Table of Contents
  • Home
  • /
  • Blog
  • /
  • 100 Malware Analysis Tools To Identify Malware
January 15, 2024

100 Malware Analysis Tools To Identify Malware

100 Malware Analysis Tools To Identify Malware

Malware represents one of the most dangerous cyber threats faced by individuals, businesses, and governments today. Sophisticated malware enables adversaries to infiltrate systems, covertly persist, escalate privileges, exfiltrate data, and disrupt operations. Defending against advanced malware requires in-depth analysis to understand their capabilities, extract insights and strengthen protection.

Malware analysis could be done by both manual and automated analysis techniques. Skilled analysts use a more manual approach where they use tools like disassemblers and debuggers to analyze malware interactively. As you may think, the manual approach is a laborious process, and it takes a lot of time. There are tools to automate the malware analysis process. Various tools that could do a lot for you.

In this blog post, we will not be covering deep techniques, strategies, or best practices. However, we presented this post with a comprehensive list of tools required to analyze malware. If you want to learn more about malware analysis, this post is not for you. Our primary focus in this post to present a comprehensive list of malware analysis tools.

What is Malware Analysis? What are the Different Types of Malware Analysis?

Malware analysis refers to the processes and techniques to dissect, study, reverse engineer, and analyze malware samples to understand their functionality, anatomy, effects, and capabilities.

It aims to gather tactical and strategic insights from examining malware code that can be used to improve detection, block infections, enable attribution, and inform defense strategies. The core techniques include:

Static Analysis – Static analysis examines the malware code and its composition without executing it. This provides an overview of its building blocks and logic. Techniques like disassembly, unpacking, decompilation, string extraction, binary diffing, and malware triage are used. Static analysis reveals code structure, libraries, APIs, and other artifacts.

Dynamic Analysis – Dynamic analysis executes malware samples in isolated and instrumented environments to observe their runtime behaviors and effects. By monitoring its interactions during execution, dynamic analysis reveals functionalities like persistence mechanisms, network activities, and payload deliveries. Sandboxes, debuggers, and system monitors enable dynamic analysis.

Manual Analysis – Manual analysis entails directly inspecting malware by interactively reverse engineering samples using disassemblers, debuggers, and other tools. Skilled analysts use hands-on techniques to uncover malware intricacies by leveraging their expertise. It provides an in-depth understanding of malware behaviors.

Automated Analysis – Automated analysis employs malware sandboxes and frameworks that execute samples and monitor behaviors automatically. Integration of static and dynamic techniques allows scalable analysis by reducing manual efforts.

Why is Malware Analysis Required?

Malware analysis provides strategic and tactical threat intelligence that enables organizations to achieve the following objectives:

Augment Detection – Malware analysis provides insights into unique malware attributes, allowing the creation of signatures, Indicators of Compromise(IOCs), and detection rules. This improves detection capabilities for countering new malware variants employed in attacks.

Attribute Capabilities – Deep analysis maps malware capabilities like anti-analysis tricks, spreading techniques, and embedded payloads. Attribute knowledge is used for mitigating infections and hardening infrastructure.

Understand Behaviors – Monitoring malware execution reveals critical behaviors like persistence mechanisms, protocols, and keylogging which guide response actions like eradicating infections, and finding victims.

Inform Defensive Strategies – Relating malware capabilities to ATT&CK helps identify security gaps exploited in attacks. This analysis allows implementing tactical controls and improving security posture.

Enable Attribution – Analysis provides TTPs, infrastructure links, and other evidence needed for attribution during response. It supports legal actions and policy responses to deter adversaries.

Organizations must invest in robust malware analysis capabilities to gain an information advantage over sophisticated malware and well-resourced adversaries. The next section provides an overview of effective malware analysis tools to augment capabilities.

Malware Analysis Tools to Identify Malware

So far, we have understood malware analysis, its types, and why it is required. In this section, we will see the tools required to analyze malware. We have presented a list of 100 tools that could help you perform static, dynamic, hybrid, manual, and automated malware analysis.

Here are 100 malware analysis tools to effectively perform analysis for gaining key insights into malware samples:

Sl. No.NameURLShort DescriptionIntroductionFeatures
1Wireshark protocol analyzerWireshark is a network traffic analyzer that lets you inspect packets and protocols to identify malicious communications and payloads delivered over the wire.Wireshark provides deep inspection of network traffic down to the packet level. It can reconstruct sessions and allows filtering and colorizing packets based on protocol analysis. Useful features include following TCP streams, extracting files, matching regular expressions, viewing IO graphs and expert info fields.
2IDA Pro and debuggerIDA Pro is an interactive disassembler and debugger used to reverse engineer and analyze malware code to understand its inner workings and capabilities.IDA Pro renders executable binary files into assembly code that can be analyzed. It allows seamless switching between text and graph views during analysis. Useful analysis features include cross-references, function calls, struct definitions, comment integration and scripting to automate tasks.
3Ghidra source disassemblerGhidra is an open source reverse engineering tool developed by NSA that allows malware analysts to disassemble code down to the source level for analysis.Ghidra’s analysis capabilities include disassembly navigation, cross-references, diffing, decompilation, shellcode analysis and scripting using Python. It integrates a debugger to analyze runtime code flows. Extensible via scripts and plugins.
4OllyDbg debugger and disassemblerOllyDbg is a 32-bit assembler level debugger useful for dynamic analysis of malware by tracing code execution, reverse engineering functionality and analyzing run-time behaviors.Key capabilities of OllyDbg include stepping through assembly code execution, setting breakpoints, bookmarking, analyzing memory stacks, monitoring registry, debugging system API calls and dump process memory. Provides an intuitive user interface.
5Immunity Debugger for malware analysisImmunity Debugger is a malware analysis tool that provides low-level debugging along with system call hooking, runtime tracing and code injection to deobfuscate malware.Immunity Debugger allows fine-grained inspection of malware processes using capabilities like hooking APIs, tracing instruction execution, searching/editing memory and profiling runtimes. Useful for unpacking and deobfuscating malware.
6PE Explorer file analysis and disassemblyPE Explorer enables in-depth inspection and editing of PE file internals including code obfuscations, metadata and anomalies indicative of sophisticated malware.PE Explorer can dissect the structure of malware PE files by unpacking sections, reconstructing imports, reversing headers, decoding strings and patching binaries allowing analysts to uncover layered obfuscations.
7Process Monitor system monitoringProcess Monitor provides real-time monitoring of system events like registry, file system activity initiated by processes, useful for dynamically analyzing malware behaviors.Process Monitor logs real-time system events with details like stack traces and allows filter, search and analysis of the event stream. Timeline, summary and graph tools allow drilling into malware related events. Useful for behavioral analysis.
8Regshot comparisonRegshot performs registry differencing by comparing snapshots before and after malware execution, enabling analysts to pinpoint registry modifications made by malware.Regshot takes registry snapshots before and after running a malware sample, compares the hives using diff views and exports the differences. Useful for identifying persistence mechanisms, configuration data, infected keys etc.
9Sandboxie sandbox environmentSandboxie isolates untrusted programs like malware in a virtual container to analyze runtime behaviors in a contained environment preventing tampering of host system.Sandboxie contains malware in isolated virtualized environments where activities like changes to filesystem, registry, network activities are restricted from tampering host. Useful for dynamic analysis.
10Cuckoo Sandbox malware analysisCuckoo Sandbox is an automated malware analysis system which executes samples in isolated VMs while monitoring system activities to provide insights into malware behaviors.Cuckoo automatically analyzes malware by executing samples and monitoring runtime behaviors using custom modules. It generates detailed analysis reports with timelines, API calls, indicators of compromise and other IOCs.
11INetSim service simulatorINetSim emulates common network services like HTTP, DNS, SMTP that malware uses, enabling analysis of network-based infections tactics and external communications.INetSim provides a simulated network environment mimicking internet services that malware interacts with. It lets analysts inspect network traffic, manipulate responses and replay sessions to uncover malware behaviors.
12Exeinfo PE header analysisExeinfo PE quickly extracts vital metadata like imports, strings and anomalies from malware PE files to assist in triage and enable further targeted analysis.Exeinfo PE examines and carves metadata like imports, exports, resources etc. from PE executable files providing effective first-pass triage of massive malware collections.
13PEview file viewerPEview visually presents the internals of PE files like sections, strings, imports that aids manual inspection and analysis of sophisticated and packed malware samples.PEview parses PE files and presents an intuitive graphical overview of vital aspects like imports, strings, resources etc. It can handle obscured, packed and non-standard PEs aiding malware analysis.
14Malzilla hunting and analysisMalzilla monitors web traffic to detect compromised, infected websites and analyze drive-by malware delivery stopping infections before they reach the endpoint.Malzilla identifies malicious websites delivering malware using behavior analysis and machine learning. It inspects web traffic, cookies, scripts and HTML to detect infections, browser fingerprints user visits.
15VirusTotal malware scansVirusTotal enables collaborative detection of malware by scanning suspicious files and URLs against dozens of antivirus engines and analyzes relationships between detections.VirusTotal scans files using over 70 antivirus tools and analyzes the aggregated output to provide consensus about known and potential malware undetected by individual scanners. Useful for collaborative detection.
16Hybrid Analysis malware analysisHybrid Analysis performs static and dynamic analysis of malware samples by executing them in custom sandboxes, enabling inspection of runtime behaviors.Hybrid Analysis runs malware samples in an isolated sandbox capturing system API calls, network activities etc. It enables analysts to download detailed reports to inspect specific behaviors. Custom modules can be deployed into sandboxes.
17Any.Run online malware sandboxAny.Run allows interactive malware analysis by visually inspecting malware execution flows in a browser based isolated sandbox environment.Any.Run provides an interactive web based malware analysis sandbox that lets analysts inspect the step-by-step execution flows of malware. Useful for analyzing and sharing insights into runtime behaviors.
18Joe Sandboxhttps://www.joesecurity.orgAutomated malware analysisJoe Sandbox offers customizable automated malware analysis by executing samples in various system environments to analyze malicious behaviors.Joe Sandbox performs static and dynamic malware analysis using custom modules tailored to extract specific IOCs. Detailed reports provide analysts actionable information about malware behaviors, timelines, indicators etc.
19YARA pattern matchingYARA enables generically detecting and classifying malware by crafting descriptions of malware families based on shared signatures and characteristics.YARA allows analysts to create rules describing malware families using binary patterns, strings, metadata etc. and scan samples against these rules to categorize and detect variants.
20Radare2 engineering frameworkRadare2 is an open source reverse engineering framework that enables malware analysis via disassembly, debugging, binary inspection and scripting.Radare2 supports reverse engineering malware through disassembly navigation, function graphing, hex editing, debugging and custom scripting using languages like Python and JavaScript.
21x64dbg debuggerx64dbg is an open source Windows debugger useful for analyzing malware assembly code, understanding call flows by tracing execution paths.x64dbg enables low-level inspection of malware processes using assembly stepping, memory and register examination, hooking system API calls, OLLYDBG plugin support and more advanced debugging features.
22SysAnalyzer monitorSysAnalyzer monitors endpoint system activities such as registry, network events initiated by malware and maps them to causal processes enabling behavior analysis.SysAnalyzer logs and correlates system events like process activities, userland API calls, network events with responsible processes providing contextual behavior analysis of malware execution.
23Process Hacker monitoring toolProcess Hacker enables real-time behavioral analysis of malware processes by providing detailed inspection of process activities and events at runtime.Process Hacker reveals granular insights into malware processes through capabilities like thread stacks, memory maps, CPU usage graphs, network connections, service enumeration and plugin extensibility.
24ProcDot relationship visualizationProcDot visually maps parent/child process relationships enabling analysts to understand malware infection chains, persistence mechanisms and process ancestries.ProcDot graphs process creation hierarchies and trees to provide visual representation of ancestries helpful for analyzing malware execution flows, injection techniques and persistence mechanisms.
25API Monitor call loggerAPI Monitor logs invocations of Windows API calls by processes enabling analysts to reveal malware activities and capabilities based on API usage.API Monitor logs API calls to the registry, file system, network etc. made by malware and enables searching, filtering and analyzing API usage to uncover capabilities and activities performed by malware.
26WireShark + NodeJS + traffic analysisTogether Wireshark and NodeJS enable customized inspection and analysis of JavaScript malware network traffic using scripting.WireShark provides packet capture and inspection while NodeJS allows writing scripts to analyze, dissect, visualize and export JavaScript malware network traffic providing programmatic control over analysis.
27Manalyze malware analysisManalyze performs static malware analysis by extracting useful information like indicators of compromise, domains, IP addresses from sample files.Manalyze automatically extracts actionable insights from malware samples via static analysis. It generates JSON reports containing extracted IP addresses, domains, file indicators etc. useful for analysis workflows.
28PE Bear unpacking toolPE Bear unpacks and decrypts packed, compressed sections of PE files to allow further analysis of sophisticated malware samples.PE Bear can automatically unpack compressed and obfuscated sections of PE files like malware executables. Useful for analyzing sophisticated packed malware using out-of-band techniques.
29Volatility forensicsVolatility is a memory forensics framework that enables malware analysis by inspecting runtime artifacts like code injection, hidden processes etc. in memory.Volatility performs forensic analysis on memory dumps by scanning for malware indicators like injected DLLs, hidden processes, code hooks, network artifacts etc. providing runtime visibility.
30FakeNet-NG service spoofingFakeNet-NG emulates network services like HTTP, DNS that malware interacts with, enabling inspection of network-driven infections and external communications.FakeNet-NG provides a customizable simulated network by mimicking services like HTTP, SSH, DNS that malware communicates with. Allows manipulation of responses to analyze behaviors.
31Capture-BAT traffic analysisCapture-BAT reconstructs web artifacts from HTTP traffic to reveal malware delivery sites. It also extracts payload code from malware traffic.Capture-BAT analyzes captured HTTP traffic to extract files, analyze frames/cookies, reconstruct web pages and workflows. Useful for inspecting web-based malware delivery via drive-by downloads etc.
32Procmon Configuration log filteringProcmon Configuration provides reusable configurations for filtering irrelevant events from Procmon traces allowing analysts to focus on malware activities.Procmon Configuration enables streamlining large Procmon logs by filtering out system noise to more rapidly hunt for malware behaviors. Useful preset filters for quick analysis.
33PE Frame file analyzerPE Frame scans and detects anomalies in PE files indicative of sophisticated malware employing packing, obfuscation and anti-analysis tricks.PE Frame analyzes and flags anomalies in PE headers, sections, imports etc. to detect obfuscations like packers, compilers, anomalies employed by malware.
34FLARE VM/REMnux analysis distributionsFLARE VM and REMnux provide customized distributions packaged with tools focused on reverse engineering and dynamic malware analysis.Provide curated toolsets enabling reverse engineering and dynamic analysis of malware using capabilities like monitoring process behaviors, network communications, unpacking samples etc.
35Active Directory Control Paths object analysisActive Directory Control Paths visually analyzes AD objects impacted by malware activities, useful for tracking lateral movement tactics.Graphs Active Directory objects like GPOs modified after infection to visually track malware’s interactions and lateral movement through AD to uncover tactics.
36SysInspector process monitoringSysInspector provides in-depth monitoring of malware processes, logging granular process activities, events and runtime attributes.SysInspector logs malware process activities like opened handles, DLLs loaded, network connections etc. for fine-grained dynamic analysis, useful for deobfuscation.
37Capa capabilities analysisCapa identifies malware capabilities by analyzing executable files against common attacker behaviors as enumerated in MITRE ATT&CK.Capa inspects malware executables for presence of capabilities like persistence mechanisms, anti-analysis tricks, lateral movement techniques etc. as documented in the ATT&CK framework.
38FLOSS malware analysisFLOSS automatically extracts indicators of behaviors and other IOCs from malware samples using signature based static analysis.FLOSS uses static analysis to surface contextual information like behaviors, strings, function signatures and relationships between malware samples to support analysis.
39BinaryAI malware analysis sandboxBinaryAI offers automated static and dynamic analysis of malware samples in sandboxed environments with customizable reporting.BinaryAI analyzes malware by executing samples in isolated sandbox environments and monitoring behaviors. Custom reports provide analysis. Integrates with other systems.
40Loki scannerLoki scans for Indicators of Compromise associated with malware like MD5 hashes, domain names, mutexes etc. against various threat intel sources.Loki matches files and scenarios against threat intel sources like malware domains, URLs, virus signatures, registry artifacts to detect threats.
41Cerberus analysis platformCerberus provides an integrated platform for collaborative malware analysis with web dashboard, APIs, integrations with sandboxes like Cuckoo.Cerberus enables malware analysis workflow automation with a dashboard, REST API, sandbox integration, YARA rules and shared IOC repositories.
42MISP intelligence platformMISP enables collaborative tracking of malware campaigns, incidents and related indicators to map adversary infrastructure.MISP allows teams to store, share and correlate indicators of compromise associated with malware like file hashes, C2s, domains etc.
43GreyNoise scannerGreyNoise provides context and reputation data on IPs, domains associated with malware campaigns gleaned from Internet-wide scanners and threat feeds.GreyNoise enriches malware infrastructure indicators like IPs, domains with context about sightings, activities, associations etc. curated from diverse data sources.
44ThreatStream intel analysisThreatStream enriches alerts with threat intelligence to detect Indicators of Compromise linked to malware using reputation scoring algorithms.ThreatStream integrates threat data feeds with security alerts to detect IOCs associated with malware, leveraging reputation scores and other analytics.
45ReversingLabs TitaniumCloud reputation serviceReversingLabs TitaniumCloud analyzes samples against known malware using signatures, static analysis and machine learning models to assign reputation.ReversingLabs inspects malware samples using signatures, static analysis and machine learning engines to identify known threats, classify new ones and assign reputation.
46Rekall analysis frameworkRekall is an advanced forensic memory analysis framework for extracting malware artifacts and examining ransomware encryption capabilities.Rekall performs deep memory analysis to extract artifacts left in memory by malware like injected modules, hidden entities, code hooks etc. Useful for memory forensics.
47VolDiff forensics diffingVolDiff compares memory captures before and after malware execution to isolate introduced artifacts aiding analysis.VolDiff diffs memory captures like crash dumps, hibernation files before and after infections to pinpoint changes made by malware execution.
48Malheur malware sample analysisMalheur analyzes malware samples using clustering algorithms to correlate them with known families based on shared behaviors.Malheur profiles and clusters malware samples based on extracted features to identify related samples, campaigns and correlates them to known families.
49Malfunction analysisMalfunction identifies malware components like libraries, anomalies in memory using machine learning techniques aiding memory forensic analysis.Malfunction uses machine learning approaches on memory captures to detect patterns indicative of malware behaviors like injections, hidden processes etc.
50Muninn malware analysisMuninn provides visual, interactive analysis of malware memory artifacts like injected modules, process hollowing discovered through memory forensics.Muninn enables visually analyzing the runtime footprint of malware processes using an interactive memory map analyzer useful for memory dumps analysis.
51Malworx malware analysisMalworx analyzes memory dumps for indicators of malware activity like reflective DLLs, hollowed processes and code injection tactics.Malworx inspects memory captures for stealth techniques employed by malware like reflective DLL loading, process hollowing, code injection. Useful for analyzing fileless malware.
52MFTF File Table analysisMFTF parses NTFS metadata like MAC timestamps to uncover temporal anomalies indicative of malware behaviors on the filesystem.MFTF checks the Master File Table for timeline inconsistencies like file backdating that can reveal malware activities like execution hijacking, timestomping etc.
53malwasm malware analysismalwasm analyzes potentially malicious WebAssembly modules by disassembling, decompiling and generating call flows to understand behaviors.malwasm enables inspection of WebAssembly binaries through static analysis techniques like disassembly, control flow graphs, function call trees to reveal behaviors of WASM based malware.
54Malzilla traffic analysisMalzilla monitors web traffic and analyze websites for indicators of compromise associated with drive-by downloads, phishing pages etc.Malzilla identifies malicious websites delivering malware payloads by inspecting web traffic patterns, HTML, obfuscated JavaScript code, redirects and other properties.
55MalScan file scannerMalScan scans suspicious files against malware databases and sandboxes to assign reputation scores and identify malware IOCs.MalScan analyzes files using VirusTotal, YARA rules and Cuckoo sandboxing to extract IOCs, assign threat scores and determine malware detections.
56Assemblyline malware analysisAssemblyline provides an automated analysis pipeline for malware samples, extracting IOCs, executing samples and assigning reputation.Assemblyline analyzes malware by executing samples in sandboxes, extracting signatures and assigning reputation scores using static and dynamic analysis techniques.
57DOSfuscation executable analysisDOSfuscation detects code obfuscation tricks employed by DOS-based malware to evade static analysis and reverse engineering.DOSfuscation analyzes DOS executables for anti-debugging, anti-disassembly and code obfuscation techniques like self-modifying code used by retro malware.
58unXecuter malware analysisunXecuter performs static analysis, sandboxing, call tracing on Linux/Unix ELF malware samples to extract IOCs and analyze behaviors.unXecuter analyzes Linux/Unix ELF malware using techniques like function disassembly, strings extraction, sandbox execution, system call tracing etc. to understand behaviors.
59viper analysis frameworkviper provides a framework for analyzing malware samples using capabilities like disassembly, unpacking, strings extraction to ease reverse engineering.viper streamlines malware reverse engineering tasks like binary inspection, disassembly listing, strings extraction, YARA scanning by integrating common tools and techniques.
60MASTIFF malware analysisMASTIFF enables in-depth static analysis of malware samples by extracting useful information like strings, metadata, domains, IP addresses.MASTIFF performs comprehensive static analysis on executable malware samples to extract indicators, metadata, section hashes useful for threat hunting.
61Manalyze malware analysisManalyze automates static malware analysis by extracting actionable IOCs from sample files using disassembly, emulation and other techniques.Manalyze analyzes malware samples via static analysis to extract network IOCs, file indicators, registry artifacts and other insights useful for hunting.
62PEV file analysisPEV extracts vital metadata from PE files like imports, strings, version info etc. enabling rapid triage and deeper analysis of malware samples.PEV quickly extracts useful information from PE file headers and sections to enable high-level triage before performing in-depth malware analysis.
63Limon evasionLimon analyzes malware executables for sandbox evasion techniques like debugger detection, VM checks, sleep tricks used to evade analysis.Limon identifies anti-analysis techniques employed by malware like environment checks, time delays, debugger detection that can uncover sandbox and emulator evasion.
64jsunpack-n malware analysisjsunpack-n unpacks obfuscated JavaScript malware code to deobfuscate payloads allowing analysts to inspect functionality.jsunpack-n unpacks heavily obfuscated JavaScript malware code through emulation and other techniques revealing the inner workings of the malicious payload.
65Malfunction malware detectionMalfunction employs machine learning techniques to identify malware related anomalies and patterns in memory captures for analysis.Malfunction leverages machine learning approaches to detect malware footprints like libraries, hidden entities, suspicious process behaviors from memory dumps.
66Malwasm malware analysisMalwasm analyzes WebAssembly malware modules by disassembling, decompiling and generating call graphs to understand logic.Malwasm enables static analysis of WebAssembly (WASM) malware files by disassembling code, generating call flows and control flow graphs to reveal functionalities.
67Malwoverview scannerMalwoverview scans suspicious files against dozens of anti-malware engines and provides an aggregated verdict based on consensus.Malwoverview integrates multiple anti-malware scanners and provides a unified view of detections to compare malware catching capabilities between vendors.
68ViperMonkey script malware analysisViperMonkey emulates and analyzes potentially malicious Python scripts to detect malware behaviors and tactics.ViperMonkey detects malware behaviors in Python scripts like suspicious API usage, network interactions, file operations using emulation and static analysis.
69malsub URL detectionmalsub extracts features from URLs and trains machine learning models to classify and detect malicious URLs used by malware.malsub analyzes URL lexical patterns, WHOIS info, geolocation data to train ML models that can accurately classify and detect malicious URLs.
70Malzilla website detectionMalzilla analyzes web traffic, site content and JavaScript code to detect malicious, compromised websites engaged in drive-by downloads.Malzilla identifies malicious websites delivering malware using indicators like obfuscated scripts, questionable links, redirects, page contents and other properties.
71MalDyVE malware detectionMalDyVE classifies JavaScript malware by analyzing opcode sequences using recurrent neural networks and machine learning approaches.MalDyVE extracts opcode sequences from JavaScript files and uses machine learning approaches to detect and classify JavaScript-based malware variants.
72Mal-Net malware detectionMal-Net applies convolutional neural networks to PE file byte sequences to detect malware based on structural patterns identified through machine learning.Mal-Net treats PE files as images and uses CNNs to learn malware signatures from byte sequences, enabling detection based on file structure.
73MalConv detectionMalConv uses convolutional neural networks to detect malware by learning discriminative features from raw byte sequences of PE files independent of signatures.MalConv leverages CNNs to directly analyze byte sequences of PE files and detect malware based on intrinsic patterns learned through deep learning approaches.
74JStap analysisJStap enables static analysis of JavaScript code by extracting syntax structures like tokens, ASTs and call graphs to map malware logic.JStap parses JavaScript extracting language artifacts like abstract syntax trees, control flow graphs and function call mappings to uncover malware behaviors.
75FireHOL IP Lists reputationFireHOL provides numerous curated blocklists of known malicious, compromised or abused IPs associated with malware campaigns.FireHOL compiles diverse public and private IP reputation lists categorized by threats like malware, phishing, bots, anonymizers etc. useful for blocking.
76MalShare repositoryMalShare provides a repository of malware samples that can be searched, shared and analyzed using included reports and analytics.MalShare operates a searchable malware repository containing over 1 million samples. It includes malware analysis reports powered by Falcon Sandbox to aid research.
77VirusShare repositoryVirusShare enables searching and downloading malware samples from an online repository populated with submissions from security community.VirusShare provides a searchable malware repository sourced from community submissions. Samples can be downloaded along with analysis reports.
78VirusBay repositoryVirusBay collects and tracks malware observed in the wild and allows searching, downloading sampled tied to campaigns and threat actors.VirusBay provides a searchable malware repository with additional context like campaign attribution, sample relationships and integration with analysis services.
79Hybrid Analysis malware analysisHybrid Analysis performs static and dynamic malware analysis in isolated sandbox environments and provides customizable reports.Hybrid Analysis executes malware samples while monitoring system behaviors using an isolated sandbox. Custom reports provide detailed analysis.
80Intezer Analyze analysisIntezer Analyze provides in-depth static malware analysis to classify samples, detect code reuse, and reveal malware family traits.Intezer statically analyzes malware to profile and correlate samples using code similarity analysis. Detects code overlaps, genealogies, and authorship.
81IRMA malware analysisIRMA performs static malware analysis to extract useful information from samples like strings, imports, metadata, resources etc.IRMA leverages static analysis techniques like disassembly, unpacking, and emulation to extract information from malware samples to aid further analysis.
82CAPE Sandbox malware analysisCAPE Sandbox automates malware analysis by executing samples and monitoring activities to extract behavioral indicators and other IOCs.CAPE sandbox detonates malware in isolated environments while monitoring API calls, network activities etc. and provides configurable reports.
83URLhaus URL trackingURLhaus tracks and analyzes malicious URLs involved in malware delivery, phishing and other threats providing additional context.URLhaus monitors and catalogs malicious URLs used for malware distribution, phishing etc. providing additional insights like hosting ASNs, IPs, volume data.
84MalwareBazaar repositoryMalwareBazaar collects and tracks malware samples observed in the wild and assigns threat levels based on static analysis.MalwareBazaar sources malware samples from diverse feeds, analyzes using static techniques and assigns threat scores to prioritize triage.
85MalwareConfig configuration dumpMalwareConfig extracts and catalogs configuration data from malware samples like C2 servers, encryption keys, providing insights into operations.MalwareConfig extracts configuration information from malware samples like botnet IPs, RC4 keys, API keys etc. revealing infrastructure and capabilities.
86Malware Patrol URL trackingMalware Patrol tracks and documents malicious URLs involved in distributing malware, phishing kits and other threats.Malware Patrol monitors and investigates sites distributing malware like exploit kits, phishing pages, and other drive-by download vectors.
87Das Malwerk behavior enumerationDas Malwerk provides in-depth documentation of malware behaviors, capabilities and patterns extracted from samples using reverse engineering.Das Malwerk analyzes malware samples to enumerate behaviors, capabilities, patterns and documents tactics, techniques and procedures employed.
88Malpedia wikiMalpedia provides an encyclopedia with profiles of malware families, technical details like IOCs, TTPs sourced from analysis of samples.Malpedia documents known malware families with information like capabilities, technical details, YARA rules sourced from malware reverse engineering efforts.
89MalwareAnalysisForHedgehogs analysis bookMalwareAnalysisForHedgehogs offers a practical handbook covering tools and techniques for malware analysis using real sample workflows.The book teaches a methodology for malware analysis using disassembly, debugging, and dynamic techniques with walkthroughs of real-world samples.
90WindowsIR anti-malware-tools analysis toolkitThis project curates a toolkit of utilities useful for dynamic malware analysis like sandboxes, memory forensics tools.This toolkit compilation provides a selection of open source tools for analyzing malware using techniques like behavioral analysis, memory forensics etc.
91REMnux analysis Linux distroREMnux provides a Linux distribution pre-configured with reverse engineering and malware analysis tools.REMnux offers a curated collection of tools for analyzing malware using capabilities like static analysis, dynamic tracing, disassembly, debugging etc.
92Cymmetria MazeHunter huntingMazeHunter inspects network traffic using deception techniques to detect malware communications and lateral movement patterns.MazeHunter analyzes inbound traffic to deceptive systems looking for patterns of reconnaissance, exploitation, and lateral movement associated with malware.
93Valkyrie Comodo analysisValkyrie uses machine learning techniques to classify unknown file reputation against known malware samples and attributes.Valkyrie analyzes file properties and assigns reputation scores to samples using Bayesian and deep learning models trained on large corpuses of malware.
94MITRE ATT&CK behavior knowledge baseMITRE ATT&CK documents post-compromise adversary tactics, techniques and procedures, mapping malware capabilities.MITRE ATT&CK catalogs adversary TTPs including malware capabilities like defense evasion, execution, persistence, collection mapped to real-world observations.
95Virustotal Graph relationship analysisVirustotal Graph allows pivoting on relationships between malware samples like shared infrastructure, code overlaps, campaign ties.Virustotal Graph analyzes connections between malware samples based on shared code segments, infrastructural links, submissions pattern enabling pivoting.
96VMRay Analyzer malware analysisVMRay Analyzer performs automated static and dynamic analysis of malware samples within isolated sandbox environments.VMRay Analyzer detonates and analyzes malware using integrated static and dynamic techniques providing execution reports and customizable exports.
97Crowd Inspect triageCrowd Inspect provides quick triage of malware samples by extracting indicators and overhead metadata through static techniques.Crowd Inspect performs rapid automated static analysis on malware to extract strings, metadata, headers, sections and other information aiding triage.
98Reverse.IT malware offers automated static and dynamic malware analysis capabilities with customizable reports and analyzes malware using sandbox executions, static analysis and provides customizable reports with visualizations and detailed technical breakdowns.
99FireEye AX preventionFireEye AX detects and blocks malware at the network level using machine learning models trained on large volumes of samples.FireEye AX leverages machine learning techniques to model malware behaviors and detect malicious network traffic patterns.
100ThreatGrid malware analysis with customizable reportsThreatGrid performs automated static and dynamic malware analysis using sandbox executions and provides actionable reports.ThreatGrid analyzes malware samples by detonating them within instrumented environments and delivers customizable reports with malware behaviors, indicators etc.

We hope this post serves the purpose and becomes a good source of information for the list of malware analysis tools. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website,, and our social media page on FacebookLinkedInTwitterTelegramTumblrMedium, and Instagram and subscribe to receive updates like this.  

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription