HaboMalHunter
by Tencent
HaboMalHunter is an automated Linux malware analysis tool that performs comprehensive static and dynamic analysis of ELF files to aid security assessment and threat hunting.
HaboMalHunter is a sub-project of the Habo Malware Analysis System (https://habo.qq.com) and can be used for automated malware analysis and security assessment on Linux systems.
Primary Use Case
This tool is designed for security analysts and researchers who need to analyze Linux ELF malware samples efficiently by extracting detailed static and dynamic behavioral features. It is particularly useful for automated malware analysis, intrusion detection, and threat hunting on Linux x86/x64 systems.
- Static analysis of ELF files including md5, file type, size, SSDEEP, and ELF headers
- Dynamic analysis capturing process activities, file I/O, network traffic, and system calls
- Detection of typical malicious actions such as self-deletion and file modification
- Generation of detailed HTML and JSON reports summarizing analysis results
- Support for Linux x86 and x64 platforms
- Extraction of SO file dependencies and source file names
- Monitoring of API calls and syscall sequences
- Open source under MIT license with active community contributions
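The static half of the feature list above (hashes, size, ELF class and machine, and the shared-object dependencies the loader will pull in) can be reproduced with nothing but the standard library. The following is an added illustration written for this page, not HaboMalHunter's own code: it walks the program headers rather than the section headers, so it still recovers DT_NEEDED from stripped samples, and it builds its own minimal x86-64 ELF in memory (a constructed test input with no code in it) so it runs offline. The ssdeep fuzzy hash the tool also reports needs the third-party ssdeep module and is left out. All function names are this example's own.

```python
# Static ELF triage: hashes, size, header fields, DT_NEEDED dependencies.
# Added example for this page, not HaboMalHunter code. Standard library only.
import hashlib
import json
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
E_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
E_MACHINE = {3: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64", 8: "MIPS"}


def parse_elf(data: bytes) -> dict:
    """Return the static features of one ELF image held in memory."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little, 2 = big
    # e_type .. e_shstrndx; only the field widths differ between classes.
    fmt = endian + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    (e_type, e_machine, _ver, e_entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from(fmt, data, 16)[:10]

    # Program headers: PT_LOAD maps virtual addresses to file offsets and
    # PT_DYNAMIC locates the dynamic section. No section headers are needed,
    # which matters because malware frequently strips them.
    pfmt = endian + ("IIQQQQQQ" if is64 else "IIIIIIII")
    phdrs = []
    for i in range(e_phnum):
        f = struct.unpack_from(pfmt, data, e_phoff + i * e_phentsize)
        if is64:
            p_type, _pflags, p_offset, p_vaddr, _pa, p_filesz = f[:6]
        else:
            p_type, p_offset, p_vaddr, _pa, p_filesz = f[:5]
        phdrs.append((p_type, p_offset, p_vaddr, p_filesz))

    def vaddr_to_offset(vaddr: int) -> int:
        for p_type, p_offset, p_vaddr, p_filesz in phdrs:
            if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
                return vaddr - p_vaddr + p_offset
        raise ValueError("address 0x%x is not backed by the file" % vaddr)

    needed = []
    dfmt = endian + ("qQ" if is64 else "iI")
    dsize = struct.calcsize(dfmt)
    for p_type, p_offset, _va, p_filesz in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        entries = []
        for off in range(p_offset, p_offset + p_filesz, dsize):
            tag, val = struct.unpack_from(dfmt, data, off)
            if tag == DT_NULL:
                break
            entries.append((tag, val))
        strtab = next((v for t, v in entries if t == DT_STRTAB), None)
        if strtab is None:
            continue
        str_off = vaddr_to_offset(strtab)   # DT_STRTAB holds a virtual address
        for tag, val in entries:
            if tag == DT_NEEDED:
                end = data.index(b"\x00", str_off + val)
                needed.append(data[str_off + val:end].decode("ascii", "replace"))

    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "class": 64 if is64 else 32,
        "endian": "little" if endian == "<" else "big",
        "type": E_TYPE.get(e_type, "0x%x" % e_type),
        "machine": E_MACHINE.get(e_machine, "0x%x" % e_machine),
        "entry": "0x%x" % e_entry,
        "needed": needed,
    }


def build_sample_elf64() -> bytes:
    """Constructed test input: a minimal x86-64 ELF with two DT_NEEDED entries.
    It contains no code and is not runnable; it only exercises the parser."""
    base = 0x400000
    strtab = b"\x00libc.so.6\x00libpthread.so.0\x00"
    strtab_off = 64 + 2 * 56                          # ELF header + 2 phdrs
    dyn_off = (strtab_off + len(strtab) + 15) & ~15
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in [
        (DT_NEEDED, strtab.index(b"libc.so.6")),
        (DT_NEEDED, strtab.index(b"libpthread.so.0")),
        (DT_STRTAB, base + strtab_off),
        (DT_NULL, 0)])
    total = dyn_off + len(dyn)
    ehdr = (ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7 +
            struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, base, 64, 0, 0,
                        64, 56, 2, 0, 0, 0))
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                          base + dyn_off, len(dyn), len(dyn), 8)
    body = ehdr + load + dynamic + strtab
    return body + b"\x00" * (dyn_off - len(body)) + dyn


if __name__ == "__main__":
    # python elf_triage.py /path/to/sample.elf   (no argument: built-in sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf64()
    print(json.dumps(parse_elf(blob), indent=2))
```

Run it on a real sample and compare the "needed" list with `readelf -d`; a sample whose PT_DYNAMIC points outside any PT_LOAD segment raises rather than silently reporting no dependencies, which is itself a useful signal of a tampered header.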
Installation
- Clone the repository on the host: git clone https://github.com/Tencent/HaboMalHunter.git
- Prepare the analysis VM (VirtualBox with Ubuntu 14.04 LTS recommended) and upload the source code to it, for example through a VirtualBox shared folder mounted at /media/sf_Source
- Inside the VM, copy the source files into the /root directory: cd /root && cp -ra /media/sf_Source/* .
- Inside the VM, run the third-party software installation script: cd ./util/update_image && bash update_image.sh
- Compile and package the source code: bash package.sh
Usage
>_ python AnalyzeControl.py -v -l ./test/bin/read.32.elf
Run malware analysis on the specified ELF file with verbose output (inside the VM)
>_ cp ./log/output.zip /media/sf_Source/
Copy the generated analysis report and logs from the VM to the host through the shared folder
Dynamic analysis executes the sample, so run it only inside the disposable VM, from a snapshot you can roll back to, with no network path to production hosts.
- Feed the JSON reports into a SIEM to automate alerting on suspicious Linux ELF behaviors.
- Use the tool in purple team exercises to validate detection rules and improve blue team response capabilities.
- Leverage the detailed syscall and API call monitoring to develop custom detection signatures for emerging threats.
- Run it in CI/CD pipelines to analyze newly built Linux binaries for malicious behaviors before deployment.
- Combine it with other sandbox environments to widen dynamic analysis coverage and cross-check findings.
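Turning the syscall monitoring into signatures, as the third item above suggests, means running rules over the captured trace. The code below is an added example for this page, not HaboMalHunter's own detection logic or report format: it parses strace -f style lines and flags four of the behaviors the tool's reports call out (self-deletion, writes to sensitive system files, outbound connections, and spawning a shell). SAMPLE_TRACE is a constructed trace, the rule names are this example's own, and the sample path is supplied by the caller because the rule needs to know which file is "self".

```python
# Behaviour rules over a syscall trace (strace -f style lines).
# Added example for this page, not HaboMalHunter code.
import ipaddress
import json
import os
import re
import sys

# "[pid  4242] name(args) = ret"; the pid prefix is optional.
SYSCALL_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|\?)')
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')       # quoted args, escapes allowed
IP_RE = re.compile(r'inet_addr\("([^"]+)"\)')
PORT_RE = re.compile(r'htons\((\d+)\)')

SENSITIVE_PREFIXES = ("/etc/", "/var/spool/cron", "/bin/", "/sbin/",
                      "/usr/bin/", "/usr/sbin/")
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed trace of a hypothetical sample; not real strace output.
SAMPLE_TRACE = [
    r'execve("/tmp/sample.elf", ["/tmp/sample.elf"], 0x7ffd8c3e1a20 /* 20 vars */) = 0',
    r'openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3',
    r'socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4',
    r'connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.5")}, 16) = 0',
    r'openat(AT_FDCWD, "/etc/crontab", O_WRONLY|O_APPEND) = 5',
    r'write(5, "* * * * * root /tmp/.x\n", 23) = 23',
    r'[pid  4242] execve("/bin/sh", ["sh", "-c", "id"], 0x55d0c0a1f2b0 /* 20 vars */) = 0',
    r'unlink("/tmp/sample.elf") = 0',
    r'unlink("/tmp/scratch.txt") = 0',
    r'openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 6',
]


def parse_trace(lines):
    """Yield one dict per syscall line; lines that are not complete calls
    (signals, '<... resumed>', exit status) are skipped."""
    for line in lines:
        m = SYSCALL_RE.match(line.strip())
        if m:
            yield {"pid": m["pid"], "name": m["name"], "args": m["args"],
                   "ret": m["ret"], "strings": STR_RE.findall(m["args"])}


def detect(lines, sample_path):
    """Return a list of findings, one per rule hit, in trace order.
    Failed calls (ret == -1) never count: an attempted-but-denied unlink is
    worth logging elsewhere, but it is not the behaviour."""
    findings = []
    for c in parse_trace(lines):
        name, args, strs = c["name"], c["args"], c["strings"]
        if c["ret"] == "-1":
            continue
        if name in ("unlink", "unlinkat") and sample_path in strs:
            findings.append({"rule": "self_deletion", "syscall": name,
                             "detail": sample_path})
        elif name in ("open", "openat") and strs:
            path = strs[0]
            writing = "O_WRONLY" in args or "O_RDWR" in args
            if writing and path.startswith(SENSITIVE_PREFIXES):
                findings.append({"rule": "sensitive_file_write", "syscall": name,
                                 "detail": path})
        elif name == "connect":
            ip, port = IP_RE.search(args), PORT_RE.search(args)
            if ip and not ipaddress.ip_address(ip[1]).is_loopback:
                findings.append({"rule": "outbound_connect", "syscall": name,
                                 "detail": "%s:%s" % (ip[1], port[1] if port else "?")})
        elif name == "execve" and strs and os.path.basename(strs[0]) in SHELLS:
            findings.append({"rule": "shell_exec", "syscall": name,
                             "detail": " ".join(strs)})
    return findings


if __name__ == "__main__":
    # python trace_rules.py strace.log /path/of/sample   (no args: built-in trace)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_TRACE
    sample = sys.argv[2] if len(sys.argv) > 2 else "/tmp/sample.elf"
    print(json.dumps(detect(lines, sample), indent=2))
```

Two limits worth knowing before using this on real traces: strace splits calls across `<unfinished ...>` and `<... resumed>` lines when processes interleave, which this parser skips, and samples often delete themselves through a renamed copy or `/proc/self/exe` rather than the original path, so a production self-deletion rule should also track rename() of the sample and readlink() of /proc/self/exe.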