Malware Analysis and Incident Response Tools The idea of this repository is to serve as a base of all the tools that we might be using or I recommend to be used for performing different malware analysis and incident response tasks. The list will be updated with new tools regularly.

ONLINE SCANNERS

• VirusTotal
• HYBRID ANALYSIS
• Any > Run
  • Latest malware trends
• Malcore
• Malwr (uses Cuckoo in background)
• Malware.id

PORTABLE EXECUTABLE (PE)

• CFF Explorer
• PE-Bear
• Detect-It-Easy
• Dependency Walker
• PE Studio
• Resource Hacker
• Cerbero
• PE Explorer v2 by Zodiacon
• CAPA by FireEye FLARE Team
• Malwoverview
• XPEViewer

PACKERS/DECRYPTERS/COMPRESSORS/ETC

• Exeinfo PE (old version) or here (latest)
• PEiD (password = tuts4you) + signatures
• ASPack (trail)
• Detect it Easy (DiE) or here
• TitanMist
• Reflective PE Packer: Amber
• etc

MISC UTILITIES

• bstrings
• BinText
• StringSifter
• Graphivz
• Viper
• Ssdeep
• Visual Studio Code
• Exe_to_dll
• Awesome Docker
• etc

DYNAMIC ANALYSIS

• Microsoft SysInternals Suite
• Process Hacker
• ProcDOT or here
  • Save as PNG
  • Save as SVG
• RegShot
• Noriben
• X64dbg
  • Themes:
    • https://github.com/Dump-GUY/x64dbg---Dark-Theme
    • https://github.com/Fmk0/templates
• Immunity Debugger
• Rundll32 (LOLBin)
• Injector (Reflective DLL Injection)
• API Monitor
• PE Capture
• Tiny_tracer
• VISION-ProcMon 
  • blog
• Pe-sieve
• Hollows-hunter
• ReverseKit
• Mal_unpack
• etc

NETWORKING

• Mandiant ApateDNS
• WinDump
• CaptureBAT
• Fiddler (get the classic version)

INCIDENT RESPONSE

• Yara
• YExtend
• IOC Editor
• IOC Finder
• Yara rules
• YaraRET
• Yara Endpoint
• ClamAV
• Osquery
• GRR
• DumpIt (readings: 1, 2)
• Memdump (similar to SysInternals)
• Velociraptor
• Beagle
• VolatileDataCollector
• KAPE

REVERSE ENGINEERING AND DECOMPILERS

• Ghidra
• IDA Pro
  • Plugins:
    • https://github.com/herosi/CTO
• dnSpyEx .NET Decompiler and Debugger
• ExtremeDumper for .NET Executables
• Cutter
• Rizin
• Vb decompiler
• P32Dasm (vb decompiler)
• Online VB Script DeObfuscator/Obfuscator
• Visual Basic decompiler
• Online Decompiler
• Import Hash Generator
• MonoDevelop
• Decompiler Explorer
• etc

MEMORY FORENSICS: Acquisition and Analysis

• Rekall
• Volatility
• Volatility Workbench
• Volatility Repository (profiles, plugins, community plugins, etc)
• Rekall
• VolWeb
• FireEye Redline
• Belkasoft RAM Capturer (free requires registration)
• MAGNET RAM Capture (requires registration)
• Memoryze by FireEye (requires registration)
• Surge Collect by Volexity (Commercial)
• OSForensics by PassMark Software (commercial)
• WinPmem (open source), part of Rekall Memory forensic framework
• FTK Imager by AccessData (free requires registration)
• Comae Memory Toolkit (DumpIt) (free requires registration)
• MemProcFS
  • MemProcFS-Analyzer
  • MemProcFS-Hunter
• Trufflepig Forensics
• VSTriage
• etc

EMAIL FORENSICS: Analysis, etc

• EmlRender

MALWARE SAMPLES and CODE REPOSITORIES

• Any > Run
• Malware Bazaar
• Virusshare
• Anti-X Code and Research

EMULATORS, SANDBOXES, AND ANTI-X

• Qiling
• Blobrunner
• Frida
• Windows 10 Sandbox
• Shadow Defender
• Cuckoo
• CAPEv2
• AssemblyLine4
• VMwareCloak
• Linux Malware Analysis Sandbox
• etc

LISTS AND APIs

• Vergilius Project
• Windows APIs used by Malware
• https://github.com/rshipp/awesome-malware-analysis
• NtDoc

COURSES AND VIDEOS

• Life of Binaries
• Intro to x86 (Assembly x86)
• Intro to x64 (Assembly 64)
• Intro to x64 (Assembly 64)
• Intro to Reverse Engineering (RE) Malware
• Intro to Reverse Engineering (RE) Software
• Learn x64 Assembly
• Dynamic Malware Analysis
• My YouTube Channel (will be updated)
• Ransomware 101

CODE AND WHITE PAPERS

• VXUG Papers
• Kernel Data Structures (I depend on this reference)
• LoadLibrary-GetProcAddress-Replacements
• zerosum0x0 Defcon25 Workshop
• Windows Internals
• PROCESSINFOCLASS Native APIs

USEFUL TIPS AND TRICKS

• Yara Generation Tip
• Win32-shellcode

Something missing? You recommend somthing? Please let me know…