The Best Malware Analysis Tools for Security Researchers & Malware Analysts 2023

Security professionals need to be able to use malware analysis tools to identify sophisticated threats and cyberattacks.

• 
  Malware Analysis Courses
  
• 
  Hex Editors
  
• 
  Disassemblers
  
• 
  Classification and Detection
  
• 
  Dynamic binary Instrumentation
  
• 
  Dynamic Analys
  
• 
  Defuscation
  
• 
  Debugging
  
• 
  Malware Analysis Courses
  
• 
  Reverse Engineering
  
• 
  Binary Analysis
  
• 
  Decompiler
  
• 
  Bytecode Analy
  
• 
  Reconstruction
  
• 
  Memory Forensics
  
• 
  Windows Artifacts
  
• 
  Workflow and Storage
  
• 
  Malware examples
  
• 
  Courses
  
• 
  Domain Analysis
  
• 
  Books
  

Malware Analysis Courses

We have made a list of the top courses for malware analysis and reverse engineering.

Hex Editors

The byteeditor, also known as a binary editor or binary file editor, is a program designed to manipulate the binary data in a file. Hexadecimal is a common numerical format used to represent binary data.

Disassemblers

A Disassembler computer program converts machine language to assembly language. This is the opposite operation of an assembler.

Disassemblers are different from decompilers, as they target a higher-level language than an assembly language. The output of disassemblers is usually formatted to be easy for humans rather than suitable for use by an assembler. This makes it a principal reverse-engineering tool.

Classification and Detection

• – Wrapper to access a range of reporting tools on Windows PE files.
• A distributed, scalable file analysis framework.
• – An open-source, serverless AWS pipeline which scans uploaded files and issues alerts based upon a set YARA rules.
• ClamAV – Open source antivirus engine.
• The program to determine the types of files.
• – View, edit and write metadata.
• Modular, Recursive File Scanning Solution
• – Calculate digest hashes using a range of algorithms.
• – A host-based scanner to scan IOCs.
• – Search and compare malware at the function level.
• MASTIFF – Static analysis framework.
• MultiScanner – Modular file scanning/analysis platform
• is a tool to look up hashes within NIST’s National Software Reference Library.
• – An alternative to PEiD that is cross-platform.
• An multiplatform toolkit that works with PE files and provides feature-rich tools to analyze suspicious binaries.
• – Detect Linux rootkits.
• Compute fuzzy hashes.
• totalhash.py – Python script to search the databases.
• – File ID.
• – A pattern matching tool for analysts.
• Yara rule generator — Generate yara laws based upon a collection of malware samples. It also contains a string database to prevent false positives

Dynamic binary Instrumentation

Dynamic Binary Instrumentation Tools

Mac Encrypt

Mac Decrypting tools

Emulator

Emulator Tool

Document Analysis

Tool for Document Based Malware Analysis

Dynamic Analys

This class is for people starting out in malware dynamic analysis, or those who wish to learn more about the artifacts that malware leaves behind.

This class is hands-on and students will learn how to use different tools to identify malware: Communicating, Persisting, Hiding, and Communicating.

Deobfuscation Malware Analytic Tools

Other code obfuscation techniques and reverse XOR.

• Balbuzard – This malware analysis tool can be used to reverse obfuscation such as ROL and XOR.
• .NET unpacker and deobfuscator.
• & – Alexander Hanel has two tools for working with single-byte XOR encoded file.
• FLOSS– FireEye Labs Obfuscated String Solver employs advanced stat analysis techniques to deobfuscate strings in malware binaries.
• – Find a 256-byte XOR key by frequency analysis
• – This is a generic hidden code extractor that can be used to remove Windows malware.
• – Automatic malware removal for Windows malware using WinAppDbg.
• – Use known-plaintext attacks to guess XOR keys
• – A reverse engineering tool to create virtualization wrappers.
• – A Python script for brute forcing single-byte XOR keys.
• – A few programs by Didier Stevens to find XORed information.
• – Guess the XOR key length as well as key itself.

Debugging

This List contains tools to disassemble, debug, and analyze static and dynamic data. Cross-Platform Debugging Tool

Windows Only Debugging Tools

Linux Only Debugging Tools

Reverse Engineering

• anger – A platform-agnostic, binary analysis framework was developed by UCSB Seclab.
• bamfdetect – Identifies and extracts data from bots.
• – A multiplatform, open source (MIT), binary analysis framework created at Cylab CMU.
• – Open source, multiplatform Binary Analysis and Reverse Engineering Framework.
• – A binary analysis tool for reverse engineering that uses graph visualization.
• Binary ninja – An alternative to IDA.
• – Software analysis tool.
• – GUI for Pyew and Radare. ()
• – A disassembly framework that allows binary analysis and reverse engineering. It supports many languages and has bindings.
• Web-based code browser that uses clang for basic code analysis
• is a binary analysis platform that uses QEMU. DroidScope now extends DECAF.
• decompiler, and debugger.
• Evan’s Debugger (EDB). – An modular debugger that uses a Qt GUI.
• – A tool for exploring and tracking the Windows kernel.
• Reports opens TCP/IP ports and UDP ports on a live system, and maps them back to their owning applications.
• – The GNU Debugger.
• – GDB enhanced Features for reverse engineers and exploiters.
• is a utility that searches for strings within PE executables. This includes imports and exports as well debug symbols.
• – The macOS and Linux Disassembler.
• – Windows disassembler, debugger and free trial version.
• Immunisation Debugger – A Python API that allows you to use this tool for malware analysis, and other purposes.
• ILSpy – ILSpy, the free-source.NET assembly browser/decompiler is .
• – DSL to reverse engineer and dissect file formats/network protocols/data structures.
• – provides cross-platform support to modify, parse and abstract ELF and MachO files.
• Dynamic analysis of Linux executables
• Part of GNU Binutils for static analysis and compilation of Linux binaries.
• – An assembly-level debugger for Windows executables.
• Platform for Architecture Neutral Dynamic Analysis.
• Exploit Development Assistance For GDB, an enhanced display that includes additional commands
• Perform static analysis on Windows executables.
• – Automated static analysis can be performed with the Pharos binary analysis framework.
• – Interactive disassembler for x86/ARM/MIPS.
• (puppy), A professional PE file Explorer that can be used by malware researchers, reversers and others who need to inspect PE files more thoroughly.
• Advanced Task Manager for Windows
• Process hacker – This tool monitors the system’s resources.
• Advanced Monitoring Tool for Windows Programs
• – Windows command line tools to manage and examine live systems.
• Python tool to analyze malware.
• Scriptable reverse engineering toolbox for Python by Cisco’s Talos Team.
• – QEMU embedded with WinDbg for stealth debugging.
• Radare2 – A reverse engineering framework with debugger support.
• RegShot is a registry compare utility that allows you to compare snapshots.
• RetDec Machine-code decompiler using an online service. You can also use this in your toolbox.
• – An analysis, dissection and decompile of complex code-reuse attacks.
• Sublime Malware Research Tools, a Sublime 3 plugin to assist with malware analysis.
• Dynamic analysis of Linux executables.
• – An interactive framework for dynamic binary analysis (DBA).
• Udis86 – A disassembler tool and library for x86_64 and x86_64.
• is a Python tool to analyze malware.
• – Multipurpose debugger that works with Microsoft Windows operating systems. It can be used to troubleshoot user mode apps, driver software, and kernel-mode memory dumps.
• – An open-source x64/x32 debugger for windows.

Binary Format, Binary Analysis

Compound File Binary format is the base container for many different Microsoft file formats, such as Microsoft Office documents or Microsoft Installer packages.

Binary Analysis Resources

Decompiler

Decompiler can create executable files and attempt to compile them successfully. This is the reverse of a compiler which uses an executable file as input and attempts to create a high-level source file that can be recompiled successfully.

Java Decompiler

.NET Decompiler

Delphi Decompiler

Python decompiler

Bytecode Analy

Bytecode Analysis Tool

Tools for Import Reconstruction

• Free Online Analysis of APKs Against Multiple Mobile Antivirus Apps
• Malware.lu is an online scanner that detects and removes malware.
• Check suspicious documents.
• Open-source, self-hosted sandbox with automated analysis.
• – A modified version of Cuckoo Sandbox is available under the GPL. Due to legal issues, the author has not merged it upstream.
• Cuckoo Modified-api – This Python API is used to manage a cuckoo modified sandbox.
• – Multiformat File Analyzer with Machine-Learning Classification.
• – This sandbox was created to analyze traffic and capture IOCs from Linux malware.
• – Dynamic malware analysis system.
• – Analyzes any firmware package, unpacks it and scans it.
• HaboMalHunter – A tool to automate the analysis of malware in Linux ELF files
• – An online malware analysis tool powered by VxSandbox.
• – A customizable and asynchronous analysis platform to detect suspicious files.
• Deep malware analysis using Joe Sandbox.
• – Online multi-AV scanner.
• Sandbox to Analyze Linux Malware.
• – Automated Sandboxed Analysis of Malware Behavior.
• – This is a Python RESTful API Framework for URL and online malware analysis.
• – Decode, display and extract the settings of common malwares.
• – Get a free analysis using an online Cuckoo Sandbox.
• – Static analysis online of malware.
• Metadefender.com – Free scan of a file or hash to find malware
• – This service analyzes pcap files to detect viruses, trojans and other malware. It is configured with EmergingThreats Pro and Suricata.
• – Sysinternals Procmon is used to gather information on malware within a sandboxed setting.
• – Analyse suspicious PDF files.
• – A graphic malware analysis toolkit.
• – Helper script to safely upload binaries onto sandbox websites.
• Sandroid – Complete and automatic Android app analysis.
• – The Sandboxed Execution Environment, (SEE), is a tool for automating test automation within secured environments.
• Viral Free Online Analysis of Malware Samples and URLs
• – An open source visualization tool and command line log tools. (Cuckoo and Procmon, plus more …)
• Lenny Zeltser compiled the free automated sandboxes.

Document Analysis

Software for Document Analysis

Scripting

Scripting

Android

Android Tools

Yara

Yara Resources

Tool to dissect malware in memory images and running systems.

• Client for Windows/MacOS Forensics, including hiberfil, Pagefile and raw memory analysis.
• DAMM Differential Analysis Of Malware In Memory Based on Volatility
• – Web interface to the Volatility Memo Forensics Framework.
• FindAES Find AES Find AES encryption keys stored in your memory.
• – High-speed memory analysis framework created in.NET that supports all Windows x64 platforms. It also includes code integrity support.
• – This script automates portions of Volatility analysis and generates a readable report.
• Memory Analysis Framework, Forked From Volatility In 2013.
• Script that uses Volatility to automate various malware analysis tasks
• – Use Volatility to check memory images prior and subsequent to malware execution and then report any changes.
• Advanced memory forforensics.
• – Website Interface for Volatility Memo Analysis Framework.
• WinDBG AntiRootKit Extension.
• – Live memory inspection for Windows and kernel debugging

Windows Artifacts

• A script to respond to an incident and gather Windows artifacts.
• Python library to parse Windows Event Logs.
• pythonregistry – Python library to parse registry files.
• RegRipper ) is a plugin-based registry analysis tool.

Workflow and Storage

• Aleph Open Source Malware Analysis Pipeline Systems
• – Collaborative Research Into Threats. A threat and malware repository.
• A framework for malware analysis that allows you to add custom modules. These can then be linked and interacted with one another in order to do end-to-end analyses.
• – Search, store, and tag malware.
• is a malware analysis platform that allows analysts to work together to remove malware.
• Stable content analysis platform with many plugins, including input and output.
• – An analysis and management framework that supports analysts and researchers.

Malware examples

Samples of malware collected to be analysed.

• – Realtime Database of Malicious Domains and Malware.
• A compilation of malware samples and analysis.
• – Exploit and shellcode samples.
• A large repository of malware actively scrapped from malicious websites.
• – A repository of malware samples.
• Samples and Downloads Foremost Offensive Computing.
• Plugin-based malware crawler that provides pre-analysis and reports
• – Live malware samples available for analysts
• Tracker – Agregator of malware corpus tracker, and malicious download websites.
• – Malware database detected by all anti malware software except ClamAV.
• Registration required.
• – Active collection for malware samples
• Lenny Zeltser has compiled a list of sample malware sources.
• – Leaked source for Zeus trojan in 2011.

Malware Analysis Tools

Examine domains and IP addresses.

• Community-based IP blacklist service.
• Boomerang – This tool is designed to capture off-network web resources in a consistent, safe manner.
• – Threat Intelligence Tracker with IP/domain/hash Search.
• – Use this tool in one click to find as many metadata about a website as you can and assess its current standing.
• Dig – Get free online digs and other tools.
• DNStwist – A domain name permutation engine to detect typo squatting and corporate espionage.
• HTMLinfo – Search online for information on an IP address or domain.
• is an OSINT tool that collects information about URLs and IPs. Automator is similar.
• – A cross-language temporary email detection tool.
• VirusTotal API. This allows domain/IP research and search for file hashes.
• Multiple rbl
• – Free API Services to detect possible phishing domains and blacklisted ip address, as well as breached accounts.
• – IP-based spam blocker list.
• Block List based on IPs and domains
• – A free website security scanner and malware scanner.
• – Search for IP, domain or network owner. (Previously SenderBase.)
• is an OSINT tool that collects information on URLs, IPs and hashes.
• – Free URL Scanner.
• DomainTools – domaintools online whois search.
• – A collection of free online tools to search for malicious websites. compiled by Lenny Zeltser.
• – Zulu URL Risk Analyzer.

Books

Reverse Engineering Books: The Most Important Books

Shellcode and Documents

Analysis of malicious JS/shellcode in PDFs and Office documents. Also see the section on browser malware.

• AnalyzePDF – This tool allows you to analyze PDFs, and determine if they’re malicious.
• is a tool to study JavaScript malware. It includes JScript/WScript support, ActiveX Emulation and ActiveX support.
• – Use this tool to analyze malicious shellcode.
• JavaScript Unpacking and Deobfuscation
• Deobfuscator
• – Library and tools to emulate x86 shellcodes
• – Deconstruct malicious PDFs into a JSON representation.
• Scan malicious traces within MS Office documents.
• This script allows you to parse OLE and OpenXML files and extract useful information.
• – An analysis tool to identify malicious PDFs.
• pdfid and pdf-parser from Didier Stevens.
• – This is a PDF analysis tool that uses the backend-free PDF XRAY.
• is a Python tool to explore potentially malicious PDFs.
• QuickSand QuickSand is a C framework that analyzes suspected malware documents in order to find exploits within streams of various encodings, and locate and extract executables.
• Spidermonkey – Mozilla’s JavaScript engine for diagnosing malicious JS.

Practice Reverse Engineering. Take care when dealing with malware

Analyze and harvest IOCs

• AbuseHelper – A free framework to receive and distribute abuse feeds as well as threat intelligence.
• AlienVault Open Threat Exchange – Collaborate in the development of Threat Intelligence.
• – To gather Threat Intelligence indicators using publicly available sources
• – Get intelligence per file hash.
• – Pull Intelligence per host.
• – This tool is for CERTs to process incident data by using a message queue.
• – A free editor for XML IOC files.
• Python library to work with OpenIOC objects from Mandiant
• – Formerly known as CIF, Collective Intelligence Framework. This aggregates IOCs taken from different lists. Curated by the .
• – Malware Information Sharing Platform, curated by .
• – A community-driven platform for threat intelligence that collects IOCs using open-source feeds.
• PyIOCe – A Python OpenIOC editor.
• – Connect, Tag, and Share IPs and Domains. (Was PassiveTotal.)
• – Combines security threats from many sources including those mentioned below in .
• threatCrowd – Search engine for threats with visual visualization.
• ThreatTracker – This Python script monitors and generates alerts for IOCs that have been indexed using a number of Google Custom Search Engines.
• – Data visualizations and statistical analyses of Threat Intelligence feeds.

Additional Resources

Credits

This is a list created with the help of these Awesome Peoples.