A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.

  • Malware Collection
    • Anonymizers
    • Honeypots
    • Malware Corpora
  • Open Source Threat Intelligence
    • Tools
    • Other Resources
  • Detection and Classification
  • Online Scanners and Sandboxes
  • Domain Analysis
  • Browser Malware
  • Documents and Shellcode
  • File Carving
  • Deobfuscation
  • Debugging and Reverse Engineering
  • Network
  • Memory Forensics
  • Windows Artifacts
  • Storage and Workflow
  • Miscellaneous
  • Resources
    • Books
    • Other
  • Related Awesome Lists
  • Contributing
  • Thanks

Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org – A free, web based anonymizer.
  • OpenVPN – VPN software and hosting solutions.
  • Privoxy – An open source proxy server with some privacy features.
  • Tor – The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  • Conpot – ICS/SCADA honeypot.
  • Cowrie – SSH honeypot, based on Kippo.
  • DemoHunter – Low interaction Distributed Honeypots.
  • Dionaea – Honeypot designed to trap malware.
  • Glastopf – Web application honeypot.
  • Honeyd – Create a virtual honeynet.
  • HoneyDrive – Honeypot bundle Linux distro.
  • Honeytrap – Opensource system for running, monitoring and managing honeypots.
  • MHN – MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
  • Mnemosyne – A normalizer for honeypot data; supports Dionaea.
  • Thug – Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX – Realtime database of malware and malicious domains.
  • Contagio – A collection of recent malware samples and analyses.
  • Exploit Database – Exploit and shellcode samples.
  • Infosec – CERT-PA – Malware samples collection and analysis.
  • InQuest Labs – Evergrowing searchable corpus of malicious Microsoft documents.
  • Javascript Mallware Collection – Collection of almost 40.000 javascript malware samples
  • Malpedia – A resource providing rapid identification and actionable context for malware investigations.
  • Malshare – Large repository of malware actively scrapped from malicious sites.
  • Open Malware Project – Sample information and downloads. Formerly Offensive Computing.
  • Ragpicker – Plugin based malware crawler with pre-analysis and reporting functionalities
  • theZoo – Live malware samples for analysts.
  • Tracker h3x – Agregator for malware corpus tracker and malicious download sites.
  • vduddu malware repo – Collection of various malware files and source code.
  • VirusBay – Community-Based malware repository and social network.
  • ViruSign – Malware database that detected by many anti malware programs except ClamAV.
  • VirusShare – Malware repository, registration required.
  • VX Vault – Active collection of malware samples.
  • Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code – Source for the Zeus trojan leaked in 2011.
  • VX Underground – Massive and growing collection of free malware samples.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

  • AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
  • AlienVault Open Threat Exchange – Share and collaborate in developing Threat Intelligence.
  • Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
  • Fileintel – Pull intelligence per file hash.
  • Hostintel – Pull intelligence per host.
  • IntelMQ – A tool for CERTs for processing incident data using a message queue.
  • IOC Editor – A free editor for XML IOC files.
  • iocextract – Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.
  • ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
  • MalPipe – Malware/IOC ingestion and processing engine, that enriches collected data.
  • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • Pulsedive – Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
  • PyIOCe – A Python OpenIOC editor.
  • RiskIQ – Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
  • threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • ThreatConnect – TC Open allows you to see and share open source threat data, with support and validation from our free community.
  • ThreatCrowd – A search engine for threats, with graphical visualization.
  • ThreatIngestor – Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.
  • ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
  • TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.