Skip to content
Go to file


Failed to load latest commit information.
Latest commit message
Commit time


Identifies and extracts information from bots and other malware. Information is returned in a readable json format. bamfdetect works by reading files into RAM, applying any applicable preprocessors, then applying Yara signatures from modules to determine which module it matches. After a match is located, the module can then extract the configuration from the file.

Currently, only a preprocess for UPX files is supported. This preprocessor writes the file data to a temporary file, then calls upx -d on the temporary file, and rereads the data from that temporary file.

Currently Supported Malware

  • Abaddon
  • Alina
  • Andromeda
  • Backoff
  • BlackShades
  • BlackWorm
  • Bozok
  • CyberGate
  • Cythosia
  • DarkComet
  • Dendroid
  • Dexter
  • DiamondFox
  • Easter JackPOS
  • Elise
  • Evora
  • Genome
  • GlassRAT
  • Herpesnet
  • JackPOS
  • Maazben
  • MadnessPro
  • Nanocore
  • njRat
  • pBot
  • PoisonIvy
  • Pony
  • ProjectHook
  • Solar
  • VertexNet
  • vSkimmer
  • XtremeRAT

Module Development

Until I have time to write a guide for writing modules, please use existing modules as a means of writing your own.


cloud@strife:~$ bamfdetect -h
usage: bamfdetect [-h] [-v] [-d] [-r] [-l] [-m MODULE] [-t THREADS]
                  [path [path ...]]

Identifies and extracts information from bots

positional arguments:
  path                  Paths to files or directories to scan

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -d, --detect          Only detect files
  -r, --recursive       Scan paths recursively
  -l, --list            List available modules
  -m MODULE, --module MODULE
                        Modules to use, if not definedall modules are used
  -t THREADS, --threads THREADS
                        Number of threads to use

bamfdetect v1.6.15 by Brian Wallace (@botnet_hunter)


  • pefile (python module)
  • yara (python module)
  • rarfile
  • upx (binary)
  • pycrypto
  • pbkdf2


PE files will be checked if they are UPX compressed before being scanned. If they are, they will be written to a temporary file, then decompressed with the UPX utility. Yara rules and extraction will then be applied to the resulting data.

This project has been moved from


Identifies and extracts information from bots and other malware




No packages published


You can’t perform that action at this time.