# Favorite Tools
- A list of my favorite tools. The list will grow over time.
## Distros:
- Flare VM - https://github.com/mandiant/flare-vm
- REMnux - https://remnux.org/
- Kali Purple - https://www.kali.org/
## Basic Static Analysis:
- VirusTotal - https://virustotal.com
- any.run - https://any.run
- FLOSS - https://github.com/mandiant/flare-floss
- stringsifter - https://github.com/mandiant/stringsifter
- ftrace
- strace
- PEStudio - https://www.winitor.com/
- peframe
- DIE (Detect It Easy)
- ExeInfo
- PEView - http://wjradburn.com/software/
- pdfid - https://github.com/DidierStevens/DidierStevensSuite/blob/master/pdfid.py
- pdf-parser - https://github.com/DidierStevens/DidierStevensSuite/blob/master/pdf-parser.py
- CyberChef - https://gchq.github.io/CyberChef/
- 010 Editor - https://www.sweetscape.com/010editor/

## FLARE-VM/REMnux Tool List

- FLARE-VM
    - strings/FLOSS: [https://github.com/mandiant/flare-floss](https://github.com/mandiant/flare-floss)
    - PEView: [http://wjradburn.com/software/](http://wjradburn.com/software)
    - upx (not used but referenced): [https://upx.github.io/](https://upx.github.io/)
    - PEStudio: [https://www.winitor.com/download](https://www.winitor.com/download)
    - Capa: [https://github.com/mandiant/capa](https://github.com/mandiant/capa)
    - Wireshark: [https://www.wireshark.org/](https://www.wireshark.org/)
    - Sysinternals (Procmon, TCPView): [https://learn.microsoft.com/en-us/sysinternals/downloads/](https://learn.microsoft.com/en-us/sysinternals/downloads)
    - nc/ncat: [https://nmap.org/download](https://nmap.org/download)
    - Cutter: [https://github.com/rizinorg/cutter](https://github.com/rizinorg/cutter)
    - x32/x64dbg: [https://x64dbg.com/](https://x64dbg.com/)
    - Process Hacker 2 (now known as System Informer): [https://systeminformer.sourceforge.io/](https://systeminformer.sourceforge.io/)
    - scdbg: [https://github.com/dzzie/SCDBG](https://github.com/dzzie/SCDBG)
    - dnSpy/dnSpyEx: [https://github.com/dnSpyEx/dnSpy](https://github.com/dnSpyEx/dnSpy)
    - PEBear: [https://hshrzd.wordpress.com/pe-bear/](https://hshrzd.wordpress.com/pe-bear)
    - YARA: [https://github.com/VirusTotal/yara](https://github.com/VirusTotal/yara)
- REMnux
    - base64 (built in Linux bin)
    - OLEdump: [https://github.com/DidierStevens/DidierStevensSuite/blob/master/oledump.py](https://github.com/DidierStevens/DidierStevensSuite/blob/master/oledump.py)
    - MobSF (Docker Container): [https://github.com/MobSF/Mobile-Security-Framework-MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | [https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/](https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf)
    - INetSim: [https://www.inetsim.org/](https://www.inetsim.org/)
## Advanced Static Analysis:
- [[Ghidra]] - https://github.com/NationalSecurityAgency/ghidra
- Cutter - https://cutter.re/
- IDA - https://hex-rays.com/ida-free/
- dnSpy - .NET
- Binwalk
## Emulators
- Speakeasy
- [[Capa]] - https://github.com/mandiant/capa
- binee
- Qiling
- Vivisect
## Dynamic Analysis
- Wireshark
- Inetsim
- fakedns
- accept-all-ips
- Netcat
- TCPView
- Procmon
- procdot
- RegShot
- Process Hacker
- CMDWatcher
- Fiddler Classic
## Advanced Dynamic Analysis
- x32dbg
- x64dbg
- API Monitor
- MalAPI - https://malapi.io/
## Forensic Tools
- AXIOM Cyber - https://www.magnetforensics.com/products/magnet-axiom-cyber
- KAPE - https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape
- All things Eric Zimmerman - https://ericzimmerman.github.io/#!index.md
- FTK Imager
- Win Prefetch View
- Arsenal Image Mounter
- exiftool
- PhotoRec

## Recon/Intel Gathering
- dirhunt - https://github.com/Nekmo/dirhunt

## Helpful Links
- Malicious APIs - https://malapi.io/
- Malware Class - https://class.malware.re/
- Windows Builds - https://uupdump.net/

## Malware
- vxunderground - https://github.com/vxunderground/MalwareSourceCode
- theZoo - https://github.com/ytisf/theZoo

-------------------------------------------------------------
# Greatness Borrowed
- The list below was copied from https://github.com/0x4143/malware-gems. 
- All credit from here down goes to them.
- No need to recreate something that already exists and is great.

# [Books:](https://github.com/0x4143/malware-gems#books)

- Intelligence Driven Incident Response - [http://shop.oreilly.com/product/0636920043614.do](http://shop.oreilly.com/product/0636920043614.do)
- Practical Malware Analysis - [https://www.nostarch.com/malware](https://www.nostarch.com/malware)
- Reversing: Secrets of Reverse Engineering - [http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0764574817.html](http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0764574817.html)
- Practical Reverse Engineering - [http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118787315,subjectCd-CSJ0.html](http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118787315,subjectCd-CSJ0.html)
- Malware Analyst Cookbook - [http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0470613033.html](http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0470613033.html)
- IDA Pro Book - [https://www.nostarch.com/idapro2.htm](https://www.nostarch.com/idapro2.htm)
- Art of Assembly - [http://www.plantation-productions.com/Webster/www.artofasm.com/index.html](http://www.plantation-productions.com/Webster/www.artofasm.com/index.html)
- The Art of Memory Forensics - [http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118825098.html](http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118825098.html)
- Windows Internals, Part 1 (6th Edition) - [https://www.microsoftpressstore.com/store/windows-internals-part-1-9780735648739](https://www.microsoftpressstore.com/store/windows-internals-part-1-9780735648739)
- Windows Internals, Part 2 (6th Edition) - [https://www.microsoftpressstore.com/store/windows-internals-part-2-9780735665873](https://www.microsoftpressstore.com/store/windows-internals-part-2-9780735665873)
- Windows Internals, Part 1 (7th Edition): [https://www.microsoftpressstore.com/store/windows-internals-part-1-system-architecture-processes-9780735684188](https://www.microsoftpressstore.com/store/windows-internals-part-1-system-architecture-processes-9780735684188)
- Windows Internals, Part 2 (7th Edition): [https://www.microsoftpressstore.com/store/windows-internals-part-2-9780135462409](https://www.microsoftpressstore.com/store/windows-internals-part-2-9780135462409)
- Hacking. The Art of Exploitation - [https://www.nostarch.com/hacking2.htm](https://www.nostarch.com/hacking2.htm)
- The Shellcoder's Handbook: Discovering and Exploiting Security Holes - [http://eu.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html](http://eu.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
- Rootkits: Subverting the Windows Kernel - [https://dl.acm.org/citation.cfm?id=1076346](https://dl.acm.org/citation.cfm?id=1076346)
- Rootkits and Bootkits - [https://www.nostarch.com/rootkits](https://www.nostarch.com/rootkits)
- The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage - [http://www.simonandschuster.com/books/The-Cuckoos-Egg/Cliff-Stoll/9781416507789](http://www.simonandschuster.com/books/The-Cuckoos-Egg/Cliff-Stoll/9781416507789)
- The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System - [https://www.safaribooksonline.com/library/view/the-rootkit-arsenal/9781449626365/](https://www.safaribooksonline.com/library/view/the-rootkit-arsenal/9781449626365/)
- Learning Malware Analysis - [https://www.amazon.co.uk/Learning-Malware-Analysis-techniques-investigate/dp/1788392507/ref=sr_1_1?ie=UTF8&qid=1534162748&sr=8-1&keywords=malware+analysis](https://www.amazon.co.uk/Learning-Malware-Analysis-techniques-investigate/dp/1788392507/ref=sr_1_1?ie=UTF8&qid=1534162748&sr=8-1&keywords=malware+analysis)
- Sandworm - [https://www.penguinrandomhouse.com/books/597684/sandworm-by-andy-greenberg/](https://www.penguinrandomhouse.com/books/597684/sandworm-by-andy-greenberg/)

# [CheatSheets/Tables:](https://github.com/0x4143/malware-gems#cheatsheetstables)

- IDA Cheat Sheet - [https://securedorg.github.io/idacheatsheet.html](https://securedorg.github.io/idacheatsheet.html)
- Cheat Sheets - [https://highon.coffee/blog/cheat-sheet/](https://highon.coffee/blog/cheat-sheet/)
- File Signatures - [http://www.garykessler.net/library/file_sigs.html](http://www.garykessler.net/library/file_sigs.html)
- APT Groups and Operations - [https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#](https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml#)
- Ransomware Overview - [https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#)
- Intel Assembler code table - [http://www.jegerlehner.ch/intel/](http://www.jegerlehner.ch/intel/)
- ARM Assembly Cheatsheet - [https://azeria-labs.com/assembly-basics-cheatsheet/](https://azeria-labs.com/assembly-basics-cheatsheet/)
- APTnotes - [https://github.com/kbandla/APTnotes](https://github.com/kbandla/APTnotes)
- PE 101 - [https://github.com/corkami/pics/blob/master/binary/pe101/pe101.pdf](https://github.com/corkami/pics/blob/master/binary/pe101/pe101.pdf)
- PDF 101 - [https://github.com/corkami/docs/blob/master/PDF/PDF.md](https://github.com/corkami/docs/blob/master/PDF/PDF.md)
- PDF analysis - [https://github.com/zbetcheckin/PDF_analysis](https://github.com/zbetcheckin/PDF_analysis)
- Digital Forensics and Incident Response - [https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/#)

# [CTFs:](https://github.com/0x4143/malware-gems#ctfs)

- Flare-On - [http://flare-on.com/](http://flare-on.com/)
- LabyREnth - [https://labyrenth.com/mud/](https://labyrenth.com/mud/)
- Facebook CTF - [https://github.com/facebook/fbctf](https://github.com/facebook/fbctf)
- CTF Field Guide - [https://trailofbits.github.io/ctf/](https://trailofbits.github.io/ctf/)
- RootMe - [https://www.root-me.org](https://www.root-me.org/)
- RPISEC CSCI 4968 - [http://security.cs.rpi.edu/courses/binexp-spring2015/](http://security.cs.rpi.edu/courses/binexp-spring2015/)
- Crackmes - [https://crackmes.one/](https://crackmes.one/)

# [Decoders:](https://github.com/0x4143/malware-gems#decoders)

- CyberChef - [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/)
- KevtheHermit RAT decoders - [https://github.com/kevthehermit/RATDecoders](https://github.com/kevthehermit/RATDecoders)

# [Debuggers:](https://github.com/0x4143/malware-gems#debuggers)

- OllyDbg - [http://www.ollydbg.de/](http://www.ollydbg.de/)
- Immunity Debugger - [https://www.immunityinc.com/products/debugger/](https://www.immunityinc.com/products/debugger/)
- X64dbg - [https://x64dbg.com/#start](https://x64dbg.com/#start)
- Rvmi - [https://github.com/fireeye/rvmi](https://github.com/fireeye/rvmi)
- WinDBG - [https://docs.microsoft.com/en-gb/windows-hardware/drivers/debugger/debugger-download-tools](https://docs.microsoft.com/en-gb/windows-hardware/drivers/debugger/debugger-download-tools)

# [Disassemblers:](https://github.com/0x4143/malware-gems#disassemblers)

- IDA Pro - [https://www.hex-rays.com/products/ida/](https://www.hex-rays.com/products/ida/)
- Binary Ninja - [https://binary.ninja/](https://binary.ninja/)
- Radare2 - [https://github.com/radare/radare2](https://github.com/radare/radare2)
- Cutter - [https://github.com/radareorg/cutter](https://github.com/radareorg/cutter)
- BinNavi - [https://github.com/google/binnavi](https://github.com/google/binnavi)
- Hopper - [https://www.hopperapp.com/](https://www.hopperapp.com/)
- medusa - [https://github.com/wisk/medusa](https://github.com/wisk/medusa)
- Disassembler.io - [https://www.onlinedisassembler.com/static/home/](https://www.onlinedisassembler.com/static/home/)
- Ghidra - [https://ghidra-sre.org/](https://ghidra-sre.org/)

# [Document Analysis Tools:](https://github.com/0x4143/malware-gems#document-analysis-tools)

- OfficeMalScanner/DisView - [http://www.reconstructor.org/](http://www.reconstructor.org/)
- AnalyzePDF - [https://github.com/hiddenillusion/AnalyzePDF](https://github.com/hiddenillusion/AnalyzePDF)
- BiffView - [https://www.aldeid.com/wiki/BiffView](https://www.aldeid.com/wiki/BiffView)
- oletools - [https://www.decalage.info/python/oletools](https://www.decalage.info/python/oletools)
- Origami Framework - [https://github.com/cogent/origami-pdf](https://github.com/cogent/origami-pdf)
- PDF Stream Dumper - [http://sandsprite.com/blogs/index.php?uid=7&pid=57](http://sandsprite.com/blogs/index.php?uid=7&pid=57)
- CERMINE - [https://github.com/CeON/CERMINE](https://github.com/CeON/CERMINE)
- pdfid - [https://blog.didierstevens.com/programs/pdf-tools/](https://blog.didierstevens.com/programs/pdf-tools/)
- PDFwalker - [https://www.aldeid.com/wiki/Origami/pdfwalker](https://www.aldeid.com/wiki/Origami/pdfwalker)
- Peepdf - [http://eternal-todo.com/tools/peepdf-pdf-analysis-tool](http://eternal-todo.com/tools/peepdf-pdf-analysis-tool)
- pev - [http://pev.sourceforge.net/](http://pev.sourceforge.net/)
- FOCA - [https://www.elevenpaths.com/labstools/foca/index.html](https://www.elevenpaths.com/labstools/foca/index.html)
- LuckyStrike - [https://github.com/curi0usJack/luckystrike](https://github.com/curi0usJack/luckystrike)
- RTF Cleaner - [https://github.com/nicpenning/RTF-Cleaner](https://github.com/nicpenning/RTF-Cleaner)
- RTFScan - [http://www.reconstructer.org/](http://www.reconstructer.org/)

# [Dynamic/Behavioural Analysis Tools:](https://github.com/0x4143/malware-gems#dynamicbehavioural-analysis-tools)

- CaptureBAT - [https://www.honeynet.org/node/315](https://www.honeynet.org/node/315)
- Sysinternals Suite - [https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)
- ProcDOT - [http://www.procdot.com/](http://www.procdot.com/)
- Process Hacker - [http://processhacker.sourceforge.net/](http://processhacker.sourceforge.net/)
- Sysmon - [https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
- API Monitor - [http://www.rohitab.com/apimonitor](http://www.rohitab.com/apimonitor)
- Regshot - [https://sourceforge.net/projects/regshot/](https://sourceforge.net/projects/regshot/)
- SwiftonSecurity Sysmon Config - [https://github.com/SwiftOnSecurity/sysmon-config](https://github.com/SwiftOnSecurity/sysmon-config)
- Capture-Py - [https://github.com/fbruzzaniti/Capture-Py](https://github.com/fbruzzaniti/Capture-Py)
- Windows Kernel Explorer - [https://github.com/AxtMueller/Windows-Kernel-Explorer](https://github.com/AxtMueller/Windows-Kernel-Explorer)

# [Funny/Random:](https://github.com/0x4143/malware-gems#funnyrandom)

- Win95 defrag - [http://hultbergs.org/defrag/](http://hultbergs.org/defrag/)
- Little Bobby - [http://www.littlebobbycomic.com/](http://www.littlebobbycomic.com/)
- Dilbert - [http://dilbert.com/](http://dilbert.com/)
- XKCD - [https://xkcd.com/](https://xkcd.com/)
- Why the fuck was I breached - [https://whythefuckwasibreached.com/](https://whythefuckwasibreached.com/)
- VIM Adventures - [https://vim-adventures.com/](https://vim-adventures.com/)

# [Honeypots:](https://github.com/0x4143/malware-gems#honeypots)

- Modern Honey Network - [https://github.com/threatstream/mhn](https://github.com/threatstream/mhn)

# [ICS:](https://github.com/0x4143/malware-gems#ics)

- Graphical Realism Framework for Industrial Control Simulations - [https://github.com/djformby/GRFICS](https://github.com/djformby/GRFICS)
- ꓘamerka - [https://woj-ciech.github.io/kamerka-demo/kamerka.html](https://woj-ciech.github.io/kamerka-demo/kamerka.html)

# [IDA:](https://github.com/0x4143/malware-gems#ida)

- stackstring_static.py - [https://github.com/TakahiroHaruyama/ida_haru/tree/master/stackstring_static](https://github.com/TakahiroHaruyama/ida_haru/tree/master/stackstring_static)
- emotet_payload_decryption.py - [https://gist.github.com/levwu/23751fe47f83d42ed6a63280a4f2aaaa](https://gist.github.com/levwu/23751fe47f83d42ed6a63280a4f2aaaa)
- VB IDC - [https://www.hex-rays.com/products/ida/support/freefiles/vb.idc](https://www.hex-rays.com/products/ida/support/freefiles/vb.idc)
- Diaphora - [https://github.com/joxeankoret/diaphora](https://github.com/joxeankoret/diaphora)
- BinDiff - [https://www.zynamics.com/bindiff.html](https://www.zynamics.com/bindiff.html)
- fnfuzzy - [https://github.com/TakahiroHaruyama/ida_haru/tree/master/fn_fuzzy](https://github.com/TakahiroHaruyama/ida_haru/tree/master/fn_fuzzy)
- BinDiff wrapper - [https://github.com/TakahiroHaruyama/ida_haru/tree/master/bindiff](https://github.com/TakahiroHaruyama/ida_haru/tree/master/bindiff)
- simpliFiRE.IDAscope - [https://bitbucket.org/daniel_plohmann/simplifire.idascope/src/master/](https://bitbucket.org/daniel_plohmann/simplifire.idascope/src/master/)
- IDA Plugins - [http://www.openrce.org/downloads/browse/IDA_Plugins](http://www.openrce.org/downloads/browse/IDA_Plugins)
- FindCrypt - [https://github.com/you0708/ida/tree/master/idapython_tools/findcrypt](https://github.com/you0708/ida/tree/master/idapython_tools/findcrypt)

# [IOT:](https://github.com/0x4143/malware-gems#iot)

- Binwalk - [https://github.com/devttys0/binwalk](https://github.com/devttys0/binwalk)
- JTAG Explained - [http://blog.senr.io/blog/jtag-explained](http://blog.senr.io/blog/jtag-explained)
- Firmware Analysis Toolkit - [https://github.com/attify/firmware-analysis-toolkit](https://github.com/attify/firmware-analysis-toolkit)
- Saleae Logic Analyzer software - [https://www.saleae.com/downloads/](https://www.saleae.com/downloads/)

# [IR:](https://github.com/0x4143/malware-gems#ir)

- Detecting Lateral Movement through Tracking Event Logs - [https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf](https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf)
- Incident Response Methodologies - [https://github.com/certsocietegenerale/IRM](https://github.com/certsocietegenerale/IRM)
- MITRE ATT&CK Framework - [https://attack.mitre.org/wiki/Main_Page](https://attack.mitre.org/wiki/Main_Page)

# [JavaScript Deobfuscation Tools:](https://github.com/0x4143/malware-gems#javascript-deobfuscation-tools)

- SpiderMonkey (js) - [https://blog.didierstevens.com/programs/spidermonkey/](https://blog.didierstevens.com/programs/spidermonkey/)
- Malzilla - [http://malzilla.sourceforge.net/](http://malzilla.sourceforge.net/)
- Malware-Jail - [https://github.com/HynekPetrak/malware-jail](https://github.com/HynekPetrak/malware-jail)

# [LNK File Analysis:](https://github.com/0x4143/malware-gems#lnk-file-analysis)

- [https://lifeinhex.com/analyzing-malicious-lnk-file/](https://lifeinhex.com/analyzing-malicious-lnk-file/)

# [MAC:](https://github.com/0x4143/malware-gems#mac)

- MacOS Papers, Slides and Thesis Archive - [https://papers.put.as/macosx/macosx/](https://papers.put.as/macosx/macosx/)
- norimaci - [https://github.com/mnrkbys/norimaci](https://github.com/mnrkbys/norimaci)
- DTrace: [even better than] strace for OS X - [https://8thlight.com/blog/colin-jones/2015/11/06/dtrace-even-better-than-strace-for-osx.html](https://8thlight.com/blog/colin-jones/2015/11/06/dtrace-even-better-than-strace-for-osx.html)

# [Malware Repos:](https://github.com/0x4143/malware-gems#malware-repos)

- MalwareBazaar - [https://bazaar.abuse.ch/](https://bazaar.abuse.ch/)
- VXVault - [http://vxvault.net/ViriList.php](http://vxvault.net/ViriList.php)
- MalShare - [https://malshare.com/](https://malshare.com/)
- CyberCrime Tracker - [http://cybercrime-tracker.net/index.php](http://cybercrime-tracker.net/index.php)
- TheZoo - [https://github.com/ytisf/theZoo](https://github.com/ytisf/theZoo)
- Endgame Ember - [https://github.com/endgameinc/ember](https://github.com/endgameinc/ember)
- Global ATM Malware Wall - [http://atm.cybercrime-tracker.net/index.php](http://atm.cybercrime-tracker.net/index.php)
- What is this C2 - [https://github.com/misterch0c/what_is_this_c2](https://github.com/misterch0c/what_is_this_c2)
- Connect Trojan - [https://www.connect-trojan.com/](https://www.connect-trojan.com/)
- ViriBack C2 Tracker - [http://tracker.viriback.com/](http://tracker.viriback.com/)
- VirusBay - [https://beta.virusbay.io/](https://beta.virusbay.io/)

# [Maps / Stats (eye candy):](https://github.com/0x4143/malware-gems#maps--stats-eye-candy)

- ThreatButt - [https://threatbutt.com/map/](https://threatbutt.com/map/)
- BitDefender - [https://threatmap.bitdefender.com/](https://threatmap.bitdefender.com/)
- FireEye - [https://www.fireeye.com/cyber-map/threat-map.html](https://www.fireeye.com/cyber-map/threat-map.html)
- Global Incident Map - [http://www.globalincidentmap.com/](http://www.globalincidentmap.com/)
- Tor Flow - [https://torflow.uncharted.software/](https://torflow.uncharted.software/)
- Kaspersky Cybermap - [https://cybermap.kaspersky.com/](https://cybermap.kaspersky.com/)
- Security Wizardry - [http://www.securitywizardry.com/radar.htm](http://www.securitywizardry.com/radar.htm)
- Norse Attack Map - [http://map.norsecorp.com/#/](http://map.norsecorp.com/#/)
- Digital Attack Map - [http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16938&view=map](http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16938&view=map)
- Stats - [http://breachlevelindex.com/](http://breachlevelindex.com/)
- Current Cyber Attacks - [http://community.sicherheitstacho.eu/start/main](http://community.sicherheitstacho.eu/start/main)
- FSecure - [http://worldmap3.f-secure.com/](http://worldmap3.f-secure.com/)
- Talos - [https://talosintelligence.com/](https://talosintelligence.com/)
- Security Wizardry - [https://radar.securitywizardry.com/](https://radar.securitywizardry.com/)
- Ransomware Attack Map - [https://statescoop.com/ransomware-map/](https://statescoop.com/ransomware-map/)

# [Memory Forensics:](https://github.com/0x4143/malware-gems#memory-forensics)

- Volatility - [http://www.volatilityfoundation.org/](http://www.volatilityfoundation.org/)
- Memoryze - [https://www.fireeye.com/services/freeware/memoryze.html](https://www.fireeye.com/services/freeware/memoryze.html)
- DumpIt - [https://blog.comae.io/your-favorite-memory-toolkit-is-back-f97072d33d5c](https://blog.comae.io/your-favorite-memory-toolkit-is-back-f97072d33d5c)
- Hibr2Bin - [https://blog.comae.io/your-favorite-memory-toolkit-is-back-f97072d33d5c](https://blog.comae.io/your-favorite-memory-toolkit-is-back-f97072d33d5c)
- Rekall Memory Forensic Framework - [https://github.com/google/rekall](https://github.com/google/rekall)
- Clonezilla - [http://clonezilla.org/](http://clonezilla.org/)
- dd - [https://linux.die.net/man/1/dd](https://linux.die.net/man/1/dd)
- Fog - [https://fogproject.org/](https://fogproject.org/)
- Forensic Toolkit (FTK) - [http://www.accessdata.com/product-download](http://www.accessdata.com/product-download)
- Redline - [https://www.fireeye.com/services/freeware/redline.html](https://www.fireeye.com/services/freeware/redline.html)
- MemLabs - [https://github.com/stuxnet999/MemLabs](https://github.com/stuxnet999/MemLabs)

# [Misc Tools:](https://github.com/0x4143/malware-gems#misc-tools)

- File Signature Analysis - [https://filesignatures.net/index.php?page=all](https://filesignatures.net/index.php?page=all)
- EKFiddle - [https://github.com/malwareinfosec/EKFiddle](https://github.com/malwareinfosec/EKFiddle)
- XMind - [http://www.xmind.net/](http://www.xmind.net/)
- ExamDiff - [http://www.prestosoft.com/edp_examdiff.asp](http://www.prestosoft.com/edp_examdiff.asp)
- 7zip - [http://www.7-zip.org/download.html](http://www.7-zip.org/download.html)
- Visual Studio - [https://www.visualstudio.com/](https://www.visualstudio.com/)
- WinSCP - [https://winscp.net/eng/download.php](https://winscp.net/eng/download.php)
- Putty - [https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)
- TreeSizeFree - [https://www.jam-software.com/treesize_free/](https://www.jam-software.com/treesize_free/)
- OneNote - [https://www.onenote.com/](https://www.onenote.com/)
- KeePass - [https://keepass.info/](https://keepass.info/)
- ExifTool - [https://www.sno.phy.queensu.ca/~phil/exiftool/](https://www.sno.phy.queensu.ca/~phil/exiftool/)
- RegEx 101 - [https://regex101.com/](https://regex101.com/)
- Byte Counter - [https://mothereff.in/byte-counter](https://mothereff.in/byte-counter)
- Utilu IE Collection - [http://utilu.com/IECollection/](http://utilu.com/IECollection/)
- UserAgentString - [http://www.useragentstring.com/](http://www.useragentstring.com/)
- Maltego - [https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php](https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php)
- Cmder - [http://cmder.net/](http://cmder.net/)
- MalPull - [https://github.com/ThisIsLibra/MalPull](https://github.com/ThisIsLibra/MalPull)
- StringSifter - [https://github.com/mandiant/stringsifter](https://github.com/mandiant/stringsifter)

# [.Net Debuggers/Decompilers:](https://github.com/0x4143/malware-gems#net-debuggersdecompilers)

- ILSpy - [http://ilspy.net/](http://ilspy.net/)
- dnSpy - [https://github.com/0xd4d/dnSpy](https://github.com/0xd4d/dnSpy)
- dotPeek - [https://www.jetbrains.com/decompiler/](https://www.jetbrains.com/decompiler/)
- de4dot - [https://github.com/0xd4d/de4dot](https://github.com/0xd4d/de4dot)
- Reflector - [https://www.red-gate.com/products/dotnet-development/reflector/index](https://www.red-gate.com/products/dotnet-development/reflector/index)

# [Network Analysis:](https://github.com/0x4143/malware-gems#network-analysis)

- Wireshark - [https://www.wireshark.org/](https://www.wireshark.org/)
- Network Miner - [http://www.netresec.com/?page=NetworkMiner](http://www.netresec.com/?page=NetworkMiner)
- LogRhythm Network Monitor Freemium - [https://logrhythm.com/network-monitor-freemium/](https://logrhythm.com/network-monitor-freemium/)
- dig - [https://linux.die.net/man/1/dig](https://linux.die.net/man/1/dig)
- curl - [https://curl.haxx.se/docs/manpage.html](https://curl.haxx.se/docs/manpage.html)
- ApateDNS - [https://www.fireeye.com/services/freeware/apatedns.html](https://www.fireeye.com/services/freeware/apatedns.html)
- NetCat - [http://netcat.sourceforge.net/](http://netcat.sourceforge.net/)
- Nslookup - [https://linux.die.net/man/1/nslookup](https://linux.die.net/man/1/nslookup)
- PDF Stream Dumper - [http://sandsprite.com/blogs/index.php?uid=7&pid=57](http://sandsprite.com/blogs/index.php?uid=7&pid=57)
- Robtex - [https://www.robtex.com/](https://www.robtex.com/)
- Belati - [https://github.com/aancw/Belati](https://github.com/aancw/Belati)
- Ostinato - [http://ostinato.org/](http://ostinato.org/)
- Burp Suite - [https://portswigger.net/burp/](https://portswigger.net/burp/)
- Hak5 - [https://hakshop.com/](https://hakshop.com/)
- Fiddler - [https://www.telerik.com/fiddler](https://www.telerik.com/fiddler)
- Shodan - [https://www.shodan.io/](https://www.shodan.io/)
- FakeNet-NG - [https://github.com/fireeye/flare-fakenet-ng](https://github.com/fireeye/flare-fakenet-ng)
- Netzob - [https://github.com/netzob/netzob](https://github.com/netzob/netzob)
- DShell - [https://github.com/USArmyResearchLab/Dshell](https://github.com/USArmyResearchLab/Dshell)
- SecurityOnion - [https://securityonion.net/](https://securityonion.net/)
- Reverse Engineering Network Protocols
- MITMProxy - [https://mitmproxy.org/](https://mitmproxy.org/)
- DNSChef - [https://github.com/iphelix/dnschef](https://github.com/iphelix/dnschef)

# [Operating Systems:](https://github.com/0x4143/malware-gems#operating-systems)

- Remnux - [https://remnux.org/](https://remnux.org/)
- SIFT - [https://digital-forensics.sans.org/community/downloads](https://digital-forensics.sans.org/community/downloads)
- Kali - [https://www.kali.org/](https://www.kali.org/)
- CAINE - [http://www.caine-live.net/](http://www.caine-live.net/)
- Metasploitable 3 - [https://github.com/rapid7/metasploitable3](https://github.com/rapid7/metasploitable3)
- DVWA - [http://www.dvwa.co.uk/](http://www.dvwa.co.uk/)
- Security Onion - [https://securityonion.net/](https://securityonion.net/)
- FLARE VM - [https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html](https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html)
- OWASP WebGoat - [https://www.owasp.org/index.php/WebGoat_Installation#Installing_to_Windows](https://www.owasp.org/index.php/WebGoat_Installation#Installing_to_Windows)
- OWASP Bricks - [https://www.owasp.org/index.php/OWASP_Bricks](https://www.owasp.org/index.php/OWASP_Bricks)
- OWASP Mantra - [http://www.getmantra.com/](http://www.getmantra.com/)
- Tails - [https://tails.boum.org/](https://tails.boum.org/)
- Whonix - [https://www.whonix.org/](https://www.whonix.org/)
- Santoku - [https://santoku-linux.com/about-santoku/](https://santoku-linux.com/about-santoku/)

# [OSINT Online Tools:](https://github.com/0x4143/malware-gems#osint-online-tools)

- OSINT Gathering - [https://posts.specterops.io/gathering-open-source-intelligence-bee58de48e05](https://posts.specterops.io/gathering-open-source-intelligence-bee58de48e05)
- Automating OSINT Blog - [http://www.automatingosint.com/blog/](http://www.automatingosint.com/blog/)
- SpiderFoot - [https://www.spiderfoot.net/](https://www.spiderfoot.net/)
- Buscador - [https://inteltechniques.com/buscador/](https://inteltechniques.com/buscador/)

# [Password Cracking:](https://github.com/0x4143/malware-gems#password-cracking)

- Hashcat - [https://github.com/hashcat/hashcat](https://github.com/hashcat/hashcat)
- Crack.sh - [https://crack.sh/](https://crack.sh/)
- Mimikatz - [https://github.com/gentilkiwi/mimikatz](https://github.com/gentilkiwi/mimikatz)
- Ophcrack - [http://ophcrack.sourceforge.net/](http://ophcrack.sourceforge.net/)

# [Podcasts:](https://github.com/0x4143/malware-gems#podcasts)

- Security Now - [https://www.grc.com/securitynow.htm](https://www.grc.com/securitynow.htm)
- SANS Stormcast - [https://isc.sans.edu/podcast.html](https://isc.sans.edu/podcast.html)
- Down the Security Rabbithole - [http://podcast.wh1t3rabbit.net/](http://podcast.wh1t3rabbit.net/)
- Defensive Security - [https://defensivesecurity.org/category/podcast/](https://defensivesecurity.org/category/podcast/)
- Paul's Security Weekly - [https://wiki.securityweekly.com/Show_Notes](https://wiki.securityweekly.com/Show_Notes)
- RunAs Radio - [http://www.runasradio.com/](http://www.runasradio.com/)
- Defensive Security Podcast - [https://defensivesecurity.org/](https://defensivesecurity.org/)
- Darknet Diaries - [https://darknetdiaries.com/](https://darknetdiaries.com/)
- Risky Business Podcast - [https://risky.biz/](https://risky.biz/)
- Security Nation Podcast - [https://podcasts.apple.com/gb/podcast/security-nation/id1124543784](https://podcasts.apple.com/gb/podcast/security-nation/id1124543784)
- Smashing Security - [https://www.smashingsecurity.com/](https://www.smashingsecurity.com/)

# [PowerShell decoding:](https://github.com/0x4143/malware-gems#powershell-decoding)

- PSDecode - [https://github.com/R3MRUM/PSDecode](https://github.com/R3MRUM/PSDecode)
- PyPowerShellXray - [https://github.com/JohnLaTwC/PyPowerShellXray](https://github.com/JohnLaTwC/PyPowerShellXray)
- PowerShellRunBox: Analyzing PowerShell Threats Using PowerShell Debugging - [https://darungrim.com/research/2019-10-01-analyzing-powershell-threats-using-powershell-debugging.html](https://darungrim.com/research/2019-10-01-analyzing-powershell-threats-using-powershell-debugging.html)

# [Ransomware:](https://github.com/0x4143/malware-gems#ransomware)

- No More Ransom - [https://www.nomoreransom.org/en/index.html](https://www.nomoreransom.org/en/index.html)
- ID Ransomware - [https://id-ransomware.malwarehunterteam.com/](https://id-ransomware.malwarehunterteam.com/)
- Emsisoft decrypters - [https://www.emsisoft.com/ransomware-decryption-tools/](https://www.emsisoft.com/ransomware-decryption-tools/)

# [Reading Material:](https://github.com/0x4143/malware-gems#reading-material)

- Reverse Engineering for Beginners - [https://beginners.re/](https://beginners.re/)
- Phrack - [http://phrack.org/](http://phrack.org/)
- Crypto 101 - [https://www.crypto101.io/](https://www.crypto101.io/)
- Hacker Manifesto - [http://phrack.org/issues/7/3.html](http://phrack.org/issues/7/3.html)
- How to Become a Hacker - [http://www.catb.org/esr/faqs/hacker-howto.html](http://www.catb.org/esr/faqs/hacker-howto.html)
- Zines - [https://github.com/fdiskyou/Zines](https://github.com/fdiskyou/Zines)
- Hackaday - [https://hackaday.com/blog/](https://hackaday.com/blog/)
- Hacktress - [http://www.hacktress.com/](http://www.hacktress.com/)
- Reddit - [https://www.reddit.com/r/ReverseEngineering/](https://www.reddit.com/r/ReverseEngineering/)
- Windows API Index - [https://msdn.microsoft.com/en-gb/library/windows/desktop/hh920508(v=vs.85).aspx](https://msdn.microsoft.com/en-gb/library/windows/desktop/hh920508(v=vs.85).aspx)
- Raw Hex - [https://rawhex.com/](https://rawhex.com/)
- DigiNinja - [https://digi.ninja/](https://digi.ninja/)
- Team Cymru - [http://www.team-cymru.org/index.html](http://www.team-cymru.org/index.html)
- Lenny Zeltser - [https://zeltser.com/malicious-software/](https://zeltser.com/malicious-software/)
- OverAPI - [http://overapi.com/](http://overapi.com/)
- HackBack - [https://pastebin.com/0SNSvyjJ](https://pastebin.com/0SNSvyjJ)
- FlexiDie - [https://pastebin.com/raw/Y1yf8kq0](https://pastebin.com/raw/Y1yf8kq0)
- DefCon archive - [https://media.defcon.org/](https://media.defcon.org/)
- Malwology - [https://malwology.com/](https://malwology.com/)
- Stuxnet's Footprint in memory with Volatility - [http://mnin.blogspot.co.uk/2011/06/examining-stuxnets-footprint-in-memory.html](http://mnin.blogspot.co.uk/2011/06/examining-stuxnets-footprint-in-memory.html)
- AtomBombing - [https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows/](https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows/)
- Malware Archaeology - [https://www.malwarearchaeology.com/cheat-sheets](https://www.malwarearchaeology.com/cheat-sheets)
- ShinoLocker - [https://shinolocker.com/](https://shinolocker.com/)
- A crash course in x86 assembly for reverse engineers - [https://sensepost.com/blogstatic/2014/01/SensePost_crash_course_in_x86_assembly-.pdf](https://sensepost.com/blogstatic/2014/01/SensePost_crash_course_in_x86_assembly-.pdf)
- Zero Days, Thousands of Nights - [https://www.rand.org/pubs/research_reports/RR1751.html](https://www.rand.org/pubs/research_reports/RR1751.html)
- Shadow Brokers Exploit Reference Table - [https://docs.google.com/spreadsheets/d/1sD4rebofrkO9Rectt5S3Bzw6RnPpbJrMV-L1mS10HQc/edit#gid=1602324093](https://docs.google.com/spreadsheets/d/1sD4rebofrkO9Rectt5S3Bzw6RnPpbJrMV-L1mS10HQc/edit#gid=1602324093)
- GracefulSecurity - [https://www.gracefulsecurity.com/infrastructure-security-articles/](https://www.gracefulsecurity.com/infrastructure-security-articles/)
- Cybersecurity ain't easy. Let's talk about it - [https://itspmagazine.com/itsp-chronicles/cybersecurity-ain-t-easy-lets-talk-about-it](https://itspmagazine.com/itsp-chronicles/cybersecurity-ain-t-easy-lets-talk-about-it)
- How to become the best malware analyst e-v-e-r - [http://www.hexacorn.com/blog/2018/04/14/how-to-become-the-best-malware-analyst-e-v-e-r/](http://www.hexacorn.com/blog/2018/04/14/how-to-become-the-best-malware-analyst-e-v-e-r/)
- Definitive Dossier of Devilish Debug Details – Part One: PDB Paths and Malware - [https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html](https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html)
- Dr Fu's Security Blog - [http://fumalwareanalysis.blogspot.com/p/malware-analysis-tutorials-reverse.html](http://fumalwareanalysis.blogspot.com/p/malware-analysis-tutorials-reverse.html)
- Encoding vs. Encryption vs. Hashing vs. Obfuscation - [https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/](https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/)
- Introduction to reverse engineering and Assembly - [https://kakaroto.homelinux.net/2017/11/introduction-to-reverse-engineering-and-assembly/](https://kakaroto.homelinux.net/2017/11/introduction-to-reverse-engineering-and-assembly/)
- Getting started with reverse engineering - [https://lospi.net/developing/software/software%20engineering/reverse%20engineering/assembly/2015/03/06/reversing-with-ida.html](https://lospi.net/developing/software/software%20engineering/reverse%20engineering/assembly/2015/03/06/reversing-with-ida.html)
- Guide to x86 Assembly - [http://www.cs.virginia.edu/~evans/cs216/guides/x86.html](http://www.cs.virginia.edu/~evans/cs216/guides/x86.html)
- Nightmare (RE) - [https://github.com/guyinatuxedo/nightmare](https://github.com/guyinatuxedo/nightmare)
- PDB Files: What Every Developer Must Know - [https://www.wintellect.com/pdb-files-what-every-developer-must-know](https://www.wintellect.com/pdb-files-what-every-developer-must-know)
- BOLO: Reverse Engineering — Part 1 (Basic Programming Concepts) - [https://medium.com/bugbountywriteup/bolo-reverse-engineering-part-1-basic-programming-concepts-f88b233c63b7](https://medium.com/bugbountywriteup/bolo-reverse-engineering-part-1-basic-programming-concepts-f88b233c63b7)
- BOLO: Reverse Engineering — Part 2 (Advanced Programming Concepts) - [https://medium.com/@danielabloom/bolo-reverse-engineering-part-2-advanced-programming-concepts-b4e292b2f3e](https://medium.com/@danielabloom/bolo-reverse-engineering-part-2-advanced-programming-concepts-b4e292b2f3e)
- String Hashing: Reverse Engineering an Anti-Analysis Control - [https://r3mrum.wordpress.com/2018/02/15/string-hashing-reverse-engineering-an-anti-analysis-control/](https://r3mrum.wordpress.com/2018/02/15/string-hashing-reverse-engineering-an-anti-analysis-control/)
- Ground Zero: Part 1 – Reverse Engineering Basics – Linux x64 - [https://0xdarkvortex.dev/index.php/2018/04/09/ground-zero-part-1-reverse-engineering-basics/](https://0xdarkvortex.dev/index.php/2018/04/09/ground-zero-part-1-reverse-engineering-basics/)
- Let's Build a Compiler - [https://compilers.iecc.com/crenshaw/](https://compilers.iecc.com/crenshaw/)
- Static Malware Analysis with OLE Tools and CyberChef - [https://newtonpaul.com/static-malware-analysis-with-ole-tools-and-cyber-chef/](https://newtonpaul.com/static-malware-analysis-with-ole-tools-and-cyber-chef/)
- An Introduction to Reverse Engineering - [https://www.muppetlabs.com/~breadbox/txt/bure.html](https://www.muppetlabs.com/~breadbox/txt/bure.html)
- VXUnderground - [https://vx-underground.org/papers.html](https://vx-underground.org/papers.html)
- Tracking Advanced Persistent Threats (APTs) via Shared Code - [https://medium.com/@arun_73782/tracking-apts-by-shared-code-5e88a2ae2363](https://medium.com/@arun_73782/tracking-apts-by-shared-code-5e88a2ae2363)
- YARA Hunting for Code Reuse: DoppelPaymer Ransomware & Dridex Families - [https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/](https://www.sentinelone.com/blog/yara-hunting-for-code-reuse-doppelpaymer-ransomware-dridex-families/)
- Here We GO: Crimeware Virus & APT Journey From “RobbinHood” to APT28 - [https://www.sentinelone.com/blog/here-we-go-crimeware-apt-journey-from-robbinhood-to-apt28/](https://www.sentinelone.com/blog/here-we-go-crimeware-apt-journey-from-robbinhood-to-apt28/)
- The mysterious case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day - [https://securelist.com/the-mysterious-case-of-cve-2016-0034-the-hunt-for-a-microsoft-silverlight-0-day/73255/](https://securelist.com/the-mysterious-case-of-cve-2016-0034-the-hunt-for-a-microsoft-silverlight-0-day/73255/)
- Process Injection part 1 of 5 - [https://3xpl01tc0d3r.blogspot.com/2019/08/process-injection-part-i.html](https://3xpl01tc0d3r.blogspot.com/2019/08/process-injection-part-i.html)
- OSINT: Chasing Malware + C&C Servers - [https://medium.com/secjuice/chasing-malware-and-c-c-servers-in-osint-style-3c893dc1e8cb](https://medium.com/secjuice/chasing-malware-and-c-c-servers-in-osint-style-3c893dc1e8cb)
- Daily dose of malware - [https://github.com/woj-ciech/Daily-dose-of-malware](https://github.com/woj-ciech/Daily-dose-of-malware)
- Tracking Malware with Import Hashing - [https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html](https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html)
- STOMP 2 DIS: Brilliance in the (Visual) Basics - [https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html](https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html)
- Advanced Binary Deobfuscation - [https://github.com/malrev/ABD](https://github.com/malrev/ABD)
- A Case Study Into Solving Crypters/packers in Malware Obfuscation Using an SMT Approach - [https://vixra.org/abs/2002.0183](https://vixra.org/abs/2002.0183)
- ReCon Montreal Archives - [https://recon.cx/2019/montreal/archives/](https://recon.cx/2019/montreal/archives/)
- FLARE IDA Pro Script Series: MSDN Annotations IDA Pro for Malware Analysis - [https://www.fireeye.com/blog/threat-research/2014/09/flare-ida-pro-script-series-msdn-annotations-ida-pro-for-malware-analysis.html](https://www.fireeye.com/blog/threat-research/2014/09/flare-ida-pro-script-series-msdn-annotations-ida-pro-for-malware-analysis.html)
- Analyzing Modern Malware Techniques - Part 1 (of 4) - [https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663](https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663)
- What Every Computer Programmer Should Know About Windows API, CRT, and the Standard C++ Library - [https://www.codeproject.com/Articles/22642/What-Every-Computer-Programmer-Should-Know-About-W](https://www.codeproject.com/Articles/22642/What-Every-Computer-Programmer-Should-Know-About-W)
- theForger's Win32 API Programming Tutorial - [http://www.winprog.org/tutorial/start.html](http://www.winprog.org/tutorial/start.html)
- Unbreakable Cryptography in 5 Minutes - [https://blog.xrds.acm.org/2012/08/unbreakable-cryptography-in-5-minutes/](https://blog.xrds.acm.org/2012/08/unbreakable-cryptography-in-5-minutes/)
- Let’s play (again) with Predator the thief - [https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/](https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/)
- VMProtect Introduction - [https://shhoya.github.io/vmp_vmpintro.html](https://shhoya.github.io/vmp_vmpintro.html)
- Azorult loader stages - [https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/](https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/)
- Reversing Malware Command and Control: From Sockets to COM - [https://www.fireeye.com/blog/threat-research/2010/08/reversing-malware-command-control-sockets.html](https://www.fireeye.com/blog/threat-research/2010/08/reversing-malware-command-control-sockets.html)
- Indicators of Compromise (IoCs) and Their Role in Attack Defence - [https://tools.ietf.org/html/draft-paine-smart-indicators-of-compromise-00](https://tools.ietf.org/html/draft-paine-smart-indicators-of-compromise-00)
- Zombieland CTF – Reverse Engineering for Beginners - [https://mcb101.blog/2019/10/11/zombieland-ctf-reverse-engineering-for-beginners/](https://mcb101.blog/2019/10/11/zombieland-ctf-reverse-engineering-for-beginners/)
- Fu11Shade Windows Exploitation - [https://fullpwnops.com/windows-exploitation-pathway.html](https://fullpwnops.com/windows-exploitation-pathway.html)

# [Sandbox Tools (Online):](https://github.com/0x4143/malware-gems#sandbox-tools-online)

- VirusTotal - [https://www.virustotal.com](https://www.virustotal.com/)
- Malwr - [https://malwr.com/](https://malwr.com/)
- Reverse.it - [https://www.reverse.it/](https://www.reverse.it/)
- Open Analysis - [http://www.openanalysis.net/](http://www.openanalysis.net/)
- ANY.RUN - [https://any.run/](https://any.run/)
- Hybrid Analysis - [https://www.hybrid-analysis.com/](https://www.hybrid-analysis.com/)
- Intezer Analyze - [https://analyze.intezer.com/](https://analyze.intezer.com/)

# [Sandbox Tools (Offline):](https://github.com/0x4143/malware-gems#sandbox-tools-offline)

- Noriben - [https://github.com/Rurik/Noriben](https://github.com/Rurik/Noriben)
- Cuckoo - [https://www.cuckoosandbox.org/](https://www.cuckoosandbox.org/)
- PyREBox - [https://github.com/Cisco-Talos/pyrebox](https://github.com/Cisco-Talos/pyrebox)
- Viper - [http://viper.li/](http://viper.li/)
- MISP - [http://www.misp-project.org/](http://www.misp-project.org/)
- Sandboxie - [https://www.sandboxie.com/](https://www.sandboxie.com/)
- Ph0neutria - [https://github.com/phage-nz/ph0neutria](https://github.com/phage-nz/ph0neutria)
- FlareVM - [https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html](https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html)

# [Shellcode Tools:](https://github.com/0x4143/malware-gems#shellcode-tools)

- JMP2IT - [https://github.com/adamkramer/jmp2it](https://github.com/adamkramer/jmp2it)
- Shellcode2exe.py - [https://github.com/MarioVilas/shellcode_tools](https://github.com/MarioVilas/shellcode_tools)
- ConvertShellCode - [http://le-tools.com/ConvertShellcode.html](http://le-tools.com/ConvertShellcode.html)
- scdbg - [http://sandsprite.com/blogs/index.php?uid=7&pid=152](http://sandsprite.com/blogs/index.php?uid=7&pid=152)

# [Static Analysis Tools:](https://github.com/0x4143/malware-gems#static-analysis-tools)

- PEiD - [https://www.aldeid.com/wiki/PEiD](https://www.aldeid.com/wiki/PEiD)
- McAfee FileInsight - [https://www.mcafee.com/uk/downloads/free-tools/fileinsight.aspx](https://www.mcafee.com/uk/downloads/free-tools/fileinsight.aspx)
- HashMyFiles - [http://www.nirsoft.net/utils/hash_my_files.html](http://www.nirsoft.net/utils/hash_my_files.html)
- CFF Explorer - [http://www.ntcore.com/exsuite.php](http://www.ntcore.com/exsuite.php)
- AnalyzePESig - [https://blog.didierstevens.com/2012/10/01/searching-for-that-adobe-cert/](https://blog.didierstevens.com/2012/10/01/searching-for-that-adobe-cert/)
- ByteHist - [https://www.cert.at/downloads/software/bytehist_en.html](https://www.cert.at/downloads/software/bytehist_en.html)
- Exeinfo - [http://exeinfo.pe.hu/](http://exeinfo.pe.hu/)
- Scylla - [https://github.com/NtQuery/Scylla](https://github.com/NtQuery/Scylla)
- MASTIFF - [https://git.korelogic.com/mastiff.git/](https://git.korelogic.com/mastiff.git/)
- PEframe - [https://github.com/guelfoweb/peframe](https://github.com/guelfoweb/peframe)
- PEscan - [https://tzworks.net/prototype_page.php?proto_id=15](https://tzworks.net/prototype_page.php?proto_id=15)
- PEstudio - [https://www.winitor.com/](https://www.winitor.com/)
- PE-Bear - [https://hshrzd.wordpress.com/2013/07/09/introducing-new-pe-files-reversing-tool/](https://hshrzd.wordpress.com/2013/07/09/introducing-new-pe-files-reversing-tool/)
- PE-sieve - [https://github.com/hasherezade/pe-sieve](https://github.com/hasherezade/pe-sieve)
- Flare-Floss - [https://github.com/fireeye/flare-floss](https://github.com/fireeye/flare-floss)
- PatchDiff2 - [https://github.com/filcab/patchdiff2](https://github.com/filcab/patchdiff2)
- PE Insider - [http://cerbero.io/peinsider/](http://cerbero.io/peinsider/)
- Resource Hacker - [http://www.angusj.com/resourcehacker/](http://www.angusj.com/resourcehacker/)
- DarunGrim - [https://github.com/ohjeongwook/DarunGrim](https://github.com/ohjeongwook/DarunGrim)
- Mal Tindex - [https://github.com/joxeankoret/maltindex](https://github.com/joxeankoret/maltindex)
- Manalyze - [https://github.com/JusticeRage/Manalyze](https://github.com/JusticeRage/Manalyze)
- PDBlaster - [https://github.com/SecurityRiskAdvisors/PDBlaster](https://github.com/SecurityRiskAdvisors/PDBlaster)
- ImpFuzzy - [https://github.com/JPCERTCC/impfuzzy](https://github.com/JPCERTCC/impfuzzy)
- Florentino - [https://github.com/0xsha/florentino/blob/master/README.md](https://github.com/0xsha/florentino/blob/master/README.md)
- Viper - [https://viper.li/en/latest/](https://viper.li/en/latest/)

# [Text/hex Editor Tools:](https://github.com/0x4143/malware-gems#texthex-editor-tools)

- Notepad++ - [https://notepad-plus-plus.org/](https://notepad-plus-plus.org/)
- 010 Editor - [https://www.sweetscape.com/010editor/](https://www.sweetscape.com/010editor/)
- HxD - [https://mh-nexus.de/en/hxd/](https://mh-nexus.de/en/hxd/)
- BinText - [https://www.aldeid.com/wiki/BinText](https://www.aldeid.com/wiki/BinText)
- Hexinator - [https://hexinator.com/](https://hexinator.com/)

# [Threat Intelligence:](https://github.com/0x4143/malware-gems#threat-intelligence)

- ThreatMiner - [https://www.threatminer.org/](https://www.threatminer.org/)
- RiskIQ Community - [https://community.riskiq.com/home](https://community.riskiq.com/home)
- PasteBin - [https://pastebin.com/](https://pastebin.com/)
- Shodan - [https://www.shodan.io/](https://www.shodan.io/)
- Censys - [https://censys.io/](https://censys.io/)
- DNSdumpster - [https://dnsdumpster.com/](https://dnsdumpster.com/)
- URLHaus - [https://urlhaus.abuse.ch/](https://urlhaus.abuse.ch/)
- AlienVault OTX - [https://otx.alienvault.com/](https://otx.alienvault.com/)
- C2 Tracker - [http://tracker.viriback.com/stats.php](http://tracker.viriback.com/stats.php)
- MISP - [https://www.misp-project.org/](https://www.misp-project.org/)
- The Hive - [https://thehive-project.org/](https://thehive-project.org/)
- Yeti - [https://yeti-platform.github.io/](https://yeti-platform.github.io/)
- Using ATT&CK for CTI Training - [https://attack.mitre.org/resources/training/cti/](https://attack.mitre.org/resources/training/cti/)
- PasteScraper - [https://github.com/PimmyTrousers/pastescraper](https://github.com/PimmyTrousers/pastescraper)

# [Training:](https://github.com/0x4143/malware-gems#training)

- Cybrary - [https://www.cybrary.it/](https://www.cybrary.it/)
- Corelan Team - [https://www.corelan.be/](https://www.corelan.be/)
- Open Security Training - [http://opensecuritytraining.info/Training.html](http://opensecuritytraining.info/Training.html)
- Offensive Computer Security - [http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/lectures.html](http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/lectures.html)
- PentesterLab - [https://pentesterlab.com/](https://pentesterlab.com/)
- Malware Traffic Analysis - [http://www.malware-traffic-analysis.net/training-exercises.html](http://www.malware-traffic-analysis.net/training-exercises.html)
- MIT Open Courseware - [https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-858-computer-systems-security-fall-2014/video-lectures/](https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-858-computer-systems-security-fall-2014/video-lectures/)
- OALabs - [https://vimeo.com/oalabs](https://vimeo.com/oalabs)
- OALabs - [https://www.youtube.com/channel/UC--DwaiMV-jtO-6EvmKOnqg/videos](https://www.youtube.com/channel/UC--DwaiMV-jtO-6EvmKOnqg/videos)
- MalwareAnalysisForHedgeHogs - [https://www.youtube.com/channel/UCVFXrUwuWxNlm6UNZtBLJ-A](https://www.youtube.com/channel/UCVFXrUwuWxNlm6UNZtBLJ-A)
- Malware Unicorn - [https://securedorg.github.io/](https://securedorg.github.io/)
- Tuts4You - [https://tuts4you.com/](https://tuts4you.com/)
- Lena's Reversing for Newbies - [https://tuts4you.com/download.php?list.17](https://tuts4you.com/download.php?list.17)
- Introduction to WinDBG - [https://www.youtube.com/watch?list=PLhx7-txsG6t6n_E2LgDGqgvJtCHPL7UFu&time_continue=1&v=8zBpqc3HkSE](https://www.youtube.com/watch?list=PLhx7-txsG6t6n_E2LgDGqgvJtCHPL7UFu&time_continue=1&v=8zBpqc3HkSE)
- Colin Hardy - [https://www.youtube.com/channel/UCND1KVdVt8A580SjdaS4cZg/videos](https://www.youtube.com/channel/UCND1KVdVt8A580SjdaS4cZg/videos)
- OWASP AppSec Tutorials - [http://owasp-academy.teachable.com/p/owasp-appsec-tutorials](http://owasp-academy.teachable.com/p/owasp-appsec-tutorials)
- Modern Binary Exploitation - [https://github.com/RPISEC/MBE](https://github.com/RPISEC/MBE)
- FuzzySecurity - [http://www.fuzzysecurity.com/tutorials.html](http://www.fuzzysecurity.com/tutorials.html)
- Linux Journey - [https://linuxjourney.com/](https://linuxjourney.com/)
- Pivot Project - [http://pivotproject.org/](http://pivotproject.org/)
- Security Tube - [http://www.securitytube-training.com/index.html](http://www.securitytube-training.com/index.html)
- Packet Life Cheat Sheets - [http://packetlife.net/library/cheat-sheets/?_escaped_fragment_=#](http://packetlife.net/library/cheat-sheets/?_escaped_fragment_=#)
- SecurityXploded - [http://securityxploded.com/](http://securityxploded.com/)
- MalwareMustDie - [https://www.youtube.com/playlist?list=PLSe6fLFf1YDX-2sog70220BchQmhVqQ75](https://www.youtube.com/playlist?list=PLSe6fLFf1YDX-2sog70220BchQmhVqQ75)
- Win32Assembly - [http://win32assembly.programminghorizon.com/tutorials.html](http://win32assembly.programminghorizon.com/tutorials.html)
- RPISEC - [https://github.com/RPISEC/Malware/blob/master/README.md](https://github.com/RPISEC/Malware/blob/master/README.md)
- RPISEC - [https://github.com/RPISEC/MBE](https://github.com/RPISEC/MBE)
- Reverse Engineering Challenges - [https://challenges.re/](https://challenges.re/)
- HackerOne - [https://www.hackerone.com/](https://www.hackerone.com/)
- Google Python Class - [https://developers.google.com/edu/python/](https://developers.google.com/edu/python/)
- Guide to x86 Assembly - [http://www.cs.virginia.edu/~evans/cs216/guides/x86.html](http://www.cs.virginia.edu/~evans/cs216/guides/x86.html)
- Code Blocks - [http://www.codeblocks.org/](http://www.codeblocks.org/)
- Wireshark Course - [https://www.youtube.com/watch?v=XTSc2mPF4II&t=25s](https://www.youtube.com/watch?v=XTSc2mPF4II&t=25s)
- Maltrak Malware Analyst webinar - [http://maltrak.com/webinar-registration](http://maltrak.com/webinar-registration)
- Intro to ARM assembly basics - [https://azeria-labs.com/writing-arm-assembly-part-1/](https://azeria-labs.com/writing-arm-assembly-part-1/)
- Life in Hex - [https://lifeinhex.com/category/reversing/](https://lifeinhex.com/category/reversing/)
- The Cuckoo's Egg Decompiled Online Course - [http://chrissanders.org/cuckoosegg/](http://chrissanders.org/cuckoosegg/)
- Creating Yara Rules for Malware Detection - [https://www.real0day.com/hacking-tutorials/yara](https://www.real0day.com/hacking-tutorials/yara)
- Windows Privilege Escalation Guide - [https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/](https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
- Amr Thabet shellcode training - [https://www.youtube.com/channel/UCkY_8Hz8ojyQQ9S6bPnHa7g](https://www.youtube.com/channel/UCkY_8Hz8ojyQQ9S6bPnHa7g)
- Hexacorn Converting Shellcode to Portable Executable (32- and 64-bit) - [http://www.hexacorn.com/blog/2015/12/10/converting-shellcode-to-portable-executable-32-and-64-bit/](http://www.hexacorn.com/blog/2015/12/10/converting-shellcode-to-portable-executable-32-and-64-bit/)
- Learn Forensics with David Cowen - [https://www.youtube.com/user/LearnForensics/featured](https://www.youtube.com/user/LearnForensics/featured)
- Raphael Mudge (various; in-memory evasion/detection) - [https://www.youtube.com/user/DashnineMedia/videos](https://www.youtube.com/user/DashnineMedia/videos)
- Assembly programming tutorial - [https://www.tutorialspoint.com/assembly_programming/index.htm](https://www.tutorialspoint.com/assembly_programming/index.htm)
- RPISec Training - [https://github.com/RPISEC/Malware](https://github.com/RPISEC/Malware)
- Intro to Computer Science - [https://www.edx.org/course/introduction-to-computer-science-and-programming-7](https://www.edx.org/course/introduction-to-computer-science-and-programming-7)
- Ringzer0 - [https://www.ringzer0.training/](https://www.ringzer0.training/)
- Reversing Hero - [https://www.reversinghero.com/](https://www.reversinghero.com/)
- MIT Open Courseware - [https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-00-introduction-to-computer-science-and-programming-fall-2008/video-lectures/](https://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-00-introduction-to-computer-science-and-programming-fall-2008/video-lectures/)
- Reverse Engineering and malware analysis 101 - [https://github.com/abhisek/reverse-engineering-and-malware-analysis](https://github.com/abhisek/reverse-engineering-and-malware-analysis)
- Reverse engineering intel x64 - [https://github.com/0xdidu/Reverse-Engineering-Intel-x64-101](https://github.com/0xdidu/Reverse-Engineering-Intel-x64-101)
- C++ Tutorial for Beginners - Full Course - [https://www.youtube.com/watch?v=vLnPwxZdW4Y](https://www.youtube.com/watch?v=vLnPwxZdW4Y)
- ELF Reversing Tutorial - [https://www.youtube.com/playlist?list=PLsNNY-Xea3ra42GZDnvTB46G4p-5oUpFf](https://www.youtube.com/playlist?list=PLsNNY-Xea3ra42GZDnvTB46G4p-5oUpFf)
- Adversary Tactics: PowerShell - [https://github.com/specterops/at-ps](https://github.com/specterops/at-ps)
- Malware Unicorn Reverse Engineering 101 - [https://malwareunicorn.org/workshops/re101.html#0](https://malwareunicorn.org/workshops/re101.html#0)
- Modern Binary Exploitation - [http://security.cs.rpi.edu/courses/binexp-spring2015/](http://security.cs.rpi.edu/courses/binexp-spring2015/)
- Ghidra Courses - [https://ghidra.re/online-courses/](https://ghidra.re/online-courses/)
- Technical Writing Courses - [https://developers.google.com/tech-writing](https://developers.google.com/tech-writing)
- Introduction to Malware Analysis and Reverse Engineering - [https://class.malware.re/](https://class.malware.re/)
- Binary Analysis Course - [https://maxkersten.nl/binary-analysis-course/](https://maxkersten.nl/binary-analysis-course/)
- Josh Stroschein - [https://www.youtube.com/user/jstrosch/videos](https://www.youtube.com/user/jstrosch/videos)
- How to hack together your own CS degree online for free - [https://www.freecodecamp.org/news/how-to-hack-your-own-cs-degree-for-free/](https://www.freecodecamp.org/news/how-to-hack-your-own-cs-degree-for-free/)
- Zero 2 Automated - [https://courses.zero2auto.com/adv-malware-analysis-course](https://courses.zero2auto.com/adv-malware-analysis-course)

# [Unpacking:](https://github.com/0x4143/malware-gems#unpacking)

- UnpacMe - [https://www.unpac.me/#/](https://www.unpac.me/#/)
- Unipacker - [https://github.com/unipacker/unipacker](https://github.com/unipacker/unipacker)

# [VBA Deobfuscation Tools:](https://github.com/0x4143/malware-gems#vba-deobfuscation-tools)

- pcodedmp - [https://github.com/bontchev/pcodedmp](https://github.com/bontchev/pcodedmp)
- vba-dynamic-hook - [https://github.com/eset/vba-dynamic-hook](https://github.com/eset/vba-dynamic-hook)
- ViperMonkey - [https://github.com/decalage2/ViperMonkey](https://github.com/decalage2/ViperMonkey)

# [Video:](https://github.com/0x4143/malware-gems#video)

- Teach Yourself Computer Science - [https://teachyourselfcs.com/](https://teachyourselfcs.com/)
- CS50 at Harvard - [https://cs50.harvard.edu/](https://cs50.harvard.edu/)
- J4vv4D - [https://www.j4vv4d.com/videos/](https://www.j4vv4d.com/videos/)
- Movies for Hackers - [https://github.com/k4m4/movies-for-hackers](https://github.com/k4m4/movies-for-hackers)
- Can You Hack It - [https://www.youtube.com/watch?v=GWr5kbHt_2E](https://www.youtube.com/watch?v=GWr5kbHt_2E)
- Chris Nickerson talk - [http://www.irongeek.com/i.php?page=videos/derbycon5/teach-me14-started-from-the-bottom-now-im-here-how-to-ruin-your-life-by-getting-everything-you-ever-wanted-chris-nickerson](http://www.irongeek.com/i.php?page=videos/derbycon5/teach-me14-started-from-the-bottom-now-im-here-how-to-ruin-your-life-by-getting-everything-you-ever-wanted-chris-nickerson)
- Zoz - Don't Fuck it Up - [https://www.youtube.com/watch?v=J1q4Ir2J8P8](https://www.youtube.com/watch?v=J1q4Ir2J8P8)
- Rob Joyce (NSA) - Disrupting Nation State Hackers - [https://www.youtube.com/watch?v=bDJb8WOJYdA](https://www.youtube.com/watch?v=bDJb8WOJYdA)
- Wannacry: The Marcus Hutchins Story - All 3 Chapters - [https://www.youtube.com/watch?v=vveLaA-z3-o&t=451s](https://www.youtube.com/watch?v=vveLaA-z3-o&t=451s)
- DEF CON 23 - Chris Domas - Repsych: Psychological Warfare in Reverse Engineering - [https://www.youtube.com/watch?v=HlUe0TUHOIc](https://www.youtube.com/watch?v=HlUe0TUHOIc)
- SAS2018: Finding aliens, star weapons and ponies with YARA - [https://www.youtube.com/watch?v=fbidgtOXvc0](https://www.youtube.com/watch?v=fbidgtOXvc0)

# [XOR Decoding Tools:](https://github.com/0x4143/malware-gems#xor-decoding-tools)

- bbcrack - [https://www.decalage.info/python/balbuzard](https://www.decalage.info/python/balbuzard)
- Brutexor - [https://www.aldeid.com/wiki/Brutexor-iheartxor](https://www.aldeid.com/wiki/Brutexor-iheartxor)
- ConverterNET - [http://www.kahusecurity.com/2017/converternet-v0-1-released/](http://www.kahusecurity.com/2017/converternet-v0-1-released/)
- NoMoreXOR - [https://github.com/hiddenillusion/NoMoreXOR](https://github.com/hiddenillusion/NoMoreXOR)

# [Yara Related:](https://github.com/0x4143/malware-gems#yara-related)

- Yara - [https://virustotal.github.io/yara/](https://virustotal.github.io/yara/)
- Stringless Yara Rules - [https://inquest.net/blog/2018/09/30/yara-performance](https://inquest.net/blog/2018/09/30/yara-performance)
- YarGen - [https://github.com/Neo23x0/yarGen](https://github.com/Neo23x0/yarGen)
- Yara-Rules - [https://github.com/Yara-Rules/rules](https://github.com/Yara-Rules/rules)
- CONFidence 2019: "Utilizing YARA to Find Evolving Malware" - Jay Rosenberg - [https://www.youtube.com/watch?v=XMZ-c2Zwzjg](https://www.youtube.com/watch?v=XMZ-c2Zwzjg)
- SANS Webcast - YARA - Effectively using and generating rules - [https://www.youtube.com/watch?v=5A_O8X_JljI](https://www.youtube.com/watch?v=5A_O8X_JljI)
- Klara - [https://github.com/KasperskyLab/klara](https://github.com/KasperskyLab/klara)
- Open Source Yara Rules - [https://github.com/mikesxrs/Open-Source-YARA-rules](https://github.com/mikesxrs/Open-Source-YARA-rules)
