Malware analysis arsenal: Top 15 tools

December 15, 2021 by Pedro Tavares

We live in an era where digital transformation is part of our lives. With it, malware has become a critical threat to organizations and people around the globe, who face every day the most recent and sophisticated malicious schemes disseminated by well-organized cyber gangs. According to the Threat Report Q3 Portugal, many malware families were disseminated in Portugal during Q3 2021, as presented below.

Figure 1: Different malware families disseminated during Q3 2021 in Portugal (source).

The vehicle criminals use to target victims is often email or a simple SMS, which can cost a company millions of dollars if the right controls are not in place.

Popular tools for reversing malware

Debuggers/disassemblers

IDA Pro

IDA is a multi-platform, multi-processor disassembler that translates machine-executable code into assembly code, supporting debugging and reverse engineering. IDA Pro is commercial software and was the most used worldwide until the NSA released Ghidra in 2019. IDA has a wide range of plugins developed by the community; popular ones include VT-IDA Plugin, BinDiff and Bincat.

URL: https://hex-rays.com/ida-pro/

GHIDRA

GHIDRA is a software reverse engineering (SRE) framework created by the NSA. This framework provides a suite of tools that enable experts to analyze compiled code on various platforms, including Windows, macOS and Linux. It is an open-source tool maintained by the NSA and the community on GitHub, with many plugins, including VTGrep, Binwalk and Golang Renamer.

URL: https://github.com/NationalSecurityAgency/ghidra

Radare2

This is a command-line debugger that can be used on Windows and Linux. Radare2 is open-source and can also be used through a GUI known as iaito.

URL: https://rada.re/n/

x64dbg

x64dbg is an open-source debugger for Windows, built for reverse engineering. It has many features and comes with a comprehensive plugin system. More plugins can be found on the project's wiki page.

URL: https://github.com/x64dbg/x64dbg

Decompilers

DotPeek

DotPeek is a standalone tool based on ReSharper’s bundled decompiler. It can decompile any .NET assembly into equivalent C# or IL code. The decompiler supports multiple formats including libraries (.dll), executables (.exe), and Windows metadata files (.winmd).

URL: https://www.jetbrains.com/decompiler/

Interactive Delphi Reconstructor (IDR)

IDR is a popular decompiler written in Delphi that runs in a Win32 environment and is capable of decompiling Delphi code. It is free to use and is mostly used to analyze banking malware.

URL: https://github.com/crypto2011/IDR

PE Analysis

PEstudio

PEstudio is a tool used to perform Malware Initial Assessment. It is very useful for performing an initial analysis and collecting details and IoCs from a binary file.

URL: https://www.winitor.com/

Detect IT Easy

"DIE" is a cross-platform application. Apart from the Windows version, versions are also available for Linux and Mac OS. It is used to analyze executable files, change the binary protections, search by strings, calculate the binary entropy, etc. It is a useful tool to analyze binary internals.

URL: https://github.com/horsicq/Detect-It-Easy

PE-bear

PE-bear is a freeware reversing tool for PE files. Its objective was to deliver a fast and flexible “first view” tool for malware analysts, stable and capable of handling malformed PE files.

URL: https://github.com/hasherezade/pe-bear-releases/

Deobfuscation

FLOSS

The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.

URL: https://github.com/mandiant/flare-floss

CyberChef

CyberChef is a simple and intuitive web app to perform a panoply of "cyber" operations within a web browser. It is known as the Cyber Swiss Army Knife.

URL: https://gchq.github.io/CyberChef/

Monitor

Process Monitor

It is an advanced monitoring tool for Windows programs developed by Microsoft. It shows real-time file system, Registry and process/thread activity. 

URL: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Process Explorer

This is an advanced task manager for Windows that lists the currently active processes, including the names of their owning accounts. This tool was developed and is maintained by Microsoft.

URL: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

PE-Sieve

PE-Sieve scans a given process, recognizes and dumps a variety of potentially malicious implants such as replaced/injected PEs, shellcodes, hooks and in-memory patches.

URL: https://github.com/hasherezade/pe-sieve

Fakenet

This tool simulates a network so that malware that interacts with a remote host keeps running, allowing the analyst to observe the malware’s network activity within a safe environment. This is my favorite tool to fake DNS responses.

URL: https://github.com/mandiant/flare-fakenet-ng

Please see here for more details about these tools and a complete list of tools used during malware analysis.

 


Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog seguranca-informatica.pt.

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.