Malware Analysis and Incident Response Tools

The idea of this repository is to serve as a base of all the tools that we might be using or I recommend to be used for performing different malware analysis and incident response tasks. The list will be updated with new tools regularly.

ONLINE SCANNERS

• VirusTotal
• HYBRID ANALYSIS
• Any > Run
  • Latest malware trends
• Malcore
• Malwr — (uses Cuckoo in background)
• Malware.id

PORTABLE EXECUTABLE (PE)

• CFF Explorer
• PE-Bear — by Hasherzade
• Detect-It-Easy — by Hors
• Dependency Walker
• PE Studio
• PPEE — or "puppy", which is a Professional PE file Explorer
• Resource Hacker
• Cerbero
• PE Explorer v2 — by Zodiacon
• CAPA — by FireEye FLARE Team
• Malwoverview
• XPEViewer

PACKERS, DECRYPTERS, COMPRESSORS, EXTRACTORS, ETC

• Exeinfo PE — (old version) or here (latest)
• PEiD — (password = tuts4you) + signatures
• ASPack — (trail)
• Detect it Easy (DiE) or here
• TitanMist
• Reflective PE Packer: Amber
• pyinstxtractor — a Python script to extract the contents of a PyInstaller generated executable file.
• pyinstxtractor-ng — a tool to extract the contents of a Pyinstaller generated executable file. Both Linux ELFs and Windows PE executables are supported.
• etc

DYNAMIC ANALYSIS

• Microsoft SysInternals Suite
• Process Hacker
• ProcDOT or here
  • Save as PNG
  • Save as SVG
• RegShot
• Noriben
• X64dbg
  • Themes:
    • https://github.com/Dump-GUY/x64dbg---Dark-Theme
    • https://github.com/Fmk0/templates
• Immunity Debugger
• Rundll32 (LOLBin)
• Injector (Reflective DLL Injection)
• API Monitor
• PE Capture
• Tiny_tracer
• VISION-ProcMon 
  • blog
• Pe-sieve
• Hollows-hunter
• ReverseKit
• Mal_unpack
• etc

NETWORKING

• Mandiant ApateDNS
• WinDump
• CaptureBAT
• Fiddler — get the classic version

INCIDENT RESPONSE

• Skadi — open source collection of tools that enables the collection, processing and advanced analysis of forensic artifacts and images.
• CyLR — Live Response Collection tool by Alan Orlikoski and Jason Yegge
• Velociraptor
• VolatileDataCollector
• KAPE
• Yara
• YExtend
• IOC Editor
• IOC Finder
• Yara rules
• YaraRET
• Yara Endpoint
• ClamAV
• Osquery
• GRR
• DumpIt (readings: 1, 2)
• Memdump — similar to SysInternals
• Beagle
• Thor-Lite

REVERSE ENGINEERING AND DECOMPILERS

• Ghidra
• IDA Pro
  • Plugins:
    • https://github.com/herosi/CTO
• dnSpyEx — .NET Decompiler and Debugger
• Malcat
• Binary Ninja
• ExtremeDumper — for .NET Executables
• Cutter
• Rizin
• Vb decompiler
• P32Dasm — vb decompiler
• Online VB Script DeObfuscator/Obfuscator
• Visual Basic decompiler
• Online Decompiler
• Import Hash Generator
• MonoDevelop
• Decompiler Explorer
• etc

MEMORY FORENSICS: Acquisition and Analysis

• Rekall
• Volatility
• Volatility Workbench
• Volatility Repository — profiles, plugins, community plugins, etc
• Rekall
• VolWeb
• FireEye Redline
• Belkasoft RAM Capturer — (free requires registration)
• MAGNET RAM Capture — (requires registration)
• Memoryze — by FireEye (requires registration)
• Surge — Collect by Volexity (Commercial)
• OSForensics — by PassMark Software (commercial)
• WinPmem — (open source), part of Rekall Memory forensic framework
• FTK Imager — by AccessData (free requires registration)
• Comae Memory Toolkit (DumpIt) — (free requires registration)
• MemProcFS
  • MemProcFS-Analyzer
  • MemProcFS-Hunter
• Trufflepig Forensics
• VSTriage
• etc

EMAIL FORENSICS: Analysis, etc

• EmlRender

MALWARE SAMPLES and CODE REPOSITORIES

• Any > Run
• Malware Bazaar
• Virusshare
• Anti-X Code and Research

EMULATORS, SANDBOXES, AND ANTI-X

• Qiling
• Blobrunner
• Frida
• Windows 10 Sandbox
• Shadow Defender
• CAPEv2 — Malware Configuration And Payload Extraction
• DRAKVUF Sandbox
• Cuckoo — No longer maintained, use CAPEv2 instead
• AssemblyLine4
• VMwareCloak
• Linux Malware Analysis Sandbox
• etc

MISC UTILITIES

• bstrings
• BinText
• StringSifter
• Graphivz
• Viper
• Ssdeep
• Visual Studio Code
• Exe_to_dll
• Awesome Docker
• sshx — A secure web-based, collaborative terminal
• etc

DOCUMENTATION, DATASTRUCTURES, APIs, AND LISTS

• Vergilius Project
• Windows APIs used by Malware
• https://github.com/rshipp/awesome-malware-analysis
• NtDoc

RECOMMENDED COURSES

• Life of Binaries
• Intro to x86 — (Assembly x86)
• Intro to x64 — (Assembly 64)
• Intro to x64 — (Assembly 64)
• Intro to Reverse Engineering — (RE) Malware
• Intro to Reverse Engineering — (RE) Software
• Dynamic Malware Analysis
• Ransomware 101

RECOMMENDED VIDEOS AND CHANNELS

• Learn x64 Assembly
• My YouTube Channel — (will be updated)
• John Hammond - Malware Analysis
• OALabs
• Hasherzade
• MalwareAnalysisForHedgehogs
• All Things IDA
• Hex-Rays

CODE AND WHITE PAPERS

• VXUG Papers — Lots of great research papers all in one place
• Kernel Data Structures — I depend on this reference
• LoadLibrary-GetProcAddress-Replacements
• zerosum0x0 Defcon25 Workshop
• Windows Internals
• PROCESSINFOCLASS Native APIs

USEFUL TIPS AND TRICKS

• Yara Generation Tip
• Win32-shellcode
• Dealing with exceptions in x64dbg

Something missing? You recommend somthing? Please let me know…