Malware analysis involves studying malicious software to discover its functionality and behavior. Using the right malware analysis tools for the job can be the difference between spending hours studying a piece of malware or weeks!
Malware analysis tools allow you to examine, dissect, and investigate malware so that you can find ways to defend against it and protect your organization. You must be efficient at this process to ensure your organization is protected against the latest threats. That’s why you need the right tools for the job.
This article details the top 20 malware analysis tools you should master to become a proficient malware analyst. Let’s begin!
What Is Malware and Malware Analysis?
Malware (malicious software) is any software designed to compromise the confidentiality, integrity, or availability of a computer system or its data. There are various kinds of malware, such as viruses, worms, backdoors, ransomware, spyware, keyloggers, botnets, and more.
Malware analysis involves examining, dissecting, and investigating suspected malware to discover its intent, functionality, and behavior. This analysis allows you to determine the impact a piece of malware may have on a system and how to protect against it.
You can use various tools to perform this analysis, from basic static analysis tools like PEiD to entire analysis platforms like FLARE VM. Let’s look at the top 20 malware analysis tools you should be using!
Static Analysis Tools
Static analysis involves analyzing suspected malware without executing the code by inspecting the file’s metadata, source code, bytecode, or assembly code for indications that it is malicious. Here are the tools that will allow you to perform static malware analysis efficiently.
IDA Pro
IDA Pro is an “interactive disassembler” widely used in the malware analysis community to perform static binary file analysis. Its powerful disassembly and decompilation capabilities allow you to interactively map a binary’s potential execution paths to investigate its functionality and intent without executing any code.
Why we like IDA Pro:
- Decompiler support for various software architectures.
- It can be extended with plugins and Python scripts.
- Cross-platform support for Windows, Linux, and macOS.
- Supports collaboration and teamwork through the IDA Pro server.
- Has debugging capabilities.
An IDA Pro license costs $15,016 (€14,157) for all decompilers or $6,218 (€5,862) for just the x86 and x64 decompilers. There is also a free version, IDA Free, which supports fewer features.
Ghidra
Ghidra is a suite of software reverse engineering tools created by the US National Security Agency (NSA) and open-sourced in 2019. It is designed to provide a customizable and extensible platform to empower researchers in analyzing malicious code and tackling complex software reverse engineering problems.
Why we like Ghidra:
- Free and open-source.
- Cross-platform support for Windows, Linux, and macOS.
- It can be extended, automated, and customized using Java or Python (Jython) scripts.
- Includes the Ghidra Server, which gives multi-user projects built-in version control so a team can share and merge analysis of the same binary.
- Has a plugin ecosystem that is supported by a growing community.
- It can be used with external debuggers during dynamic analysis.
Ghidra is available to download for free on GitHub.
PEiD
PE Identifier (PEiD) is a classic Windows tool for detecting whether an executable has been protected against analysis or reverse engineering by a packer or cryptor, or which compiler produced it. It works by matching byte-pattern signatures (not Authenticode signatures) against Portable Executable (PE) files, Dynamic Link Libraries (DLLs), drivers, and other Windows programs.
Why we like PEiD:
- Identifies the compiler, linker, packer, or cryptor behind an executable by matching signatures at the entry point, or across the whole file in its deeper scan modes.
- Uses a plain-text signature database (userdb.txt) that you can extend with your own packer signatures.
- Shows PE header, section, and entry-point details alongside an entropy estimate, which hints at packing even when no signature matches.
- Supports plugins that add functionality such as generic unpacking.
The original PEiD project is no longer maintained, so treat a “nothing found” result as a weak signal: a modified or custom packer will not match any shipped signature, and section entropy is often the better tell. Archived builds circulate on GitHub, and a Python reimplementation that reuses PEiD signature databases can be installed with pip.
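The two checks PEiD-style tools lean on, packer section names and per-section entropy, are simple enough to reproduce. The following is an added example (not PEiD’s code, and not its signature database): a minimal PE section-table walker with the heuristics applied to two constructed images, one laid out like a UPX-packed file and one like a plain build. The `PACKER_SECTION_NAMES` list and both sample images are assumptions made for the example.

```python
"""Static triage of a PE file: walk the section table and flag packer indicators."""
import hashlib
import math
import struct

# Section names commonly left behind by packers. This list is an assumption for
# the example (a few well-known names), not PEiD's signature database.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                        b".themida", b".pec1", b".pec2", b".vmp0", b".vmp1"}
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Minimal PE walker: DOS header -> PE signature -> COFF header -> section table.
    Returns one dict per section with its name, sizes, and raw-data entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2)})
    return sections


def packer_indicators(sections: list) -> list:
    """Heuristics a PEiD-style check applies: known names, high entropy, and an
    empty-on-disk section that is large in memory (the unpacking destination)."""
    findings = []
    for s in sections:
        label = s["name"].decode("ascii", "replace")
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"{label}: section name matches a known packer")
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"{label}: entropy {s['entropy']} suggests compressed/encrypted data")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{label}: no data on disk but {s['virtual_size']:#x} bytes in memory")
    return findings


def _pseudo_random(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic high-entropy filler built by chaining SHA-256 (constructed data)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32 image: real header layout, zero-filled optional header.
    The packed variant mimics the UPX0/UPX1 layout; the clean one a plain .text/.data."""
    opt_size, e_lfanew = 0xE0, 0x40
    if packed:
        specs = [(b"UPX0", 0x10000, b""), (b"UPX1", 0x8000, _pseudo_random(0x4000))]
    else:
        specs = [(b".text", 0x2000, (b"\x55\x48\x89\xe5\x90" * 0x700)[:0x2000]),
                 (b".data", 0x1000, b"\0" * 0x200)]
    img = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", img, 0x3C, e_lfanew)                      # e_lfanew -> PE header
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x0102)
    img += b"\0" * opt_size
    raw_ptr = 0x200  # first file-aligned offset after the headers
    bodies = b""
    for name, vsize, data in specs:
        ptr = raw_ptr + len(bodies) if data else 0
        img += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                           len(data), ptr, 0, 0, 0, 0, 0x60000020)
        bodies += data
    return bytes(img.ljust(raw_ptr, b"\0") + bodies)


if __name__ == "__main__":
    for packed in (True, False):
        print("packed" if packed else "clean ",
              packer_indicators(parse_sections(build_sample_pe(packed))))
```

Run against a real sample, `parse_sections(open(path, "rb").read())` is all that changes. The packed image trips all three heuristics (UPX names, a near-8.0 entropy code section, and a UPX0 section that is empty on disk but 64 KiB in memory); the clean image trips none. A custom packer that renames its sections still shows up on the entropy and empty-section checks, which is why those matter more than the name list.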
Floss
FLOSS (FLARE Obfuscated String Solver) is a free and open-source tool created by Mandiant’s FLARE team for extracting and deobfuscating strings from malware binaries. Beyond the static strings a plain `strings` run would find, it recovers strings that are constructed or decoded at runtime, which is where the key information in a piece of malware usually hides.
Why we like Floss:
- Recovers static strings, stack strings (assembled on the stack at runtime), tight strings, and strings produced by the sample’s own decoding routines, which it locates and emulates.
- Cross-platform Python tool distributed as standalone binaries for Windows, Linux, and macOS.
- Ships scripts that import its results into IDA Pro and Binary Ninja as comments on the decoding locations.
Floss is available to download for free on GitHub.
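To make the difference between static and decoded strings concrete, here is an added example (not FLOSS’s code; FLOSS locates and emulates the sample’s real decoding functions, which is far more general). It runs a plain `strings`-style scan for ASCII and UTF-16LE text, then brute-forces the simplest obfuscation, a single-byte XOR key, and keeps only decoded strings that look like indicators and were not already visible. The sample blob, the `INTERESTING` markers, the key 0x5A, and the IP address (from the reserved documentation range) are all constructed for the example.

```python
"""Static string extraction plus single-byte XOR recovery on a constructed blob."""
import re

MIN_LEN = 6
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Markers that make a decoded string worth reporting (an assumption for the example).
INTERESTING = re.compile(r"https?://|\.(?:exe|dll|ps1|bat)\b|powershell|cmd\.exe|HKEY_", re.I)


def static_strings(blob: bytes) -> list:
    """Plain `strings`-style extraction: ASCII and UTF-16LE runs of MIN_LEN or more."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(blob)]
    return found


def xor_decoded_strings(blob: bytes) -> list:
    """Try every single-byte XOR key over the whole blob and return (key, string)
    pairs that match INTERESTING and were not visible in the plain scan."""
    visible = set(static_strings(blob))
    hits = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in blob)
        for s in static_strings(decoded):
            if s not in visible and INTERESTING.search(s):
                hits.append((key, s))
    return hits


def build_sample_blob(key: int = 0x5A) -> bytes:
    """Constructed sample: a visible banner, a UTF-16 path, and two XOR-hidden indicators.
    0xFF separators stay non-printable under any key, so decoded strings come out clean."""
    def xor(s: bytes) -> bytes:
        return bytes(b ^ key for b in s)
    sep = b"\xff" * 4
    return (sep + b"Product version 1.0.3" + sep
            + "C:\\Windows\\Temp\\update.log".encode("utf-16-le") + sep
            + xor(b"http://198.51.100.23/gate.php") + sep   # constructed C2 URL
            + xor(b"powershell -enc ") + sep)


if __name__ == "__main__":
    blob = build_sample_blob()
    print("static :", static_strings(blob))
    print("decoded:", xor_decoded_strings(blob))
```

The plain scan shows the banner, the UTF-16 path, and some printable junk (XOR with a small key keeps ASCII bytes in the printable range, which is itself a hint). Only the XOR pass surfaces the URL and the `powershell -enc` prefix. Real samples use per-string keys, rolling XOR, RC4, or custom routines, which is exactly the gap FLOSS closes by emulating the decoder rather than guessing keys.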
Radare2
Radare2 (r2) is a free and open-source reverse engineering framework that is widely used as a static malware analysis and disassembly tool. It provides a comprehensive set of features for examining executable files, libraries, and firmware through its flexible and extensible interface.
Why we like Radare2:
- Powerful disassembler, with decompilation available through plugins such as r2dec and r2ghidra that transform assembly into higher-level pseudocode.
- Supports analyzing file formats, including PE (Windows), ELF (Linux), and Mach-O (macOS).
- It can be extended through a plugin ecosystem.
- Supports automated analysis using various scripting languages, including Python, JavaScript, and Ruby.
- Has an emulation engine (ESIL) to explore possible execution paths without executing any code directly.
- Its text-based projects and scripts are easy to keep in version control, so analysis can be shared among multiple users.
Radare2 and its graphical interface iaito are available to download for free on GitHub.
Dynamic Analysis Tools
Dynamic malware analysis involves executing malware in a controlled environment and analyzing its behavior for signs that it is malicious. Here are the tools you can use.
Wireshark
Wireshark is a popular open-source network protocol analyzer and packet capture tool that is widely used to analyze network activity during dynamic malware analysis. It allows you to capture, inspect, and analyze network traffic generated by a piece of malware once it is detonated. Learn more in How to Use Wireshark to Capture Network Traffic.
Why we like Wireshark:
- It can capture and analyze network traffic in real-time.
- It can dissect and analyze a wide range of network protocols.
- Provides a detailed view of individual packets.
- Has powerful filtering and searching capabilities.
- It can be used to extract various files from streams of network traffic, including images, binary files, and more.
- Provides statistics and visualizations of network traffic.
- Cross-platform support for Windows, Linux, and macOS.
Wireshark is available to download for free from its download page.
ProcMon
Process Monitor (ProcMon) is part of the Windows Sysinternals suite of advanced system utilities for Microsoft Windows. ProcMon is a monitoring tool that shows real-time file system, registry, process/thread, and network activity. It is used during dynamic malware analysis to record what a sample does once it is executed: which files it drops, which registry keys it sets, which processes it spawns, and where it connects.
Why we like ProcMon:
- Provides real-time monitoring for capturing and displaying various system activities.
- Supports an extensive filtering system that lets you narrow down on specific system events.
- Provides detailed event information and comprehensive data about various types of events.
- Events in ProcMon logs can be color-coded based on rules you define to make your analysis more efficient.
- ProcMon is non-intrusive: it observes activity through its driver without modifying the files, registry keys, or processes it monitors.
You can download ProcMon for free from the Windows Sysinternals download page, or the newer ProcMon for Linux from GitHub.
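A detonation produces tens of thousands of ProcMon events, most of them noise from the OS. The usual workflow is to save the capture as CSV (File > Save, CSV format) and reduce it to the sample’s process tree and the handful of operations that matter. The following is an added example of that reduction (not a Sysinternals tool): it reads the default CSV columns ProcMon exports, follows `Process Create` events to pull child processes into scope, and reports dropped executables, Run-key persistence, child processes, and outbound connections. The log lines are constructed for the example; `invoice.exe`, the paths, and the IP address (from the reserved documentation range) are assumptions.

```python
"""Reduce a ProcMon CSV export to the sample's process tree and its interesting events."""
import csv
import io
import re

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
CHILD_PID_RE = re.compile(r"PID:\s*(\d+)")
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)
EXEC_EXT_RE = re.compile(r"\.(exe|dll|scr|ps1|bat|vbs|js)$", re.I)

# Constructed ProcMon CSV export (default columns), not a real capture.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:21:03.1234567 AM","invoice.exe","4120","CreateFile","C:\Users\analyst\AppData\Roaming\svchost.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:21:03.2000000 AM","invoice.exe","4120","WriteFile","C:\Users\analyst\AppData\Roaming\svchost.exe","SUCCESS","Offset: 0, Length: 212,992"
"10:21:03.3000000 AM","invoice.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 90, Data: C:\Users\analyst\AppData\Roaming\svchost.exe"
"10:21:03.4000000 AM","invoice.exe","4120","Process Create","C:\Users\analyst\AppData\Roaming\svchost.exe","SUCCESS","PID: 5216, Command line: C:\Users\analyst\AppData\Roaming\svchost.exe"
"10:21:04.0000000 AM","svchost.exe","5216","TCP Connect","analyst-vm:49812 -> 198.51.100.23:443","SUCCESS","Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 64240"
"10:21:04.1000000 AM","svchost.exe","5216","WriteFile","C:\Users\analyst\AppData\Local\Temp\stage2.dll","SUCCESS","Offset: 0, Length: 40,960"
"10:21:04.2000000 AM","explorer.exe","1880","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive","SUCCESS","Type: REG_SZ, Length: 70, Data: C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
"10:21:04.3000000 AM","invoice.exe","4120","CreateFile","C:\Windows\System32\drivers\etc\hosts","ACCESS DENIED","Desired Access: Generic Write"
'''


def process_tree_pids(rows: list, root_process: str) -> set:
    """PIDs of the detonated sample plus every descendant reached via Process Create."""
    pids = {r["PID"] for r in rows if r["Process Name"].lower() == root_process.lower()}
    changed = True
    while changed:  # iterate until no new children are discovered
        changed = False
        for r in rows:
            if r["Operation"] == "Process Create" and r["PID"] in pids:
                m = CHILD_PID_RE.search(r["Detail"])
                if m and m.group(1) not in pids:
                    pids.add(m.group(1))
                    changed = True
    return pids


def triage(csv_text: str, root_process: str) -> dict:
    """Keep only successful events from the sample's tree and bucket the interesting ones."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    pids = process_tree_pids(rows, root_process)
    report = {"dropped_files": [], "persistence": [], "child_processes": [], "network": []}
    for r in rows:
        if r["PID"] not in pids or r["Result"] != "SUCCESS":
            continue
        op, path = r["Operation"], r["Path"]
        if op == "WriteFile" and USER_WRITABLE_RE.search(path) and EXEC_EXT_RE.search(path):
            if path not in report["dropped_files"]:
                report["dropped_files"].append(path)
        elif op == "RegSetValue" and RUN_KEY_RE.search(path):
            report["persistence"].append((path, r["Detail"]))
        elif op == "Process Create":
            report["child_processes"].append(path)
        elif op in ("TCP Connect", "UDP Send"):
            report["network"].append(path.split(" -> ")[-1])  # remote endpoint only
    return report


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_CSV, "invoice.exe").items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Filtering by the process tree rather than by process name is what keeps `explorer.exe`’s own Run key out of the report while still catching the dropped `svchost.exe` look-alike and the `stage2.dll` it writes. The denied write to `hosts` is dropped because only `SUCCESS` results are kept; when hunting for intent rather than impact, keep the failures too.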
x64dbg
x64dbg is an open-source x64/x32 user-mode debugger for Windows. It is used during dynamic malware analysis to step through a sample, set breakpoints on the Windows API calls it makes, and observe its behavior once executed. The tool provides a comprehensive set of debugging and analysis features for inspecting, analyzing, and reverse engineering Windows executable files, including dumping unpacked code from memory.
Why we like x64dbg:
- Provides a user-friendly and customizable graphical interface.
- Supports real-time debugging and analysis capabilities.
- Has a built-in scripting language that allows you to automate debugging tasks.
- Supports community plugins that extend the tool’s functionality.
- It can be integrated with static analysis tools like IDA Pro and Ghidra.
- Uses color-coded instructions, highlighted code paths, and graphs, allowing you to visualize code execution.
x64dbg is available to download for free from SourceForge.
Sandboxing Tools
Sandboxing tools let you execute malware in an isolated environment where you can monitor its behavior for signs of malicious activity without putting your computer or network at risk. With any cloud sandbox, assume that uploaded samples become visible to the vendor and, depending on the submission settings, to other users: check the visibility options before uploading anything that contains sensitive data or could tip off an attacker that their sample has been found.
Joe Sandbox
Joe Sandbox is a commercial malware analysis platform that executes malware you upload in a sandboxed environment. It automatically analyzes the behavior of the malware and generates a report about its functionality, intent, and system changes made.
Why we like Joe Sandbox:
- Performs automated dynamic malware analysis to track file system changes, registry modifications, network communications, and memory operations.
- Identifies and reports on the behavior of a malware sample.
- Automatically generates a list of Indicators of Compromise (IOCs) from analyzed samples to use for threat detection and prevention.
- Integrates with other security solutions and threat intelligence feeds.
- Provides you with a pre-configured cloud environment to detonate malware.
Joe Sandbox is available in various tiers in the cloud or on-premise. You can use the basic cloud tier for free. The pro cloud tiers start at $4,999/year.
Hybrid Analysis
Hybrid Analysis is a cloud-based malware analysis platform powered by CrowdStrike’s Falcon Sandbox technology. The tool allows you to upload malware for detonation in a sandboxed environment. It will then analyze its behavior and report any malicious functionality. It also supports the analysis of potentially malicious URLs.
Why we like Hybrid Analysis:
- It is a free-to-use, cloud-based malware analysis platform that automates the dynamic malware analysis process.
- Integrates with other security solutions, threat intelligence feeds, and SIEM systems.
- Automatically generates a comprehensive report that details the malware’s behavior, indicators, and impact through logs, screenshots, and visualizations.
Hybrid Analysis is available to use for free on the tool’s webpage.
Cuckoo Sandbox
Cuckoo Sandbox is an open-source automated malware analysis platform that allows you to analyze malicious files efficiently in your environment. It provides a modular system that you can extend to suit your malware analysis requirements and tailor to your workflow.
Why we like Cuckoo Sandbox:
- Capable of analyzing many different malicious file types.
- Can trace API calls and general behavior of the file and distill this into high-level information and signature.
- Capable of analyzing encrypted network traffic (SSL/TLS).
- Can perform advanced memory analysis of the infected virtualized system through Volatility.
- Uses a module design, making it extensible and customizable to your malware analysis workflow.
- Does not rely on a third-party cloud environment and can be run on-premise under your full control.
Cuckoo Sandbox is free to install using the Python package manager pip. Note that the original Cuckoo project (Python 2) is no longer maintained; CAPE Sandbox is the actively maintained fork that most new deployments use. For more details on installation, see the official documentation.
Memory Analysis Tools
These tools are designed to examine and analyze a computer’s physical memory (RAM) and are often used in Digital Forensics and Incident Response (DFIR) investigations to uncover information about malware that has infected a system.
Volatility
Volatility is an open-source memory forensics framework and analysis tool that allows you to examine a computer system’s volatile memory (RAM). It works on memory images captured from a system, and it is widely used to extract processes, network connections, injected code, and other artifacts during an incident response investigation or when performing malware analysis.
Why we like Volatility:
- Can analyze memory dumps from various operating systems.
- Can extract kernel data structures and objects to find rootkits and bootkits.
- Supports a plugin architecture that can be used to extend the tool’s functionality.
- Supports custom Python scripts that can automate memory analysis tasks.
- Has a growing community that actively supports the project’s development.
Volatility is available to download for free from the Volatility Foundation website or from GitHub. Volatility 3 is the current version; Volatility 2 remains in use for its larger plugin catalog but is no longer developed.
Rekall
Rekall is a free and open-source advanced forensic and incident response framework. It is often used during DFIR investigations to extract valuable information from a system’s physical memory (RAM) when a system has been infected by malware.
Why we like Rekall:
- Can analyze memory dumps from various operating systems.
- Provides a command-line interface for automating analysis and an easy-to-use graphical interface.
- Can extract kernel data structures and objects by leveraging system debugging information.
- It can be deployed at scale using the Rekall Agent to collect and preserve volatile endpoint evidence across an enterprise.
Rekall’s source remains on GitHub and it can still be installed with pip, but the project has been archived and is no longer maintained, so expect it to lack profiles for current operating system versions.
Decompilers and Unpackers
These tools are used to unpack a protected executable or transform its binary code into a higher-level programming language so a malware analyst or reverse engineer can better understand the functionality and behavior of a compiled executable without executing it.
UPX
The Ultimate Packer for eXecutables (UPX) is a free, high-performance executable packer that compresses an executable file or DLL and reduces its size by 50%-70%. It is often used to “pack” malicious software, hiding the real code from static analysis. The same tool can “unpack” a UPX-packed sample (`upx -d`) and produce the original executable, which can then be disassembled and decompiled in a tool like IDA Pro or Ghidra.
Why we like UPX:
- Can quickly compress and decompress executable files.
- Provides multiple compression levels or algorithms depending on your needs.
- Provides a command line interface, making it scriptable and ideal for automated software build processes.
- Available on various operating systems.
- Reports clearly when a file is not UPX-packed or its UPX headers have been tampered with. Malware authors often modify the headers or section names so that `upx -d` fails; that failure is itself a signal, and the sample then has to be unpacked manually by letting it run to its original entry point in a debugger and dumping it.
UPX is available to download for free on GitHub.
OllyDbg
OllyDbg is a 32-bit debugger for Microsoft Windows applications used for reverse engineering 32-bit malicious executables, particularly those that target older Windows operating systems. The tool provides a comprehensive set of debugging and analysis features, including a configurable disassembler that you can use for malware analysis. It is no longer actively developed (the last release was 2.01), so x64dbg is the usual choice for new work, but many unpacking tutorials and plugins still target OllyDbg.
Why we like OllyDbg:
- Intuitive user interface.
- Allows for user-defined labels, comments, and function descriptions.
- Capable of debugging multi-threaded programs.
- Can attach to running programs to “patch” files during execution.
- Can decode over 1900 standard API and 400 C functions.
- Provides scripting and plugin support to automate common debugging tasks.
OllyDbg is available to download for free on the tool’s webpage.
dnSpy
dnSpy is an open-source .NET assembly browser and debugger used to reverse engineer, inspect, and analyze malicious .NET applications. Because .NET assemblies carry rich metadata, its built-in decompiler can convert compiled code into near-original C# so you can better understand the functionality and intent of a malicious executable.
Why we like dnSpy:
- Provides a simple and intuitive interface.
- Automatically decompiles code into C# for you.
- You can modify decompiled code directly within the tool when you need to patch an application.
- It can be used for both static and dynamic analysis with its decompiler and debugging features.
- Supports assemblies built for the .NET Framework as well as .NET Core and modern .NET.
- Provides plugin support to extend its functionality.
dnSpy is available to download for free on GitHub. The original repository has been archived; the dnSpyEx fork is the actively maintained continuation.
Analysis Platforms
Analysis platforms are specialized environments designed to analyze and dissect suspicious software manually or automatically. They allow malware analysts to execute and research malware in an isolated environment they control.
VirusTotal
VirusTotal is a popular online platform for analyzing malicious files and URLs and validating if a particular Indicator of Compromise (IOC) is suspicious or malicious. The tool is extensively used by all members of the blue team, including SOC analysts, incident responders, threat hunters, security researchers, and malware analysts.
Why we like VirusTotal:
- Can analyze a variety of IOCs.
- Provides detailed metadata about IOCs, which lets you pivot during investigations.
- Has an active community that contributes to VirusTotal's database.
- Produces a detection ratio showing how many of the antivirus engines it runs flagged the sample, along with the family names they assigned.
- Provides API access to integrate with other security tools and systems for automated analysis.
VirusTotal is available to use for free on the tool’s webpage and includes both a community (free) and premium (paid) API. Note that anything you upload is shared with VirusTotal’s partners and searchable by premium users, so look up the file’s hash first and only upload when there is no existing report and the sample is not sensitive.
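The “hash first, upload only if needed” workflow from the note above, as an added example (not VirusTotal’s client library). It uses the public v3 `GET /api/v3/files/{sha256}` endpoint with the `x-apikey` header, reduces a report to the fields a triage note needs, and maps the detection count to a verdict. The sample bytes and the report excerpt are constructed for the example, as are the verdict thresholds; set `VT_API_KEY` in the environment to run the live lookup.

```python
"""Hash-first VirusTotal lookup: never upload a sample before checking for an existing report."""
import hashlib
import json
import os
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"

# Constructed stand-in for a sample; not a real binary.
SAMPLE_BYTES = b"MZ" + b"constructed sample bytes, not a real executable" * 4


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents, the identifier VirusTotal keys reports on."""
    return hashlib.sha256(data).hexdigest()


def lookup_hash(sha256: str, api_key: str):
    """Fetch an existing v3 file report by hash. Returns None on 404 (never submitted)."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize_report(report: dict) -> dict:
    """Reduce a v3 /files report to detection ratio, labels, tags, and first-seen time."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    classification = attrs.get("popular_threat_classification", {})
    return {
        "sha256": attrs.get("sha256"),
        "malicious": malicious,
        "ratio": f"{malicious}/{total}",
        "label": classification.get("suggested_threat_label"),
        "popular_names": [t["value"] for t in classification.get("popular_threat_name", [])][:3],
        "tags": attrs.get("tags", []),
        "first_submission": attrs.get("first_submission_date"),
    }


def verdict(summary: dict) -> str:
    """Thresholds are an assumption for the example; tune them to your engine mix."""
    if summary["malicious"] >= 5:
        return "malicious"
    if summary["malicious"] >= 1:
        return "suspicious"
    return "no detections (not proof of clean)"


# Constructed excerpt in the shape of a v3 /files/{hash} response.
SAMPLE_REPORT = {"data": {"type": "file", "id": sha256_hex(SAMPLE_BYTES), "attributes": {
    "sha256": sha256_hex(SAMPLE_BYTES),
    "last_analysis_stats": {"malicious": 52, "suspicious": 1, "undetected": 17,
                            "harmless": 0, "timeout": 0, "type-unsupported": 4},
    "popular_threat_classification": {
        "suggested_threat_label": "trojan.example/stealer",
        "popular_threat_name": [{"count": 20, "value": "example"}, {"count": 9, "value": "stealer"}]},
    "first_submission_date": 1700000000,
    "tags": ["peexe", "runtime-modules"]}}}


if __name__ == "__main__":
    digest = sha256_hex(SAMPLE_BYTES)
    api_key = os.environ.get("VT_API_KEY")
    report = lookup_hash(digest, api_key) if api_key else SAMPLE_REPORT
    if report is None:
        print(f"{digest}: no existing report; decide deliberately whether to upload")
    else:
        summary = summarize_report(report)
        print(json.dumps(summary, indent=2), "\nverdict:", verdict(summary))
```

The point of splitting `lookup_hash` from the decision to upload is that a 404 is a finding in itself: a sample nobody has seen before is either targeted or freshly repacked, and pushing it to a public service may be exactly what the operator is watching for.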
ANY.RUN
ANY.RUN is an online malware analysis platform that provides an interactive sandbox environment to analyze the behavior of potentially malicious files. It is ideal to perform dynamic malware analysis in a controlled environment to assess malware's impact on a system.
Why we like ANY.RUN:
- You can interact with the analysis environment in real time.
- It provides screenshots and video capture of the infected system.
- Generates a comprehensive report that details the malware’s behavior and functionality.
- Integrates with other security tools, threat intelligence feeds, and SIEM systems.
ANY.RUN is available to use for free on the tool’s webpage. It also includes paid versions starting at $109/month.
Flare VM
FLARE VM is a collection of software installation scripts that turn your Windows virtual machine into a dedicated malware analysis and reverse engineering environment. These installation scripts install a collection of tools and resources you can use to perform static and dynamic analysis on malicious software in a controlled environment.
Why we like Flare VM:
- Installs all the malware analysis and reverse engineering tools you need.
- Installs PowerShell and Python to automate common analysis tasks.
- Uses Windows, the operating system most malware targets.
- Has extensive documentation and tutorials to help you get started.
- It can be integrated into your own larger malware analysis environment.
Once you have a Windows 10+ virtual machine, you can use the install instructions on GitHub to turn it into a Flare VM instance.
REMnux
REMnux is a Linux distribution that is designed for analyzing malware and performing reverse engineering in a safe, controlled environment. It provides you with a collection of tools for performing malware analysis investigations, saving you from finding, installing, and configuring the tools yourself.
Why we like REMnux:
- Provides a pre-configured environment for malware analysis and reverse engineering.
- Includes a wide variety of tools, most of them command-line, organized in a cheat sheet so you can find the right one quickly.
- Supports Docker containers so you can easily integrate them into your malware analysis workflow.
- Actively maintained and regularly updated to include the latest tools.
- Supported by a strong community of users and contributors.
REMnux is free to download as a virtual appliance (OVA) from the tool’s documentation page; it can also be installed on an existing Ubuntu system with the REMnux installer or run as Docker images.
Conclusion
This article showcased the top 20 malware analysis tools you should learn to efficiently respond to new and emerging threats. You saw tools that can be used for static and dynamic analysis, sandboxing, memory analysis, decompiling, and unpacking, as well as entire malware analysis platforms you can use to perform your research in an isolated and controlled environment.
Try using these tools yourself, build your own malware analysis environment, and explore the full capabilities of the tools detailed in this article!
Malware analysis is an important skill to have as a defender. If you want to learn more, try one of the courses below, and if you wish to enter a career in malware analysis, our Accelerator Program can provide the mentorship and career roadmap you need to get there.