Moneta
Moneta is a live usermode memory analysis tool for Windows with the capability to detect malware IOCs. With fileless malware becoming ubiquitous in the Red Teaming world, dynamic code is a feature of...

kraken
Kraken is a simple cross-platform Yara scanner that can be built for Windows, Mac, FreeBSD, and Linux. It is primarily intended for incident response, research, and ad-hoc detections (not for endpoint protection). Following are...

VT Code Similarity Yara Generator
Yara rule generator using the VirusTotal code similarity feature (code-similar-to:). This Yara generator uses the VirusTotal ‘code-similar-to:’ beta search modifier to gather code blocks from PE files and automatically create a...

Vol3xp, Volatility 3 Explorer Plugins
RAMMap -> Physical Address Mapping (pfn.py): RAMMap (very similar to Rammap [SysInternals]), but it additionally marks any suspicious pages (for more information read the pdf). This module contains 3...

Hfinger – fingerprinting HTTP requests
Tool for fingerprinting HTTP requests of malware. Based on Tshark and written in Python3. Working prototype stage 🙂 Its main objective is to provide a representation of malware requests...

XLM Macro Deobfuscator
XLM Macro Deobfuscator can be used to decode obfuscated XLM macros (also known as Excel 4.0 macros). It utilizes an internal XLM emulator to interpret the macros, without fully performing the...

Speakeasy
Speakeasy is a portable, modular, binary emulator designed to emulate Windows kernel and user mode malware. Instead of attempting to perform dynamic analysis using an entire virtualized operating system, Speakeasy will emulate specific...

xioc
Extract indicators of compromise from text, including “escaped” ones like hxxp://banana.com, 1.1.1[.]1, and phish at malicious dot com. Features: Extract IOCs (indicators of compromise) from an input text: IPv4, IPv6, Domain, URL...

Spyre
Spyre is a simple host-based IOC scanner built around the YARA pattern matching engine and other scan modules. The main goal of this project is the easy operationalization of YARA rules and other indicators of...

capa
capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the...

saferwall – Collaborative and Streamlined Threat Analysis at Scale
Saferwall allows you to analyze, triage, and classify threats in just minutes. ⭐ Collaborative – Built for security teams and researchers to streamline analysis, identification, and sharing of malware samples....

PeaceMaker Threat Detection
PeaceMaker Threat Detection is a kernel-mode utility designed to detect a variety of methods commonly used in advanced forms of malware. Compared to a stereotypical anti-virus that may detect via hashes...

Zelos
Zelos (Zeropoint Emulated Lightweight Operating System) is a Python-based binary emulation platform. One use of Zelos is to quickly assess the dynamic behavior of binaries via the command line or Python scripts. All syscalls are emulated to isolate the...

Linux Memory Grabber
A script for dumping Linux memory and creating Volatility(TM) profiles. To analyze Linux memory, you first need to be able to capture Linux memory. AVML works great, but if your system...