The Best Malware Analysis Tools for Security Researchers & Malware Analysts 2022

Security professionals need to be able to use malware analysis tools to identify sophisticated threats and cyberattacks.

We will be displaying some Malware Analysis Tools, Books, and Resources.

• 
  Malware Analysis Courses
  
• 
  Hex Editors
  
• 
  Disassemblers
  
• 
  Classification and Detection
  
• 
  Dynamic binary Instrumentation
  
• 
  Dynamic Analys
  
• 
  Deobfuscation
  
• 
  Debugging
  
• 
  Malware Analysis Courses
  
• 
  Reverse Engineering
  
• 
  Binary Analysis
  
• 
  Decompiler
  
• 
  Bytecode Analy
  
• 
  Reconstruction
  
• 
  Memory Forensics
  
• 
  Windows Artifacts
  
• 
  Workflow and Storage
  
• 
  Malware examples
  
• 
  Courses
  
• 
  Domain Analysis
  
• 
  Books
  

Malware Analysis Courses

We have listed here the top courses for malware analysis and reverse engineering.

Hex Editors

The hex editor, also known as byteeditor or binary file editor, is a program designed to allow manipulation of fundamental binary data within a computer file. Hexadecimal is a common numerical format used to represent binary data.

Disassemblers

A Disassembler computer program converts machine language to assembly language. This is the opposite operation of an assembler.

Disassemblers are different from decompilers, as they target a higher-level language than an assembly language. The output of disassembly is usually formatted to be easy for humans rather than suitable for use by an assembler. This makes it primarily a reverse engineering tool.

Classification and Detection

• – Wrapper to access a range of reporting tools on Windows PE files.
• A distributed, scalable file analysis framework.
• – An open-source, serverless AWS pipeline which scans uploaded files and issues alerts based upon a set YARA rules.
• ClamAV – Open source antivirus engine.
• The program to determine the types of files.
• – View, edit and write metadata.
• File Scanner Framework Modular, Recursive File Scanning Solution
• – Calculate digest hashes using a range of algorithms.
• – A host-based scanner to scan IOCs.
• – Search and compare malware at the function level.
• MASTIFF – Static analysis framework.
• MultiScanner – Modular file scanning/analysis platform
• is a tool to look up hashes within NIST’s National Software Reference Library.
• – An alternative to PEiD that is cross-platform.
• A toolkit for working with PE files that provides feature-rich tools to analyze suspicious binaries.
• – Detect Linux rootkits.
• Compute fuzzy hashes.
• TotalHash.py Python script to search the Database.
• – File ID.
• – A pattern matching tool for analysts.
• Yara rule generator — Generate yara laws based upon a collection of malware samples. It also contains a string database to prevent false positives

Dynamic binary Instrumentation

Dynamic Binary Instrumentation Tools

Mac Encrypt

Mac Decrypting tools

Emulator

Emulator Tool

Document Analysis

Tool for Document Based Malware Analysis

Dynamic Analys

This class is for people starting out in malware analysis, or those who wish to learn more about the types of malware artifacts that can be found using various tools.

This class is hands-on and students will learn how to use different tools to identify malware: Communicating, Persisting and Hiding.

Deobfuscation Malware Analytic Tools

Other code obfuscation techniques and reverse XOR.

• – An malware analysis tool to reverse obfuscation.
• .NET unpacker and deobfuscator.
• & – Alexander Hanel has two tools for working with single-byte XOR encoded file.
• FLOSS– FireEye Labs Obfuscated String Solver employs advanced stat analysis techniques to deobfuscate strings in malware binaries.
• – Find a 256-byte XOR key by frequency analysis
• – This is a generic hidden code extractor that can be used to remove Windows malware.
• – Automatic malware removal for Windows malware using WinAppDbg.
• – Use known-plaintext attacks to guess XOR keys
• – A reverse engineering tool to create virtualization wrappers.
• – A Python script for brute forcing single-byte XOR keys.
• – A few programs by Didier Stevens to find XORed information.
• – Guess the XOR key length as well as key itself.

Debugging

This List contains tools to disassemble, debug, and analyze static and dynamic data. Cross-Platform Debugging Tool

Windows Only Debugging Tools

Linux Only Debugging Tools

Reverse Engineering

• anger – A platform-agnostic, binary analysis framework was developed by UCSB Seclab.
• bamfdetect – Identifies and extracts data from bots.
• – A multiplatform, open-source (MIT) binary analysis tool developed by Cylab at CMU.
• – Open source, multiplatform Binary Analysis and Reverse Engineering Framework.
• – A binary analysis tool for reverse engineering that uses graph visualization.
• Binary ninja – An alternative to IDA.
• – Software analysis tool.
• – GUI for Pyew and Radare. ()
• – A disassembly framework that allows binary analysis and reverse engineering. It supports many languages and has bindings.
• Web-based code browser that uses clang for basic code analysis
• A binary analysis platform that uses QEMU. DroidScope now extends DECAF.
• Evan’s Debugger (EDB). – An modular debugger that uses a Qt GUI.
• Fibratus – A tool for exploring and tracking the Windows kernel.
• Reports opens TCP/IP ports and UDP ports on a live system, and maps them back to their owning applications.
• – The GNU Debugger.
• GEF – BDB Enhanced Features for reverse engineers and exploiters.
• hackers–grep – This utility searches for strings within PE executables. It includes imports and exports as well debug symbols.
• – The macOS and Linux Disassembler.
• – Windows disassembler, debugger and free trial version.
• – A Python API that allows you to use this Debugger for malware analysis, and other purposes.
• ILSpy – ILSpy, the free-source.NET assembly browser/decompiler is .
• – DSL to reverse engineer and dissect file formats/network protocols/data structures.
• – – – provides cross-platform support to modify, parse and abstract ELF and MachO files.
• Dynamic analysis of Linux executables
• Part of GNU Binutils for static analysis and compilation of Linux binaries.
• – An assembly-level debugger for Windows executables.
• Platform for Architecture Neutral Dynamic Analysis.
• Exploit Development Assistance For GDB, an enhanced display that includes additional commands
• Perform static analysis on Windows executables.
• – Automated static analysis can be performed with the Pharos binary analysis framework.
• – Interactive disassembler for x86/ARM/MIPS.
• (puppy), A professional PE file Explorer that can be used by malware researchers, reversers and others who need to inspect PE files more thoroughly.
• Advanced Task Manager for Windows
• Process hacker – This tool monitors the system’s resources.
• Advanced Monitoring Tool for Windows Programs
• – Windows command line tools to manage and examine live systems.
• Python tool to analyze malware.
• Scriptable reverse engineering toolbox for Python by Cisco’s Talos Team.
• – QEMU embedded with WinDbg for stealth debugging.
• Radare2 – A reverse engineering framework with debugger support.
• is a registry compare utility that allows you to compare snapshots.
• RetDec Machine-code decompiler using an online service. API You can also use this in your toolbox.
• – An analysis, dissection and decompilation framework for complex code-reuse attacks.
• Sublime Malware Research Tools, a Sublime 3 plugin to assist with malware analysis.
• Dynamic analysis of Linux executables.
• – An interactive framework for dynamic binary analysis (DBA).
• – A disassembler tool and library for x86_64 and x86_64.
• is a Python tool to analyze malware.
• – Multipurpose debugger that works with Microsoft Windows operating systems. It can be used to troubleshoot user mode apps, driver software, and kernel-mode memory dumps.
• – An open-source x64/x32 debugger for windows.

Binary Format, Binary Analysis

Compound File Binary format is the base container for many different Microsoft file formats, such as Microsoft Office documents or Microsoft Installer packages.

Binary Analysis Resources

Decompiler

Decompiler can create executable files and attempt to compile them successfully. This is the reverse of a compiler which uses an executable file as input and attempts to create a high-level source file that can be recompiled successfully.

Java Decompiler

.NET Decompiler

Delphi Decompiler

Python decompiler

Bytecode Analy

Bytecode Analysis Tool

Malware Analysis and Tools for Reconstruction

Tools for Import Reconstruction

• Free Online Analysis of APKs Against Multiple Mobile Antivirus Apps
• Malware.lu is an online scanner that detects and removes malware.
• Analyze suspicious office records.
• Cuckoo Sandbox – Open-source, self-hosted sandbox with automated analysis.
• – A modified version of Cuckoo Sandbox is available under the GPL. Due to legal issues, the author has not merged it upstream.
• Cuckoo Modified-api – This Python API is used to manage a cuckoo modified sandbox.
• – Multiformat File Analyzer with Machine-Learning Classification.
• – This sandbox was created to analyze traffic and capture IOCs from Linux malwares.
• – Dynamic malware analysis system.
• – Analyzes any firmware package, unpacks it and scans it.
• HaboMalHunter – A tool to automate the analysis of malware in Linux ELF files
• – An online malware analysis tool powered by VxSandbox.
• – A customizable and asynchronous analysis platform to detect suspicious files.
• Deep malware analysis using Joe Sandbox.
• – Online multi-AV scanner.
• – Box for Analyzing Linux Malware.
• – Automated Sandboxed Analysis of Malware Behavior.
• – This is a Python RESTful API Framework for URL and online malware analysis.
• – Decode, display and extract the settings of common malwares.
• – Get a free analysis using an online Cuckoo Sandbox.
• – Static analysis online of malware.
• Scan any file, hash, or IP address to find malware for free
• – This service analyzes pcap files to detect viruses, trojans and other malware. It is configured with EmergingThreats Pro and Suricata.
• Uses Sysinternals to gather information about malware within a sandboxed setting.
• – Analyse suspicious PDF files.
• ProcDot – A graphic malware analysis toolkit.
• – Helper script to safely upload binaries onto sandbox websites.
• The complete and automatic Android app analysis system.
• The Sandboxed Execution Environment, (SEE), is a tool for automating test automation within secured environments.
• Viral Free Online Analysis of Malware Samples and URLs
• – An open source visualization tool and command line log tools. (Cuckoo and Procmon, plus more …)
• Lenny Zeltser compiled the free automated sandboxes.

Document Analysis

Software for Document Analysis

Scripting

Scripting

Android

Android Tools

Yara

Yara Resources

Malware Analysis Tools

Tool to dissect malware in memory images and running systems.

• Client for Windows/MacOS Forensics, including hiberfil, Pagefile and raw memory analysis.
• DAMM – A Differential Analysis for Malware in Memory, based on Volatility.
• – Web interface to the Volatility Memo Forensics Framework.
• Find AES keys to your memory.
• – High-speed memory analysis framework created in.NET that supports all Windows x64 platforms. It also includes code integrity support.
• – This script automates portions of Volatility analysis and generates readable reports.
• Memory Analysis Framework, Forked From Volatility In 2013.
• TotalRecall Script that uses Volatility to automate various malware analysis tasks
• – Use Volatility to check memory images prior and subsequent to malware execution and then report any changes.
• Advanced memory forforensics.
• – Web Interface to Volatility Memory Analysis Framework.
• WinDBG AntiRootKit Extension.
• – Live memory inspection for Windows and kernel debugging

Windows Artifacts

• A script to respond to an incident and gather Windows artifacts.
• Python library to parse Windows Event Logs.
• Python library to parse registry files.
• RegRipper ) is a plugin-based registry analysis tool.

Workflow and Storage

• Open Source Malware Analysis Pipeline Systems
• – Collaborative Research Into Threats. A threat and malware repository.
• FAME is a malware analysis framework that allows for the addition of custom modules. These can then be linked and interacted with to carry out end-to-end analyses.
• Malwarehouse – Search, store, tag and scan for malware.
• is a malware analysis platform that allows analysts to work together to remove malware.
• is a distributed content analysis framework that supports a wide range of plugins, including input, output and everything in-between.
• – An analysis and management framework that supports analysts and researchers.

Malware examples

Samples of malware collected to be analysed.

• Real-time database for malware and malicious domains.
• A compilation of malware samples and analysis.
• – Exploit and shellcode samples.
• Large collection of malware actively scrapped from malign sites.
• – A repository of malware samples.
• Samples and Downloads Formerly Offensive Computing.
• Ragpicker Plugin-based malware crawler that provides pre-analysis and reports
• – Live malware samples available for analysts
• Tracker HTML3x – Agregator of malware corpus tracker, and malicious download websites.
• – Malware database detected by all anti malware software except ClamAV.
• Registration required.
• – Active collection for malware samples
• Lenny Zeltser has compiled a list of sample malware sources.
• – Leaked source for Zeus trojan in 2011.

Malware Analysis Tools

Examine domains and IP addresses.

• Community-based IP blacklist service.
• Boomerang – This tool is designed to capture off-network web resources in a consistent, safe manner.
• Threat intelligence tracker with IP/domain/hash look.
• – Use this tool in one click to find as many metadata about a website as you can and assess its current standing.
• – Get free online digs and other tools.
• DNStwist – A domain name permutation engine to detect typo squatting and corporate espionage.
• HTMLinfo – Search online for information on an IP address or domain.
• Machinae is an OSINT tool that collects information about URLs and IPs. Automator is similar.
• – A cross-language temporary email detection tool.
• VirusTotal API. This allows domain/IP research and search for file hashes.
• Multiple rbl
• NormShield Services – Free API Services to detect possible phishing domains and blacklisted ip address, as well as breached accounts.
• IP-based spam blocker list.
• SpamHaus Block List based on IPs and domains
• – A free website security scanner and malware scanner.
• – Search for IP, domain or network owner. (Previously SenderBase.)
• is an OSINT tool that collects information on URLs, IPs and hashes.
• – Free URL Scanner.
• DomainTools – domaintools online whois search.
• – A collection of free online tools to search for malicious websites. compiled by Lenny Zeltser.
• – Zulu URL Risk Analyzer.

Books

Reverse Engineering Books: The Most Important Books

Shellcode and Documents

Analysis of malicious JS/shellcode in PDFs and Office documents. Also see the section on browser malware.

• AnalyzePDF – This tool allows you to analyze PDFs, and determine if they’re malicious.
• is a tool to study JavaScript malware. It includes JScript/WScript support, ActiveX Emulation and ActiveX support.
• – Use this tool to analyze malicious shellcode.
• JavaScript Unpacking and Deobfuscation
• Deobfuscator
• – Library and tools to emulate x86 shellcodes
• – Deconstruct malicious PDFs into a JSON representation.
• Scan malicious traces within MS Office documents.
• This script allows you to parse OLE and OpenXML files and extract useful information.
• Origami – An analysis tool to identify malicious PDFs.
• pdfid and pdf-parser from Didier Stevens.
• XRay Lite – This is a PDF analysis tool that allows you to analyze PDFs without the need for a backend.
• is a Python tool to explore potentially malicious PDFs.
• QuickSand QuickSand QuickSand is an efficient C framework that analyzes suspected malware documents in order to find exploits within streams of various encodings, and locate and extract executables.
• Spidermonkey – Mozilla’s JavaScript engine for diagnosing malicious JS.

Malware analysis tools

Practice Reverse Engineering. Take care when dealing with malware

Analyze and harvest IOCs

• Abuser – A free framework to receive and distribute abuse feeds as well as threat intelligence.
• – Collaborate in the development of Threat Intelligence.
• – To gather Threat Intelligence indicators using publicly available sources
• – Get intelligence per file hash.
• – Pull Intelligence per host.
• – This tool is for CERTs to process incident data by using a message queue.
• – A free editor for XML IOC files.
• Python library to work with OpenIOC objects from Mandiant
• – Formerly known as CIF, Collective Intelligence Framework. This aggregates IOCs taken from different lists. Curated by the .
• – Malware Information Sharing Platform, curated by .
• – A community-driven platform for threat intelligence that collects IOCs using open-source feeds.
• PyIOCe – A Python OpenIOC editor.
• – Connect, Tag, and Share IPs and Domains. (Was PassiveTotal.)
• – Combines security threats from many sources including those mentioned below in .
• threatCrowd – Search engine for threats with visual visualization.
• – This Python script monitors and generates alerts on IOCs that have been indexed using a number of Google Custom Search Engines.
• – Data visualizations and statistical analyses of Threat Intelligence feeds.

Additional Resources

Credits

This is a list created with the help of these Awesome Peoples.