VirusTotal Wanna Be - Now with 100% more Hipster
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.

malice logo

malice (as seen at this years Blackhat USA Arsenal)

Circle CI License Release GoDoc Gitter Slack

Malice's mission is to be a free open source version of VirusTotal that anyone can use at any scale from an independent researcher to a fortune 500 company.

Try It Out


  • username: malice
  • password: ecilam

Setup Docker (OSX)

Install Docker for Mac


Install with homebrew.

$ brew install caskroom/cask/brew-cask
$ brew cask install virtualbox
$ brew install docker
$ brew install docker-machine
$ docker-machine create --driver virtualbox --engine-storage-driver overlay malice
$ eval $(docker-machine env malice)

Getting Started (OSX)


$ brew install maliceio/tap/malice
Usage: malice [OPTIONS] COMMAND [arg...]

Open Source Malware Analysis Framework

Version: 0.3.11

  blacktop - <>

  --debug, -D      Enable debug mode [$MALICE_DEBUG]
  --help, -h       show help
  --version, -v    print the version

  scan        Scan a file
  watch        Watch a folder
  lookup    Look up a file hash
  elk        Start an ELK docker container
  plugin    List, Install or Remove Plugins
  help        Shows a list of commands or help for one command

Run 'malice COMMAND --help' for more information on a command.

Scan some malware

$ malice scan evil.malware

NOTE: On the first run malice will download all of it's default plugins which can take a while to complete.

Malice will output the results as a markdown table that can be piped or copied into a that will look great on Github see here

Start Malice's Web UI

$ malice elk

You can open the Kibana UI and look at the scan results here: http://localhost (assuming you are using Docker for Mac)


  • Type in malice as the Index name or pattern and click Create.

  • Now click on the Discover Tab and behold!!!


Getting Started (Docker in Docker)

CircleCI Docker Stars Docker Pulls Docker Image

Install/Update all Plugins

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock malice/engine plugin update --all

Scan a file

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
                -v `pwd`:/malice/samples \
                -e MALICE_VT_API=$MALICE_VT_API \
                malice/engine scan SAMPLE


Known Issues ⚠️

I have noticed when running the new 5.0+ version of malice/elasticsearch on a linux host you need to increase the memory map areas with the following command

sudo sysctl -w vm.max_map_count=262144

Elasticsearch requires at least 4GB of RAM to run. You can lower it to 2GB by running the following (before running a scan):

$ docker run -d \
         -p 9200:9200 \
         -name malice-elastic \
         -e ES_JAVA_OPTS="-Xms2g -Xmx2g" \


Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue




Apache License (Version 2.0)
Copyright (c) 2013 - 2018 blacktop Joshua Maine