Malware Analysis Resources

This post encompasses all of the resources I have collected during my tenure as a cybersecurity professional and malware analyst. Although not all of these resources are directly related to malware analysis, the information will, in my opinion, assist in malware analysis efforts.

If any of the hyperlinks are out of date, or you believe a resource should be added to the list, I’d be glad to add it if applicable. You can contact me and I will attempt to get back to you as soon as possible.

I will eventually move this master list to a more easily navigable format, such as separate pages for each topic with subpages.

Last Updated: Feb 12, 2022

Fixes:

  • Fixed hyperlinks for Table of Contents

Additions: 1

  • PyInstaller Extractor

Deletions: 0

Books and PDFs

This section encompasses all of the books geared towards malware analysis, along with PDFs to supplement learning. The resources in this section are below.

Books:

Antivirus Bypass Techniques: Learn practical techniques and tactics to combat, bypass, and evade antivirus software (https://www.amazon.com/AntivirusBypass-Techniques-practical-techniques/dp/1801079749)

Applied Network Security Monitoring: Collection, Detection, and Analysis (https://www.amazon.com/Applied-Network-Security-Monitoring-Collection/dp/0124172083)

Art of Computer Virus Research and Defense (https://www.amazon.com/SZOR-VIRUS-DEFENSE-Symantec-Press-ebook/dp/B003DQ4WLQ/)

C Programming Language (https://www.amazon.com/Programming-Language-2nd-Brian-Kernighan/dp/0131103628)

C++ Programming Language (https://www.amazon.com/C-Programming-Language-4th/dp/0321563840)

Digital Forensics and Incident Response: Incident response techniques and procedures to respond to modern cyber threats, 2nd Edition (https://www.amazon.com/Digital-Forensics-Incident-Response-techniques-dp-183864900X/dp/183864900X/ref=mt_other?_encoding=UTF8&me=&qid=1589730602)

Digital Forensics with Open Source Tools (https://www.amazon.com/Digital-Forensics-Open-Source-Tools-dp-1597495867/dp/1597495867/ref=mt_other?_encoding=UTF8&me=&qid=1589730602)

Gray Hat Python (https://nostarch.com/ghpython.htm)

Hacker Disassembling Uncovered (https://www.amazon.com/Hacker-Disassembling-Uncovered-Kris-Kaspersky/dp/1931769648/)

Intel 64 and IA-32 Architectures Software Developer’s Manual Volume 2 (https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia32-architectures-software-developer-instruction-set-reference-manual-325383.pdf)

Learning Malware Analysis (https://www.packtpub.com/product/learning-malware-analysis/9781788392501)

Malware Analysis Techniques (https://www.amazon.com/Malware-Analysis-Techniques-adversarial-software-ebook/dp/B093QJ9Q2B)

Malware Analysis and Detection Engineering (https://www.amazon.com/Malware-Analysis-Detection-Engineering-Comprehensive/dp/1484261925)

Malware Analyst’s Cookbook (https://www.amazon.com/dp/0470613033)

Malware Data Science (https://nostarch.com/malwaredatascience)

Malware Reverse Engineering Handbook (https://ccdcoe.org/library/publications/malware-reverse-engineering-handbook/)

Mastering Malware Analysis (https://www.packtpub.com/product/mastering-malware-analysis/9781789610789)

Mastering Reverse Engineering (https://www.packtpub.com/product/mastering-reverse-engineering/9781788838849)

Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information (https://www.amazon.com/Open-Source-IntelligenceTechniques-Information-dp-B09PHL6Q4G/dp/B09PHL6Q4G/ref=dp_ob_title_bk)

Practical Binary Analysis (https://nostarch.com/binaryanalysis)

Practical Forensic Imaging (https://nostarch.com/forensicimaging)

Practical Linux Forensics (https://nostarch.com/practical-linux-forensics)

Practical Malware Analysis (https://nostarch.com/malware)

  • Samples (https://practicalmalwareanalysis.com/labs/)

Practical Mobile Forensics: Forensically investigate and analyze iOS, Android, and Windows 10 devices, 4th Edition (https://www.amazon.com/PracticalMobile-Forensics-Forensically-investigate/dp/183864752X/ref=tmm_pap_swatch_0?_encoding=UTF8&qid=&sr=)

Practical Packet Analysis (https://nostarch.com/packetanalysis3)

Practical Reverse Engineering (https://www.amazon.com/gp/product/1118787315/)

Programming Windows (https://www.amazon.com/Programming-Windows%C2%AE-Fifth-Microsoft/dp/157231995X/ref=ntt_at_ep_dpt_3/185-4090500-7860862)

RE4B/Understanding Assembly Language (https://challenges.re/handbook) (https://beginners.re/)

Real Digital Forensics (https://www.amazon.com/gp/product/0321240693)

Reversing Secrets of Reverse Engineering (https://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817)

Rootkits and Bootkits (https://nostarch.com/rootkits)

Rootkits: Subverting the Windows Kernel (https://www.amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319/ref=sr_1_1?s=books&ie=UTF8&qid=1347658166&sr=1-1&keywords=Rootkits)

The Art of Assembly Language (https://nostarch.com/assembly2.htm)

The Art of Mac Malware (https://nostarch.com/art-mac-malware)

The Art of Memory Forensics (https://www.amazon.com/dp/1118825098)

The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics (https://www.amazon.com/Basics-Digital-Forensics-Getting-Started-dp0128016353/dp/0128016353/ref=mt_other?_encoding=UTF8&me=&qid=1589730602)

The Ghidra Book (https://nostarch.com/GhidraBook)

The IDA Pro Book (https://nostarch.com/idapro2.htm)

The Practice of Network Security Monitoring: Understanding Incident Detection and Response (https://www.amazon.com/Practice-Network-SecurityMonitoring-Understanding-ebook/dp/B00E5REN34)

The Rootkit Arsenal (https://www.amazon.com/dp/144962636X)

Windows Internals Part 1 (https://www.microsoftpressstore.com/store/windows-internals-part-1-system-architecture-processes-9780735684188)

Windows Internals Part 2 (https://www.microsoftpressstore.com/store/windows-internals-part-2-9780135462331)

Windows Kernel Programming (https://leanpub.com/windowskernelprogramming)

  • Samples (https://github.com/zodiacon/windowskernelprogrammingbook)

Windows Malware Analysis Essentials (https://www.amazon.com/Windows-Malware-Analysis-Essentials-Victor/dp/1785281518)

Windows System Programming (https://www.amazon.com/Programming-Paperback-Addison-Wesley-Microsoft-Technology/dp/0134382250)

PDFs:

Azeria ARM Assembly Basics Cheatsheet (https://azeria-labs.com/assembly-basics-cheatsheet/)

CodeBreakers Magazine Portable Executable File Format – A Reverse Engineer View (http://index-of.es/Windows/pe/CBM_1_2_2006_Goppit_PE_Format_Reverse_Engineer_View.pdf)

Common Ports (https://packetlife.net/media/library/23/common-ports.pdf)

Corkami PE File Infographics (https://github.com/corkami/pics)

  • PE101 (https://raw.githubusercontent.com/corkami/pics/master/binary/PE101.png)
  • PE102 (https://raw.githubusercontent.com/corkami/pics/master/binary/PE102.png)

DFIRonline Filesystem Cheatsheets (https://writeblocked.org/6Resources)

Ero Carrera’s PE File Format Graphs (http://blog.dkbza.org/)

Hunting Process Injection By Windows API Calls (https://malwareanalysis.co/wp-content/uploads/2019/11/Hunting-Process-Injection-by-Windows-API-Calls.pdf)

iOSAppReverseEngineering (https://github.com/iosre/iOSAppReverseEngineering)

IDAPro Cheatsheet (https://www.hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf)

Katjahahn Master’s Thesis: Robust Static Analysis of Portable Executable Malware (https://github.com/katjahahn/PortEx/blob/master/masterthesis/masterthesis.pdf)

  • PortEx (https://github.com/katjahahn/PortEx)

Lenny Zeltser IT and Information Security Cheat Sheets (https://zeltser.com/cheat-sheets/)

Malware Analysis Co Windows Registry Forensics Mindmap (https://malwareanalysis.co/wp-content/uploads/2020/05/mindmap-forensics-windows-registry-cheat-sheet-1-1024.jpg)

Reverse Engineering For Malware Analysis Cheat Sheet by @rootbsd (https://eforensicsmag.com/reverse_engi_cheatsheet/)

Reversing iOS Apps (https://s3.amazonaws.com/s3.synack.com/T2_reversingIOSApps.pdf)

SafeBreach Labs Windows Process Injection in 2019 (https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf)

SANS Posters & Cheat Sheets (https://www.sans.org/posters/?focus-area=digital-forensics)

Sekoia Rootkit Analysis Use Case on HideDRV (http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf)

VX Underground Papers (https://vxug.fakedoma.in/papers.html)

X86 Opcode and Instruction Reference (http://ref.x86asm.net/)

X86 and amd64 instruction reference (https://www.felixcloutier.com/x86/)

X86-64 Intel Instruction set in JSON format (https://github.com/astocko/json-x86-64)

Malware News Resources

This section includes all resources for collecting relevant malware-related information. The subsections provided herein include:

  • Blogs
  • Forums
  • Social Media
  • Threat Intelligence

Blogs

This subsection encompasses all of the malware-related blogs. They are found below:

0xPat Blog (https://0xpat.github.io/)

AT&T Cybersecurity Blog (https://cybersecurity.att.com/blogs)

Anomali Blog (https://www.anomali.com/blog/category/malware)

Avast Blog (https://blog.avast.com/tag/malware)

Binary Reverse Engineering Blog (https://bin.re/)

BitDefender Blog (https://www.bitdefender.com/blog/)

BlackBerry ThreatVector Blog (https://blogs.blackberry.com/en#nav)

CISA US-CERT (https://www.cisa.gov/uscert)

Cert.pl News (https://cert.pl/en/news/)

Cisco Talos Intelligence Blog (https://blog.talosintelligence.com/)

ClamAV Blog (https://blog.clamav.net/)

Cofense Blog (https://cofense.com/blog/)

CrowdStrike Blog (https://www.crowdstrike.com/blog/)

Cybereason Blog (https://www.cybereason.com/blog)

Dancho Danchev’s Blog (https://ddanchev.blogspot.com/)

DarkReading (https://www.darkreading.com/)

Didier Stevens Blog (https://blog.didierstevens.com/)

Emsisoft Blog (https://blog.emsisoft.com/en/)

FireEye Blogs (https://www.fireeye.com/blog.html)

ForcePoint Security Insights (https://www.forcepoint.com/blog)

Fortinet Blog (https://www.fortinet.com/blog)

Hacker News (https://thehackernews.com/search/label/Malware)

Hasherezade’s 1001 Nights (https://hshrzd.wordpress.com/)

Intel 471 Blog (https://intel471.com/blog)

Intezer Blog (https://www.intezer.com/blog/)

Kaspersky Blog (https://www.kaspersky.com/blog/)

KnowBe4 Security Awareness Training Blog - Malware Blog (https://blog.knowbe4.com/topic/malware)

KrebsonSecurity (https://krebsonsecurity.com/)

Lenny Zeltser (https://zeltser.com/blog/)

Malware Must Die! Blog (https://blog.malwaremustdie.org/)

Malware Patrol Blog (https://www.malwarepatrol.net/onpatrol4malware-blog/)

Malware-Traffic-Analysis.Net (https://www.malware-traffic-analysis.net/)

Malware.News (https://malware.news/)

Malware.re Blog (https://blog.malware.re/)

MalwareFox Blog (https://www.malwarefox.com/blog/)

MalwareTech (https://www.malwaretech.com/)

Malwarebytes Labs (https://blog.malwarebytes.com/)

McAfee Blog (https://www.mcafee.com/blogs)

McAfee Labs (https://www.mcafee.com/blogs/other-blogs/mcafee-labs/)

Microsoft Security Blog (https://www.microsoft.com/security/blog/)

Packet Storm (https://packetstormsecurity.com/)

Palo Alto Networks Unit 42 (https://unit42.paloaltonetworks.com/)

Panda Security MediaCenter (https://www.pandasecurity.com/en/mediacenter/)

Proofpoint Threat Insight Blog (https://www.proofpoint.com/us/blog/threat-insight)

Rapid7 Blog (https://www.rapid7.com/blog/)

ReversingLabs Blog (https://blog.reversinglabs.com/blog)

Secplicity (https://www.secplicity.org/)

SecureWorks Blog (https://www.secureworks.com/blog)

SentinelOne Blog (https://www.sentinelone.com/)

Sophos Naked Security (https://nakedsecurity.sophos.com/)

Sucuri Blog (https://blog.sucuri.net/)

ThreatPost (https://threatpost.com/)

Trend Micro News (https://www.trendmicro.com/en_us/research.html)

TrustWave SpiderLabs Blog (https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/)

UpGuard Blog (https://www.upguard.com/blog)

VMRay Blog (https://www.vmray.com/cyber-security-blog/)

Varonis Inside Out Security (https://www.varonis.com/blog)

VirusBay Blog (https://www.blog.virusbay.io/)

VirusBulletin Blog (https://www.virusbulletin.com/blog/)

VirusTotal Blog (https://blog.virustotal.com/)

Vitali Kremez (https://www.vkremez.com/)

Webroot Blog (https://www.webroot.com/blog/)

ZScaler Blog (https://www.zscaler.com/blogs)

Forums

This subsection encompasses all of the malware-related forums. They are found below:

0x00sec (https://0x00sec.org/)

Bleeping Computer.com Forums (https://www.bleepingcomputer.com/forums/f/25/anti-virus-anti-malware-and-privacy-software/)

Hack Forums (https://hackforums.net/forumdisplay.php?fid=229)

Malwarebytes Research Center Forums (https://forums.malwarebytes.com/forum/44-research-center/)

MalwareTips Community (https://malwaretips.com/)

r/ReverseEngineering (https://www.reddit.com/r/ReverseEngineering/)

RaidForums (https://raidforums.com/)

Social Media

This subsection encompasses all of the malware-related social media accounts. They are found below:

Twitter

Adam (https://twitter.com/Hexacorn)

Albert Zsigovits (https://twitter.com/albertzsigovits)

Alexander Sevtsov (https://twitter.com/alexsevtsov)

Alexandre Borges (https://twitter.com/ale_sp_brazil)

Andrew Case (https://twitter.com/attrc)

Binni Shah (https://twitter.com/binitamshah)

Brad (https://twitter.com/malware_traffic)

CERT Polska (https://twitter.com/cert_polska_en)

Charlie Miller (https://twitter.com/0xcharlie)

Glenn (https://twitter.com/hiddenillusion)

Hasherezade (https://twitter.com/hasherezade)

Ido Naor (https://twitter.com/idonaor1)

JAMESWT (https://twitter.com/JAMESWT_MHT)

Jakub Kroustek (https://twitter.com/JakubKroustek)

JaromirHorejsi (https://twitter.com/JaromirHorejsi)

Jimmy Wylie (https://twitter.com/mayahustle)

Karsten Hahn (https://twitter.com/struppigel)

Lenny Zeltser (https://twitter.com/lennyzeltser)

Lukas Stefanko (https://twitter.com/LukasStefanko)

MalShare (https://twitter.com/mal_share)

Malware Patrol (https://twitter.com/MalwarePatrol)

MalwareHunterTeam (https://twitter.com/malwrhunterteam)

Marcelo Rivero (https://twitter.com/MarceloRivero)

Mark Schloesser (https://twitter.com/repmovsb)

Matt Nelson (https://twitter.com/enigma0x3)

Michael Gillespie (https://twitter.com/demonslay335)

Microsoft Security Intelligence (https://twitter.com/MsftSecIntel)

Monnappa K A (https://twitter.com/monnappa22)

Richard Bejtlich (https://twitter.com/taosecurity)

Unit 42 (https://twitter.com/Unit42_Intel)

VirusBay (https://twitter.com/virusbay_io)

Vitali Kremez (https://twitter.com/vk_intel)

X0rz (https://twitter.com/x0rz)

idatips (https://twitter.com/idatips)

marc ochsenmeier (https://twitter.com/ochsenmeier)

patrick wardle (https://twitter.com/patrickwardle)

sigpwn (https://twitter.com/GHIDRA_RE)

tomchop (https://twitter.com/tomchop_)

volatility (https://twitter.com/volatility)

Threat Intelligence

This subsection encompasses all of the malware-related threat intelligence feeds, digests, and exchanges. They are found below:

AlienVault (https://otx.alienvault.com/)

Blueliv (https://community.blueliv.com/#!/discover)

IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/activity/map)

MISP (https://www.misp-project.org/)

Maldatabase (https://maldatabase.com/)

Maltiverse (https://maltiverse.com/search)

OpenCTI (https://github.com/OpenCTI-Platform/opencti)

PulseDive (https://pulsedive.com/explore/)

RiskIQ (https://community.riskiq.com/home)

ThreatConnect (https://app.threatconnect.com/auth/index.xhtml)

threatfeeds.io (https://threatfeeds.io/)

Misc Resources

This section was created for resources that do not fall into any other category. They are found below:

Gary Kessler’s File Signature Table (https://www.garykessler.net/library/file_sigs.html)

Hack+ (https://hack.plus/)

Hex/Decimal/ASCII/Binary Converters:
  • Branah (https://www.branah.com/ascii-converter)
  • Calculators Tech (https://www.calculators.tech/ascii-to-decimal)
  • CalculatorX (https://www.calculatorx.com/convert/number/ascii-hex-bin-dec-converter.htm)
  • EasyUnitConverter (https://www.easyunitconverter.com/ascii-hex-binary-decimal-converter)
  • IBM (https://www.ibm.com/docs/en/aix/7.1?topic=adapters-ascii-decimal-hexadecimal-octal-binary-conversion-table)
  • OnlineHexTools (https://onlinehextools.com/)
  • Rapid Tables (https://www.rapidtables.com/convert/number/ascii-hex-bin-dec-converter.html)

Kernelmode.Info Forum (https://www.kernelmode.info/forum/)

MITRE ATT&CK Matrix (https://attack.mitre.org/)

Maltiverse (https://maltiverse.com/search)

MalwareTech Creating a Simple Free Malware Analysis Environment (https://www.malwaretech.com/2017/11/creating-a-simple-free-malware-analysis-environment.html)

MÖBIUS STRIP REVERSE ENGINEERING (https://www.msreverseengineering.com/)

Regex Tools:
  • Debuggex (https://www.debuggex.com/)
  • MyRegexTester (https://myregextester.com/index.php)
  • RegEx Tester (https://www.regextester.com/)
  • RegExLib (https://regexlib.com/?AspxAutoDetectCookieSupport=1)
  • RegExr (https://regexr.com/)
  • Regex101 (https://regex101.com/)
  • RegexGenerator++ (http://regex.inginf.units.it/)
  • RegexGuide (https://regex.guide/)
  • Regexper (https://regexper.com/)
  • Rexv (http://www.rexv.org/)

Todd Cullum Research GIANT Intro of Windows Malware Analysis Tools (https://toddcullumresearch.com/2017/07/01/todds-giant-intro-of-windows-malware-analysis-tools/)

Online Sandboxes and Analyzers

This section includes links to external websites, online sandboxes and online analysis tools that can perform additional analysis. The types of online analyzers included in this section are as follows:

  • Domain, URL, and IP Address Analyzers
  • File Analyzers
  • Hash Checkers
  • Packer Analyzers
  • Packet Analyzers
  • Ransomware Analyzers and Tools

Domain, URL, and IP Address Analyzers

This subsection encompasses all of the online resources for analyzing domains, URLs, and IP Addresses. They are found below:

AbuseIPDB (https://www.abuseipdb.com/)

AlienVault (https://otx.alienvault.com/browse/global/pulses?include_inactive=0&sort=-modified&page=1)

BrightCloud (https://www.brightcloud.com/tools/url-ip-lookup.php)

CheckPhish (https://checkphish.ai/)

Desenmascara.me (http://desenmascara.me/)

DomainTools Whois Lookup (https://whois.domaintools.com/)

Dr. Web Check Link (https://vms.drweb.com/online/)

Email Veritas (https://www.emailveritas.com/url-checker)

FortiGuard Labs Web Filter Lookup (https://www.fortiguard.com/webfilter)

GoDaddy Whois Lookup (https://www.godaddy.com/whois)

Google Safe Browsing Status (https://transparencyreport.google.com/safe-browsing/search?hl=en)

IBM X-Force Exchange (https://exchange.xforce.ibmcloud.com/)

ICANN Lookup (https://lookup.icann.org/)

IPQualityScore Domain Reputation Test (https://www.ipqualityscore.com/domain-reputation)

IPVoid (https://www.ipvoid.com/)

IronScales Phishing URL Scanner (https://ironscales.com/free-url-scanner/#/)

Is It Hacked? (https://www.isithacked.com/)

IsItPhishing (https://isitphishing.org/)

Joe Sandbox URL Lookup (https://www.joesandbox.com/#windows)

Kaspersky Lookup (https://opentip.kaspersky.com/)

MXToolbox (https://mxtoolbox.com/domain/)

MalwareDomainList (https://www.malwaredomainlist.com/mdl.php)

MalwareURL (https://www.malwareurl.com/listing-urls.php)

McAfee TrustSource (https://www.trustedsource.org/)

Netcore Tools Blocklist Checker (https://grademyemail.co/email-blocklist-checker)

Network Solutions WHOIS Lookup (https://www.networksolutions.com/domains/whois)

Network Tools WHOIS lookup tool (https://network-tools.com/whois/)

Norton SafeWeb (https://safeweb.norton.com/)

OpenPhish (https://openphish.com/phishing_feeds.html)

Palo Alto Networks Test a Site (https://urlfiltering.paloaltonetworks.com/)

PhishTank (https://www.phishtank.com/)

Polyswarm.Network (https://polyswarm.network/)

Pulsedive (https://pulsedive.com/)

Quttera (https://quttera.com/)

RiskIQ (https://community.riskiq.com/home)

ScamAdviser (https://www.scamadviser.com/)

SecurityTrails (https://securitytrails.com/#search)

Sucuri (https://sitecheck.sucuri.net/)

Symantec BlueCoat (https://sitereview.bluecoat.com/#/)

Talos IP & Domain Reputation (https://talosintelligence.com/reputation_center)

ThreatMiner (https://www.threatminer.org/)

ThreatSTOP (https://www.threatstop.com/check-ioc)

TrendMicro (https://global.sitesafety.trendmicro.com/)

URLScan (https://urlscan.io/)

URLVoid (https://www.urlvoid.com/)

VirusTotal (https://www.virustotal.com/gui/home/url)

WHOis[.]net (https://www.whois.net/)

Who[.]is (https://who.is/)

Whois[.]com (https://www.whois.com/whois/)

WhoisXMLAPI (https://main.whoisxmlapi.com/)

ZScaler (https://zulu.zscaler.com/)

zveloLIVE (https://tools.zvelo.com/)

File Analyzers

This subsection encompasses all of the online resources for file analysis. They are found below:

Amnpardaz Sandbox (Jevereg) (https://jevereg.amnpardaz.com/)

ANY.RUN (https://any.run/)

Anlyz (https://sandbox.anlyz.io/dashboard)

CAPE Sandbox (https://capesandbox.com/)

CheckPoint Research SandBlast (https://threatpoint.checkpoint.com/ThreatPortal/emulation)

Cuckoo Sandbox (https://sandbox.pikker.ee/)

Dr. Web Scan File (https://vms.drweb.com/scan_file/?lng=en)

F-Secure (https://www.f-secure.com/us-en/business/support-and-downloads/submit-a-sample)

FileScan.IO (https://www.filescan.io/scan)

FortiGuard Online Scanner (https://www.fortiguard.com/faq/onlinescanner)

GateWatcher Intelligence (https://intelligence.gatewatcher.com/upload_sample/)

Hatching Triage (https://tria.ge/)

Hybrid Analysis (https://www.hybrid-analysis.com/)

IOBit (https://cloud.iobit.com/index.php)

IRIS-H Digital Forensics (https://iris-h.services/pages/submit)

InQuest Labs (https://labs.inquest.net/)

Intezer Analyze (https://analyze.intezer.com/)

Joe Sandbox (https://www.joesandbox.com/#windows)

Jotti’s Malware Scan (https://virusscan.jotti.org/)

Kaspersky OpenTip (https://opentip.kaspersky.com/)

Manalyzer (https://manalyzer.org/)

OPSWAT MetaDefender Cloud (https://metadefender.opswat.com/?lang=en)

PolySwarm (https://polyswarm.network/)

SecondWrite DeepView Sandbox (https://www.secondwrite.com/products/deepview-sandbox/)

TyLabs Quicksand (https://scan.tylabs.com/)

Valkyrie (https://valkyrie.comodo.com/)

VirScan (https://www.virscan.org/)

VirusTotal (https://www.virustotal.com/gui/home/upload)

Yomi By Yoroi (https://yomi.yoroi.company/upload)

Hash Checkers

This subsection encompasses all of the online resources for checking file hashes. They are found below:

Hashdd (https://hashdd.com/)

Name That Hash (https://nth.skerritt.blog/)

Malware Hash Registry (https://hash.cymru.com/)

Talos File Reputation (https://talosintelligence.com/talos_file_reputation)

Packer Analyzers

This subsection encompasses all of the online resources for analyzing packers within files. They are found below:

UnpacMe (https://www.unpac.me/#/)

Packet Analyzers

This subsection encompasses all of the online resources for packet analysis (PCAPs). They are found below:

A-Packets (https://apackets.com/upload)

MyCERT PCAP Analyzer (https://pcap.honeynet.org.my/v1/)

Online PCAP Viewer (https://fileproinfo.com/tools/viewer/pcap#)

PacketTotal (https://packettotal.com/)

Ransomware Analyzers and Tools

This subsection encompasses all of the online resources for ransomware analysis and decoding. They are found below:

Emsisoft Free Ransomware Decryption Tool (https://www.emsisoft.com/ransomware-decryption-tools/)

ID Ransomware (https://id-ransomware.malwarehunterteam.com/)

Kaspersky Ransomware Decryptors (https://noransom.kaspersky.com/)

No More Ransom Crypto Sheriff (https://www.nomoreransom.org/crypto-sheriff.php?lang=en)

No More Ransom Decryption Tools (https://www.nomoreransom.org/en/decryption-tools.html)

Trend Micro Ransomware File Decryptor (https://success.trendmicro.com/solution/1114221-downloading-and-using-the-trend-micro-ransomware-file-decryptor)

Packer and Anti-Debug Resources

This section includes resources to help understand packers and how to unpack files that use them. It also includes resources on anti-debugging tricks and how they work. The list is:

Check Point Research Anti-Debug Tricks (https://anti-debug.checkpoint.com/)

Hasherezade’s Malware Unpacking Series (https://www.youtube.com/playlist?list=PL3CZ2aaB7m83eYTAVV2knNglB8I4y5QmH)

Malware Crypters – the Deceptive First Layer (https://blog.malwarebytes.com/threat-analysis/2015/12/malware-crypters-the-deceptive-first-layer/)

Pafish (https://github.com/a0rtega/pafish)

The Art of Unpacking (https://www.blackhat.com/presentations/bh-usa-07/Yason/Whitepaper/bh-usa-07-yason-WP.pdf)

The “Ultimate” Anti-Debugging Reference (https://anti-reversing.com/Downloads/Anti-Reversing/The_Ultimate_Anti-Reversing_Reference.pdf)

Tuts4You IDA Disassembler and Debugging Tutorials (https://forum.tuts4you.com/files/category/78-tutorials-documents/)

PE Header Resources

Understanding the Portable Executable (PE) file format used by Windows executables is crucial to malware analysis, and more specifically to reverse engineering of files. This section therefore provides useful resources on the PE file format and the inner workings of the PE header. The resources are as follows:

An In-Depth Look into the Win32 Portable Executable File Format, Part 1 (https://bytepointer.com/resources/pietrek_in_depth_look_into_pe_format_pt1.htm)

An In-Depth Look into the Win32 Portable Executable File Format, Part 2 (https://bytepointer.com/resources/pietrek_in_depth_look_into_pe_format_pt2.htm)

Corkami PE File Infographics (https://github.com/corkami/pocs/tree/master/PE)

  • PE Format page (https://github.com/corkami/docs/blob/master/PE/PE.md)

Infosec Institute’s Malware Researcher’s Handbook (https://resources.infosecinstitute.com/topic/2-malware-researchers-handbook-demystifying-pe-file/)

Ivanlef0u PE File Structure (https://ivanlef0u.fr/repo/madchat/vxdevl/papers/winsys/pefile/pefile.htm)

Johannes Plachy PE File Format (https://blog.kowalczyk.info/articles/pefileformat.html)

LIEF Format Tutorials (https://lief-project.github.io/doc/stable/tutorials/01_play_with_formats.html)

Malwology PE Structure (https://malwology.com/category/pe-structure/)

Microsoft Docs PE Format (https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)

Peering Inside the PE: A Tour of the Win32 Portable Executable File Format (https://docs.microsoft.com/en-us/previous-versions/ms809762(v=msdn.10)?redirectedfrom=MSDN)

Supplemental Learning

This section includes all resources that assist an analyst in learning malware analysis concepts, including foundational concepts, certifications, additional malware samples to practice on, and much more. The subsections provided herein include:

  • Certifications
  • Malware Samples
  • Reversing Crackmes
  • Tutorials and Learning Guides
  • Videos and Video Series

Certifications

This subsection encompasses all certifications related to malware analysis. They are found below:

CREA (https://www.iacertification.org/crea_certified_reverse_engineering_analyst.html)

CREST (https://crest-approved.org/professional-qualifications/crest-exams/index.html)

eCRE (https://elearnsecurity.com/product/ecre-certification/)

eCMAP (https://elearnsecurity.com/product/ecmap-certification/)

FOR610 (https://www.sans.org/cyber-security-courses/reverse-engineering-malware-malware-analysis-tools-techniques/)

  • GREM (https://www.giac.org/certification/reverse-engineering-malware-grem)

Zero2Automated (https://courses.zero2auto.com/)

Malware Samples

This subsection encompasses all of the online resources to acquire real malware samples and challenges related to malware behavior for additional practice. They are found below:

ANY.RUN Malware Trends (https://any.run/malware-trends/)

Contagio Malware Dump (https://contagiodump.blogspot.com/)

CyberCrime Tracker (http://cybercrime-tracker.net/vx.php)

Das Malwerk (https://dasmalwerk.eu/)

ESET Research Malware IoCs (https://github.com/eset/malware-ioc)

InQuest Labs (https://labs.inquest.net/dfi/search/ext/ext_code##eyJyZXN1bHRzIjpbIn4iLCJmaXJzdFNlZW4iLDEsIiIsW11dfQ==)

InQuest Labs Malware Samples (https://github.com/InQuest/malware-samples)

jstrosch malware-samples (https://github.com/jstrosch/malware-samples)

MalShare (https://malshare.com/index.php)

Malpedia (https://malpedia.caad.fkie.fraunhofer.de/)

Malware Traffic Analysis (https://www.malware-traffic-analysis.net/)

MalwareBazaar Database (https://bazaar.abuse.ch/browse/)

MalwareMustDie (https://www.mediafire.com/malwaremustdie)

Mr. Malware MalwareSamples (https://github.com/MalwareSamples) and (https://www.virussamples.com/)

Objective-See Mac Malware (https://objective-see.com/malware.html)

PolySwarm (https://polyswarm.network/)

Practical Malware Analysis Labs for Book (https://practicalmalwareanalysis.com/labs/)

Reverse Shell Generator (https://www.revshells.com/)

TekDefense (http://www.tekdefense.com/downloads/malware-samples/)

Tuts4you (https://forum.tuts4you.com/files/categories/)

VX Underground (https://vx-underground.org/samples.html)

VXVault (http://vxvault.net/ViriList.php)

VirusBay (https://beta.virusbay.io/)

VirusShare (https://virusshare.com/)

VirusSign (https://www.virussign.com/downloads.html)

Volatility Memory Samples (https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples)

Yomi by Yoroi (https://yomi.yoroi.company/submissions/public)

theZoo AKA Malware DB (https://thezoo.morirt.com/)

Reversing Crackmes

This subsection encompasses all of the online resources to acquire reverse engineering samples and challenges for additional practice. They are found below:

crackmes.one (https://crackmes.one/)

CTFLearn (https://ctflearn.com/user/login?next=%2Fdashboard)

flAWS Challenge (http://flaws.cloud/)

HackTheBox (https://www.hackthebox.com/)

Malware Traffic Analysis (https://www.malware-traffic-analysis.net/)

MalwareTech Beginner Malware Reversing Challenges (https://www.malwaretech.com/beginner-malware-reversing-challenges)

Malwarebytes CrackMe (https://blog.malwarebytes.com/malwarebytes-news/2017/11/how-to-solve-the-malwarebytes-crackme-a-step-by-step-tutorial/)

Malwarebytes CrackMe 2 (https://blog.malwarebytes.com/security-world/2018/04/malwarebytes-crackme-2-another-challenge/)

  • Malwarebytes CrackMe2 Summary (https://blog.malwarebytes.com/malwarebytes-news/2018/05/malwarebytes-crackme-2-contest-summary/)

PWN.TN (https://pwn.tn/)

pwnable.kr (http://pwnable.kr/)

pwnable.tw (https://pwnable.tw/challenge/)

Reverse Engineering Challenges (https://challenges.re/)

Reversing.Kr (http://reversing.kr/challenge.php)

The Flare-On Challenge (http://flare-on.com/)

SANS Holiday Hack Challenge (Insert year) (https://holidayhackchallenge.com/2020/)

Tutorials and Learning Guides

This subsection encompasses all of the online tutorials and guided learning resources, which may include videos not listed in the videos subsection. They are found below:

0xPat Malware Development Tutorial (https://0xpat.github.io/)

Android App Reverse Engineering 101 (https://www.ragingrock.com/AndroidAppRE/)

Attack Defense (https://attackdefense.com)

BOLO: Reverse Engineering

  • Part 1 (https://infosecwriteups.com/bolo-reverse-engineering-part-1-basic-programming-concepts-f88b233c63b7)
  • Part 2 (https://medium.com/@danielabloom/bolo-reverse-engineering-part-2-advanced-programming-concepts-b4e292b2f3e)

Binary Bomb Lab (http://zpalexander.com/binary-bomb-lab-phase-1/)

Blue Team Labs (https://blueteamlabs.online/)

CNIT 126: Practical Malware Analysis (https://samsclass.info/126/126_S17.shtml)

CS6038/CS5138 Malware Analysis; Department of Electrical Engineering and Computing Systems; College of Engineering and Applied Science; University of Cincinnati (https://class.malware.re/)

  • YouTube videos (https://www.youtube.com/playlist?list=PLFvh_k-n27CnAyfsMDowQmogkG5MbZkXz)

CTF Time (https://ctftime.org/)

Cybrary (https://www.cybrary.it/)

FireEye Trainings (https://www.fireeye.com/services/training/courses.html)

GuidedHacking What is reverse engineering? (https://guidedhacking.com/threads/ghb2-beginners-guide-to-reverse-engineering.13446/)

HackerSploit Malware Analysis Bootcamp (https://www.youtube.com/watch?v=uHhKkLwT4Mk&list=PLBf0hzazHTGMSlOI2HZGc08ePwut6A2Io)

Hasherezade Injection Techniques Demos (https://github.com/hasherezade/demos)

  • PE Injection Demos (https://gist.github.com/hasherezade/e6daa4124fab73543497b6d1295ece10#file-injection_demos-md)

Hasherezade Malware Training Vol 1 (https://github.com/hasherezade/malware_training_vol1)

Hasherezade’s Windows Kernel Exploitation

  • Part 1 (https://hshrzd.wordpress.com/2017/05/28/starting-with-windows-kernel-exploitation-part-1-setting-up-the-lab/)
  • Part 2 (https://hshrzd.wordpress.com/2017/06/05/starting-with-windows-kernel-exploitation-part-2/)
  • Part 3 (https://hshrzd.wordpress.com/2017/06/22/starting-with-windows-kernel-exploitation-part-3-stealing-the-access-token/)

ImmersiveLabs (https://www.immersivelabs.com/)

INE (https://ine.com/)

InfoSec Institute Skills (https://www.infosecinstitute.com/skills/)

Malware Analysis - CSCI 4976 (https://github.com/RPISEC/Malware)

Malware Analysis for N00bs (https://drive.google.com/file/d/1lSEps7jDX6an_iXJ0Wokdjh0rnBgY9l7/view)

Malware Unicorn (https://malwareunicorn.org/#/workshops)

MalwareTech Inline Hooking for Programmers

  • Part 1 (https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html)
  • Part 2 (https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-2.html)

Nightmare by guyinatuxedo (https://guyinatuxedo.github.io/)

OALabs (https://oalabs.openanalysis.net/)

  • YouTube Videos (https://www.youtube.com/channel/UC–DwaiMV-jtO-6EvmKOnqg)

Odzhan Injection Methods (https://github.com/odzhan/injection)

Open Security Training (https://opensecuritytraining.info/Training.html)

0verfl0w.podia.com - Beginner Malware Analysis Course (https://0verfl0w.podia.com/)

OverTheWire Wargames (https://overthewire.org/wargames/)

  • Maze (https://overthewire.org/wargames/maze/)
  • Vortex (https://overthewire.org/wargames/vortex/)
  • Semtex (https://overthewire.org/wargames/semtex/)
  • Manpage (https://overthewire.org/wargames/manpage/)
  • Drifter (https://overthewire.org/wargames/drifter/)

Pentester Academy (https://www.pentesteracademy.com/)

PentesterLab (https://pentesterlab.com/)

Pluralsight (https://www.pluralsight.com/)

R4ndom’s Beginning Reverse Engineering Tutorials (https://legend.octopuslabs.io/sample-page.html)

RangeForce (https://www.rangeforce.com/)

Red Teaming Techniques & Experiments: Code & Process Injection (https://www.ired.team/offensive-security/code-injection-process-injection)

Reverse Engineering for Beginners (https://www.begin.re/)

Root-me (https://www.root-me.org/)

SpecterOps Methodology for Static Reverse Engineering of Windows Kernel Drivers (https://posts.specterops.io/methodology-for-static-reverseengineering-of-windows-kernel-drivers-3115b2efed83)

Ten Process Injection Techniques (https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process)

ThisIsSecurity (https://thisissecurity.stormshield.com/)

Try Hack Me Malware Analysis (https://tryhackme.com/module/malware-analysis)

Win32 Assembler Coding for Crackers (http://woodmann.com/accessroot/arteam/site/e107_plugins/download/download.php?action=view&id=173)

Win32 Assembly Tutorials (https://web.archive.org/web/20171110201344/http://win32assembly.programminghorizon.com/tutorials.html)

Videos and Video Series

This subsection encompasses all of the videos and video series found online related to malware and malware analysis. They are found below:

A reversing tutorial for newbies by lena151 (Part 1 of series) (https://www.youtube.com/watch?v=wqzZB31zDSs&list=PLcFUp5WYCxVYeR7AgsmjzGW6PjamaY6JO)

Black Hat Process Injection Techniques (https://www.youtube.com/watch?v=xewv122qxnk)

Colin Hardy Malware Videos (https://www.youtube.com/c/ColinHardy/playlists)

DuMp-GuY TrIcKsTeR Videos (https://www.youtube.com/c/DuMpGuYTrIcKsTeR/playlists)

HackerSploit Malware Analysis Bootcamp (https://www.youtube.com/watch?v=uHhKkLwT4Mk&list=PLBf0hzazHTGMSlOI2HZGc08ePwut6A2Io)

Hasherezade Videos (https://www.youtube.com/c/hasherezade/playlists)

Intro to x86 Assembly Language (Part 1) (6 part series) (https://www.youtube.com/watch?v=wLXIWKUWpSs)

Introduction to Windbg and Debugging Windows (https://www.youtube.com/playlist?list=PLhx7-txsG6t6n_E2LgDGqgvJtCHPL7UFu)

MalwareAnalysisForHedgehogs (https://www.youtube.com/channel/UCVFXrUwuWxNlm6UNZtBLJ-A)

Malware Analysis Workshop - Dissecting the WannaCry Ransomware - ITC SOC Analyst Course (https://www.youtube.com/watch?v=F0Yx7GhqKXI)

Marcus Hutchins (https://www.youtube.com/c/MalwareTechBlog/playlists)

Modern x64 Assembly Language (https://www.youtube.com/playlist?list=PLKK11Ligqitg9MOX3-0tFT1Rmh3uJp7kA)

Monnappa K A (https://www.youtube.com/c/MonnappaKA/videos)

OALabs (https://www.youtube.com/c/OALabs/videos)

Ring Zero Labs - Malware Analysis (https://www.youtube.com/playlist?list=PLrJFR89Z-9SAzVHvcg6Q1uKnLXEVO3DSg)

SANS DFIR (https://www.youtube.com/c/SANSDigitalForensics/featured)

Unpacking ASPack Manually (https://www.youtube.com/watch?v=Oejq7_mH3IM)

Unpacking PECompact Manually (https://www.youtube.com/watch?v=TPcQpS8niIM)

Unpacking UPX Manually (https://www.youtube.com/watch?v=vR3K2t2UYZY)

X86 Assembly Crash Course (https://www.youtube.com/watch?v=75gBFiFtAb8)

Tools

This section includes all of the known tools that are useful for malware analysis. This list may include tools that are deprecated or have limited use as of this writing. The tools are split into their respective functionality. They are as follows:

  • Debuggers and Disassemblers
  • Dynamic Analysis Tools
  • Editors
  • Extractors, (De)obfuscators, and (Un)packers
  • Frameworks
  • Incident Response Tools
  • Memory Forensic Tools
  • Network Tools
  • Security Researcher Toolsets
  • Static Analysis Tools
  • String and Metadata Tools
  • Visual Analysis Tools

Debuggers and Disassemblers

This subsection encompasses all of the disassembler and debugger tools. They are found below:

Binary Ninja (https://binary.ninja/)

CFR (http://www.benf.org/other/cfr/)

Capstone (https://www.capstone-engine.org/)

Cutter (https://cutter.re/)

DisSharp .NET Decompiler (http://netdecompiler.com/)

dnSpy (https://github.com/dnSpy/dnSpy)

dirtyJOE (http://dirty-joe.com/)

Dotnet IL Editor (DILE) (https://sourceforge.net/projects/dile/)

dotPeek (https://www.jetbrains.com/decompiler/)

GDB GNU Debugger (https://www.gnu.org/software/gdb/)

Ghidra (https://ghidra-sre.org/)

Hiew (http://hiew.ru/)

Hopper (https://www.hopperapp.com/)

IDA (https://hex-rays.com/)

IDR (https://github.com/crypto2011/IDR)

ILSpy (https://github.com/icsharpcode/ILSpy#ilspy——-)

Immunity Debugger (https://www.immunityinc.com/products/debugger/)

JPEXS (https://github.com/jindrapetrik/jpexs-decompiler)

Java Decompiler Project (https://java-decompiler.github.io/)

JustDecompile (https://www.telerik.com/products/decompiler.aspx)

.NET Reflector (https://www.red-gate.com/products/dotnet-development/reflector/)

OllyDbg (https://www.ollydbg.de/)

Python Dumpers and Decompilers

  • Easy Python Decompiler (https://sourceforge.net/projects/easypythondecompiler/)
  • Py2Exe Binary Editor (https://sourceforge.net/projects/p2ebe/)
  • Py2Exe Dumper (https://sourceforge.net/projects/py2exedumper/)
  • PyInstaller Extractor (https://github.com/extremecoders-re/pyinstxtractor)

Radare2 (https://rada.re/n/)

ReFox (http://www.refox.net/)

RetDec (https://github.com/avast/retdec)

Simple Assembly Explorer (https://github.com/wickyhu/simple-assembly-explorer/releases)

VB Decompiler (https://www.vb-decompiler.org/)

WinDBG (https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools)

x64dbg (https://x64dbg.com/#start)

Dynamic Analysis Tools

This subsection encompasses all of the tools used for dynamic analysis. They are found below:

APIMiner (https://github.com/poona/APIMiner)

API Monitor (http://www.rohitab.com/apimonitor#Download)

CMD Watcher (https://www.kahusecurity.com/posts/cmd_watcher_updated.html)

Event Log Explorer (https://eventlogxp.com/)

Pinitor (https://rayanfam.com/topics/pinitor/)

Reflective DLL Injection (https://github.com/stephenfewer/ReflectiveDLLInjection)

RegShot (https://sourceforge.net/projects/regshot/)

Rundll32 (LOLBin) (https://lolbas-project.github.io/lolbas/Binaries/Rundll32/)

  • Other LOLBin binaries and scripts (https://lolbas-project.github.io/)

Windows Sysinternals (https://docs.microsoft.com/en-us/sysinternals/)

Winja (https://m.majorgeeks.com/files/details/winja.html)

Editors

This subsection encompasses all of the editors to assist in malware analysis and code analysis. They are found below:

010 Editor (https://www.sweetscape.com/010editor/)

Atom (https://atom.io/)

AutoIt (https://www.autoitscript.com/site/)

Notepad++ (https://notepad-plus-plus.org/downloads/)

Sublime Text (https://www.sublimetext.com/)

Extractors, (De)obfuscators, and (Un)packers

This subsection encompasses all of the tools used by a malware analyst for extracting embedded resources, obfuscating and deobfuscating code, and packing and unpacking binaries. They are found below:

AsPack (http://www.aspack.com/)

ConfuserEx (https://mkaring.github.io/ConfuserEx/)

Crinkler (https://in4k.github.io/wiki/crinkler)

De4dot (https://github.com/de4dot/de4dot)

Enigma (https://enigmaprotector.com/)

Exe Stealth Protector (http://www.webtoolmaster.com/exe\stealth.htm)

FSG v.20 (https://board.flatassembler.net/topic.php?p=10294)

GUnPacker (https://webscene.ir/tools/show/GUnPacker-v0.5)

Heavily Obfuscated UnConfuserEx Tool (https://gist.github.com/Rottweiler/44fe4461a4552acf303a)

Innoextract (https://constexpr.org/innoextract/)

MPRESS (https://www.autohotkey.com/mpress/mpress_web.htm)

MultiExtractor (https://www.multiextractor.com/)

Obsidium (https://www.obsidium.de/show/details/en)

PackerAttacker (https://github.com/BromiumLabs/PackerAttacker)

PdfParser (https://github.com/smalot/pdfparser)

pdfstreamdumper (https://github.com/dzzie/pdfstreamdumper)

Qunpack (https://www.npmjs.com/package/qunpack)

RDG Packer Detector (http://www.rdgsoft.net/)

Themida (https://www.oreans.com/Themida.php)

UPX (https://upx.github.io/)

ViperMonkey (https://github.com/decalage2/ViperMonkey)

VMProtect (https://vmpsoft.com/)

unipacker (https://github.com/unipacker/unipacker)

Universal Extractor (https://www.legroom.net/software/uniextract)

Unpacker (https://unpacker.en.softonic.com/)

Frameworks

This subsection encompasses all of the frameworks used to assist in malware analysis. They are found below:

Assemblyline (https://bitbucket.org/cse-assemblyline/assemblyline/src/master/)

File Scanning Framework (https://github.com/EmersonElectricCo/fsf)

Mastiff (https://github.com/KoreLogicSecurity/mastiff)

MultiScanner (https://github.com/mitre/multiscanner)

Viper Framework (https://github.com/viper-framework/viper)

Incident Response Tools

This subsection encompasses all of the incident response-related tools. They are found below:

BinaryAlert (https://github.com/airbnb/binaryalert)

ClamAV (https://www.clamav.net/)

Faronics Deep Freeze (https://www.faronics.com/products/deep-freeze/enterprise)

FireEye IOC Editor (https://www.fireeye.com/services/freeware/ioc-editor.html)

GRR Rapid Response (https://github.com/google/grr)

Loki (https://github.com/Neo23x0/Loki)

OsQuery (https://osquery.io/)

RollBackRx (https://horizondatasys.com/rollback-rx-time-machine/rollback-rx-professional/)

Shadow Defender (http://www.shadowdefender.com/)

Velociraptor (https://github.com/Velocidex/velociraptor)

YARA (https://virustotal.github.io/yara/)

  • Loki (https://github.com/Neo23x0/Loki)
  • OsQuery (https://osquery.io/)
  • Yara Rules (https://github.com/Yara-Rules)
  • Yara-Endpoint (https://github.com/Yara-Rules/yara-endpoint)
  • Yara_Merger (https://github.com/lsoumille/Yara_Merger)
  • yarGen (https://github.com/Neo23x0/yarGen)

Memory Forensic Tools

This subsection encompasses all of the memory forensic tools. They are found below:

AutoTimeliner (https://github.com/andreafortuna/autotimeliner)

Belkasoft Live RAM Capturer (https://belkasoft.com/ram-capturer)

Comae DumpIt (https://www.comae.com/dumpit/)

FireEye Redline (https://www.fireeye.com/services/freeware/redline.html)

Malhunt (https://github.com/andreafortuna/malhunt)

Memoryze (https://www.fireeye.com/services/freeware/memoryze.html)

MoonSols DumpIt (https://github.com/thimbleweed/All-In-USB/tree/master/utilities/DumpIt)

Nirsoft Memdump (https://nircmd.nirsoft.net/memdump.html)

RAM Capture (https://www.magnetforensics.com/resources/magnet-ram-capture)

Rekall (http://www.rekall-forensic.com/releases)

Volatility3 (https://github.com/volatilityfoundation/volatility3/)

  • AutoTimeliner (https://github.com/andreafortuna/autotimeliner)
  • Malhunt (https://github.com/andreafortuna/malhunt)

windd (https://github.com/luisgf/windd)

WinPmem (https://github.com/Velocidex/WinPmem)

Network Tools

This subsection encompasses all of the network-related tools. They are found below:

Burp Suite (https://portswigger.net/burp)

CapAnalysis (https://www.capanalysis.net/ca/)

Capsa Free Network Analyzer (https://www.colasoft.com/capsa-free/)

CaptureBAT (https://www.honeynet.org/projects/old/capture-bat/)

FakeNet-NG (https://github.com/mandiant/flare-fakenet-ng/releases)

Fiddler (https://www.telerik.com/fiddler)

FireEye ApateDNS (https://www.fireeye.com/services/freeware/apatedns.html)

FOG Project (https://fogproject.org/)

HTTP Analyzer (https://www.ieinspector.com/httpanalyzer/)

Mitmproxy (https://mitmproxy.org/)

NetworkMiner (https://www.netresec.com/?page=NetworkMiner)

Paessler PRTG Network Monitor (https://www.paessler.com/packet_capture)

PassiveDNS (https://github.com/gamelinux/passivedns)

Stenographer (https://github.com/google/stenographer)

TCPDump (https://www.tcpdump.org/)

TCPView (https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview)

TDIMon (https://freewareapp.com/tdimon_download/)

WinDump (https://www.winpcap.org/windump/)

Wireshark (https://www.wireshark.org/)

Xplico (https://www.xplico.org/)

Security Researcher Toolsets

This subsection encompasses all of the toolsets created by malware and security researchers. They are found below:

Didier Stevens Tools (https://blog.didierstevens.com/my-software/)

Eric Zimmerman’s Tools (https://ericzimmerman.github.io/#!index.md)

FireEye Freeware (https://www.fireeye.com/services/freeware.html)

Hasherezade Tools (https://hasherezade.github.io/)

Horsicq Tools (https://horsicq.github.io/)

Novirusthanks Tools (https://www.novirusthanks.org/browse-by/malware-analysis-tools/)

The Malware Analyst Pack (http://sandsprite.com/iDef/MAP/)

Static Analysis Tools

This subsection encompasses all of the tools for static analysis. They are found below:

7-Zip (https://www.7-zip.org/)

ASPack (http://www.aspack.com/downloads.html)

Amber (https://github.com/EgeBalci/Amber)

AnalyzePE (https://github.com/hiddenillusion/AnalyzePE)

BinText (https://www.aldeid.com/wiki/BinText)

CFF Explorer Suite (https://ntcore.com/?page_id=388)

Capa (https://github.com/mandiant/capa)

Cerbero Suite (https://cerbero.io/)

Chkrootkit (http://www.chkrootkit.org/)

DBeaver (https://dbeaver.io/)

Dependency Walker (http://dependencywalker.com/)

Detect It Easy (https://github.com/horsicq/Detect-It-Easy)

Exeinfo PE (http://www.exeinfo.xn.pl/)

FileAlyzer (https://www.safer-networking.org/products/filealyzer/)

Hashdeep (https://github.com/jessek/hashdeep)

Import REConstructor (https://www.aldeid.com/wiki/ImpREC)

LordPE (https://www.aldeid.com/wiki/LordPE)

malwoverview (https://github.com/alexandreborges/malwoverview)

Malfunction (https://github.com/Dynetics/Malfunction)

Nsrllookup (https://github.com/rjhansen/nsrllookup)

OfficeMalScanner (http://www.reconstructer.org/)

PE Explorer (http://www.heaventools.com/PE_Explorer_resource_editor.htm)

PE Internals (http://www.andreybazhan.com/pe-internals.html)

PE Studio (https://www.winitor.com/)

PEiD (https://www.aldeid.com/wiki/PEiD)

PPEE (puppy) (https://www.mzrst.com/)

Pefile (https://pypi.org/project/pefile/)

Pev (https://pev.sourceforge.io/)

ProtectionID (https://web.archive.org/web/20210331144912/https://protectionid.net/)

Resource Hacker (http://angusj.com/resourcehacker/)

Resource Tuner (http://www.heaventools.com/resource-tuner.htm)

Rootkit Hunter (https://sourceforge.net/p/rkhunter/rkh_code/ci/master/tree/files/FAQ)

Scylla (https://github.com/NtQuery/Scylla)

Ssdeep (https://ssdeep-project.github.io/ssdeep/)

Total Uninstall (https://www.martau.com/)

TrID (https://mark0.net/soft-trid-e.html)

String and Metadata Tools

This subsection encompasses all of the tools related to strings and file metadata. They are found below:

Beyond Compare (https://www.scootersoftware.com/)

ExifTool (https://www.sno.phy.queensu.ca/~phil/exiftool/)

Free Hex Editor Neo (https://www.hhdsoftware.com/free-hex-editor)

HashMyFiles (https://www.nirsoft.net/utils/hash_my_files.html)

Hex Workshop (http://www.hexworkshop.com/overview.html)

HxD (https://mh-nexus.de/en/hxd/)

NoMoreXOR (https://github.com/hiddenillusion/NoMoreXOR)

StringSifter (https://github.com/mandiant/stringsifter)

Visual Analysis Tools

This subsection encompasses all of the visual analysis and visual aid tools. They are found below:

Graphviz (https://graphviz.org/download/)

ProcDOT (https://procdot.com/index.htm)

XDot (https://github.com/jrfonseca/xdot.py)

Virtual Machines and Distros

This section includes all of the virtual machines and Linux distros related to malware analysis, forensics, and penetration testing. These will likely not be used in Panda Labs, as that infrastructure has already been established, but they are a good way to learn different Linux distros, the tools bundled with each distro, and analysis methodologies outside of work. In other words, building a malware analysis lab on a personal machine, alongside the other learning resources and tools listed here, is a good way to learn more about malware analysis. The resource subsections are provided below:

  • Linux Distros and VMs
  • Sandboxes and Portable Labs
  • Virtual Machine Managers

Linux Distros and VMs

This subsection displays all of the Linux distros and virtual machines to be used in a virtual machine manager. They are found below:

ADIA (https://forensics.cert.org/appliance/README.html)

ArchStrike (https://archstrike.org/)

BackBox (https://www.backbox.org/)

BlackArch Linux (https://blackarch.org/index.html)

CAINE (https://www.caine-live.net/)

CSI Linux (https://csilinux.com/)

FLARE VM (https://github.com/mandiant/flare-vm)

Fedora Security Spin (https://fedoraproject.org/wiki/Security_Lab)

ForLEx (http://www.forlex.it/)

Kali (https://www.kali.org/)

Network Security Toolkit (https://www.networksecuritytoolkit.org/nst/index.html)

Parrot OS (https://www.parrotsec.org/)

Pentoo (https://www.pentoo.ch/)

REMnux (https://remnux.org/)

SIFT Workstation (https://www.sans.org/tools/sift-workstation/)

Security Onion (https://securityonionsolutions.com/)

Tsurugi (https://tsurugi-linux.org/)

Sandboxes and Portable Labs

This subsection displays all of the sandboxes and portable virtual labs premade for reverse engineering and malware analysis. They are found below:

Noriben Sandbox (https://github.com/Rurik/Noriben)

Re_lab (https://github.com/cboin/re_lab)

Sandboxie (https://sandboxie-plus.com/sandboxie/)

Virtual Machine Managers

This subsection displays all of the virtual machine managers to use for virtual machine disks and premade distros. They are found below:

VirtualBox (https://www.virtualbox.org/)

VMware (https://www.vmware.com/)