Analyze malware, reverse engineer binaries, and understand threats with free and open source tools. Browse dynamic analysis sandboxes, static analysis frameworks, and disassemblers.
x64dbg/x64dbg
An open-source user mode debugger for Windows. Optimized for reverse engineering and malware analysis.
ytisf/theZoo
A repository of LIVE malwares for your own joy and pleasure. theZoo is a project created to make the possibility of malware analysis open and available to the public.
mandiant/flare-vm
A collection of software installation scripts for Windows systems that allows you to easily set up and maintain a reverse engineering environment on a VM.
mandiant/capa
The FLARE team's open-source tool to identify capabilities in executable files.
mentebinaria/retoolkit
Reverse Engineer's Toolkit
InQuest/awesome-yara
A curated list of awesome YARA rules, tools, and people.
mandiant/flare-floss
FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
hasherezade/pe-bear
Portable Executable reversing tool with a friendly GUI
maestron/botnets
This is a collection of #botnet source codes, unorganized. For EDUCATIONAL PURPOSES ONLY
decalage2/oletools
oletools - Python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
hasherezade/malware_training_vol1
Materials for Windows Malware Analysis training (volume 1)
mandiant/speakeasy
Windows kernel and user mode emulation.
fabrimagic72/malware-samples
A collection of malware samples caught by several honeypots I manage
KasperskyLab/hrtng
IDA Pro plugin with a rich set of features: decryption, deobfuscation, patching, lib code recognition and various pseudocode transformations
packing-box/awesome-executable-packing
A curated list of awesome resources related to executable packing
ckane/CS7038-Malware-Analysis
Course Repository for University of Cincinnati Malware Analysis Class (CS[567]038)
CERT-Polska/drakvuf-sandbox
DRAKVUF Sandbox - automated hypervisor-level malware analysis system
alvin-tosh/Malware-Exhibit
🚀🚀 This is a 🎇🔥 REAL WORLD🔥 🎇 Malware Collection I have Compiled & analysed by researchers🔥 to understand more about Malware threats😈, analysis and mitigation🧐.
decalage2/ViperMonkey
A VBA parser and emulation engine to analyze malicious macros.
binref/refinery
High Octane Triage Analysis
Tencent/HaboMalHunter
HaboMalHunter is a sub-project of Habo Malware Analysis System (https://habo.qq.com), which can be used for automated malware analysis and security assessment on the Linux system.
Err0r-ICA/Ransomware
Ransomwares Collection. Don't Run Them on Your Device.
c3rb3ru5d3d53c/binlex
A Binary Genetic Traits Lexer Framework
cryptwareapps/Malware-Database
A large repository of malware samples with 2500+ malware samples & source codes for a variety of platforms by Cryptware Apps.
Static analysis examines malware without executing it — inspecting code, strings, imports, and structure using disassemblers like Ghidra and IDA Free. Dynamic analysis executes malware in a controlled sandbox to observe its behavior — network connections, file system changes, registry modifications. Both approaches are complementary.
Cuckoo Sandbox is the leading open source automated malware analysis system, providing behavioral reports for Windows, Linux, macOS, and Android samples. CAPE Sandbox extends Cuckoo with configuration extraction. Any.run and Joe Sandbox offer free online analysis tiers for quick triage.
Ghidra is a free, open source reverse engineering framework developed and released by the NSA. It supports disassembly, decompilation, and analysis of binaries across multiple architectures. It's considered the best free alternative to IDA Pro and is widely used by malware analysts and vulnerability researchers.
Never execute suspicious files on your main system. Use an isolated VM (preferably with no network access or a controlled network), submit to an online sandbox like Any.run or Hybrid Analysis, or deploy a local Cuckoo instance. Always use snapshots so you can revert after analysis.