Awesome Malware Analysis – The Ultimate Resource For Tools, Techniques, And Insights

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.

  • Malware Collection
    • Anonymizers
    • Honeypots
    • Malware Corpora
  • Open Source Threat Intelligence
    • Tools
    • Other Resources
  • Detection and Classification
  • Online Scanners and Sandboxes
  • Domain Analysis
  • Browser Malware
  • Documents and Shellcode
  • File Carving
  • Deobfuscation
  • Debugging and Reverse Engineering
  • Network
  • Memory Forensics
  • Windows Artifacts
  • Storage and Workflow
  • Miscellaneous
  • Resources
    • Books
    • Other
  • Related Awesome Lists
  • Contributing
  • Thanks

Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org – A free, web based anonymizer.
  • OpenVPN – VPN software and hosting solutions.
  • Privoxy – An open source proxy server with some privacy features.
  • Tor – The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  • Conpot – ICS/SCADA honeypot.
  • Cowrie – SSH honeypot, based on Kippo.
  • DemoHunter – Low-interaction distributed honeypots.
  • Dionaea – Honeypot designed to trap malware.
  • Glastopf – Web application honeypot.
  • Honeyd – Create a virtual honeynet.
  • HoneyDrive – Honeypot bundle Linux distro.
  • Honeytrap – Open-source system for running, monitoring and managing honeypots.
  • MHN – MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
  • Mnemosyne – A normalizer for honeypot data; supports Dionaea.
  • Thug – Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX – Real-time database of malware and malicious domains.
  • Contagio – A collection of recent malware samples and analyses.
  • Exploit Database – Exploit and shellcode samples.
  • Infosec – CERT-PA – Malware samples collection and analysis.
  • InQuest Labs – Evergrowing searchable corpus of malicious Microsoft documents.
  • Javascript Malware Collection – Collection of almost 40,000 JavaScript malware samples.
  • Malpedia – A resource providing rapid identification and actionable context for malware investigations.
  • Malshare – Large repository of malware actively scraped from malicious sites.
  • Open Malware Project – Sample information and downloads. Formerly Offensive Computing.
  • Ragpicker – Plugin-based malware crawler with pre-analysis and reporting functionality.
  • theZoo – Live malware samples for analysts.
  • Tracker h3x – Aggregator for malware corpus trackers and malicious download sites.
  • vduddu malware repo – Collection of various malware files and source code.
  • VirusBay – Community-Based malware repository and social network.
  • ViruSign – Malware database of samples detected by many anti-malware programs except ClamAV.
  • VirusShare – Malware repository, registration required.
  • VX Vault – Active collection of malware samples.
  • Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code – Source for the Zeus trojan leaked in 2011.
  • VX Underground – Massive and growing collection of free malware samples.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

  • AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
  • AlienVault Open Threat Exchange – Share and collaborate in developing Threat Intelligence.
  • Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
  • Fileintel – Pull intelligence per file hash.
  • Hostintel – Pull intelligence per host.
  • IntelMQ – A tool for CERTs for processing incident data using a message queue.
  • IOC Editor – A free editor for XML IOC files.
  • iocextract – Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.
  • ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
  • MalPipe – Malware/IOC ingestion and processing engine that enriches collected data.
  • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • Pulsedive – Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
  • PyIOCe – A Python OpenIOC editor.
  • RiskIQ – Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
  • threataggregator – Aggregates security threats from a number of sources, including some of those listed below under Other Resources.
  • ThreatConnect – TC Open allows you to see and share open source threat data, with support and validation from our free community.
  • ThreatCrowd – A search engine for threats, with graphical visualization.
  • ThreatIngestor – Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.
  • ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
  • TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.