Tooling

Malware Analysis & Sandboxes

REMnux, CAPE, Joe Sandbox, ANY.RUN — detonate samples and learn what they do.

Malware analysis splits into static (read the binary), dynamic (run it in isolation), and hybrid. For binary RE see Reverse Engineering (Ghidra). For memory analysis see Memory Forensics. For DFIR after an incident see DFIR (Velociraptor). For YARA / detection content see Detection (Sigma / YARA / ATT&CK).

Analyst Linux distro

  • REMnux (Lenny Zeltser) — Ubuntu-based distro pre-loaded with malware analysis tools (Ghidra, oletools, Yara, capa, Volatility, etc.). The reference analyst workstation. Free.
  • FlareVM (Mandiant) — Windows reverse-engineering / malware analysis distro; sister to Commando VM. Free.
  • See Pentest Linux Distros.

Self-hosted sandboxes

  • CAPE Sandbox — modernised Cuckoo fork; config-extraction friendly; the 2024–26 default for self-hosted dynamic analysis. Free.
  • Cuckoo Sandbox 3 (rewrite, "Cuckoo3") — official Cuckoo successor; Python 3 / FastAPI / modern stack. Free; less complete than CAPE in 2024–26.
  • Cuckoo 2 — legacy; some tutorials still reference it.
  • DRAKVUF (CERT.PL) — agentless VMI-based dynamic analysis — runs malware without an in-guest agent so it's harder to detect. Free.
  • Intezer Analyze — paid; static + dynamic + code-reuse hunting; free tier.
  • VMRay — paid; high-end commercial sandbox.
  • Joe Sandbox — paid commercial; broad coverage.

Hosted / SaaS sandboxes

  • ANY.RUN — interactive sandbox; click around in the malware as it runs; free public submissions (results public), paid private. The differentiator: human-in-the-loop detonation.
  • Hybrid Analysis (Falcon Sandbox / CrowdStrike) — free, public; reasonable depth.
  • VirusTotal — multi-engine static + sandbox; free + paid.
  • Triage (Hatching) — free public + paid; high-volume.
  • MalwareBazaar / Bazaar Hunting (abuse.ch) — sample sharing platform.
  • ThreatGrid / Talos — Cisco's sandbox.

Static analysis (Windows-y)

  • PEStudio — the analyst's quick-look PE inspector; freemium.
  • PE-bear — alternative.
  • Detect It Easy (DIE) — file format / packer / signature ID.
  • CFF Explorer / pestudio / pe-tree — PE walking.
  • bintext / strings — ye olde reliable.
  • capa (Mandiant) — capability detection: "this binary creates registry persistence, exfils via HTTPS." Free.
  • FLOSS (Mandiant) — extract obfuscated / encoded strings.
  • ssdeep / TLSH / sdhash — fuzzy hashing.
  • YARA — pattern matching; see Detection.

Office / script unpackers

  • oletools (Decalage) — olevba, oledump, mraptor, msodde; the analyst's macro toolkit.
  • didier-stevens-suite (oledump.py, pdf-parser.py, base64dump.py).
  • emldump / mailparse / msgconvert — phishing artifact triage.
  • OneNoteAnalyzer / pyOneNote — OneNote-borne malware (2023+).
  • box-js — JavaScript malware deobfuscator.
  • CyberChef — universal decode/decrypt; see DFIR (Velociraptor).
  • floss + capa — the static "what does it do" duo.

Network / behaviour capture

  • INetSim / FakeNet-NG — fake internet for sandboxing.
  • Wireshark / tcpdump / Zeek — capture sandbox traffic.
  • mitmproxy — TLS-MitM the malware.
  • Sysmon — capture host events; Sigma-rule them.
  • Procmon (Sysinternals) — process / file / registry events.

Config / IoC extraction

  • CAPE config extractors — ship with CAPE; pull C2 configs out of common families.
  • MWCP (Mandiant Malware Config Parser).
  • MalConfScan — Volatility plugin for memory-side config extraction.
  • TrigCAPA / CAPA + IDA / Ghidra integration.
  • DC3-MWCP / CACTUSTORCH community config sets.

Repositories / corpora

  • MalwareBazaar (abuse.ch) — clean sample feed.
  • VX Underground — large historical archive.
  • theZoo — research corpora.
  • VirusShare — invitation-only.
  • MalShare — community dump.
  • URLhaus (abuse.ch) — malicious URLs.

Operating safely

  • Use a dedicated lab network; no production routes.
  • Snapshot your VM before every detonation.
  • No copy-paste / shared clipboard between host and guest.
  • Disable VM Tools for some samples that detect them.
  • Manage hashes carefully — sharing certain hashes can tip off attackers via VT public submissions.

Pick this if…

  • Default analyst Linux: REMnux + FlareVM in Hyper-V / VMware.
  • Self-hosted dynamic sandbox: CAPE.
  • Interactive cloud sandbox: ANY.RUN.
  • Single-binary triage: PEStudio + DIE + capa + FLOSS + YARA.
  • VMI agentless dynamic: DRAKVUF.
  • Office / script malware: oletools + box-js + didier-stevens.
  • Family hunting at scale: YARA + ssdeep / TLSH.

On this page