Malware Analysis

Last modified: 2023-04-04


Build a Sandbox

Before analyzing malware, it’s recommended to build a sandbox for malware analysis.
Below are useful tools for building such an environment.


    It is a collection of software installations scripts for Windows systems to maintain a reverse engineering environment on a virtual machine.

  • REMnux

    A Linux toolkit for malware analysis.


    An interactive online malware sandbox.

  • Hybrid Analysis

    A free online malware analysis.

Get Information About Malware

First off, we get the hash of the malware.

# Linux
md5sum example
sha256sum example

# PowerShell
Get-FileHash -Algorithm MD5 example.exe
Get-FileHash -Algorithm SHA256 example.exe

We can use the hash for finding details of malware, so copy the output hash.

We can search the information about malware by searching the hash.

In search form, input the hash value as below.


Now access to websites listed the search result.


VirusTotal analyses suspicious files, domains, IPs and URLs to detect malware and other breaches, automatically share them with the security community.
To search the information about suspicious files, first get the hash in our terminal.

MalwareBazaar in

MalwareBazaar also analyses suspicious files.

We can input the hash in Browse Database as below.


Resource Hacker

Resource Hacker is a resource extraction utility and resource compiler for Windows.

By opening a malware file, we can retrieve detail information about the file in “Version Info”.


capa detects capabilities in executable files.

capa example.exe
# -vv: All feature match details
capa -vv example.exe


We can find specific text contained in the malware.

# Linux
strings example | grep "text_here"

# PowerShell
strings example.exe | findstr "text_here"

Reverse Engineering


Ghidra is a reverse engineering software.


PE-bear is a multi-platform reversing tool for PE files.

Analysis Tools

  • Pithus

    An open-source mobile threat Intelligence platform.


  • Process Hacker

    It monitors system resources, debug software and detect malware.

  • ProcDOT

    ProcDOT is a visual malware analysis tool.
    To investigate logs, in Monitoring Logs, open a log file (.csv) in Procmon and open a dump file in WinDump. Then click “Refresh”. Executable files and PID listed.


  • Yara

    The pattern matching swiss knife for malware researchers.

    • Automation Tools

      • Loki

        # Update first, then will add `signature-base` directory
        python ~/Loki/ --update
        # Run
        python ~/Loki/ -p ./suspicious_files_dir
        # Run & output a log file
        python -p ./suspicious_files_dir -l log.txt
      • yarGen

        # Update first
        python ~/yarGen/ --update
        # Generate Yara ruls for specific file
        python ~/yarGen/ -m ./suspicious_files_dir --excludegood -o ./suspicious_files_dir/rule.yar
        # Check if the file flagged
        yara ./suspicious_files_dir/rule.yar ./suspicious_files_dir/somefile.php
        # If flagged, copy this ruls to Loki's signature yara directory
        cp ./suspicious_files_dir/rule.yar ~/Loki/signature-base/yara
        # Then run Loki
        # ...
    • Manual

      • Find Files Matches Rules

        yara rule.yar ./somedir
        # Print only number of matches
        yara -c rule.yar ./somedir
        # Print only not satisfied rules 
        yara -n rule.yar ./somedir
        # Print metadata
        yara -m rule.yar ./somedir
      • Create Rules

        Create "rule.yar".

        rule rule_name {
                author = "pentester"
                description = "test rule"
                created = "6/20/2022 00:00"
                $hello = "Hello"
                $text_file = ".txt"
                $hello and $text_file

Attack with Malware