Open-Source Cybersecurity Tools: Malware Analysis & Reverse Engineering

← Back to Open-Source Cybersecurity Tools Hub | Full Open Source Catalog | Main Atlas

This category contains 425 documented tools. It focuses on capabilities used for sample triage, static/dynamic analysis, and malware behavior profiling. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Category Evaluation Checklist

• Coverage depth against your highest-priority threats and compliance obligations.
• Operational overhead for deployment, tuning, and long-term maintenance.
• Signal quality versus analyst workload and false-positive pressure.
• Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
• Governance readiness including auditability, ownership clarity, and change control.

Jump by Name

# | A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z

Letter

This letter section contains 64 tools.

010 Editor

• Website: https://www.sweetscape.com/010editor
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: 010 Editor is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Powerful hex and text editor.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Hex Editor.

Back to Name Jump

API Monitor

• Website: http://www.rohitab.com/apimonitor
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: API Monitor is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Monitors and controls API calls.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > APIs / DLLs.

Back to Name Jump

APISpy

• Website: http://www.ragoo.com/APISpy
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: APISpy is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Captures and analyzes API calls made by applications.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Dynamic Analysis Tools.

Back to Name Jump

BinText

• Website: https://www.majorgeeks.com/files/details/bintext.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: BinText is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Extracts ASCII, Unicode, and Resource strings from files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Strings.

Back to Name Jump

Bless

• Website: https://github.com/afrantzis/bless
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: Bless is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: High-performance, full-featured hex editor.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Hex Editor.

Back to Name Jump

CFF Explorer

• Website: https://ntcore.com/explorer-suite
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: CFF Explorer is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Inspect and analyze Portable Executable (PE) files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Inspector.

Back to Name Jump

CFR

• Website: http://www.benf.org/other/cfr
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools, Awesome Web Security

What it does: CFR is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Another java decompiler by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Web Security > Tools > Decompiler.

Back to Name Jump

ComputeHash

• Website: https://www.subisoft.net/ComputeHash.aspx
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: ComputeHash is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Calculates MD5, SHA1, SHA256, SHA384, and SHA512 hashes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Signature.

Back to Name Jump

Cutter

• Website: https://cutter.re
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: Cutter is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Qt and C++ GUI powered by Radare2.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering.

Back to Name Jump

Dependency Walker

• Website: https://dependencywalker.com
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: Dependency Walker is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Builds hierarchical tree diagram of dependent modules.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Inspector.

Back to Name Jump

DLL Export Viewer

• Website: https://www.nirsoft.net/utils/dll_export_viewer.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: DLL Export Viewer is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Displays exported functions and their addresses for DLL files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Inspector.

Back to Name Jump

dnSpy

• Website: https://github.com/dnSpy/dnSpy
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: dnSpy is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: .NET debugger and assembly editor.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > .NET Decompilers.

Back to Name Jump

Exeinfo PE

• Website: https://exeinfo-pe.en.uptodown.com/windows
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: Exeinfo PE is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Analyze Windows PE header information, packer detection, and gives hints on how to unpack.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Identification.

Back to Name Jump

FernFlower

• Website: https://github.com/fesh0r/fernflower
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: FernFlower is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: IntelliJ's Java decompiler.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Java Decompilers.

Back to Name Jump

file

• Website: https://linux.die.net/man/1/file
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: file is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Determine file type.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Identification.

Back to Name Jump

flare-floss

• Website: https://github.com/mandiant/flare-floss
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools, Awesome Forensics

What it does: flare-floss is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Static analysis tool to automatically deobfuscate strings from malware binaries.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Strings.

Back to Name Jump

GET-FileHash

• Website: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash?view=powershell-7.4
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: GET-FileHash is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Computes hash value for a file using a specified hash algorithm (Microsoft PowerShell module).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Signature.

Back to Name Jump

Ghidra

• Website: https://ghidra-sre.org
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools, Awesome Hacking, Awesome CTF

What it does: Ghidra is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Disassemblers and debuggers.

Back to Name Jump

Handle

• Website: https://learn.microsoft.com/en-us/sysinternals/downloads/handle
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: Handle is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Lists open handles for system processes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > APIs / DLLs.

Back to Name Jump

HashMyFiles

• Website: https://www.nirsoft.net/utils/hash_my_files.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: HashMyFiles is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Calculates MD5 and SHA1 hashes of one or more files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Signature.

Back to Name Jump

Hex Workshop

• Website: http://www.hexworkshop.com
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: Hex Workshop is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Visualizes data through graphical representations and charts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Hex Editor.

Back to Name Jump

hexitor

• Website: https://github.com/briansteffens/hexitor
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: hexitor is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: terminal hex editor.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Hex Editor.

Back to Name Jump

HxD

• Website: https://mh-nexus.de/en/hxd
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: HxD is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Fast hex editor with raw disk editing capabilities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Hex Editor.

Back to Name Jump

IDA Pro

• Website: https://www.hex-rays.com/ida-pro
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: IDA Pro is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Interactive disassembler and debugger.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering.

Back to Name Jump

IgorWare Hasher

• Website: https://www.igorware.com/hasher
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: IgorWare Hasher is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Free SHA-1, MD5, and CRC32 hash generator for Windows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Signature.

Back to Name Jump

ILSpy

• Website: https://github.com/icsharpcode/ILSpy
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools, Awesome Hacking

What it does: ILSpy is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: an open-source .NET assembly browser and decompiler.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Decompilers.

Back to Name Jump

impfuzzy

• Website: https://github.com/JPCERTCC/impfuzzy
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: impfuzzy is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Calculates Fuzzy Hash from import API of PE files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Signature.

Back to Name Jump

JD-GUI

• Website: http://java-decompiler.github.io
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: JD-GUI is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Decompiler for Java bytecode.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Java Decompilers.

Back to Name Jump

JustDecompile

• Website: https://www.telerik.com/products/decompiler.aspx
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: JustDecompile is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Free .NET decompiler from Telerik.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > .NET Decompilers.

Back to Name Jump

KapeFiles

• Website: https://github.com/EricZimmerman/KapeFiles
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: KapeFiles is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A tool for acquiring and processing forensic artifacts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Identification.

Back to Name Jump

Krakatau

• Website: https://github.com/Storyyeller/krakatau
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: Krakatau is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Java decompiler, assembler, and disassembler.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Java Decompilers.

Back to Name Jump

Lazy Office Analyzer

• Website: https://github.com/tehsyntx/loffice
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: Lazy Office Analyzer is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Extracts URLs, VB-script, and JavaScript from Office documents.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Microsoft Office.

Back to Name Jump

ListDLLs

• Website: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: ListDLLs is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Lists all the DLLs loaded into processes (SysInternals).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > APIs / DLLs.

Back to Name Jump

md5sum

• Website: https://www.man7.org/linux/man-pages/man1/md5sum.1.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: md5sum is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Compute and check MD5 message digest.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Signature.

Back to Name Jump

OfficeMalScanner

• Website: https://www.aldeid.com/wiki/OfficeMalScanner/OfficeMalScanner
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: OfficeMalScanner is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Scans MS Office documents for malicious traces.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Microsoft Office.

Back to Name Jump

OfficeScan

• Website: https://support.trendmicro.com/en-us/home/pages/technical-support/office-scan
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: OfficeScan is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Analyzes Microsoft Office documents for malware and other threats.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Microsoft Office.

Back to Name Jump

ole-tools

• Website: https://github.com/decalage2/oletools
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: ole-tools is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Extracts VBA macros from Office files and detects obfuscation techniques.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Microsoft Office.

Back to Name Jump

PDF-XChange

• Website: https://www.tracker-software.com/product/pdf-xchange-editor
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: PDF-XChange is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: In-depth analysis and editing of PDF documents.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > PDF.

Back to Name Jump

pdfunite

• Website: https://manpages.ubuntu.com/manpages/jammy/man1/pdfunite.1.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: pdfunite is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Merges multiple PDF files into a single file.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > PDF.

Back to Name Jump

PE Explorer

• Website: https://pe-explorer.com
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: PE Explorer is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Inspects Windows applications and libraries.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Inspector.

Back to Name Jump

pe-bear

• Website: https://github.com/hasherezade/pe-bear
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: pe-bear is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Multiplatform reversing tool for PE files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Inspector.

Back to Name Jump

pehash

• Website: https://github.com/knowmalware/pehash
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: pehash is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Compilation of peHash implementations.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Signature.

Back to Name Jump

PEiD

• Website: https://www.aldeid.com/wiki/PEiD
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: PEiD is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Detects common packers, cryptors, and compilers for PE files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Identification.

Back to Name Jump

PEPack

• Website: https://pev.sourceforge.io/doc/manual/en_us/ch06s05.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: PEPack is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Python library for inspecting and manipulating PE files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Inspector.

Back to Name Jump

PeStudio

• Website: https://pestudio.en.lo4d.com/windows
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: PeStudio is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Examines executable files in depth.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Inspector.

Back to Name Jump

PEView

• Website: https://www.aldeid.com/wiki/PEView
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: PEView is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Lightweight utility for inspecting PE files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Inspector.

Back to Name Jump

ProcDot

• Website: https://www.cert.at/en/downloads/software/software-procdot
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: ProcDot is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Visualizes process and thread behavior.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Dynamic Analysis Tools.

Back to Name Jump

Procyon

• Website: https://bitbucket.org/mstrobel/procyon
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: Procyon is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Java decompiler for modern Java features.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Java Decompilers.

Back to Name Jump

Radare2

• Website: https://rada.re/n
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: Radare2 is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Open-source reverse engineering framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering.

Back to Name Jump

Regshot

• Website: http://www.nikopol.org/regshot
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: Regshot is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Takes snapshots of the Registry and compares them.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Dynamic Analysis Tools.

Back to Name Jump

Resource Hacker

• Website: https://www.angusj.com/resourcehacker
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: Resource Hacker is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Resource editor for Windows applications.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Resource Editor.

Back to Name Jump

Resource Tuner

• Website: https://www.restuner.com
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: Resource Tuner is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Allows you to edit resources within executables and DLLs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Resource Editor.

Back to Name Jump

sha256sum

• Website: https://www.man7.org/linux/man-pages/man1/sha256sum.1.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: sha256sum is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Compute and check SHA256 message digest.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Signature.

Back to Name Jump

sha512sum

• Website: https://www.man7.org/linux/man-pages/man1/sha512sum.1.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: sha512sum is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Compute and check SHA512 message digest.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Signature.

Back to Name Jump

SpiderMonkey

• Website: https://blog.didierstevens.com/programs/spidermonkey
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: SpiderMonkey is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Modified Mozilla JavaScript implementation for malware analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > PDF.

Back to Name Jump

ssdeep

• Website: https://ssdeep-project.github.io/ssdeep/index.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: ssdeep is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Computes Context Triggered Piecewise Hashes (CTPH) for fuzzy matching.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Signature.

Back to Name Jump

strings

• Website: https://www.man7.org/linux/man-pages/man1/strings.1.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: strings is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Print sequences of printable characters in files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Strings.

Back to Name Jump

StringsDump

• Website: https://github.com/mwrlabs/stringsdump
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: StringsDump is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Extracts and identifies text from binary files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Strings.

Back to Name Jump

TrID

• Website: https://trid.en.softonic.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: TrID is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Use pattern database to determine file types, gives a likelihood of detected type.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > File Identification.

Back to Name Jump

ViperMonkey

• Website: https://github.com/decalage2/ViperMonkey
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: ViperMonkey is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: VBA parser and emulation engine.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Microsoft Office.

Back to Name Jump

VMProtect

• Website: https://vmpsoft.com
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: VMProtect is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Anti-debugging and anti-VM software protection.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Anti-Analysis Detector.

Back to Name Jump

WinAPIOverride

• Website: http://jacquelin.potier.free.fr/winapioverride32/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: WinAPIOverride is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Monitors, intercepts, and logs API calls.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > APIs / DLLs.

Back to Name Jump

x64dbg

• Website: https://x64dbg.com
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cyber Security Tools

What it does: x64dbg is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Open-source debugger for Windows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering.

Back to Name Jump

/r/Malware

• Website: https://www.reddit.com/r/Malware
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: /r/Malware is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: The malware subreddit.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Other.

Back to Name Jump

Letter A

This letter section contains 18 tools.

AbuseIPDB

• Website: https://www.abuseipdb.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome OSINT

What it does: AbuseIPDB is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Repository of abuses reported by system administrators for IPs, Domains, and subnets.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > ↑ Speciality Search Engines.

Back to Name Jump

ACSTIS

• Website: https://github.com/tijme/angularjs-csti-scanner
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Security, Awesome Penetration Testing

What it does: ACSTIS is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: ACSTIS helps you to scan certain web applications for AngularJS Client-Side Template Injection (sometimes referred to as CSTI, sandbox escape or sandbox bypass). It supports scanning a single request but also crawling the entire web application for the AngularJS CSTI vulnerability.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners > Web Vulnerability Scanners.

Back to Name Jump

al-khaser

• Website: https://github.com/LordNoteworthy/al-khaser
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: al-khaser is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A PoC malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Miscellaneous.

Back to Name Jump

Aleph

• Website: https://github.com/merces/aleph
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Aleph is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Open Source Malware Analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Storage and Workflow.

Back to Name Jump

AnalyzePDF

• Website: https://github.com/hiddenillusion/AnalyzePDF
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: AnalyzePDF is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A tool for.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

AnalyzePE

• Website: https://github.com/hiddenillusion/AnalyzePE
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: AnalyzePE is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Wrapper for a.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

Androguard

• Website: https://github.com/androguard/androguard
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Honeypots, Awesome Cyber Security Tools, Awesome CTF

What it does: Androguard is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Reverse engineering, Malware and goodware analysis of Android applications and more.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Penetration Testing > Mobile Penetration Testing.

Back to Name Jump

androguard

• Website: https://code.google.com/p/androguard/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: androguard is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Reverse engineering, malware and goodware analysis of Android applications.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Other.

Back to Name Jump

AndroTotal

• Website: https://andrototal.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: AndroTotal is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Free online analysis of APKs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

angr

• Website: https://github.com/angr/angr
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome CTF

What it does: angr is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: platform-agnostic binary analysis framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

angr

• Website: https://angr.io/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: angr is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Platform-agnostic binary analysis framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

anlyz.io

• Website: https://sandbox.anlyz.io/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: anlyz.io is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Online sandbox.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

Anonymouse.org

• Website: http://anonymouse.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Anonymouse.org is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A free, web based anonymizer.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Anonymizers.

Back to Name Jump

antinet

• Website: https://github.com/0xd4d/antinet
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: antinet is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: .NET anti-managed debugger and anti-profiler code.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Other.

Back to Name Jump

any.run

• Website: https://app.any.run/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Incident Response

What it does: any.run is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Interactive online malware analysis service for dynamic and static research of most types of threats using any environment.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Assemblyline

• Website: https://cybercentrecanada.github.io/assemblyline4_docs/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Assemblyline is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A scalable file triage and malware analysis system integrating the cyber security community's best tools.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

Awesome Malware

• Website: https://github.com/fabacab/awesome-malware
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: Awesome Malware is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Curated collection of awesome malware, botnets, and other post-exploitation tools.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Online Resources > Other Lists Online.

Back to Name Jump

Awesome Malware Analysis

• Website: https://github.com/rshipp/awesome-malware-analysis
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Security, Awesome Forensics

What it does: Awesome Malware Analysis is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Other Awesome Lists > Other Security Awesome Lists.

Back to Name Jump

Letter B

This letter section contains 23 tools.

badips.com

• Website: https://www.badips.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: badips.com is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Community based IP blacklist service.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

Balbuzard

• Website: https://bitbucket.org/decalage/balbuzard/wiki/Home
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Balbuzard is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Deobfuscation.

Back to Name Jump

bamfdetect

• Website: https://github.com/bwall/bamfdetect
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: bamfdetect is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Identifies and extracts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

BAP

• Website: https://github.com/BinaryAnalysisPlatform/bap
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: BAP is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Multiplatform and.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

BARF

• Website: https://github.com/programa-stic/barf-project
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome CTF

What it does: BARF is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Binary Analysis and Reverse engineering Framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Binary ninja

• Website: https://binary.ninja/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Cyber Security Tools, Awesome CTF

What it does: Binary ninja is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A reversing engineering platform.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

BinaryAlert

• Website: https://github.com/airbnb/binaryalert
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Threat Detection

What it does: BinaryAlert is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Serverless, real-time & retroactive malware detection.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

binarypig

• Website: https://github.com/endgameinc/binarypig
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Security

What it does: binarypig is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Scalable Binary Data Extraction in Hadoop. Malware Processing and Analytics over Pig, Exploration through Django, Twitter Bootstrap, and Elasticsearch.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Big Data.

Back to Name Jump

binnavi

• Website: https://github.com/google/binnavi
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: binnavi is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Binary analysis IDE for.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

BinText

• Website: https://web.archive.org/web/http://www.mcafee.com/kr/downloads/free-tools/bintext.aspx
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: BinText is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A small, very fast and powerful text extractor that will be of particular interest to programmers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Binary files examination and editing > Other.

Back to Name Jump

Binwalk

• Website: https://github.com/devttys0/binwalk
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Penetration Testing, Awesome CTF

What it does: Binwalk is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

Binwalk

• Website: https://github.com/ReFirmLabs/binwalk
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: Binwalk is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Detects signatures, unpacks archives, visualizes entropy.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Binary files examination and editing > Other.

Back to Name Jump

BlackLight

• Website: https://www.blackbagtech.com/blacklight.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: BlackLight is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Windows/MacOS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Memory Forensics.

Back to Name Jump

BlockBlock

• Website: https://objective-see.com/products/blockblock.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cybersecurity Blue Team

What it does: BlockBlock is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Monitors common persistence locations and alerts whenever a persistent component is added, which helps to detect and prevent malware installation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > macOS-based defenses.

Back to Name Jump

BluePill

• Website: https://github.com/season-lab/bluepill
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: BluePill is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Framework for executing and debugging evasive malware and protected executables.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

BoomBox

• Website: https://github.com/nbeede/BoomBox
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: BoomBox is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Automatic deployment of Cuckoo.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

boomerang

• Website: https://github.com/EmersonElectricCo/boomerang
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: boomerang is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A tool designed.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

box-js

• Website: https://github.com/CapacitorSet/box-js
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: box-js is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A tool for studying JavaScript.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

boxxy

• Website: https://github.com/kpcyrd/boxxy-rs
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: boxxy is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Linkable sandbox explorer.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

Brida

• Website: https://github.com/federicodotta/Brida
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: Brida is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Burp Suite extension that, working as a bridge between Burp and Frida, lets you use and manipulate applications' own methods while tampering the traffic exchanged between the applications and their back-end services.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

Browserling

• Website: https://www.browserling.com
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome OSINT

What it does: Browserling is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Browserling is an online sandbox that lets users safely test potentially malicious links across browsers and operating systems in real time.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > ↑ Domain and IP Research.

Back to Name Jump

bulk_extractor

• Website: https://github.com/simsong/bulk_extractor
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Incident Response, Awesome Cyber Security Tools, Awesome Forensics

What it does: bulk_extractor is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. Because of ignoring the file system structure, the program distinguishes itself in terms of speed and thoroughness.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Evidence Collection.

Back to Name Jump

Bytecode Viewer

• Website: https://github.com/Konloch/bytecode-viewer
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Bytecode Viewer is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Combines.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Browser Malware.

Back to Name Jump

Letter C

This letter section contains 20 tools.

capa

• Website: https://github.com/fireeye/capa
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Threat Detection

What it does: capa is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: An open-source tool to identify capabilities in executable files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

Capstone

• Website: https://github.com/aquynh/capstone
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Hacking

What it does: Capstone is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Capstone

• Website: http://www.capstone-engine.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: Capstone is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Lightweight multi-platform, multi-architecture disassembly framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

Charles Proxy

• Website: https://charlesproxy.com
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: Charles Proxy is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A cross-platform GUI web debugging proxy to view intercepted HTTP and HTTPS/SSL live traffic.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Execution logging and tracing.

Back to Name Jump

chkrootkit

• Website: http://www.chkrootkit.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: chkrootkit is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Local Linux rootkit detection.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

Clean MX

• Website: http://support.clean-mx.com/clean-mx/viruses.php
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Clean MX is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Realtime.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Malware Corpora.

Back to Name Jump

CLEANLY ESCAPING THE CHROME SANDBOX

• Website: https://theori.io/research/escaping-chrome-sandbox
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Web Security

What it does: CLEANLY ESCAPING THE CHROME SANDBOX is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Written by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Web Security > Browser Exploitation > Backend (core of Browser implementation, and often refers to C or C++ part).

Back to Name Jump

codebro

• Website: https://github.com/hugsy/codebro
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: codebro is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Web based code browser using.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

CodeEngn

• Website: http://codeengn.com/challenges/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: CodeEngn is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: (Korean).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Wargame > Reverse Engineering.

Back to Name Jump

Contagio

• Website: http://contagiodump.blogspot.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Contagio is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A collection of recent.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Malware Corpora.

Back to Name Jump

Crackmes

• Website: https://crackmes.one/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome CTF

What it does: Crackmes is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Reverse Engineering Challenges.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Name Jump

Crackmes.de

• Website: http://crackmes.de/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: Crackmes.de is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: The world first and largest community website for crackmes and reversemes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Wargame > Reverse Engineering.

Back to Name Jump

CRITs

• Website: https://crits.github.io/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Incident Response

What it does: CRITs is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Web-based tool which combines an analytic engine with a cyber threat database.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

Cryptam

• Website: http://www.cryptam.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Cryptam is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Analyze suspicious office documents.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

CryptoKnight

• Website: https://github.com/AbertayMachineLearningGroup/CryptoKnight
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: CryptoKnight is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Automated cryptographic algorithm reverse engineering and classification framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Miscellaneous.

Back to Name Jump

Cuckoo Sandbox

• Website: https://cuckoosandbox.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Honeypots

What it does: Cuckoo Sandbox is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Leading open source automated malware analysis system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

cuckoo-modified

• Website: https://github.com/brad-accuvant/cuckoo-modified
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: cuckoo-modified is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Modified.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

cuckoo-modified-api

• Website: https://github.com/keithjjones/cuckoo-modified-api
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Incident Response

What it does: cuckoo-modified-api is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Python library to control a cuckoo-modified sandbox.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Cutter

• Website: https://github.com/radareorg/cutter
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Hacking

What it does: Cutter is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: a decompiler based on radare2.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

CWSandbox / GFI Sandbox

• Website: https://www.gfi.com/products-and-solutions/all-products
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Honeypots

What it does: CWSandbox / GFI Sandbox is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Name Jump

Letter D

This letter section contains 23 tools.

DAMM

• Website: https://github.com/504ensicsLabs/DAMM
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: DAMM is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Differential Analysis of.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Memory Forensics.

Back to Name Jump

DarunGrim

• Website: https://github.com/ohjeongwook/DarunGrim
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: DarunGrim is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: executable differ.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Binary files examination and editing > Other.

Back to Name Jump

DBeaver

• Website: https://github.com/dbeaver/dbeaver
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: DBeaver is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: a DB editor.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Binary files examination and editing > Other.

Back to Name Jump

DC3-MWCP

• Website: https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: DC3-MWCP is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Miscellaneous.

Back to Name Jump

de4dot

• Website: https://github.com/0xd4d/de4dot
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Hacking

What it does: de4dot is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: .NET deobfuscator and unpacker.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Deobfuscators.

Back to Name Jump

DECAF (Dynamic Executable Code Analysis Framework)

• Website: https://github.com/sycurelab/DECAF
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: DECAF (Dynamic Executable Code Analysis Framework) is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

DeepViz

• Website: https://www.deepviz.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: DeepViz is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Multi-format file analyzer with.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

DemoHunter

• Website: https://github.com/RevengeComing/DemonHunter
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Honeypots

What it does: DemoHunter is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Low interaction Distributed Honeypots.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Back to Name Jump

Dependencies

• Website: https://github.com/lucasg/Dependencies
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: Dependencies is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: a FOSS replacement to Dependency Walker.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Binary files examination and editing > Other.

Back to Name Jump

Desenmascara.me

• Website: http://desenmascara.me
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Desenmascara.me is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: One click tool to retrieve as.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

Detect It Easy(DiE)

• Website: https://github.com/horsicq/Detect-It-Easy
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Penetration Testing, Awesome Cyber Security Tools

What it does: Detect It Easy(DiE) is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Program for determining types of files for Windows, Linux and MacOS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

Detecting Malware Beacons Using Splunk

• Website: https://pleasefeedthegeek.wordpress.com/2012/12/20/detecting-malware-beacons-using-splunk/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Threat Detection

What it does: Detecting Malware Beacons Using Splunk is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

Detox

• Website: http://relentless-coding.org/projects/jsdetox/install
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome CTF

What it does: Detox is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A Javascript malware analysis tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Name Jump

detux

• Website: https://github.com/detuxsandbox/detux/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: detux is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A sandbox developed to do.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

dex2jar

• Website: https://github.com/pxb1988/dex2jar
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: dex2jar is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Tools to work with Android .dex and Java .class files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Other.

Back to Name Jump

Dig

• Website: https://networking.ringofsaturn.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Dig is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Free online dig and other.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

diStorm

• Website: http://www.ragestorm.net/distorm/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: diStorm is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Disassembler for analyzing.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

dnSpy

• Website: https://github.com/0xd4d/dnSpy
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Penetration Testing, Awesome Hacking

What it does: dnSpy is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: .NET assembly editor, decompiler, and debugger.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

dnstwist

• Website: https://github.com/elceef/dnstwist
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Penetration Testing

What it does: dnstwist is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

Back to Name Jump

DOM based Angular sandbox escapes

• Website: http://blog.portswigger.net/2017/05/dom-based-angularjs-sandbox-escapes.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Web Security

What it does: DOM based Angular sandbox escapes is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Written by.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Web Security > Introduction > AngularJS.

Back to Name Jump

DRAKVUF

• Website: https://github.com/tklengyel/drakvuf
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: DRAKVUF is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Dynamic malware analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

drltrace

• Website: https://github.com/mxmssh/drltrace
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: drltrace is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: shared library calls tracing.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Execution logging and tracing.

Back to Name Jump

dynStruct

• Website: https://github.com/ampotos/dynStruct
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: dynStruct is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: structures recovery via dynamic instrumentation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Execution logging and tracing.

Back to Name Jump

Letter E

This letter section contains 9 tools.

Ember

• Website: https://github.com/endgameinc/ember
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Threat Detection

What it does: Ember is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: () - The EMBER dataset is a collection of features from PE files that serve as a benchmark dataset for researchers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Dataset.

Back to Name Jump

Evan's Debugger

• Website: http://www.codef00.com/projects#debugger
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: Evan's Debugger is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: OllyDbg-like debugger for GNU/Linux.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

Evan's Debugger (EDB)

• Website: http://codef00.com/projects#debugger
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Evan's Debugger (EDB) is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

evolve

• Website: https://github.com/JamesHabben/evolve
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Incident Response

What it does: evolve is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Web interface for the Volatility Memory Forensics Framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Analysis Tools.

Back to Name Jump

EVTXtract

• Website: https://github.com/williballenthin/EVTXtract
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: EVTXtract is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Carve Windows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > File Carving.

Back to Name Jump

ex_pe_xor

• Website: http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: ex_pe_xor is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Deobfuscation.

Back to Name Jump

Exeinfo PE

• Website: http://exeinfo.pe.hu/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Exeinfo PE is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Packer, compressor detector, unpack.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

ExifTool

• Website: https://sno.phy.queensu.ca/~phil/exiftool/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: ExifTool is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Read, write and.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

Exploit Database

• Website: https://www.exploit-db.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Penetration Testing, Awesome Hacking

What it does: Exploit Database is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Non-profit project hosting exploits for software vulnerabilities, provided as a public service by Offensive Security.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Malware Corpora.

Back to Name Jump

Letter F

This letter section contains 12 tools.

FAME

• Website: https://certsocietegenerale.github.io/fame/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: FAME is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A malware analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Storage and Workflow.

Back to Name Jump

File Scanning Framework

• Website: https://github.com/EmersonElectricCo/fsf
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: File Scanning Framework is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

filescan.io

• Website: https://www.filescan.io/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: filescan.io is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Static malware analysis, VBA/Powershell/VBS/JS Emulation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

FindAES

• Website: https://sourceforge.net/projects/findaes/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: FindAES is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Find AES.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Memory Forensics.

Back to Name Jump

Firebug

• Website: https://getfirebug.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Firebug is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Firefox extension for web development.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Browser Malware.

Back to Name Jump

firmware.re

• Website: http://firmware.re/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: firmware.re is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Unpacks, scans and analyzes almost any.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

FLARE VM

• Website: https://github.com/fireeye/flare-vm
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Incident Response, Awesome CTF

What it does: FLARE VM is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

FLOSS

• Website: https://github.com/fireeye/flare-floss
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: FLOSS is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: The FireEye Labs Obfuscated.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Deobfuscation.

Back to Name Jump

fn2yara

• Website: https://github.com/cmu-sei/pharos
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: fn2yara is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: The Pharos binary analysis framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Foremost

• Website: http://foremost.sourceforge.net/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome CTF

What it does: Foremost is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Extract particular kind of files using headers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > File Carving.

Back to Name Jump

FPort

• Website: https://www.mcafee.com/us/downloads/free-tools/fport.aspx
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: FPort is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Reports.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Fridax

• Website: https://github.com/NorthwaveNL/fridax
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: Fridax is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Read variables and intercept/hook functions in Xamarin/Mono JIT and AOT compiled iOS/Android applications.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

Letter G

This letter section contains 5 tools.

GDB

• Website: http://www.sourceware.org/gdb/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: GDB is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: The GNU debugger.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

GEF

• Website: https://github.com/hugsy/gef
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome CTF

What it does: GEF is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: GDB Enhanced Features, for exploiters.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Generic File Parser

• Website: https://github.com/uppusaikiran/generic-parser
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Generic File Parser is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A Single Library Parser to extract meta information,static analysis and detect macros within the files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

Ghidra

• Website: https://github.com/NationalSecurityAgency/ghidra
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Incident Response

What it does: Ghidra is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Ghidra

• Website: https://www.ghidra-sre.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: Ghidra is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Suite of free software reverse engineering tools developed by NSA's Research Directorate originally exposed in WikiLeaks's "Vault 7" publication and now maintained as open source software.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

Letter H

This letter section contains 13 tools.

HaboMalHunter

• Website: https://github.com/Tencent/HaboMalHunter
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: HaboMalHunter is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: An Automated Malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

hachoir3

• Website: https://github.com/vstinner/hachoir3
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: hachoir3 is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Hachoir is a Python library.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > File Carving.

Back to Name Jump

hackers-grep

• Website: https://github.com/codypierce/hackers-grep
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: hackers-grep is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A utility to.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Hacking the Xbox by Andrew Huang, 2003

• Website: https://nostarch.com/xbox.htm
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: Hacking the Xbox by Andrew Huang, 2003 is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Books.

Back to Name Jump

HashCheck

• Website: https://github.com/gurnec/HashCheck
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: HashCheck is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Windows shell extension.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

hashdeep

• Website: https://github.com/jessek/hashdeep
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: hashdeep is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Compute digest hashes with.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

Hex-Rays

• Website: https://www.hex-rays.com/products/decompiler/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: Hex-Rays is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Decompilers.

Back to Name Jump

Honeytrap

• Website: https://github.com/honeytrap/honeytrap
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Honeypots

What it does: Honeytrap is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Advanced Honeypot framework written in Go that can be connected with other honeypot software.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Back to Name Jump

Hopper

• Website: https://www.hopperapp.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Cyber Security Tools, Awesome Hacking

What it does: Hopper is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A OS X and Linux Disassembler/Decompiler for 32/64-bit Windows/Mac/Linux/iOS executables.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Hopper

• Website: http://www.hopperapp.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome CTF

What it does: Hopper is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Reverse engineering tool (disassembler) for OSX and Linux.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Name Jump

Hudson Rock

• Website: https://www.hudsonrock.com/threat-intelligence-cybercrime-tools
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome OSINT

What it does: Hudson Rock is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: is a free cybercrime intelligence toolkit to check exposure in Infostealer malware infection.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > ↑ Domain and IP Research.

Back to Name Jump

HxD

• Website: http://mh-nexus.de/en/hxd/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: HxD is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A hex editor which, additionally to raw disk editing and modifying of main memory (RAM), handles files of any size.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Binary files examination and editing > Hex editors.

Back to Name Jump

Hybrid Analysis

• Website: https://www.hybrid-analysis.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Incident Response, Awesome Honeypots, Awesome OSINT, Awesome Cyber Security Tools

What it does: Hybrid Analysis is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Free malware analysis service powered by Payload Security that detects and analyzes unknown threats using a unique Hybrid Analysis technology.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Letter I

This letter section contains 14 tools.

Iaitō

• Website: https://github.com/hteso/iaito
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Web Security

What it does: Iaitō is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Qt and C++ GUI for radare2 reverse engineering framework by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Web Security > Tools > Disassembler.

Back to Name Jump

IDA Pro

• Website: https://www.hex-rays.com/products/ida/index.shtml
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: IDA Pro is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Windows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

IDR

• Website: https://github.com/crypto2011/IDR
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: IDR is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Interactive Delphi Reconstructor.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

ILSpy

• Website: http://ilspy.net/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: ILSpy is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: ILSpy is the open-source .NET assembly browser and decompiler.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Immunity Debugger

• Website: http://debugger.immunityinc.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Immunity Debugger is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Debugger for.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Immunity Debugger

• Website: https://immunityinc.com/products/debugger/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: Immunity Debugger is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Powerful way to write exploits and analyze malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

Infosec - CERT-PA

• Website: https://infosec.cert-pa.it/analyze/submission.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Infosec - CERT-PA is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Malware samples collection and analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Malware Corpora.

Back to Name Jump

InQuest Deep File Inspection

• Website: https://labs.inquest.net/dfi
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: InQuest Deep File Inspection is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Upload common malware lures for Deep File Inspection and heuristical analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

InQuest Labs

• Website: https://labs.inquest.net
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: InQuest Labs is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Evergrowing searchable corpus of malicious Microsoft documents.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Malware Corpora.

Back to Name Jump

Interactive Disassembler (IDA Pro)

• Website: https://www.hex-rays.com/products/ida/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing, Awesome Hacking, Awesome CTF

What it does: Interactive Disassembler (IDA Pro) is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Proprietary multi-processor disassembler and debugger for Windows, GNU/Linux, or macOS; also has a free version, .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

Intezer

• Website: https://analyze.intezer.com
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Incident Response

What it does: Intezer is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Intezer Analyze dives into Windows binaries to detect micro-code similarities to known threats, in order to provide accurate yet easy-to-understand results.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

inVtero.net

• Website: https://github.com/ShaneK2/inVtero.net
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Incident Response, Awesome Forensics

What it does: inVtero.net is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Advanced memory analysis for Windows x64 with nested hypervisor support.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Analysis Tools.

Back to Name Jump

IPinfo

• Website: https://github.com/hiddenillusion/IPinfo
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: IPinfo is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Gather information.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

IRMA

• Website: http://irma.quarkslab.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: IRMA is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: An asynchronous and customizable.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

Letter J

This letter section contains 13 tools.

JA3: SSL/TLS Client Fingerprinting for Malware Detection

• Website: https://engineering.salesforce.com/open-sourcing-ja3-92c9e53c3c41
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Threat Detection

What it does: JA3: SSL/TLS Client Fingerprinting for Malware Detection is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

Back to Name Jump

JAD

• Website: http://varaneckas.com/jad/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: JAD is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: JAD Java Decompiler (closed-source, unmaintained).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Decompilers.

Back to Name Jump

Java Decompiler

• Website: http://jd.benow.ca/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Java Decompiler is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Decompile and inspect Java apps.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Browser Malware.

Back to Name Jump

Java IDX Parser

• Website: https://github.com/Rurik/Java_IDX_Parser/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Java IDX Parser is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Parses Java.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Browser Malware.

Back to Name Jump

Javascript Mallware Collection

• Website: https://github.com/HynekPetrak/javascript-malware-collection
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Javascript Mallware Collection is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Collection of almost 40.000 javascript malware samples.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Malware Corpora.

Back to Name Jump

JD-GUI

• Website: https://github.com/java-decompiler/jd-gui
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: JD-GUI is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Decompilers.

Back to Name Jump

Joe Sandbox

• Website: https://www.joesecurity.org
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Joe Sandbox is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Deep malware analysis with Joe Sandbox.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

Jotti

• Website: https://virusscan.jotti.org/en
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Jotti is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Free online multi-AV scanner.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

JS Beautifier

• Website: http://jsbeautifier.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: JS Beautifier is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: JavaScript unpacking and deobfuscation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

JS Beautifier

• Website: https://github.com/beautify-web/js-beautify
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: JS Beautifier is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Deobfuscators.

Back to Name Jump

JS Nice

• Website: http://jsnice.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: JS Nice is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: a web service guessing JS variables names and types based on the model derived from open source.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Deobfuscators.

Back to Name Jump

JSDetox

• Website: http://www.relentless-coding.com/projects/jsdetox/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: JSDetox is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: JavaScript.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Browser Malware.

Back to Name Jump

jsunpack-n

• Website: https://github.com/urule99/jsunpack-n
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Honeypots

What it does: jsunpack-n is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Browser Malware.

Back to Name Jump

Letter K

This letter section contains 2 tools.

Kaitai Struct

• Website: https://github.com/kaitai-io/kaitai_struct
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: Kaitai Struct is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: a DSL for creating parsers in a variety of programming languages. The Web IDE is particularly useful for reverse-engineering.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Binary files examination and editing > Other.

Back to Name Jump

Krakatau

• Website: https://github.com/Storyyeller/Krakatau
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Hacking, Awesome CTF

What it does: Krakatau is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: the best decompiler I have used. Is able to decompile apps written in Scala and Kotlin into Java code. JD-GUI and Luyten have failed to do it fully.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Browser Malware.

Back to Name Jump

Letter L

This letter section contains 7 tools.

Learning Malware Analysis

• Website: https://www.packtpub.com/networking-and-servers/learning-malware-analysis
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Learning Malware Analysis is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Learning Malware Analysis: Explore the concepts, tools, and techniques to analuze and investigate Windows malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Books.

Back to Name Jump

Lena151: Reversing With Lena

• Website: https://archive.org/details/lena151
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: Lena151: Reversing With Lena is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tutorials.

Back to Name Jump

libemu

• Website: http://libemu.carnivore.it/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: libemu is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Library and tools for x86 shellcode.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

LIEF

• Website: https://lief.quarkslab.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: LIEF is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: LIEF provides a cross-platform library.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Limon

• Website: https://github.com/monnappa22/Limon
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Limon is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Sandbox for Analyzing Linux Malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

ltrace

• Website: http://ltrace.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: ltrace is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Dynamic analysis for Linux executables.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Luyten

• Website: https://github.com/deathmarine/Luyten
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: Luyten is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: one of the best, though a bit slow, hangs on some binaries and not very well maintained.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Decompilers.

Back to Name Jump

Letter M

This letter section contains 39 tools.

mac-a-mal

• Website: https://github.com/phdphuc/mac-a-mal
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: mac-a-mal is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: An automated framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Machinae

• Website: https://github.com/hurricanelabs/machinae
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Machinae is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: OSINT tool for.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

Machine Learning for Encrypted Malware Traffic Classification

• Website: https://dl.acm.org/doi/pdf/10.1145/3097983.3098163
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Threat Detection

What it does: Machine Learning for Encrypted Malware Traffic Classification is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Research Papers.

Back to Name Jump

mailchecker

• Website: https://github.com/FGRibreau/mailchecker
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: mailchecker is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Cross-language.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

Malfunction

• Website: https://github.com/Dynetics/Malfunction
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Malfunction is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Catalog and.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

Malheur

• Website: https://github.com/rieck/malheur
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Malheur is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Automatic sandboxed analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

malice.io

• Website: https://github.com/maliceio/malice
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: malice.io is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Massively scalable malware analysis framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

Malicious Software

• Website: https://zeltser.com/malicious-software/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Malicious Software is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Other.

Back to Name Jump

malpdfobj

• Website: https://github.com/9b/malpdfobj
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: malpdfobj is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Deconstruct malicious PDFs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

Malpedia

• Website: https://malpedia.caad.fkie.fraunhofer.de/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Malpedia is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A resource providing.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Malware Corpora.

Back to Name Jump

Malshare

• Website: https://malshare.com
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Malshare is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Large repository of malware actively.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Malware Corpora.

Back to Name Jump

MalSploitBase

• Website: https://github.com/misterch0c/malSploitBase
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: MalSploitBase is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A database.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Miscellaneous.

Back to Name Jump

malsub

• Website: https://github.com/diogo-fernan/malsub
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: malsub is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A Python RESTful API framework for.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

MaltegoVT

• Website: https://github.com/michael-yip/MaltegoVT
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: MaltegoVT is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Maltego transform.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

Malware Analysis Search

• Website: https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Malware Analysis Search is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Other.

Back to Name Jump

Malware config

• Website: https://malwareconfig.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Malware config is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Extract, decode and display online.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

Malware Museum

• Website: https://archive.org/details/malwaremuseum
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Malware Museum is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Collection of.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Miscellaneous.

Back to Name Jump

Malware Organiser

• Website: https://github.com/uppusaikiran/malware-organiser
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Malware Organiser is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A simple tool to organise large malicious/benign files into a organised Structure.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Miscellaneous.

Back to Name Jump

Malware Persistence

• Website: https://github.com/Karneades/malware-persistence
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Threat Detection

What it does: Malware Persistence is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Collection of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

Malware Samples and Traffic

• Website: http://malware-traffic-analysis.net/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Malware Samples and Traffic is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: This.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Other.

Back to Name Jump

Malware Search+++

• Website: https://addons.mozilla.org/fr/firefox/addon/malware-search-plusplusplus/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Malware Search+++ is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Firefox extension allows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Other.

Back to Name Jump

malware-jail

• Website: https://github.com/HynekPetrak/malware-jail
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Web Security

What it does: malware-jail is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Web Security > Tools > Detecting.

Back to Name Jump

MalwareAnalyser.io

• Website: https://malwareanalyser.io/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: MalwareAnalyser.io is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

MalwareBazaar

• Website: https://bazaar.abuse.ch/browse/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome OSINT

What it does: MalwareBazaar is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Search and download confirmed malware samples by hash, family, tag, and other criteria.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > ↑ Speciality Search Engines.

Back to Name Jump

Malwarehouse

• Website: https://github.com/sroberts/malwarehouse
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Malwarehouse is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Store, tag, and.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Storage and Workflow.

Back to Name Jump

Malwr

• Website: https://malwr.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Honeypots

What it does: Malwr is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Free malware analysis service and community.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

Malzilla

• Website: http://malzilla.sourceforge.net/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Hacking, Awesome CTF

What it does: Malzilla is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Analyze malicious web pages.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Browser Malware.

Back to Name Jump

Manalyze

• Website: https://github.com/JusticeRage/Manalyze
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Manalyze is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Static analyzer for PE.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

Mastering Malware Analysis

• Website: https://www.packtpub.com/networking-and-servers/mastering-malware-analysis
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Mastering Malware Analysis is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Mastering Malware Analysis: The complete malware analyst's guide to combating malicious software, APT, cybercime, and IoT attacks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Books.

Back to Name Jump

Mastering Reverse Engineering

• Website: https://www.packtpub.com/networking-and-servers/mastering-reverse-engineering
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Mastering Reverse Engineering is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Mastering Reverse Engineering: Re-engineer your ethical hacking skills.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Books.

Back to Name Jump

MASTIFF

• Website: https://github.com/KoreLogicSecurity/mastiff
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Incident Response

What it does: MASTIFF is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Static analysis framework that automates the process of extracting key characteristics from a number of different file formats.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Medusa

• Website: https://github.com/wisk/medusa
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: Medusa is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Open source, cross-platform interactive disassembler.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

MHN

• Website: https://github.com/pwnlandia/mhn
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: MHN is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Back to Name Jump

mitmproxy

• Website: https://github.com/mitmproxy/mitmproxy
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking, Awesome Web Security

What it does: mitmproxy is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Execution logging and tracing.

Back to Name Jump

Mnemosyne

• Website: https://github.com/johnnykv/mnemosyne
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Mnemosyne is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A normalizer for.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Back to Name Jump

Multi rbl

• Website: http://multirbl.valli.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Multi rbl is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Multiple DNS blacklist and forward.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

MultiScanner

• Website: https://github.com/mitre/multiscanner
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Cybersecurity Blue Team

What it does: MultiScanner is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: File analysis framework written in Python that assists in evaluating a set of files by automatically running a suite of tools against them and aggregating the output.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention > Code libraries and bindings.

Back to Name Jump

Muninn

• Website: https://github.com/ytisf/muninn
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Muninn is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A script to automate portions.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Memory Forensics.

Back to Name Jump

mwcollectd

• Website: https://www.openhub.net/p/mwcollectd
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Honeypots

What it does: mwcollectd is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Versatile malware collection daemon, uniting the best features of nepenthes and honeytrap.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Name Jump

Letter N

This letter section contains 6 tools.

Nauz File Detector(NFD)

• Website: https://github.com/horsicq/Nauz-File-Detector
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Nauz File Detector(NFD) is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Linker/Compiler/Tool detector for Windows, Linux and MacOS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

NetworkTotal

• Website: https://www.networktotal.com/index.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: NetworkTotal is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A service that analyzes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

NoMoreXOR

• Website: https://github.com/hiddenillusion/NoMoreXOR
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: NoMoreXOR is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Guess a 256 byte.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Deobfuscation.

Back to Name Jump

Noriben

• Website: https://github.com/Rurik/Noriben
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Noriben is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Uses Sysinternals Procmon to.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

NormShield Services

• Website: https://services.normshield.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: NormShield Services is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Free API Services.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

nsrllookup

• Website: https://github.com/rjhansen/nsrllookup
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: nsrllookup is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A tool for looking.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

Letter O

This letter section contains 8 tools.

objdump

• Website: https://en.wikipedia.org/wiki/Objdump
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: objdump is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Part of GNU binutils,.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

OfficeMalScanner

• Website: http://www.reconstructer.org/code.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: OfficeMalScanner is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Scan for.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

Oh My Malware

• Website: https://ohmymalware.com
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Threat Detection

What it does: Oh My Malware is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A video series focused on malware execution and investigations using Elastic Security.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

olevba

• Website: http://www.decalage.info/python/olevba
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: olevba is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A script for parsing OLE.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

OllyDbg

• Website: http://www.ollydbg.de/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Penetration Testing, Awesome Cyber Security Tools, Awesome Hacking

What it does: OllyDbg is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: x86 debugger for Windows binaries that emphasizes binary code analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

OllyDumpEx

• Website: https://low-priority.appspot.com/ollydumpex/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: OllyDumpEx is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Dump memory.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Open Malware

• Website: http://www.offensivecomputing.net/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: Open Malware is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > General.

Back to Name Jump

Origami PDF

• Website: https://code.google.com/archive/p/origami-pdf
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Origami PDF is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A tool for.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

Letter P

This letter section contains 38 tools.

PackerAttacker

• Website: https://github.com/BromiumLabs/PackerAttacker
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: PackerAttacker is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A generic.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Deobfuscation.

Back to Name Jump

packerid

• Website: https://github.com/sooshie/packerid
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: packerid is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A cross-platform.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

Pafish

• Website: https://github.com/a0rtega/pafish
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Cyber Security Tools

What it does: Pafish is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Detects virtual machines and malware analysis environments.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > Anti-Analysis Detector.

Back to Name Jump

PANDA

• Website: https://github.com/moyix/panda
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: PANDA is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Platform for Architecture-Neutral.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

PDF Examiner

• Website: http://www.pdfexaminer.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: PDF Examiner is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Analyse suspicious PDF files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

PDF Tools

• Website: https://blog.didierstevens.com/programs/pdf-tools/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Cyber Security Tools

What it does: PDF Tools is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Scans for PDF keywords indicating JavaScript or actions.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

PDF X-Ray Lite

• Website: https://github.com/9b/pdfxray_lite
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: PDF X-Ray Lite is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A PDF analysis tool,.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

PE-bear

• Website: https://hshrzd.wordpress.com/pe-bear/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: PE-bear is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Reversing tool for PE.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

PEDA

• Website: https://github.com/longld/peda
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Penetration Testing, Awesome CTF

What it does: PEDA is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Python Exploit Development Assistance for GDB.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

peepdf

• Website: http://eternal-todo.com/tools/peepdf-pdf-analysis-tool
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: peepdf is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Python.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

PEframe

• Website: https://github.com/guelfoweb/peframe
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: PEframe is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

pestudio

• Website: https://winitor.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: pestudio is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Perform static analysis of Windows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

PEV

• Website: http://pev.sourceforge.net/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: PEV is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A multiplatform toolkit to work with PE.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

PEview

• Website: http://wjradburn.com/software/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: PEview is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Binary files examination and editing > Other.

Back to Name Jump

plasma

• Website: https://github.com/plasma-disassembler/plasma
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Web Security

What it does: plasma is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Plasma is an interactive disassembler for x86/ARM/MIPS by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

plasma

• Website: https://github.com/joelpx/plasma
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing, Awesome Hacking, Awesome CTF

What it does: plasma is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: An interactive disassembler for x86/ARM/MIPS which can generate indented pseudo-code with colored syntax.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

Polichombr

• Website: https://github.com/ANSSI-FR/polichombr
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Polichombr is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A malware analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Storage and Workflow.

Back to Name Jump

Pompelmi

• Website: https://github.com/pompelmi/pompelmi
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Security

What it does: Pompelmi is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Node.js file-upload malware scanner with MIME sniffing, ZIP-bomb protection and optional YARA rules.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Web > Development.

Back to Name Jump

PortEx

• Website: https://github.com/katjahahn/PortEx
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: PortEx is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

PPEE (puppy)

• Website: https://www.mzrst.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: PPEE (puppy) is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A Professional PE file Explorer for.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Practical Malware Analysis

• Website: https://amzn.com/dp/1593272901
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Practical Malware Analysis is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: The Hands-On.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Books.

Back to Name Jump

Practical Malware Analysis Starter Kit

• Website: https://bluesoul.me/practical-malware-analysis-starter-kit/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Practical Malware Analysis Starter Kit is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Other.

Back to Name Jump

Practical Reverse Engineering

• Website: https://www.amzn.com/dp/1118787315/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Practical Reverse Engineering is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Books.

Back to Name Jump

Practical Reverse Engineering by Bruce Dang et al., 2014

• Website: http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118787315.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: Practical Reverse Engineering by Bruce Dang et al., 2014 is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Books.

Back to Name Jump

Privoxy

• Website: http://www.privoxy.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Privoxy is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: An open source proxy server with some.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Anonymizers.

Back to Name Jump

ProcDot

• Website: http://www.procdot.com
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: ProcDot is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A graphical malware analysis tool kit.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

Process Explorer

• Website: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Process Explorer is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Process Hacker

• Website: http://processhacker.sourceforge.net/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Process Hacker is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Tool that monitors.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Process Monitor

• Website: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Cyber Security Tools

What it does: Process Monitor is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Monitors and logs real-time file system, Registry, and process/thread activity (SysInternals).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

procyon

• Website: https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: procyon is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Decompilers.

Back to Name Jump

Protobuf inspector

• Website: https://github.com/jmendeth/protobuf-inspector
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: Protobuf inspector is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Binary files examination and editing > Other.

Back to Name Jump

PSTools

• Website: https://docs.microsoft.com/en-us/sysinternals/downloads/pstools
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: PSTools is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Windows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

pwndbg

• Website: https://github.com/pwndbg/pwndbg
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing, Awesome CTF

What it does: pwndbg is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: GDB plug-in that eases debugging with GDB, with a focus on features needed by low-level software developers, hardware hackers, reverse-engineers, and exploit developers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

Pyew

• Website: https://github.com/joxeankoret/pyew
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Pyew is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Python tool for malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

PyInstaller Extractor

• Website: https://github.com/extremecoders-re/pyinstxtractor
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: PyInstaller Extractor is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Deobfuscation.

Back to Name Jump

PyREBox

• Website: https://github.com/Cisco-Talos/pyrebox
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Penetration Testing

What it does: PyREBox is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Python scriptable Reverse Engineering sandbox by Cisco-Talos.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

python-evt

• Website: https://github.com/williballenthin/python-evt
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Forensics

What it does: python-evt is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Pure Python parser for classic Windows Event Log files (.evt).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Windows Artifacts.

Back to Name Jump

python-registry

• Website: http://www.williballenthin.com/registry/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: python-registry is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Python.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Windows Artifacts.

Back to Name Jump

Letter Q

This letter section contains 4 tools.

Qiling Framework

• Website: https://www.qiling.io/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Qiling Framework is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Cross platform emulation and sanboxing.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

QKD

• Website: https://github.com/ispras/qemu/releases/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: QKD is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: QEMU with embedded WinDbg.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Qubes OS

• Website: https://qubes-os.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Qubes OS is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Desktop environment built atop the Xen hypervisor project that runs each end-user program in its own virtual machine intended to provide strict security controls to constrain the reach of any successful malware exploit.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Operating System distributions.

Back to Name Jump

QuickSand

• Website: https://www.quicksand.io/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: QuickSand is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: QuickSand is a compact C framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

Letter R

This letter section contains 20 tools.

RABCDAsm

• Website: https://github.com/CyberShadow/RABCDAsm
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome CTF

What it does: RABCDAsm is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Collection of utilities including an ActionScript 3 assembler/disassembler.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Browser Malware.

Back to Name Jump

Radare2

• Website: http://www.radare.org/r/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Radare2 is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Reverse engineering framework, with.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Radare2

• Website: http://rada.re/r/index.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: Radare2 is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Open source, crossplatform reverse engineering framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

radare2

• Website: https://github.com/radare/radare2
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking, Awesome CTF, Awesome Web Security

What it does: radare2 is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Unix-like reverse engineering framework and commandline tools by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Disassemblers and debuggers.

Back to Name Jump

Ragpicker

• Website: https://github.com/robbyFux/Ragpicker
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Ragpicker is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Plugin based malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Malware Corpora.

Back to Name Jump

Recomposer

• Website: https://github.com/secretsquirrel/recomposer
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Recomposer is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A helper.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

recon

• Website: https://github.com/rusty-ferris-club/recon
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Security, Awesome Forensics

What it does: recon is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: a fast Rust based CLI that uses SQL to query over files, code, or malware with content classification and processing for security experts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Web > Scanning / Pentesting.

Back to Name Jump

RegRipper

• Website: http://brettshavers.cc/index.php/brettsblog/tags/tag/regripper/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: RegRipper is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Windows Artifacts.

Back to Name Jump

RegShot

• Website: https://sourceforge.net/projects/regshot/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: RegShot is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Registry compare utility.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Rekall

• Website: http://www.rekall-forensic.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Incident Response, Awesome Cybersecurity Blue Team

What it does: Rekall is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Incident Response tools > IR management consoles.

Back to Name Jump

REMnux

• Website: https://remnux.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Cyber Security Tools, Awesome CTF, Awesome Forensics, Awesome SOC

What it does: REMnux is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Distro for reverse-engineering and analyzing malicious software.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

RetDec

• Website: https://retdec.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: RetDec is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Retargetable machine-code decompiler with an.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

retdec

• Website: https://github.com/avast-tl/retdec
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: retdec is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Decompilers.

Back to Name Jump

Reverse Engineering for Beginners by Dennis Yurichev

• Website: http://beginners.re/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: Reverse Engineering for Beginners by Dennis Yurichev is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Books.

Back to Name Jump

Reverse engineering the analyst: building machine learning models for the SOC

• Website: https://www.mandiant.com/resources/blog/build-machine-learning-models-for-the-soc
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Threat Detection

What it does: Reverse engineering the analyst: building machine learning models for the SOC is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Data Science.

Back to Name Jump

Reversing.kr

• Website: http://www.reversing.kr/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: Reversing.kr is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: This site tests your ability to Cracking & Reverse Code Engineering.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Wargame > Reverse Engineering.

Back to Name Jump

Rootkits and Bootkits

• Website: https://www.amazon.com/dp/1593277164
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Rootkits and Bootkits is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Books.

Back to Name Jump

ROPMEMU

• Website: https://github.com/Cisco-Talos/ROPMEMU
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: ROPMEMU is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A framework to analyze, dissect.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

RPISEC Malware Analysis

• Website: https://github.com/RPISEC/Malware
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: RPISEC Malware Analysis is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: These are the.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Other.

Back to Name Jump

rVMI

• Website: https://github.com/fireeye/rVMI
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: rVMI is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Debugger on steroids; inspect userspace processes, kernel drivers, and preboot environments in a single tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

Letter S

This letter section contains 24 tools.

sandboxapi

• Website: https://github.com/InQuest/python-sandboxapi
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Cybersecurity Blue Team

What it does: sandboxapi is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Minimal, consistent Python API for building integrations with malware sandboxes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention > Code libraries and bindings.

Back to Name Jump

Santoku Linux

• Website: https://santoku-linux.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Santoku Linux is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Linux distribution for mobile.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Miscellaneous.

Back to Name Jump

Scalpel

• Website: https://github.com/sleuthkit/scalpel
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Scalpel is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Another data carving.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > File Carving.

Back to Name Jump

ScratchABit

• Website: https://github.com/pfalcon/ScratchABit
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: ScratchABit is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Easily retargetable and hackable interactive disassembler with IDAPython-compatible plugin API.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Disassemblers and debuggers.

Back to Name Jump

Scylla Imports Reconstructor

• Website: https://github.com/NtQuery/Scylla
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Scylla Imports Reconstructor is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Find and fix.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

ScyllaHide

• Website: https://github.com/x64dbg/ScyllaHide
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: ScyllaHide is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: An Anti-Anti-Debug library.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

SecurityTrails

• Website: https://securitytrails.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: SecurityTrails is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Historical and current WHOIS,.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

SEE

• Website: https://github.com/F-Secure/see
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: SEE is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Sandboxed Execution Environment (SEE).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

SEKOIA Dropper Analysis

• Website: https://malware.sekoia.fr/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: SEKOIA Dropper Analysis is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Online dropper analysis (Js, VBScript, Microsoft Office, PDF).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Online Scanners and Sandboxes.

Back to Name Jump

SFlock

• Website: https://github.com/jbremer/sflock
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: SFlock is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Nested archive.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > File Carving.

Back to Name Jump

simples.kr

• Website: http://simples.kr/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: simples.kr is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: (Korean).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Wargame > Reverse Engineering.

Back to Name Jump

SMRT

• Website: https://github.com/pidydx/SMRT
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: SMRT is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Sublime Malware Research Tool, a.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

snowman

• Website: https://github.com/yegord/snowman
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: snowman is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Decompilers.

Back to Name Jump

SpamCop

• Website: https://www.spamcop.net/bl.shtml
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: SpamCop is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: IP based spam block list.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

SpamHaus

• Website: https://www.spamhaus.org/lookup/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: SpamHaus is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Block list based on.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

Spidermonkey

• Website: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Spidermonkey is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Documents and Shellcode.

Back to Name Jump

ssdeep

• Website: https://ssdeep-project.github.io/ssdeep/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: ssdeep is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Compute fuzzy hashes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

stoQ

• Website: http://stoq.punchcyber.com
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: stoQ is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Distributed content analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Storage and Workflow.

Back to Name Jump

strace

• Website: https://sourceforge.net/projects/strace/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: strace is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Dynamic analysis for.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

StringSifter

• Website: https://github.com/fireeye/stringsifter
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Incident Response

What it does: StringSifter is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A machine learning tool that ranks strings based on their relevance for malware analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Sucuri SiteCheck

• Website: https://sitecheck.sucuri.net/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Sucuri SiteCheck is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Free Website Malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

SWF Investigator

• Website: https://labs.adobe.com/technologies/swfinvestigator/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: SWF Investigator is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Browser Malware.

Back to Name Jump

swftools

• Website: http://www.swftools.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome CTF

What it does: swftools is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Collection of utilities to work with SWF files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Browser Malware.

Back to Name Jump

Synalize It

• Website: https://www.synalysis.net/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: Synalize It is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: / -.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Binary files examination and editing > Hex editors.

Back to Name Jump

Letter T

This letter section contains 14 tools.

Talos Intelligence

• Website: https://talosintelligence.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Talos Intelligence is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Search for IP, domain.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

TekDefense Automater

• Website: http://www.tekdefense.com/automater/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: TekDefense Automater is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: OSINT tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

TensorFuzz: Debugging Neural Networks with Coverage-Guided Fuzzing, 2018

• Website: https://arxiv.org/abs/1807.10875
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Fuzzing

What it does: TensorFuzz: Debugging Neural Networks with Coverage-Guided Fuzzing, 2018 is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > ArXiv (Fuzzing with Artificial Intelligence & Machine Learning).

Back to Name Jump

Thale's Cyberthreat Map

• Website: https://cds.thalesgroup.com/en/cyberthreat/hitmap
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome OSINT

What it does: Thale's Cyberthreat Map is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Discover cybersecurity trends with Thales' Cyberthreat map. Explore targeted areas, frequent attacks, affected sectors, and prevalent malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > ↑ Live Cyber Threat Maps.

Back to Name Jump

The Art of Memory Forensics

• Website: https://memoryanalysis.net/amf/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Forensics

What it does: The Art of Memory Forensics is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Detecting Malware and Threats in Windows, Linux, and Mac Memory.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Resources > Books.

Back to Name Jump

theZoo

• Website: https://github.com/ytisf/theZoo
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Threat Detection

What it does: theZoo is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A repository of LIVE malwares.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Malware Corpora.

Back to Name Jump

Threat Hunting for Fileless Malware

• Website: https://www.countercept.com/our-thinking/threat-hunting-for-fileless-malware/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Threat Detection

What it does: Threat Hunting for Fileless Malware is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

Thug

• Website: https://github.com/buffer/thug
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Thug is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Low interaction honeyclient, for.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Back to Name Jump

Tor

• Website: https://www.torproject.org/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Penetration Testing, Awesome OSINT

What it does: Tor is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Free software and onion routed overlay network that helps you defend against traffic analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Anonymizers.

Back to Name Jump

totalhash.py

• Website: https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: totalhash.py is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

TotalRecall

• Website: https://github.com/sketchymoose/TotalRecall
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: TotalRecall is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Script based.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Memory Forensics.

Back to Name Jump

Tracker h3x

• Website: http://tracker.h3x.eu/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Tracker h3x is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Agregator for malware corpus tracker.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Malware Corpora.

Back to Name Jump

TrID

• Website: http://mark0.net/soft-trid-e.html
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: TrID is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: File identifier.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.

Back to Name Jump

Triton

• Website: https://triton.quarkslab.com/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Triton is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: A dynamic binary analysis (DBA) framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

Letter U

This letter section contains 12 tools.

Udis86

• Website: https://github.com/vmt/udis86
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: Udis86 is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Disassembler library and tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Back to Name Jump

UEFITool

• Website: https://github.com/LongSoft/UEFITool
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Penetration Testing

What it does: UEFITool is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: UEFI firmware image viewer and editor.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Reverse Engineering > Reverse Engineering Tools.

Back to Name Jump

uncompyle6

• Website: https://github.com/rocky/python-uncompyle6/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome Hacking

What it does: uncompyle6 is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: decompiler for the over 20 releases and 20 years of CPython.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Decompilers.

Back to Name Jump

unpacker

• Website: https://github.com/malwaremusings/unpacker/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: unpacker is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Automated malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Deobfuscation.

Back to Name Jump

unxor

• Website: https://github.com/tomchop/unxor/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: unxor is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Guess XOR keys using.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Deobfuscation.

Back to Name Jump

un{i}packer

• Website: https://github.com/unipacker/unipacker
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis

What it does: un{i}packer is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Automatic and.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Deobfuscation.

Back to Name Jump

UPX

• Website: http://upx.sourceforge.net/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: UPX is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: the Ultimate Packer (and unpacker) for eXecutables.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Other.

Back to Name Jump

URLhaus

• Website: https://urlhaus.abuse.ch/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome OSINT

What it does: URLhaus is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: URLhaus shares malicious URLs to combat malware and botnet threats.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

URLQuery

• Website: http://urlquery.net/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome OSINT

What it does: URLQuery is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Domain Analysis.

Back to Name Jump

urlscan.io

• Website: https://urlscan.io/
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Malware Analysis, Awesome OSINT, Awesome Web Security

What it does: urlscan.io is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: Service which analyses websites and the resources they request by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Web Security > Tools > Reconnaissance > OSINT - Open-Source Intelligence.

Back to Name Jump

usbmon

• Website: https://www.kernel.org/doc/Documentation/usb/usbmon.txt
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: usbmon is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: USB capture for Linux.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Execution logging and tracing.

Back to Name Jump

USBPcap

• Website: https://github.com/desowin/usbpcap
• Model: Open Source
• Category: Malware Analysis & Reverse Engineering
• Source Lists: Awesome Hacking

What it does: USBPcap is used in malware analysis & reverse engineering programs to support sample triage, static/dynamic analysis, and malware behavior profiling. Source summaries describe it as: USB capture for Windows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Reverse Engineering > Tools > Execution logging and tracing.

Back to Name Jump

Letter V

This letter section contains 14 tools.

vduddu malware repo