A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.
- Malware Collection
  - Anonymizers
  - Honeypots
  - Malware Corpora
- Open Source Threat Intelligence
  - Tools
  - Other Resources
- Detection and Classification
- Online Scanners and Sandboxes
- Domain Analysis
- Browser Malware
- Documents and Shellcode
- File Carving
- Deobfuscation
- Debugging and Reverse Engineering
- Network
- Memory Forensics
- Windows Artifacts
- Storage and Workflow
- Miscellaneous
- Resources
  - Books
  - Other
- Related Awesome Lists
- Contributing
- Thanks
## Malware Collection

### Anonymizers

Web traffic anonymizers for analysts.
- Anonymouse.org – A free, web-based anonymizer.
- OpenVPN – VPN software and hosting solutions.
- Privoxy – An open source proxy server with some privacy features.
- Tor – The Onion Router, for browsing the web without leaving traces of the client IP.
### Honeypots

Trap and collect your own samples.
- Conpot – ICS/SCADA honeypot.
- Cowrie – SSH honeypot, based on Kippo.
- DemoHunter – Low-interaction distributed honeypots.
- Dionaea – Honeypot designed to trap malware.
- Glastopf – Web application honeypot.
- Honeyd – Create a virtual honeynet.
- HoneyDrive – Honeypot bundle Linux distro.
- Honeytrap – Open source system for running, monitoring and managing honeypots.
- MHN – MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
- Mnemosyne – A normalizer for honeypot data; supports Dionaea.
- Thug – Low-interaction honeyclient for investigating malicious websites.
### Malware Corpora

Malware samples collected for analysis.

- Clean MX – Real-time database of malware and malicious domains.
- Contagio – A collection of recent malware samples and analyses.
- Exploit Database – Exploit and shellcode samples.
- Infosec – CERT-PA – Malware samples collection and analysis.
- InQuest Labs – Evergrowing searchable corpus of malicious Microsoft documents.
- Javascript Malware Collection – Collection of almost 40,000 JavaScript malware samples.
- Malpedia – A resource providing rapid identification and actionable context for malware investigations.
- Malshare – Large repository of malware actively scraped from malicious sites.
- Open Malware Project – Sample information and downloads. Formerly Offensive Computing.
- Ragpicker – Plugin-based malware crawler with pre-analysis and reporting functionality.
- theZoo – Live malware samples for analysts.
- Tracker h3x – Aggregator for malware corpus trackers and malicious download sites.
- vduddu malware repo – Collection of various malware files and source code.
- VirusBay – Community-based malware repository and social network.
- ViruSign – Malware database of samples detected by many anti-malware programs except ClamAV.
- VirusShare – Malware repository, registration required.
- VX Vault – Active collection of malware samples.
- Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
- Zeus Source Code – Source for the Zeus trojan leaked in 2011.
- VX Underground – Massive and growing collection of free malware samples.
## Open Source Threat Intelligence

### Tools

Harvest and analyze IOCs.
- AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
- AlienVault Open Threat Exchange – Share and collaborate in developing Threat Intelligence.
- Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
- Fileintel – Pull intelligence per file hash.
- Hostintel – Pull intelligence per host.
- IntelMQ – A tool for CERTs for processing incident data using a message queue.
- IOC Editor – A free editor for XML IOC files.
- iocextract – Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.
- ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
- MalPipe – Malware/IOC ingestion and processing engine that enriches collected data.
- Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
- MISP – Malware Information Sharing Platform curated by The MISP Project.
- Pulsedive – Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
- PyIOCe – A Python OpenIOC editor.
- RiskIQ – Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
- threataggregator – Aggregates security threats from a number of sources, including some of those listed below under Other Resources.
- ThreatConnect – TC Open allows you to see and share open source threat data, with support and validation from our free community.
- ThreatCrowd – A search engine for threats, with graphical visualization.
- ThreatIngestor – Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.
- ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
- TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.