The Big List of Malware Analysis Tools

Malware Analysis is a constantly evolving, highly engaging, and adversarial field that can be both incredibly useful for Security Operations Analysts, and incredibly helpful for the broader Cybersecurity community.

The list below is not intended to be all encompassing or all inclusive, but represents many of my go-to tools and things I’ve encountered in my time in malware reverse engineering and analysis.

Each entry should contain a succinct description of the tool, and when it should be used. Hopefully this can help analysts who may be entering the field to select the right tool for the job, and speed up malware analysis.

I am open to suggestions for changes, additions, and redactions from this list. Instructions to do so will be located at the bottom of the page.

Relevant Certifications & Courses

#

• SANS FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
• SANS FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
• SANS FOR710: Reverse-Engineering Malware: Advanced Code Analysis
• TCM Security - Practical Malware Analysis
• InvokeRE - Introduction to Malware Binary Triage: IDA
• InvokeRE - Introduction to Malware Binary Triage: Binary Ninja

Malware Analysis Virtual Appliances

#

In Malware Analysis, your VM is your ’toolkit’ and will be constantly evolving. Ensuring you understand your hypervisor and the virtual machines running on them is pivotal to increasing efficiency and efficacy. While there are predominantly two de-facto standards for Malware Analysis, many of these VM’s use tools readily available, so feel free to experiment and build your own.

• Mandiant FLARE-VM - A Windows Malware Analysis lab generation script that loads the virtual machine with numerous critical tools for Malware Analysts, Security Operations Analysts, and DFIR specialists.
• REMnux - An Ubuntu based virtual machine created by Lenny Zeltser specifically for reverse engineering malware. Often deployed directly as a virtual appliance with a simple setup to facilitate consistent machine reproduction at scale.

Static Analysis

#

Static analysis is the act of making inferences about code without requiring that code be ran. When well-automated and consistent, static analysis will represent the absolute fastest information to triage (or potentially even verdict) a piece of software.

Static analysis is heavily enumerated by threat actors in an attempt to hide their code; many anti-malware engines utilize static analysis in the form of signature detection to verdict files. This means static analysis, while very powerful, varies widely in its efficacy.

Static Properties

#

Static properties of code are generally derived from headers or strings within the code itself. Static properties should be the ‘first-stop’ for analysts to establish a baseline understanding of what you may be working with. This includes things like static deobfuscators, magic bytes/file header parsers, etc.

• Unix file - the file command is incredibly useful for grabbing information about any given binary, including arch, dynamic/static linking and debugging symbols.
• Detect-It-Easy - Similar to Linux’s file command, but with extended functionality including a disassembler, entropy analysis calculator, string finder, and more.
• PEStudio - Malware CERT & SOC tool to parse artifacts from executable files without necessitating the use of a heavier decompiler/disassembler. Heavily focused on initial triage.
• Mandiant capa - Capa statically analyzes executable (PE, ELF, NET, shellcode, etc.) files and makes inferences about what the code is capable of performing. Includes ATT&CK mappings.
• GNU Strings - Included with virtually all modern Linux distributions, pulls successive ASCII characters of a given length out of any file.
• Sysinternals Strings - A Windows version of strings for Linux.

General Purpose Decompilers & Disassemblers

#

• HexRays IDA Pro - The most widely deployed Software Reverse Engineering toolkit; IDA Pro is incredibly powerful and represents the industry standard in decompilation and disassembly, with a slew of additional features such as an embedded console and API to facilitate custom tooling.
• Ghidra - A reverse engineering toolkit developed by the National Security Agency (Yes, that one.) Ghidra was a long-kept secret of the NSA before it was finally released to the public. Ghidra has several extremely powerful extensions, such as Ghidrathon, Mandiant’s Python 3 scripting engine for Ghidra.
• Vector35 Binary Ninja - A newcomer to the reverse engineering tooling ecosystem; Binary Ninja focuses on user experience with a modern UI and an incredibly robust intermediate language. Also contains a scripting engine for programmatic access.
• Malcat - A fairly new hex editor/disassembler. Highly extensible, very useful for at-a-glance triage of unknown files/malware. Made to try and lighten the load of determining malice in files without requiring extensive reverse engineering.

Domain Specific Tooling

#

Deobfuscation

#

• Mandiant FLARE Floss - Strings, but for obfuscation! This includes strings that are constructed on the stack, as well as strings decoded in functions.
• Cyberchef - A graphical, recipe-style general static property parser. Often used for deobfuscation, decryption, and decoding.
• Binary Refinery - A Python-based implementation of Cyberchef. Focused on command-line usage, and possess a strong set of Python bindings.
• XORStrings/XORSearch - Iterate over contents within the binary to attempt to extract XOR’d strings. Quick to run, and can generate some very rapid wins when it comes to static analysis.

Extraction

#

• binwalk - A (now Rust-based) file carving utility. Identifies and extracts embedded files within a given binary file.
• unblob - Much like binwalk, unblob is another extraction suite for obtaining embedded binary files and extracting contents recursively.
• debloat - Remove extrenous data designed to increase filesize and extract/decompress some relevant file formats.

Dynamic Analysis

#

Dynamic analysis, by comparison, is the act of running some or all of the target software to observe how it behaves. This may include the use of debuggers, which will allow analysts to step through functions. It also includes the most time-effective and consistent analysis technique of simply observing the changes to the system from the baseline.

Debuggers

#

Debuggers allow an analyst to walk line by line through an instruction set of a program. Most mature programming languages will have some sort of debugger specification, including those that are compiled. While this is not an all exhaustive list, becoming familiar with debuggers is pivotal to understanding and dissecting malicious behaviors, especially in heavily obfuscated binaries.

• x64dbg - The go-to debugger for Windows.
• GNU Debugger - GDB - The go-to debugger for Linux; a common inclusion in virtually every Linux distribution.
• PwnDBG - A wonderful GDB extension focused on binary exploitation and reverse engineering. My personal go-to.
• ScyllaHide - An anti-anti debugging platform. Hide from anti-debugging calls such as kernel32.dll::IsDebuggerPresent.

Domain Specific Tooling

#

• Frida - Allows for arbitrary injection of code into a running process. This is useful because it often allows us to easily gain control flow execution of a running process, often facilitating things like runtime deobfuscation, DLL hooking and unhooking, etc.
• Angr - A symbolic execution framework that is commonly used in Capture the Flags, also has some practical uses against obfuscation.

Logging & Observability

#

Logging and observability is pivotal to dynamic analysis. Understanding what changes occurred to a machine as malware was ran is important, and ensuring you have proper instrumentation in place the first time can prevent tedious troubleshooting, virtual machine snapshotting and reverting, etc.

• SysInternals Process Monitor - A real time feed of information such as registry modifications, thread activity, etc. Highly useful for detecting registry modifications and file handle operations in real time.
• SysInternals Sysmon - A service & device driver designed to achieve persistent Windows Event log enrichment. Contains the ability to log full command line arguments for process trees, automatic hashing of process image files, and various other enrichments that are essential to proper Windows event introspection.
• Chainsaw - While not a dynamic analysis tool directly, a worthwhile mention with the inclusion of the above– Chainsaw can be used to rapidly parse Windows event logs (and Sysmon logs).
• IppSec’s PowerSiem - A PowerShell script to ’tail’ or follow the end of the Sysmon Event log. Extremely useful for seeing a live feed of what a program may be doing at any given time.
• RegShot - Snapshot the Windows Registry Hive before and after process execution and compare changes. Incredibly powerful for rapid detection of registry persistence footholds.

Network Tools

#

Many malicious programs will communicate with command and control (C2) at some point in their execution. Capturing these communications can give analysts actionable indicators of compromise, and gives insight into how the program may be behaving and what it may be accomplishing.

• Wireshark - The de-facto packet capturing and network traffic monitoring solution. The ability to capture network communications can allow analysts to make decisions about exfiltrated data and C2 protocols, as well as identifying C2 infrastructure.
• Fiddler - An incredibly powerful networking toolkit for HTTP communications. Allows the proxying and capturing of specific HTTP(S) communications, and can be used to rapidly identify C2 behaviors.
• BurpSuite - An application security testing suite similar to Fiddler that lends itself well to debugging HTTP(S) communications from a given program. Both Fiddler and Burpsuite contain the ability to proxy outbound HTTPS connections through its own interface, giving insight into SSL/TLS communications.
• Mandiant FLARE FakeNet-NG - A dynamic network analysis tool, FakeNet simulates network services and captures information about these communications. FakeNet can redirect and reroute all network traffic, and gives granular control over network behaviors.

Memory Forensics

#

Memory forensics is the art of capturing live or dumped memory artifacts, and parsing them for relevant information. Memory dumps are often provided as part of online triaging, and can be incredibly effective for dealing with obfuscated or memory-resident malware.

• Volatility 3 - Volatility 3 stands out in this category as the most comprehensive, complete, and reliable tool to parse, identify, and extract memory resident artifacts. It is operating system agnostic, and comes with numerous modules to assist in recovery of information or behavioral analysis.
• MemProcFS - Navigate memory as if it were a file system. Contains the capability to automatically execute several useful forensics modules to timeline and hunt for evil within memory dumps.
• PE-sieve - Detects a variety of common tradecraft in runtime such as process hollowing, reflective loading, inline hooking, etc.
• hollows_hunter - A fork of PE-sieve designed to be a little more ergonomic for dynamic analysis and in-memory scanning.

Malware Family Analysis

#

.NET

#

• ILSpy - I mostly use this in the form of ilspycmd, this is a very well known .NET decompiler.
• de4dot - A fairly long time, well known .NET deobfuscation library. Handles some things well, doesn’t handle everything perfectly. Can do some heavy lifting to get you to an answer.

Javascript

#

• Webcrack - A Javascript deobfuscator for some commonly observed Javascript malware variants (including those obfuscated by obfuscator.io).
• boxJS - A Javascript reverse engineering tool suite. Technically, this is dynamic analysis, but it’s sandboxed and emulated. While I wouldn’t run this outside of a VM, it doesn’t quite land into the world of dynamic analysis.
• Mandiant Gootloader - A set of Python scripts designed to deobfuscate some of the more popular Gootloader obfuscation schemas.

Python

#

• Vipyr Security Deobfuscator - Shameless self plug. An automated deobfuscation platform for several common obfuscators found on the Internet and in Python malware.

Cobalt Strike

#

• CSCE - Cobalt Strike Config Extractor. Can act on both static files and memory dumps.
• 1768.py - Didier Stevens’ famous 1768. Again, acts upon both static files and memory dumps. Can also be targeted towards streams and positions in memory.

Tradecraft & Demonstrations

#

This is a non-exhaustive list of videos I found insightful in discussion of general concepts. In the future, as I expand this knowledgebase, this may encompass specific tutorials or analysis articles I’ve written for the purposes of teaching and demonstration.

General Resources

#

• crow - An Introduction to Malware Analysis - A gentle introduction to the field of malware analysis, covers a variety of topics at face value, and represents an excellent ‘start from zero’ point for Malware Analysts.

Windows Executables & DLL’s

#

• Anuj Soni - Code Analysis with Ghidra - WannaCry - Anuj Soni, SANS Reverse Engineering Malware instructor, discusses and demonstrates behavior of the Ghidra decompiler/disassembler.
• Off By One - Reverse Engineering Malware with Ghidra - Another succinct explanation of Ghidra from Off By One security and Anuj Soni.
• Anuj Soni - How I Debug DLL Malware - Emotet- DLL’s are often glossed over by analysts in favor of targeting executables; but DLL’s are heavily utilized in malware for a variety of purposes.
• Jai Minton - IDAT Loader - A wonderfully informative introduction on DLL sideloading, search order highjacking, etc., as well as a fantastic commentary on the process used to approach this malware.

Unix & MacOS Binaries

#

• Low Level Learning - ESXiArgs Ransomware - Analyzing general Linux ransomware. An excellent demonstration of an analysts’ mindset when it comes to approaching malware and the general decision making process.

Non-Native Language and Script Analysis

#

• John Hammond - JScript Deobfuscation WSHRAT - An excellent primer to what to expect with malware reverse engineering in Javascript, a common attack vector for many malicious programs.
• John Hammond - DcRat Malware Analysis - Dealing with PowerShell Fake Browser Updates; also touches on several malware author tradecraft behaviors that you will inevitably encounter.
• Laurie Wired - Deciphering Obfuscated Javascript Malware - Javascript deobfuscation using a common obfuscation pattern. This video does a fantastic job of covering a basic approach and mentality for deobfuscation.

Memory Forensics

#

• DFIRScience - Introduction to Memory Forensics - A comprehensive introduction on the capabilities of the Volatility framework and how we might use the modules to carve information from memory dumps.

Network Tools

#

• Chris Greer - Malware Analysis With Wireshark - TrickBot malware analysis focusing on utilizing Wireshark as a basis for the analysis. Discusses the methodology and approach behind diagnosing PCAP’s for critical analyst information.
• MalwareAnalysisForHedgehogs - Fun With Fiddler - Basic malware analysis utilizing Fiddler as the basis for analysis with a heavy focus on simulating the C2 framework and execute the malware. (This is quite old and Fiddler is a bit different now, but there isn’t much on the Internet geared towards Malware Analysis with Fiddler, and the concepts remain the same.)

Suggesting Changes

#

As discussed in the start of this article, I am open to additions to this list! Comprehensive malware analysis resources are difficult to come by, and it is my hope that by giving back to the community, we can equip Cybersecurity professionals at all levels for success. If you would like to suggest a change, please visit my Github blog repository and create a pull request. No specific format is necessary, simply listing the tool (preferably with a link to the primary maintainer’s repository or website) is enough. I will accept any elaboration on why it should be added, or do the research myself if necessary to determine if something should be included.

Thank you!