WhacAMole WhacAMole is a program that analyzes processes in memory in an integral way, detecting and alerting of anomalies related to the malware and presenting and saving in files all the relevant information for...
Network Flight Simulator flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility. The tool performs tests to simulate DNS tunneling, DGA traffic,...
iocextract This library extracts URLs, IP addresses, MD5/SHA hashes, email addresses, and YARA rules from text corpora. It includes some encoded and “defanged” IOCs in the output, and optionally decodes/refangs them. This library currently...
iMonitor iMonitor (Endpoint Behavior Analysis System – Then Open Source Procmon) is an endpoint behavior monitoring and analysis software based on iMonitorSDK. Provides monitoring of system behaviors such as processes, files, registry, and networks. Support...
FireEye Labs Obfuscated String Solver Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources...
Qiling – Advanced Binary Emulation framework Qiling is an advanced binary emulation framework, with the following features: Cross-platform: Windows, MacOS, Linux, BSD Cross architecture: X86, X86_64, Arm, Arm64, Mips Multiple file formats: PE, MachO,...
YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe)...
Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user-defined lists, where trail can be anything...
Tcpreplay is a suite of GPLv3 licensed utilities for UNIX (and Win32 under Cygwin) operating systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark. It allows you to classify traffic as client...
DRAKVUF Introduction It is a virtualization-based agentless black-box binary analysis system. DRAKVUF allows for in-depth execution tracing of arbitrary binaries (including operating systems), all without having to install any special software within the virtual...
