Awesome Malware Analysis

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.

Malware Collection
Open Source Threat Intelligence
- Tools
- Other Resources
Detection and Classification
Online Scanners and Sandboxes
Domain Analysis
Browser Malware
Documents and Shellcode
File Carving
Deobfuscation
Debugging and Reverse Engineering
Network
Memory Forensics
Windows Artifacts
Storage and Workflow
Miscellaneous
Resources
- Books
- Other
Related Awesome Lists
Contributing
Thanks

View Chinese translation: 恶意软件分析大合集.md.

Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

Anonymouse.org - A free, web based anonymizer.
OpenVPN - VPN software and hosting solutions.
Privoxy - An open source proxy server with some privacy features.
Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

Conpot - ICS/SCADA honeypot.
Cowrie - SSH honeypot, based on Kippo.
DemoHunter - Low interaction Distributed Honeypots.
Dionaea - Honeypot designed to trap malware.
Glastopf - Web application honeypot.
Honeyd - Create a virtual honeynet.
HoneyDrive - Honeypot bundle Linux distro.
Honeytrap - Opensource system for running, monitoring and managing honeypots.
MHN - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
Mnemosyne - A normalizer for honeypot data; supports Dionaea.
Thug - Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

Clean MX - Realtime database of malware and malicious domains.
Contagio - A collection of recent malware samples and analyses.
Exploit Database - Exploit and shellcode samples.
Infosec - CERT-PA - Malware samples collection and analysis.
InQuest Labs - Evergrowing searchable corpus of malicious Microsoft documents.
Javascript Mallware Collection - Collection of almost 40.000 javascript malware samples
Malpedia - A resource providing rapid identification and actionable context for malware investigations.
Malshare - Large repository of malware actively scrapped from malicious sites.
Ragpicker - Plugin based malware crawler with pre-analysis and reporting functionalities
theZoo - Live malware samples for analysts.
Tracker h3x - Agregator for malware corpus tracker and malicious download sites.
vduddu malware repo - Collection of various malware files and source code.
VirusBay - Community-Based malware repository and social network.
ViruSign - Malware database that detected by many anti malware programs except ClamAV.
VirusShare - Malware repository, registration required.
VX Vault - Active collection of malware samples.
Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
Zeus Source Code - Source for the Zeus trojan leaked in 2011.
VX Underground - Massive and growing collection of free malware samples.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

AbuseHelper - An open-source framework for receiving and redistributing abuse feeds and threat intel.
AlienVault Open Threat Exchange - Share and collaborate in developing Threat Intelligence.
Combine - Tool to gather Threat Intelligence indicators from publicly available sources.
Fileintel - Pull intelligence per file hash.
Hostintel - Pull intelligence per host.
IntelMQ - A tool for CERTs for processing incident data using a message queue.
IOC Editor - A free editor for XML IOC files.
iocextract - Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.
ioc_writer - Python library for working with OpenIOC objects, from Mandiant.
MalPipe - Malware/IOC ingestion and processing engine, that enriches collected data.
Massive Octo Spice - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
MISP - Malware Information Sharing Platform curated by The MISP Project.
Pulsedive - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
PyIOCe - A Python OpenIOC editor.
RiskIQ - Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
threataggregator - Aggregates security threats from a number of sources, including some of those listed below in other resources.
ThreatConnect - TC Open allows you to see and share open source threat data, with support and validation from our free community.
ThreatCrowd - A search engine for threats, with graphical visualization.
ThreatIngestor - Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.
ThreatTracker - A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
TIQ-test - Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

Autoshun (list) - Snort plugin and blocklist.
Bambenek Consulting Feeds - OSINT feeds based on malicious DGA algorithms.
Fidelis Barncat - Extensive malware config database (must request access).
CI Army (list) - Network security blocklists.
Critical Stack- Free Intel Market - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
Cybercrime tracker - Multiple botnet active tracker.
FireEye IOCs - Indicators of Compromise shared publicly by FireEye.
FireHOL IP Lists - Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps.
HoneyDB - Community driven honeypot sensor data collection and aggregation.
hpfeeds - Honeypot feed protocol.
Infosec - CERT-PA lists (IPs - Domains - URLs) - Blocklist service.
InQuest REPdb - Continuous aggregation of IOCs from a variety of open reputation sources.
InQuest IOCdb - Continuous aggregation of IOCs from a variety of blogs, Github repos, and Twitter.
Internet Storm Center (DShield) - Diary and searchable incident database, with a web API. (unofficial Python library).
malc0de - Searchable incident database.
Malware Domain List - Search and share malicious URLs.
MetaDefender Threat Intelligence Feed - List of the most looked up file hashes from MetaDefender Cloud.
OpenIOC - Framework for sharing threat intelligence.
Proofpoint Threat Intelligence - Rulesets and more. (Formerly Emerging Threats.)
Ransomware overview - A list of ransomware overview with details, detection and prevention.
STIX - Structured Threat Information eXpression - Standardized language to represent and share cyber threat information. Related efforts from MITRE:
- CAPEC - Common Attack Pattern Enumeration and Classification
- CybOX - Cyber Observables eXpression
- MAEC - Malware Attribute Enumeration and Characterization
- TAXII - Trusted Automated eXchange of Indicator Information
SystemLookup - SystemLookup hosts a collection of lists that provide information on the components of legitimate and potentially unwanted programs.
ThreatMiner - Data mining portal for threat intelligence, with search.
threatRECON - Search for indicators, up to 1000 free per month.
ThreatShare - C2 panel tracker
Yara rules - Yara rules repository.
YETI - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
ZeuS Tracker - ZeuS blocklists.

Detection and Classification

Antivirus and other malware identification tools

AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
Assemblyline - A scalable file triage and malware analysis system integrating the cyber security community's best tools..
BinaryAlert - An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
capa - Detects capabilities in executable files.
chkrootkit - Local Linux rootkit detection.
ClamAV - Open source antivirus engine.
Detect It Easy(DiE) - A program for determining types of files.
Exeinfo PE - Packer, compressor detector, unpack info, internal exe tools.
ExifTool - Read, write and edit file metadata.
File Scanning Framework - Modular, recursive file scanning solution.
fn2yara - FN2Yara is a tool to generate Yara signatures for matching functions (code) in an executable program.
Generic File Parser - A Single Library Parser to extract meta information,static analysis and detect macros within the files.
hashdeep - Compute digest hashes with a variety of algorithms.
HashCheck - Windows shell extension to compute hashes with a variety of algorithms.
Loki - Host based scanner for IOCs.
Malfunction - Catalog and compare malware at a function level.
Manalyze - Static analyzer for PE executables.
MASTIFF - Static analysis framework.
MultiScanner - Modular file scanning/analysis framework
[Nauz File

awesome-malware-analysis