Malware Analysis
Important! This list is up to date (DEC-2020).
Windows Malware Analysis Tools
Static Analysis
- HxD - Hex viewer and editor
- 010 Editor - Advanced hex viewer and editor
- Strings (Sysinternals Suite) - Extracts strings from a file
- HashMyFiles - Calculate MD5/SHA1/CRC32 hashes of your files
- DiE/Detect it Easy - Packer identifier (recommended)
- PEiD - Packer identifier
- PeStudio - Advanced PE viewer and more (recommended)
- PEBear - PE viewer
- CFF Explorer - PE editor
- Resource Hacker - Resource editor
- oledump.py - OLE files analyzer
- OfficeMalScanner - Office files malware scanner
- PDFiD - PDF string scanner and identifier
- PDFStreamDumper - PDF malicious file scanner
- PDFParser - PDF file data extractor
- Malwoverview.py - Incident response tool to perform an initial and quick triage in a directory containing malware samples and more
- YARA - The pattern matching swiss knife for malware researchers
Dynamic Analysis
- Process Explorer - Advanced Task Manager
- Process Hacker - Advanced Task Manager
- Process Monitor/ProcMon - Monitors for system processes events
- Regshot - Registry compare utility
- API Monitor - Monitors for Windows API functions (memory dump, breakpoints and more)
- APIMiner - Logs Windows API functions of an executed program
- Pinitor - API Monitor based on instrumentation
- PE-Sieve - Scans for malicious implants
- TCPView - Displays network connections
- Fiddler - Free web debugging proxy for any browser, system or platform
- FakeNet-NG - Emulates services/open ports for malware behavior analysis purposes
- INetSim - Emulates services/open ports for malware behavior analysis purposes
- ApateDNS - Control DNS responses
- Wireshark - Network Sniffer and Protocol Analyzer
- MiTMProxy - Interactive SSL/TLS-capable intercepting HTTP proxy (great for HTTPS inspection)
- NetworkMiner - Sniffer and PCAP parser
- ProcDot - A new way of visual malware analysis
- WinJa - A lightweight but powerful tool for discovering malware hiding on your system
- CMD Watcher - Watches for the CMD, PowerShell, and other processes, suspends it, extracts the command line data, then optionally kills it
Reverse Engineering
- IDA Free/Pro - Disassembler and debugger
- radare2 - Free and open source disassembler and debugger
- Cutter - GUI for radare2
- x64dbg - User-Mode debugger
- OllyDbg - User-Mode debugger
- WinDbg - Kernel-Mode debugger
- WinDBG2IDA - Shows WinDBG steps in IDA (plugin)
- dnSpy - .NET debugger and assembly editor
- ILSpy - .NET Decompiler
- de4dot - .NET deobfuscator and unpacker
- RetDec - Retargetable machine-code decompiler based on LLVM
- IDR (Interactive Delphi Reconstructor) - Delphi decompiler
- Ghidra - NSA software reverse engineering framework
- Binary Ninja - A New Type of Reversing Platform
Deobfuscation
- FLOSS - Automatically extract obfuscated strings from malware
- NoMoreXor - Tool to help guess a file's 256-byte XOR key by using frequency analysis
- PackerAttacker - C++ application that uses memory and code hooks to detect packers
- UniPacker - Automatic and platform-independent unpacker for Windows binaries based on emulation
- unpacker - WinAppDbg script to automate malware unpacking
- XorSearch - Program to search for a given string in an XOR, ROL, ROT or SHIFT encoded binary file
Packing
- UPX/Ultimate Packer eXecutables - Windows PE Packer
- Alternate EXE Packer - Based on the UPX packer
- ASProtect - PE Packer (great for .NET based PE executables)
- Enigma Protector - A professional system for licensing and protecting executable files for Windows
- MPRESS - .NET based PE packer
- ExeStealth - Delphi, Visual Basic and C++ PE packer
- Themida - Advanced Windows software protection system
- MEW - LZMA algorithm based PE packer
- VMProtect - VMProtect protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult to analyze and crack the software
- Obsidium - Windows PE Packer
Forensics
- WinDD - Hard drive forensics acquisition tool
- WinPmem - Memory forensics acquisition tool
- DumpIt - Memory forensics acquisition tool
- FTK Imager - Hard drive and memory forensics acquisition tool
- Autopsy - Hard drive forensics analysis tool
- Volatility - Memory forensics analysis framework
- Memoryze - Find evil in live memory
- Rekall - Memory forensic framework
- Redline - Memory forensics accelerated live response
- FOG Project - Free open-source network computer cloning and management solution
Other
- Sysinternals Suite - Microsoft's tools to analyze Windows system internals
- Cuckoo Sandbox - Free and open-source automated malware analysis sandbox
- Flare-VM - Windows-based Malware analysis security distribution
CheatSheet
Network
Reverse Engineer
- Tips for Reverse Engineering Malicious Code - Lenny Zeltser
- Reverse Engineering Cheat Sheet - WinDBG Commands and More
- Reverse Engineering Tips
- Hex and Regex Cheat Sheet
- IDA Pro Shortcuts - Hex Rays
- Malware Analysis Cheat Sheet - SANS Poster
- Analyzing Malicious Documents - Lenny Zeltser
System
- Windows Forensics Analysis - SANS Poster
- Hunting Process Injection by Windows API Calls - MalwareAnalysis.co
- List of File Signatures - Wikipedia
- APT Groups and Operations
- Ransomware Overview
- APTnotes
- PDF Tricks
- PE101
- Evidence Collection Cheat Sheet - SANS Poster
- ARM Assembly - Azeria Labs
- Dalvik Opcodes
- Windows Registry Forensics - Mindmap
- Antivirus Event Analysis
- NTFS Cheat Sheet
- FAT Cheat Sheet
- APFS Cheat Sheet
- Digital Forensics Cheat Sheet
FAQ
Malware Analysis Samples
No Registration
- Malware-Samples - GitHub Repository
- TheZoo - GitHub Repository (Recommended)
- Objective-See Collection - macOS malware samples
- TakeDefense
- DasMalwarek
- Android Malware - GitHub repository of Android malware samples
- Contagio Mobile - Mobile malware mini dump
- Packet Total - PCAP based malware sources
- URLhaus - Online and real-world malware campaign samples
Registration Required
- VirusBay Community (Recommended)
- Any.Run
- Hybrid Analysis File Collection
- MalShare
- Malware Analysis Center
Sandbox
Free Malware Analysis Sandboxes
- Hybrid Analysis
- SNDBOX
- Any.Run
- anlyz.io
- YOMI - by YOROI
- Noriben - Portable, simple, malware analysis sandbox
- AVC-UnDroid - Online APK analyzer
- SandDroid - Android Sandbox
Paid Malware Analysis Sandboxes