577    282? Yara rules generator) - Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.
•      2      0? Yara Finder) - A simple tool to yara match the file against various yara rules to find the indicators of suspicion.

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

• ? anlyz.io - Online sandbox.
• ? any.run - Online interactive sandbox.
• ? AndroTotal - Free online analysis of APKs against multiple mobile antivirus apps.
•    237     38? BoomBox) - Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant.
• Cryptam - Analyze suspicious office documents.
• ? Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
•    271    100? cuckoo-modified) - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
•     22      7? cuckoo-modified-api) - A Python API used to control a cuckoo-modified sandbox.
• ? DeepViz - Multi-format file analyzer with machine-learning classification.
•      ?      ?? detux) - A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs.
•   1076    255? DRAKVUF) - Dynamic malware analysis system.
• ? filescan.io - Static malware analysis, VBA/Powershell/VBS/JS Emulation
• firmware.re - Unpacks, scans and analyzes almost any firmware package.
•    734    220? HaboMalHunter) - An Automated Malware Analysis Tool for Linux ELF Files.
• ? Hybrid Analysis - Online malware analysis tool, powered by VxSandbox.
• ? Intezer - Detect, analyze, and categorize malware by identifying code reuse and code similarities.
• IRMA - An asynchronous and customizable analysis platform for suspicious files.
• ? Joe Sandbox - Deep malware analysis with Joe Sandbox.
• ? Jotti - Free online multi-AV scanner.
•    390    115? Limon) - Sandbox for Analyzing Linux Malware.
•    369    101? Malheur) - Automatic sandboxed analysis of malware behavior.
•   1658    270? malice.io) - Massively scalable malware analysis framework.
•    368     80? malsub) - A Python RESTful API framework for online malware and URL analysis services.
• ? Malware config - Extract, decode and display online the configuration settings from common malwares.
• ? MalwareAnalyser.io - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
• ? Malwr - Free analysis with an online Cuckoo Sandbox instance.
• ? MetaDefender Cloud - Scan a file, hash, IP, URL or domain address for malware for free.
• ? NetworkTotal - A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
•   1133    222? Noriben) - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
• ? PacketTotal - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
• PDF Examiner - Analyse suspicious PDF files.
• ProcDot - A graphical malware analysis tool kit.
•    130     39? Recomposer) - A helper script for safely uploading binaries to sandbox sites.
•    138     40? sandboxapi) - Python library for building integrations with several open source and commercial malware sandboxes.
•    817    104? SEE) - Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
• ? SEKOIA Dropper Analysis - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
• ? VirusTotal - Free online analysis of malware samples and URLs
•    139     30? Visualize_Logs) - Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...)
• ? Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.

Inspect domains and IP addresses.

• ? AbuseIPDB - AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.
• ? badips.com - Community based IP blacklist service.
•     38      6? boomerang) - A tool designed for consistent and safe capture of off network web resources.
• ? Cymon - Threat intelligence tracker, with IP/domain/hash search.
• Desenmascara.me - One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
• ? Dig - Free online dig and other network tools.
•   4957    777? dnstwist) - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
•    100     24? IPinfo) - Gather information about an IP or domain by searching online resources.
•    505    101? Machinae) - OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
•   1655    258? mailchecker) - Cross-language temporary email detection library.
•     80     22? MaltegoVT) - Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
• Multi rbl - Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
• ? NormShield Services - Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
• ? PhishStats - Phishing Statistics with search for IP, domain and website title
• ? Spyse - subdomains, whois, realted domains, DNS, hosts AS, SSL/TLS info,
• ? SecurityTrails - Historical and current WHOIS, historical and current DNS records, similar domains, certificate information and other domain and IP related API and tools.
• ? SpamCop - IP based spam block list.
• ? SpamHaus - Block list based on domains and IPs.
• ? Sucuri SiteCheck - Free Website Malware and Security Scanner.
• ? Talos Intelligence - Search for IP, domain or network owner. (Previously SenderBase.)
• TekDefense Automater - OSINT tool for gathering information about URLs, IPs, or hashes.
• ? URLhaus - A project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.
• URLQuery - Free URL Scanner.
• ? urlscan.io - Free URL Scanner & domain information.
• ? Whois - DomainTools free online whois search.
• ? Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.
• ? ZScalar Zulu - Zulu URL Risk Analyzer.

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

•  14757   1155? Bytecode Viewer) - Combines multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support.
• ? Firebug - Firefox extension for web development.
• Java Decompiler - Decompile and inspect Java apps.
•      ?      ?? Java IDX Parser) - Parses Java IDX cache files.
• JSDetox - JavaScript malware analysis tool.
•    163     65? jsunpack-n) - A javascript unpacker that emulates browser functionality.
•   2006    223? Krakatau) - Java decompiler, assembler, and disassembler.
• Malzilla - Analyze malicious web pages.
•    432     92? RABCDAsm) - A "Robust ActionScript Bytecode Disassembler."
• ? SWF Investigator - Static and dynamic analysis of SWF applications.
• swftools - Tools for working with Adobe Flash files.
• xxxswf - A Python script for analyzing Flash files.

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

•    178     41? AnalyzePDF) - A tool for analyzing PDFs and attempting to determine whether they are malicious.
•    623     86? box-js) - A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
• diStorm - Disassembler for analyzing malicious shellcode.
• ? InQuest Deep File Inspection - Upload common malware lures for Deep File Inspection and heuristical analysis.
• JS Beautifier - JavaScript unpacking and deobfuscation.
• libemu - Library and tools for x86 shellcode emulation.
•     53     16? malpdfobj) - Deconstruct malicious PDFs into a JSON representation.
• OfficeMalScanner - Scan for malicious traces in MS Office documents.
• olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
• ? Origami PDF - A tool for analyzing malicious PDFs, and more.
• ? PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
•     35      9? PDF X-Ray Lite) - A PDF analysis tool, the backend-free version of PDF X-RAY.
• peepdf - Python tool for exploring possibly malicious PDFs.
• ? QuickSand - QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
• ? Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.

For extracting files from inside disk and memory images.

•   1133    192? bulk_extractor) - Fast file carving tool.
•    193     22? EVTXtract) - Carve Windows Event Log files from raw binary data.
• Foremost - File carving tool designed by the US Air Force.
•    624     69? hachoir3) - Hachoir is a Python library to view and edit a binary stream field by field.
•    629    100? Scalpel) - Another data carving tool.
•     82     48? SFlock) - Nested archive extraction/unpacking (used in Cuckoo Sandbox).

Reverse XOR and other code obfuscation methods.

• ? Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
•   7008   2691? de4dot) - .NET deobfuscator and unpacker.
• ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
•   3352    456? FLOSS) - The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
•     86     18? NoMoreXOR) - Guess a 256 byte XOR key using frequency analysis.
•    270     72? PackerAttacker) - A generic hidden code extractor for Windows malware.
•   3055    626? PyInstaller Extractor) - A Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it.
•      ?      ?? uncompyle6) - A cross-version Python bytecode decompiler. Translates Python bytecode back into equivalent Python source code.
•    670     83? un{i}packer) - Automatic and platform-independent unpacker for Windows binaries based on emulation.
•      ?      ?? unpacker) - Automated malware unpacker for Windows malware based on WinAppDbg.
•      ?      ?? unxor) - Guess XOR keys using known-plaintext attacks.
•    133     24? VirtualDeobfuscator) - Reverse engineering tool for virtualization wrappers.
• XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
• ? XORSearch & XORStrings - A couple programs from Didier Stevens for finding XORed data.
•   1406    173? xortool) - Guess XOR key length, as well as the key itself.

Disassemblers, debuggers, and other static and dynamic analysis tools.

•   7659   1088? angr) - Platform-agnostic binary analysis framework developed at UCSB's Seclab.
•      ?      ?? bamfdetect) - Identifies and extracts information from bots and other malware.
•   2081    273? BAP) - Multiplatform and open source (MIT) binary analysis framework developed at CMU's Cylab.
•   1413    168? BARF) - Multiplatform, open source Binary Analysis and Reverse engineering Framework.
•   2878    453? binnavi) - Binary analysis IDE for reverse engineering based on graph visualization.
• ? Binary ninja - A reversing engineering platform that is an alternative to IDA.
•  11665   1578? Binwalk) - Firmware analysis tool.
•    123     22? BluePill) - Framework for executing and debugging evasive malware and protected executables.
•   7693   1562? Capstone) - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
•     44      6? codebro) - Web based code browser using  clang to provide basic code analysis.
•      ?      ?? Cutter) - GUI for Radare2.
•    808    168? DECAF (Dynamic Executable Code Analysis Framework)) - A binary analysis platform based   on QEMU. DroidScope is now an extension to DECAF.
•  26848   5153? dnSpy) - .NET assembly editor, decompiler and debugger.
• ? dotPeek - Free .NET Decompiler and Assembly Browser.
• Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
•   2258    194? Fibratus) - Tool for exploration and tracing of the Windows kernel.
• ? FPort - Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
• GDB - The GNU debugger.
•   7107    742? GEF) - GDB Enhanced Features, for exploiters and reverse engineers.
•  52649   5953? Ghidra) - A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
•    170     19? hackers-grep) - A utility to search for strings in PE executables including imports, exports, and debug symbols.
• ? Hopper - The macOS and Linux Disassembler.
• ? IDA Pro - Windows disassembler and debugger, with a free evaluation version.
•    981    226? IDR) - Interactive Delphi Reconstructor is a decompiler of Delphi executable files and dynamic libraries.
• Immunity Debugger - Debugger for malware analysis and more, with a Python API.
• ILSpy - ILSpy is the open-source .NET assembly browser and decompiler.
• Kaitai Struct - DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
• ? LIEF - LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
• ltrace - Dynamic analysis for Linux executables.
•     85     24? mac-a-mal) - An automated framework for mac malware hunting.
• ? objdump - Part of GNU binutils, for static analysis of Linux binaries.
• OllyDbg - An assembly-level debugger for Windows executables.
• ? OllyDumpEx - Dump memory from (unpacked) malware Windows process and store raw or rebuild PE file. This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg.
•    105     42? PANDA) - Platform for Architecture-Neutral Dynamic Analysis.
•   5915    809? PEDA) - Python Exploit Development Assistance for GDB, an enhanced display with added commands.
• ? pestudio - Perform static analysis of Windows executables.
•   1573    192? Pharos) - The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
•   3049    276? plasma) - Interactive disassembler for x86/ARM/MIPS.
• ? PPEE (puppy) - A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
• ? Process Explorer - Advanced task manager for Windows.
• Process Hacker - Tool that monitors system resources.
• ? Process Monitor - Advanced monitoring tool for Windows programs.
• ? PSTools - Windows command-line tools that help manage and investigate live systems.
•    386     95? Pyew) - Python tool for malware analysis.
•   1657    247? PyREBox) - Python scriptable reverse engineering sandbox by the Talos team at Cisco.
• ? Qiling Framework - Cross platform emulation and sanboxing framework with instruments for binary analysis.
•      ?      ?? QKD) - QEMU with embedded WinDbg server for stealth debugging.
• Radare2 - Reverse engineering framework, with debugger support.
• ? RegShot - Registry compare utility that compares snapshots.
• ? RetDec - Retargetable machine-code decompiler with an ? online decompilation service and ? API that you can use in your tools.
•    285     42? ROPMEMU) - A framework to analyze, dissect and decompile complex code-reuse attacks.
•   1128    232? Scylla Imports Reconstructor) - Find and fix the IAT of an unpacked / dumped PE32 malware.
•   3526    441? ScyllaHide) - An Anti-Anti-Debug library and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine.
•     66     15? SMRT) - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.
• ? strace - Dynamic analysis for Linux executables.
•    688    125? StringSifter) - A machine learning tool that automatically ranks strings based on their relevance for malware analysis.
• ? Triton - A dynamic binary analysis (DBA) framework.
•   1029    298? Udis86) - Disassembler library and tool for x86 and x86_64.
•    945    187? Vivisect) - Python tool for malware analysis.
• ? WinDbg - multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
•      ?      ?? X64dbg) - An open-source x64/x32 debugger for windows.

Analyze network interactions.

• ? Bro - Protocol analyzer that operates at incredible scale; both file and network protocols.
•     33      5? BroYara) - Use Yara rules from Bro.
•    714    159? CapTipper) - Malicious HTTP traffic explorer.
•    489    112? chopshop) - Protocol analysis and decoding framework.
• ? CloudShark - Web-based tool for packet analysis and malware traffic detection.
•   1830    364? FakeNet-NG) - Next generation dynamic network analysis tool.
• ? Fiddler - Intercepting web proxy designed for "web debugging."
•    188     64? Hale) - Botnet C&C monitor.
• Haka - An open source security oriented language for describing protocols and applying security policies on (live) captured traffic.
•     95     35? HTTPReplay) - Library for parsing and reading out PCAP files, including TLS streams using TLS Master Secrets (used in Cuckoo Sandbox).
• INetSim - Network service emulation, useful when building a malware lab.
•    743    156? Laika BOSS) - Laika BOSS is a file-centric malware analysis and intrusion detection system.
•    371     60? Malcolm) - Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
•   1160    216? Malcom) - Malware Communications Analyzer.
•   6660   1105? Maltrail) - A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring an reporting and analysis interface.
• ? mitmproxy - Intercept network traffic on the fly.
•   6442   1045? Moloch) - IPv4 traffic capturing, indexing and database system.
• NetworkMiner - Network forensic analysis tool, with a free version.
•    909    102? ngrep) - Search through network traffic like grep.
•    345     61? PcapViz) - Network topology and traffic visualizer.
•     58     13? Python ICAP Yara) - An ICAP Server with yara scanner for URL or content.
•     78     27? Squidmagic) - squidmagic is a tool designed to analyze a web-based network traffic to detect central command and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus.
• Tcpdump - Collect network traffic.
• tcpick - Trach and reassemble TCP streams from network traffic.
• tcpxtract - Extract files from network traffic.
• ? Wireshark - The network traffic analysis tool.

Tools for dissecting malware in memory images or running systems.

• ? BlackLight - Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
•    211     48? DAMM) - Differential Analysis of Malware in Memory, built on Volatility.
•    260     42? evolve) - Web interface for the Volatility Memory Forensics Framework.
• ? FindAES - Find AES encryption keys in memory.
•    281     57? inVtero.net) - High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
•     52      9? Muninn) - A script to automate portions of analysis using Volatility, and create a readable report.    226     19? Orochi) - Orochi is an open source framework for collaborative forensic memory dump analysis.
• Rekall - Memory analysis framework, forked from Volatility in 2013.
•     49      9? TotalRecall) - Script based on Volatility for automating various malware analysis tasks.
•    194     50? VolDiff) - Run Volatility on memory images before and after malware execution, and report changes.
•   7431   1294? Volatility) - Advanced memory forensics framework.
•    381     82? VolUtility) - Web Interface for Volatility Memory Analysis framework.
•    621    179? WDBGARK) - WinDBG Anti-RootKit Extension.
• ? WinDbg - Live memory inspection and kernel debugging for Windows systems.

•    184     29? AChoir) - A live incident response script for gathering Windows artifacts.
•     49     11? python-evt) - Python library for parsing Windows Event Logs.
• python-registry - Python library for parsing registry files.
• RegRipper (     ?      ?? GitHub)) - Plugin-based registry analysis tool.

•    158     53? Aleph) - Open Source Malware Analysis Pipeline System.
• ? CRITs - Collaborative Research Into Threats, a malware and threat repository.
• ? FAME - A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
•    134     43? Malwarehouse) - Store, tag, and search malware.
•    376     60? Polichombr) - A malware analysis platform designed to help analysts to reverse malwares collaboratively.
• stoQ - Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
• Viper - A binary management and analysis framework for analysts and researchers.

•   6002   1178? al-khaser) - A PoC malware with good intentions that aimes to stress anti-malware systems.
•     39     12? CryptoKnight) - Automated cryptographic algorithm reverse engineering and classification framework.
•    306     59? DC3-MWCP) - The Defense Cyber Crime Center's Malware Configuration Parser framework.
•   6727    931? FLARE VM) - A fully customizable, Windows-based, security distribution for malware analysis.
•    537    198? MalSploitBase) - A database containing exploits used by malware.
• ? Malware Museum - Collection of malware programs that were distributed in the 1980s and 1990s.
•      1      0? Malware Organiser) - A simple tool to organise large malicious/benign files into a organised Structure.
•   3464    467? Pafish) - Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
• ? REMnux - Linux distribution and docker images for malware reverse engineering and analysis.
• ? Tsurugi Linux - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.
• ? Santoku Linux - Linux distribution for mobile forensics, malware analysis, and security.

Essential malware analysis reading material.

• ? Learning Malware Analysis - Learning Malware Analysis: Explore the concepts, tools, and techniques to analuze and investigate Windows malware
• ? Malware Analyst's Cookbook and DVD - Tools and Techniques for Fighting Malicious Code.
• ? Mastering Malware Analysis - Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercime, and IoT attacks
• ? Mastering Reverse Engineering - Mastering Reverse Engineering: Re-engineer your ethical hacking skills
• ? Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software.
• ? Practical Reverse Engineering - Intermediate Reverse Engineering.
• ? Real Digital Forensics - Computer Security and Incident Response.
• ? Rootkits and Bootkits - Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats
• ? The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory.
• ? The IDA Pro Book - The Unofficial Guide to the World's Most Popular Disassembler.
• ? The Rootkit Arsenal - The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System

•   1668    282? APT Notes) - A collection of papers and notes related to Advanced Persistent Threats.
•    964    282? Ember) - Endgame Malware BEnchmark for Research, a repository that makes it easy to (re)create a machine learning model that can be used to predict a score for a PE file based on static analysis.
•  10591    742? File Formats posters) - Nice visualization of commonly used file format (including PE & ELF).
• Honeynet Project - Honeypot tools, papers, and other resources.
• Kernel Mode - An active community devoted to malware analysis and kernel development.
• ? Malicious Software - Malware blog and resources by Lenny Zeltser.
• ? Malware Analysis Search - Custom Google search engine from Corey Harrell.
• Malware Analysis Tutorials - The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning practical malware analysis.
• ? Malware Analysis, Threat Intelligence and Reverse Engineering - Presentation introducing the concepts of malware analysis, threat intelligence and reverse engineering. Experience or prior knowledge is not required. Labs link in description.
•    165     15? Malware Persistence) - Collection of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools).
• Malware Samples and Traffic - This blog focuses on network traffic related to malware infections.
• ? Malware Search+++ Firefox extension allows you to easily search some of the most popular malware databases
• ? Practical Malware Analysis Starter Kit - This package contains most of the software referenced in the Practical Malware Analysis book.
•   3784    788? RPISEC Malware Analysis) - These are the course materials used in the Malware Analysis course at at Rensselaer Polytechnic Institute during Fall 2015.
• WindowsIR: Malware - Harlan Carvey's page on Malware.
•    332     73? Windows Registry specification) - Windows registry file format specification.
• ? /r/csirt_tools - Subreddit for CSIRT tools and resources, with a ? malware analysis flair.
• ? /r/Malware - The malware subreddit.
• ? /r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.

•   8295   1455? Android Security)
•   6387    742? AppSec)
•   9945   1497? CTFs)
•   1233    107? Executable Packing)
•   4039    632? Forensics)
•  13362   1556? "Hacking")
•   8757   1267? Honeypots)
•   1658    438? Industrial Control System Security)
•   7751   1537? Incident-Response)
•   5229    739? Infosec)
•   3149    466? PCAP Tools)
•  22166   4493? Pentesting)
•  12586   1938? Security)
•   8246   1499? Threat Intelligence)
•   3608    495? YARA)

Pull requests and issues with suggestions are welcome! Please read the CONTRIBUTING guidelines before submitting a PR.

This list was made possible by:

• Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list;
• Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for writing the Malware Analyst's Cookbook, which was a big inspiration for creating the list;
• And everyone else who has sent pull requests or suggested links to add here!

Thanks!

 12101   2585? rshipp/awesome-malware-analysis)