Table of Contents
January 15, 2024
|28m
100 Malware Analysis Tools To Identify Malware
Malware represents one of the most dangerous cyber threats faced by individuals, businesses, and governments today. Sophisticated malware enables adversaries to infiltrate systems, covertly persist, escalate privileges, exfiltrate data, and disrupt operations. Defending against advanced malware requires in-depth analysis to understand their capabilities, extract insights and strengthen protection.
Malware analysis could be done by both manual and automated analysis techniques. Skilled analysts use a more manual approach where they use tools like disassemblers and debuggers to analyze malware interactively. As you may think, the manual approach is a laborious process, and it takes a lot of time. There are tools to automate the malware analysis process. Various tools that could do a lot for you.
In this blog post, we will not be covering deep techniques, strategies, or best practices. However, we presented this post with a comprehensive list of tools required to analyze malware. If you want to learn more about malware analysis, this post is not for you. Our primary focus in this post to present a comprehensive list of malware analysis tools.
What is Malware Analysis? What are the Different Types of Malware Analysis?
Malware analysis refers to the processes and techniques to dissect, study, reverse engineer, and analyze malware samples to understand their functionality, anatomy, effects, and capabilities.
It aims to gather tactical and strategic insights from examining malware code that can be used to improve detection, block infections, enable attribution, and inform defense strategies. The core techniques include:
Static Analysis – Static analysis examines the malware code and its composition without executing it. This provides an overview of its building blocks and logic. Techniques like disassembly, unpacking, decompilation, string extraction, binary diffing, and malware triage are used. Static analysis reveals code structure, libraries, APIs, and other artifacts.
Dynamic Analysis – Dynamic analysis executes malware samples in isolated and instrumented environments to observe their runtime behaviors and effects. By monitoring its interactions during execution, dynamic analysis reveals functionalities like persistence mechanisms, network activities, and payload deliveries. Sandboxes, debuggers, and system monitors enable dynamic analysis.
Manual Analysis – Manual analysis entails directly inspecting malware by interactively reverse engineering samples using disassemblers, debuggers, and other tools. Skilled analysts use hands-on techniques to uncover malware intricacies by leveraging their expertise. It provides an in-depth understanding of malware behaviors.
Automated Analysis – Automated analysis employs malware sandboxes and frameworks that execute samples and monitor behaviors automatically. Integration of static and dynamic techniques allows scalable analysis by reducing manual efforts.
Why is Malware Analysis Required?
Malware analysis provides strategic and tactical threat intelligence that enables organizations to achieve the following objectives:
Augment Detection – Malware analysis provides insights into unique malware attributes, allowing the creation of signatures, Indicators of Compromise(IOCs), and detection rules. This improves detection capabilities for countering new malware variants employed in attacks.
Attribute Capabilities – Deep analysis maps malware capabilities like anti-analysis tricks, spreading techniques, and embedded payloads. Attribute knowledge is used for mitigating infections and hardening infrastructure.
Understand Behaviors – Monitoring malware execution reveals critical behaviors like persistence mechanisms, protocols, and keylogging which guide response actions like eradicating infections, and finding victims.
Inform Defensive Strategies – Relating malware capabilities to ATT&CK helps identify security gaps exploited in attacks. This analysis allows implementing tactical controls and improving security posture.
Enable Attribution – Analysis provides TTPs, infrastructure links, and other evidence needed for attribution during response. It supports legal actions and policy responses to deter adversaries.
Organizations must invest in robust malware analysis capabilities to gain an information advantage over sophisticated malware and well-resourced adversaries. The next section provides an overview of effective malware analysis tools to augment capabilities.
Malware Analysis Tools to Identify Malware
So far, we have understood malware analysis, its types, and why it is required. In this section, we will see the tools required to analyze malware. We have presented a list of 100 tools that could help you perform static, dynamic, hybrid, manual, and automated malware analysis.
Here are 100 malware analysis tools to effectively perform analysis for gaining key insights into malware samples:
| Sl. No. | Name | URL | Short Description | Introduction | Features |
| 1 | Wireshark | https://www.wireshark.org/ | Network protocol analyzer | Wireshark is a network traffic analyzer that lets you inspect packets and protocols to identify malicious communications and payloads delivered over the wire. | Wireshark provides deep inspection of network traffic down to the packet level. It can reconstruct sessions and allows filtering and colorizing packets based on protocol analysis. Useful features include following TCP streams, extracting files, matching regular expressions, viewing IO graphs and expert info fields. |
| 2 | IDA Pro | https://www.hex-rays.com/products/ida/ | Disassembler and debugger | IDA Pro is an interactive disassembler and debugger used to reverse engineer and analyze malware code to understand its inner workings and capabilities. | IDA Pro renders executable binary files into assembly code that can be analyzed. It allows seamless switching between text and graph views during analysis. Useful analysis features include cross-references, function calls, struct definitions, comment integration and scripting to automate tasks. |
| 3 | Ghidra | https://ghidra-sre.org/ | Open source disassembler | Ghidra is an open source reverse engineering tool developed by NSA that allows malware analysts to disassemble code down to the source level for analysis. | Ghidra’s analysis capabilities include disassembly navigation, cross-references, diffing, decompilation, shellcode analysis and scripting using Python. It integrates a debugger to analyze runtime code flows. Extensible via scripts and plugins. |
| 4 | OllyDbg | http://www.ollydbg.de/ | x86 debugger and disassembler | OllyDbg is a 32-bit assembler level debugger useful for dynamic analysis of malware by tracing code execution, reverse engineering functionality and analyzing run-time behaviors. | Key capabilities of OllyDbg include stepping through assembly code execution, setting breakpoints, bookmarking, analyzing memory stacks, monitoring registry, debugging system API calls and dump process memory. Provides an intuitive user interface. |
| 5 | Immunity Debugger | https://www.immunityinc.com/products/debugger/ | Debugger for malware analysis | Immunity Debugger is a malware analysis tool that provides low-level debugging along with system call hooking, runtime tracing and code injection to deobfuscate malware. | Immunity Debugger allows fine-grained inspection of malware processes using capabilities like hooking APIs, tracing instruction execution, searching/editing memory and profiling runtimes. Useful for unpacking and deobfuscating malware. |
| 6 | PE Explorer | http://www.heaventools.com/overview.htm | PE file analysis and disassembly | PE Explorer enables in-depth inspection and editing of PE file internals including code obfuscations, metadata and anomalies indicative of sophisticated malware. | PE Explorer can dissect the structure of malware PE files by unpacking sections, reconstructing imports, reversing headers, decoding strings and patching binaries allowing analysts to uncover layered obfuscations. |
| 7 | Process Monitor | https://docs.microsoft.com/en-us/sysinternals/downloads/procmon | Real-time system monitoring | Process Monitor provides real-time monitoring of system events like registry, file system activity initiated by processes, useful for dynamically analyzing malware behaviors. | Process Monitor logs real-time system events with details like stack traces and allows filter, search and analysis of the event stream. Timeline, summary and graph tools allow drilling into malware related events. Useful for behavioral analysis. |
| 8 | Regshot | https://sourceforge.net/projects/regshot/ | Registry comparison | Regshot performs registry differencing by comparing snapshots before and after malware execution, enabling analysts to pinpoint registry modifications made by malware. | Regshot takes registry snapshots before and after running a malware sample, compares the hives using diff views and exports the differences. Useful for identifying persistence mechanisms, configuration data, infected keys etc. |
| 9 | Sandboxie | https://www.sandboxie.com/ | Isolated sandbox environment | Sandboxie isolates untrusted programs like malware in a virtual container to analyze runtime behaviors in a contained environment preventing tampering of host system. | Sandboxie contains malware in isolated virtualized environments where activities like changes to filesystem, registry, network activities are restricted from tampering host. Useful for dynamic analysis. |
| 10 | Cuckoo Sandbox | https://cuckoosandbox.org/ | Automated malware analysis | Cuckoo Sandbox is an automated malware analysis system which executes samples in isolated VMs while monitoring system activities to provide insights into malware behaviors. | Cuckoo automatically analyzes malware by executing samples and monitoring runtime behaviors using custom modules. It generates detailed analysis reports with timelines, API calls, indicators of compromise and other IOCs. |
| 11 | INetSim | https://www.inetsim.org/ | Network service simulator | INetSim emulates common network services like HTTP, DNS, SMTP that malware uses, enabling analysis of network-based infections tactics and external communications. | INetSim provides a simulated network environment mimicking internet services that malware interacts with. It lets analysts inspect network traffic, manipulate responses and replay sessions to uncover malware behaviors. |
| 12 | Exeinfo PE | http://exeinfo.pe.hu/ | PE header analysis | Exeinfo PE quickly extracts vital metadata like imports, strings and anomalies from malware PE files to assist in triage and enable further targeted analysis. | Exeinfo PE examines and carves metadata like imports, exports, resources etc. from PE executable files providing effective first-pass triage of massive malware collections. |
| 13 | PEview | http://wjradburn.com/software/ | PE file viewer | PEview visually presents the internals of PE files like sections, strings, imports that aids manual inspection and analysis of sophisticated and packed malware samples. | PEview parses PE files and presents an intuitive graphical overview of vital aspects like imports, strings, resources etc. It can handle obscured, packed and non-standard PEs aiding malware analysis. |
| 14 | Malzilla | http://malzilla.sourceforge.net/ | Malware hunting and analysis | Malzilla monitors web traffic to detect compromised, infected websites and analyze drive-by malware delivery stopping infections before they reach the endpoint. | Malzilla identifies malicious websites delivering malware using behavior analysis and machine learning. It inspects web traffic, cookies, scripts and HTML to detect infections, browser fingerprints user visits. |
| 15 | VirusTotal | https://www.virustotal.com/ | Online malware scans | VirusTotal enables collaborative detection of malware by scanning suspicious files and URLs against dozens of antivirus engines and analyzes relationships between detections. | VirusTotal scans files using over 70 antivirus tools and analyzes the aggregated output to provide consensus about known and potential malware undetected by individual scanners. Useful for collaborative detection. |
| 16 | Hybrid Analysis | https://www.hybrid-analysis.com/ | Online malware analysis | Hybrid Analysis performs static and dynamic analysis of malware samples by executing them in custom sandboxes, enabling inspection of runtime behaviors. | Hybrid Analysis runs malware samples in an isolated sandbox capturing system API calls, network activities etc. It enables analysts to download detailed reports to inspect specific behaviors. Custom modules can be deployed into sandboxes. |
| 17 | Any.Run | https://app.any.run/ | Interactive online malware sandbox | Any.Run allows interactive malware analysis by visually inspecting malware execution flows in a browser based isolated sandbox environment. | Any.Run provides an interactive web based malware analysis sandbox that lets analysts inspect the step-by-step execution flows of malware. Useful for analyzing and sharing insights into runtime behaviors. |
| 18 | Joe Sandbox | https://www.joesecurity.org | Automated malware analysis | Joe Sandbox offers customizable automated malware analysis by executing samples in various system environments to analyze malicious behaviors. | Joe Sandbox performs static and dynamic malware analysis using custom modules tailored to extract specific IOCs. Detailed reports provide analysts actionable information about malware behaviors, timelines, indicators etc. |
| 19 | YARA | https://virustotal.github.io/yara/ | Malware pattern matching | YARA enables generically detecting and classifying malware by crafting descriptions of malware families based on shared signatures and characteristics. | YARA allows analysts to create rules describing malware families using binary patterns, strings, metadata etc. and scan samples against these rules to categorize and detect variants. |
| 20 | Radare2 | https://www.radare.org/ | Reverse engineering framework | Radare2 is an open source reverse engineering framework that enables malware analysis via disassembly, debugging, binary inspection and scripting. | Radare2 supports reverse engineering malware through disassembly navigation, function graphing, hex editing, debugging and custom scripting using languages like Python and JavaScript. |
| 21 | x64dbg | https://x64dbg.com/ | x64/x32 debugger | x64dbg is an open source Windows debugger useful for analyzing malware assembly code, understanding call flows by tracing execution paths. | x64dbg enables low-level inspection of malware processes using assembly stepping, memory and register examination, hooking system API calls, OLLYDBG plugin support and more advanced debugging features. |
| 22 | SysAnalyzer | https://www.sysanalyzer.com/ | System monitor | SysAnalyzer monitors endpoint system activities such as registry, network events initiated by malware and maps them to causal processes enabling behavior analysis. | SysAnalyzer logs and correlates system events like process activities, userland API calls, network events with responsible processes providing contextual behavior analysis of malware execution. |
| 23 | Process Hacker | https://processhacker.sourceforge.io/ | System monitoring tool | Process Hacker enables real-time behavioral analysis of malware processes by providing detailed inspection of process activities and events at runtime. | Process Hacker reveals granular insights into malware processes through capabilities like thread stacks, memory maps, CPU usage graphs, network connections, service enumeration and plugin extensibility. |
| 24 | ProcDot | https://www.procdot.com/ | Process relationship visualization | ProcDot visually maps parent/child process relationships enabling analysts to understand malware infection chains, persistence mechanisms and process ancestries. | ProcDot graphs process creation hierarchies and trees to provide visual representation of ancestries helpful for analyzing malware execution flows, injection techniques and persistence mechanisms. |
| 25 | API Monitor | http://www.rohitab.com/apimonitor | API call logger | API Monitor logs invocations of Windows API calls by processes enabling analysts to reveal malware activities and capabilities based on API usage. | API Monitor logs API calls to the registry, file system, network etc. made by malware and enables searching, filtering and analyzing API usage to uncover capabilities and activities performed by malware. |
| 26 | WireShark + NodeJS | https://www.wireshark.org/ + https://nodejs.org/en/ | Network traffic analysis | Together Wireshark and NodeJS enable customized inspection and analysis of JavaScript malware network traffic using scripting. | WireShark provides packet capture and inspection while NodeJS allows writing scripts to analyze, dissect, visualize and export JavaScript malware network traffic providing programmatic control over analysis. |
| 27 | Manalyze | https://github.com/JusticeRage/Manalyze | Static malware analysis | Manalyze performs static malware analysis by extracting useful information like indicators of compromise, domains, IP addresses from sample files. | Manalyze automatically extracts actionable insights from malware samples via static analysis. It generates JSON reports containing extracted IP addresses, domains, file indicators etc. useful for analysis workflows. |
| 28 | PE Bear | https://hshrzd.wordpress.com/pe-bear/ | PE unpacking tool | PE Bear unpacks and decrypts packed, compressed sections of PE files to allow further analysis of sophisticated malware samples. | PE Bear can automatically unpack compressed and obfuscated sections of PE files like malware executables. Useful for analyzing sophisticated packed malware using out-of-band techniques. |
| 29 | Volatility | https://www.volatilityfoundation.org/ | Memory forensics | Volatility is a memory forensics framework that enables malware analysis by inspecting runtime artifacts like code injection, hidden processes etc. in memory. | Volatility performs forensic analysis on memory dumps by scanning for malware indicators like injected DLLs, hidden processes, code hooks, network artifacts etc. providing runtime visibility. |
| 30 | FakeNet-NG | https://github.com/fireeye/flare-fakenet-ng | Network service spoofing | FakeNet-NG emulates network services like HTTP, DNS that malware interacts with, enabling inspection of network-driven infections and external communications. | FakeNet-NG provides a customizable simulated network by mimicking services like HTTP, SSH, DNS that malware communicates with. Allows manipulation of responses to analyze behaviors. |
| 31 | Capture-BAT | https://www.honeynet.org/node/315/ | HTTP traffic analysis | Capture-BAT reconstructs web artifacts from HTTP traffic to reveal malware delivery sites. It also extracts payload code from malware traffic. | Capture-BAT analyzes captured HTTP traffic to extract files, analyze frames/cookies, reconstruct web pages and workflows. Useful for inspecting web-based malware delivery via drive-by downloads etc. |
| 32 | Procmon Configuration | https://swiftonthesecurity.com/protips/ | Procmon log filtering | Procmon Configuration provides reusable configurations for filtering irrelevant events from Procmon traces allowing analysts to focus on malware activities. | Procmon Configuration enables streamlining large Procmon logs by filtering out system noise to more rapidly hunt for malware behaviors. Useful preset filters for quick analysis. |
| 33 | PE Frame | https://github.com/guelfoweb/peframe | PE file analyzer | PE Frame scans and detects anomalies in PE files indicative of sophisticated malware employing packing, obfuscation and anti-analysis tricks. | PE Frame analyzes and flags anomalies in PE headers, sections, imports etc. to detect obfuscations like packers, compilers, anomalies employed by malware. |
| 34 | FLARE VM/REMnux | https://github.com/fireeye/flare-vm | Malware analysis distributions | FLARE VM and REMnux provide customized distributions packaged with tools focused on reverse engineering and dynamic malware analysis. | Provide curated toolsets enabling reverse engineering and dynamic analysis of malware using capabilities like monitoring process behaviors, network communications, unpacking samples etc. |
| 35 | Active Directory Control Paths | https://github.com/ANSSI-FR/AD-control-paths | AD object analysis | Active Directory Control Paths visually analyzes AD objects impacted by malware activities, useful for tracking lateral movement tactics. | Graphs Active Directory objects like GPOs modified after infection to visually track malware’s interactions and lateral movement through AD to uncover tactics. |
| 36 | SysInspector | https://docs.microsoft.com/en-us/sysinternals/downloads/sysinspector | Malware process monitoring | SysInspector provides in-depth monitoring of malware processes, logging granular process activities, events and runtime attributes. | SysInspector logs malware process activities like opened handles, DLLs loaded, network connections etc. for fine-grained dynamic analysis, useful for deobfuscation. |
| 37 | Capa | https://github.com/fireeye/capa/ | Malware capabilities analysis | Capa identifies malware capabilities by analyzing executable files against common attacker behaviors as enumerated in MITRE ATT&CK. | Capa inspects malware executables for presence of capabilities like persistence mechanisms, anti-analysis tricks, lateral movement techniques etc. as documented in the ATT&CK framework. |
| 38 | FLOSS | https://github.com/fireeye/flare-floss | Automated malware analysis | FLOSS automatically extracts indicators of behaviors and other IOCs from malware samples using signature based static analysis. | FLOSS uses static analysis to surface contextual information like behaviors, strings, function signatures and relationships between malware samples to support analysis. |
| 39 | BinaryAI | https://www.binaryai.com/ | Online malware analysis sandbox | BinaryAI offers automated static and dynamic analysis of malware samples in sandboxed environments with customizable reporting. | BinaryAI analyzes malware by executing samples in isolated sandbox environments and monitoring behaviors. Custom reports provide analysis. Integrates with other systems. |
| 40 | Loki | https://github.com/Neo23x0/Loki | IOC scanner | Loki scans for Indicators of Compromise associated with malware like MD5 hashes, domain names, mutexes etc. against various threat intel sources. | Loki matches files and scenarios against threat intel sources like malware domains, URLs, virus signatures, registry artifacts to detect threats. |
| 41 | Cerberus | https://github.com/ChiefSecurity/Cerberus | Malware analysis platform | Cerberus provides an integrated platform for collaborative malware analysis with web dashboard, APIs, integrations with sandboxes like Cuckoo. | Cerberus enables malware analysis workflow automation with a dashboard, REST API, sandbox integration, YARA rules and shared IOC repositories. |
| 42 | MISP | https://www.misp-project.org/ | Threat intelligence platform | MISP enables collaborative tracking of malware campaigns, incidents and related indicators to map adversary infrastructure. | MISP allows teams to store, share and correlate indicators of compromise associated with malware like file hashes, C2s, domains etc. |
| 43 | GreyNoise | https://www.greynoise.io/ | Internet scanner | GreyNoise provides context and reputation data on IPs, domains associated with malware campaigns gleaned from Internet-wide scanners and threat feeds. | GreyNoise enriches malware infrastructure indicators like IPs, domains with context about sightings, activities, associations etc. curated from diverse data sources. |
| 44 | ThreatStream | https://www.anomali.com/products/threatstream | Threat intel analysis | ThreatStream enriches alerts with threat intelligence to detect Indicators of Compromise linked to malware using reputation scoring algorithms. | ThreatStream integrates threat data feeds with security alerts to detect IOCs associated with malware, leveraging reputation scores and other analytics. |
| 45 | ReversingLabs TitaniumCloud | https://www.reversinglabs.com/ | File reputation service | ReversingLabs TitaniumCloud analyzes samples against known malware using signatures, static analysis and machine learning models to assign reputation. | ReversingLabs inspects malware samples using signatures, static analysis and machine learning engines to identify known threats, classify new ones and assign reputation. |
| 46 | Rekall | http://www.rekall-forensic.com/ | Memory analysis framework | Rekall is an advanced forensic memory analysis framework for extracting malware artifacts and examining ransomware encryption capabilities. | Rekall performs deep memory analysis to extract artifacts left in memory by malware like injected modules, hidden entities, code hooks etc. Useful for memory forensics. |
| 47 | VolDiff | https://github.com/aim4r/VolDiff | Memory forensics diffing | VolDiff compares memory captures before and after malware execution to isolate introduced artifacts aiding analysis. | VolDiff diffs memory captures like crash dumps, hibernation files before and after infections to pinpoint changes made by malware execution. |
| 48 | Malheur | https://github.com/rieck/malheur | Automatic malware sample analysis | Malheur analyzes malware samples using clustering algorithms to correlate them with known families based on shared behaviors. | Malheur profiles and clusters malware samples based on extracted features to identify related samples, campaigns and correlates them to known families. |
| 49 | Malfunction | https://github.com/Dynetics/Malfunction | Memory analysis | Malfunction identifies malware components like libraries, anomalies in memory using machine learning techniques aiding memory forensic analysis. | Malfunction uses machine learning approaches on memory captures to detect patterns indicative of malware behaviors like injections, hidden processes etc. |
| 50 | Muninn | https://github.com/ytisf/muninn | Visual malware analysis | Muninn provides visual, interactive analysis of malware memory artifacts like injected modules, process hollowing discovered through memory forensics. | Muninn enables visually analyzing the runtime footprint of malware processes using an interactive memory map analyzer useful for memory dumps analysis. |
| 51 | Malworx | https://github.com/alexxsandro/malworx | Memory malware analysis | Malworx analyzes memory dumps for indicators of malware activity like reflective DLLs, hollowed processes and code injection tactics. | Malworx inspects memory captures for stealth techniques employed by malware like reflective DLL loading, process hollowing, code injection. Useful for analyzing fileless malware. |
| 52 | MFTF | https://github.com/Nettitude/mftf | Master File Table analysis | MFTF parses NTFS metadata like MAC timestamps to uncover temporal anomalies indicative of malware behaviors on the filesystem. | MFTF checks the Master File Table for timeline inconsistencies like file backdating that can reveal malware activities like execution hijacking, timestomping etc. |
| 53 | malwasm | https://github.com/an4kein/malwasm | WebAssembly malware analysis | malwasm analyzes potentially malicious WebAssembly modules by disassembling, decompiling and generating call flows to understand behaviors. | malwasm enables inspection of WebAssembly binaries through static analysis techniques like disassembly, control flow graphs, function call trees to reveal behaviors of WASM based malware. |
| 54 | Malzilla | https://malzilla.sourceforge.io/ | Web traffic analysis | Malzilla monitors web traffic and analyze websites for indicators of compromise associated with drive-by downloads, phishing pages etc. | Malzilla identifies malicious websites delivering malware payloads by inspecting web traffic patterns, HTML, obfuscated JavaScript code, redirects and other properties. |
| 55 | MalScan | https://github.com/v3n0m-Scanner/MalScan | Malicious file scanner | MalScan scans suspicious files against malware databases and sandboxes to assign reputation scores and identify malware IOCs. | MalScan analyzes files using VirusTotal, YARA rules and Cuckoo sandboxing to extract IOCs, assign threat scores and determine malware detections. |
| 56 | Assemblyline | https://bitbucket.org/cse-assemblyline/assemblyline/src/master/ | Automated malware analysis | Assemblyline provides an automated analysis pipeline for malware samples, extracting IOCs, executing samples and assigning reputation. | Assemblyline analyzes malware by executing samples in sandboxes, extracting signatures and assigning reputation scores using static and dynamic analysis techniques. |
| 57 | DOSfuscation | https://github.com/nccgroup/DOSfuscation | DOS executable analysis | DOSfuscation detects code obfuscation tricks employed by DOS-based malware to evade static analysis and reverse engineering. | DOSfuscation analyzes DOS executables for anti-debugging, anti-disassembly and code obfuscation techniques like self-modifying code used by retro malware. |
| 58 | unXecuter | https://github.com/vxunderground/MalwareSourceCode/tree/master/unXecuter | Linux/Unix malware analysis | unXecuter performs static analysis, sandboxing, call tracing on Linux/Unix ELF malware samples to extract IOCs and analyze behaviors. | unXecuter analyzes Linux/Unix ELF malware using techniques like function disassembly, strings extraction, sandbox execution, system call tracing etc. to understand behaviors. |
| 59 | viper | https://github.com/viper-framework/viper | Binary analysis framework | viper provides a framework for analyzing malware samples using capabilities like disassembly, unpacking, strings extraction to ease reverse engineering. | viper streamlines malware reverse engineering tasks like binary inspection, disassembly listing, strings extraction, YARA scanning by integrating common tools and techniques. |
| 60 | MASTIFF | https://github.com/KoreLogicSecurity/mastiff | Static malware analysis | MASTIFF enables in-depth static analysis of malware samples by extracting useful information like strings, metadata, domains, IP addresses. | MASTIFF performs comprehensive static analysis on executable malware samples to extract indicators, metadata, section hashes useful for threat hunting. |
| 61 | Manalyze | https://github.com/JusticeRage/Manalyze | Static malware analysis | Manalyze automates static malware analysis by extracting actionable IOCs from sample files using disassembly, emulation and other techniques. | Manalyze analyzes malware samples via static analysis to extract network IOCs, file indicators, registry artifacts and other insights useful for hunting. |
| 62 | PEV | https://github.com/merces/pev | PE file analysis | PEV extracts vital metadata from PE files like imports, strings, version info etc. enabling rapid triage and deeper analysis of malware samples. | PEV quickly extracts useful information from PE file headers and sections to enable high-level triage before performing in-depth malware analysis. |
| 63 | Limon | https://github.com/monnappa22/Limon | Sandbox evasion | Limon analyzes malware executables for sandbox evasion techniques like debugger detection, VM checks, sleep tricks used to evade analysis. | Limon identifies anti-analysis techniques employed by malware like environment checks, time delays, debugger detection that can uncover sandbox and emulator evasion. |
| 64 | jsunpack-n | https://github.com/urule99/jsunpack-n | JavaScript malware analysis | jsunpack-n unpacks obfuscated JavaScript malware code to deobfuscate payloads allowing analysts to inspect functionality. | jsunpack-n unpacks heavily obfuscated JavaScript malware code through emulation and other techniques revealing the inner workings of the malicious payload. |
| 65 | Malfunction | https://github.com/Dynetics/Malfunction | Memory malware detection | Malfunction employs machine learning techniques to identify malware related anomalies and patterns in memory captures for analysis. | Malfunction leverages machine learning approaches to detect malware footprints like libraries, hidden entities, suspicious process behaviors from memory dumps. |
| 66 | Malwasm | https://github.com/an4kein/malwasm | WebAssembly malware analysis | Malwasm analyzes WebAssembly malware modules by disassembling, decompiling and generating call graphs to understand logic. | Malwasm enables static analysis of WebAssembly (WASM) malware files by disassembling code, generating call flows and control flow graphs to reveal functionalities. |
| 67 | Malwoverview | http://malwoverview.sourceforge.net/ | Multi-AV scanner | Malwoverview scans suspicious files against dozens of anti-malware engines and provides an aggregated verdict based on consensus. | Malwoverview integrates multiple anti-malware scanners and provides a unified view of detections to compare malware catching capabilities between vendors. |
| 68 | ViperMonkey | https://github.com/decalage2/ViperMonkey | Python script malware analysis | ViperMonkey emulates and analyzes potentially malicious Python scripts to detect malware behaviors and tactics. | ViperMonkey detects malware behaviors in Python scripts like suspicious API usage, network interactions, file operations using emulation and static analysis. |
| 69 | malsub | https://github.com/diogo-fernan/malsub | Malicious URL detection | malsub extracts features from URLs and trains machine learning models to classify and detect malicious URLs used by malware. | malsub analyzes URL lexical patterns, WHOIS info, geolocation data to train ML models that can accurately classify and detect malicious URLs. |
| 70 | Malzilla | http://malzilla.sourceforge.net/ | Malicious website detection | Malzilla analyzes web traffic, site content and JavaScript code to detect malicious, compromised websites engaged in drive-by downloads. | Malzilla identifies malicious websites delivering malware using indicators like obfuscated scripts, questionable links, redirects, page contents and other properties. |
| 71 | MalDyVE | https://github.com/SatyendraBanjare/MalDyVE | JavaScript malware detection | MalDyVE classifies JavaScript malware by analyzing opcode sequences using recurrent neural networks and machine learning approaches. | MalDyVE extracts opcode sequences from JavaScript files and uses machine learning approaches to detect and classify JavaScript-based malware variants. |
| 72 | Mal-Net | https://github.com/ECUST-Huangzq/Mal-Net | PE malware detection | Mal-Net applies convolutional neural networks to PE file byte sequences to detect malware based on structural patterns identified through machine learning. | Mal-Net treats PE files as images and uses CNNs to learn malware signatures from byte sequences, enabling detection based on file structure. |
| 73 | MalConv | https://github.com/ColumbiaOSS/MalConv | Malware detection | MalConv uses convolutional neural networks to detect malware by learning discriminative features from raw byte sequences of PE files independent of signatures. | MalConv leverages CNNs to directly analyze byte sequences of PE files and detect malware based on intrinsic patterns learned through deep learning approaches. |
| 74 | JStap | http://jstap.sourceforge.net/ | JavaScript analysis | JStap enables static analysis of JavaScript code by extracting syntax structures like tokens, ASTs and call graphs to map malware logic. | JStap parses JavaScript extracting language artifacts like abstract syntax trees, control flow graphs and function call mappings to uncover malware behaviors. |
| 75 | FireHOL IP Lists | https://iplists.firehol.org/ | IP reputation | FireHOL provides numerous curated blocklists of known malicious, compromised or abused IPs associated with malware campaigns. | FireHOL compiles diverse public and private IP reputation lists categorized by threats like malware, phishing, bots, anonymizers etc. useful for blocking. |
| 76 | MalShare | https://malshare.com/ | Malware repository | MalShare provides a repository of malware samples that can be searched, shared and analyzed using included reports and analytics. | MalShare operates a searchable malware repository containing over 1 million samples. It includes malware analysis reports powered by Falcon Sandbox to aid research. |
| 77 | VirusShare | https://virusshare.com/ | Malware repository | VirusShare enables searching and downloading malware samples from an online repository populated with submissions from security community. | VirusShare provides a searchable malware repository sourced from community submissions. Samples can be downloaded along with analysis reports. |
| 78 | VirusBay | https://beta.virusbay.io/ | Malware repository | VirusBay collects and tracks malware observed in the wild and allows searching, downloading sampled tied to campaigns and threat actors. | VirusBay provides a searchable malware repository with additional context like campaign attribution, sample relationships and integration with analysis services. |
| 79 | Hybrid Analysis | https://www.hybrid-analysis.com/ | Online malware analysis | Hybrid Analysis performs static and dynamic malware analysis in isolated sandbox environments and provides customizable reports. | Hybrid Analysis executes malware samples while monitoring system behaviors using an isolated sandbox. Custom reports provide detailed analysis. |
| 80 | Intezer Analyze | https://analyze.intezer.com/ | Malware analysis | Intezer Analyze provides in-depth static malware analysis to classify samples, detect code reuse, and reveal malware family traits. | Intezer statically analyzes malware to profile and correlate samples using code similarity analysis. Detects code overlaps, genealogies, and authorship. |
| 81 | IRMA | http://irma.quarkslab.com/ | Static malware analysis | IRMA performs static malware analysis to extract useful information from samples like strings, imports, metadata, resources etc. | IRMA leverages static analysis techniques like disassembly, unpacking, and emulation to extract information from malware samples to aid further analysis. |
| 82 | CAPE Sandbox | https://github.com/kevoreilly/CAPEv2 | Automated malware analysis | CAPE Sandbox automates malware analysis by executing samples and monitoring activities to extract behavioral indicators and other IOCs. | CAPE sandbox detonates malware in isolated environments while monitoring API calls, network activities etc. and provides configurable reports. |
| 83 | URLhaus | https://urlhaus.abuse.ch/ | Malicious URL tracking | URLhaus tracks and analyzes malicious URLs involved in malware delivery, phishing and other threats providing additional context. | URLhaus monitors and catalogs malicious URLs used for malware distribution, phishing etc. providing additional insights like hosting ASNs, IPs, volume data. |
| 84 | MalwareBazaar | https://bazaar.abuse.ch/ | Malware repository | MalwareBazaar collects and tracks malware samples observed in the wild and assigns threat levels based on static analysis. | MalwareBazaar sources malware samples from diverse feeds, analyzes using static techniques and assigns threat scores to prioritize triage. |
| 85 | MalwareConfig | https://malwareconfig.com/ | Malware configuration dump | MalwareConfig extracts and catalogs configuration data from malware samples like C2 servers, encryption keys, providing insights into operations. | MalwareConfig extracts configuration information from malware samples like botnet IPs, RC4 keys, API keys etc. revealing infrastructure and capabilities. |
| 86 | Malware Patrol | https://www.malwarepatrol.net/ | Malicious URL tracking | Malware Patrol tracks and documents malicious URLs involved in distributing malware, phishing kits and other threats. | Malware Patrol monitors and investigates sites distributing malware like exploit kits, phishing pages, and other drive-by download vectors. |
| 87 | Das Malwerk | https://malwerk.netlify.app/ | Malware behavior enumeration | Das Malwerk provides in-depth documentation of malware behaviors, capabilities and patterns extracted from samples using reverse engineering. | Das Malwerk analyzes malware samples to enumerate behaviors, capabilities, patterns and documents tactics, techniques and procedures employed. |
| 88 | Malpedia | https://malpedia.caad.fkie.fraunhofer.de/ | Malware wiki | Malpedia provides an encyclopedia with profiles of malware families, technical details like IOCs, TTPs sourced from analysis of samples. | Malpedia documents known malware families with information like capabilities, technical details, YARA rules sourced from malware reverse engineering efforts. |
| 89 | MalwareAnalysisForHedgehogs | https://github.com/marcoramilli/MalwareAnalysisForHedgehogs | Malware analysis book | MalwareAnalysisForHedgehogs offers a practical handbook covering tools and techniques for malware analysis using real sample workflows. | The book teaches a methodology for malware analysis using disassembly, debugging, and dynamic techniques with walkthroughs of real-world samples. |
| 90 | WindowsIR anti-malware-tools | https://github.com/WindowsIR/anti-malware-tools | Malware analysis toolkit | This project curates a toolkit of utilities useful for dynamic malware analysis like sandboxes, memory forensics tools. | This toolkit compilation provides a selection of open source tools for analyzing malware using techniques like behavioral analysis, memory forensics etc. |
| 91 | REMnux | https://remnux.org/ | Malware analysis Linux distro | REMnux provides a Linux distribution pre-configured with reverse engineering and malware analysis tools. | REMnux offers a curated collection of tools for analyzing malware using capabilities like static analysis, dynamic tracing, disassembly, debugging etc. |
| 92 | Cymmetria MazeHunter | https://cymmetria.com/product/ | Malware hunting | MazeHunter inspects network traffic using deception techniques to detect malware communications and lateral movement patterns. | MazeHunter analyzes inbound traffic to deceptive systems looking for patterns of reconnaissance, exploitation, and lateral movement associated with malware. |
| 93 | Valkyrie Comodo | https://www.valkyrie.comodo.com/ | File analysis | Valkyrie uses machine learning techniques to classify unknown file reputation against known malware samples and attributes. | Valkyrie analyzes file properties and assigns reputation scores to samples using Bayesian and deep learning models trained on large corpuses of malware. |
| 94 | MITRE ATT&CK | https://attack.mitre.org/ | Adversary behavior knowledge base | MITRE ATT&CK documents post-compromise adversary tactics, techniques and procedures, mapping malware capabilities. | MITRE ATT&CK catalogs adversary TTPs including malware capabilities like defense evasion, execution, persistence, collection mapped to real-world observations. |
| 95 | Virustotal Graph | https://www.virustotal.com/gui/graph | Malware relationship analysis | Virustotal Graph allows pivoting on relationships between malware samples like shared infrastructure, code overlaps, campaign ties. | Virustotal Graph analyzes connections between malware samples based on shared code segments, infrastructural links, submissions pattern enabling pivoting. |
| 96 | VMRay Analyzer | https://www.vmray.com/ | Automated malware analysis | VMRay Analyzer performs automated static and dynamic analysis of malware samples within isolated sandbox environments. | VMRay Analyzer detonates and analyzes malware using integrated static and dynamic techniques providing execution reports and customizable exports. |
| 97 | Crowd Inspect | https://www.crowdstrike.com/endpoint-security-products/crowdstrike-inspect/ | Malware triage | Crowd Inspect provides quick triage of malware samples by extracting indicators and overhead metadata through static techniques. | Crowd Inspect performs rapid automated static analysis on malware to extract strings, metadata, headers, sections and other information aiding triage. |
| 98 | Reverse.IT | https://www.reverse.it/ | Online malware analysis | Reverse.it offers automated static and dynamic malware analysis capabilities with customizable reports and exports. | Reverse.it analyzes malware using sandbox executions, static analysis and provides customizable reports with visualizations and detailed technical breakdowns. |
| 99 | FireEye AX | https://www.fireeye.com/products/ax-network-threat-prevention.html | Malware prevention | FireEye AX detects and blocks malware at the network level using machine learning models trained on large volumes of samples. | FireEye AX leverages machine learning techniques to model malware behaviors and detect malicious network traffic patterns. |
| 100 | ThreatGrid | https://www.threatgrid.com/ | Automated malware analysis with customizable reports | ThreatGrid performs automated static and dynamic malware analysis using sandbox executions and provides actionable reports. | ThreatGrid analyzes malware samples by detonating them within instrumented environments and delivers customizable reports with malware behaviors, indicators etc. |
We hope this post serves the purpose and becomes a good source of information for the list of malware analysis tools. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website, thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.
You may also like these articles:
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
