Detection and Classification

PEstudio – This tool is used by Computer Emergency Response Teams (CERTs) and labs worldwide to perform initial assessment of malware. It is very useful for a first-pass static analysis.

PEView – PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files.

FileAlyzer – FileAlyzer offers more features than PEview: it provides basic PE information and adds functionality such as automated unpacking of files packed with UPX and PECompact.

CFF Explorer – A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. My favorite tool to analyze the structure of a PE file, its imports, sections, etc.

PEiD – PEiD detects most common packers, cryptors and compilers for PE files (KANAL – crypto detector plugin).

Exeinfo PE – A packer and compiler detector that also identifies binary data formats.

Detect It Easy – Detect It Easy, abbreviated “DIE”, is a program for determining file types.

RDG Packer Detector – RDG Packer Detector detects packers, cryptors, compilers, scramblers, joiners and installers. This matters when malware is protected with a crypter: the tool can provide some information about the protection in use.

Loki – Host-based scanner for IOCs.

ClamAV – Open source antivirus engine.

FastIR Collector – This tool collects various artefacts from a live Windows system and records the results in CSV or JSON files. Analysing these artefacts can reveal a compromise early.

exiftool – ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files.

yara – Create YARA signatures for malware detection.

yarGen – A generator for YARA rules.

pev – pev is a full-featured, open source, multiplatform command line toolkit to work with PE (Portable Executables) binaries.

binwalk – Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.

peframe – PEframe is an open source tool for static analysis of Portable Executable malware and generic suspicious files.

PortexAnalyser – PortEx is a Java library for static malware analysis of Portable Executable files.

TrID – Binary identification.

PEBear – PE-bear is a freeware reversing tool for PE files. Its objective is to deliver a fast and flexible “first view” tool for malware analysts, stable and capable of handling malformed PE files.
