From ab8184470ea617a63438b8f3931d7fe3291218e4 Mon Sep 17 00:00:00 2001 From: Andreas Hunkeler Date: Wed, 1 Apr 2020 14:43:13 +0200 Subject: [PATCH 01/17] Add link to malware persistence information repo --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 593b04a..c663ae2 100644 --- a/README.md +++ b/README.md @@ -823,6 +823,9 @@ the [browser malware](#browser-malware) section.* Presentation introducing the concepts of malware analysis, threat intelligence and reverse engineering. Experience or prior knowledge is not required. Labs link in description. +* [Malware Persistence](https://github.com/Karneades/malware-persistence) - Collection + of various information focused on malware persistence: detection (techniques), + response, pitfalls and the log collection (tools). * [Malware Samples and Traffic](http://malware-traffic-analysis.net/) - This blog focuses on network traffic related to malware infections. * [Malware Search+++](https://addons.mozilla.org/fr/firefox/addon/malware-search-plusplusplus/) Firefox extension allows From 408db762735fad260b169a61c595e0d6640cd187 Mon Sep 17 00:00:00 2001 From: Daniele Cono D'Elia Date: Wed, 3 Jun 2020 00:54:19 +0200 Subject: [PATCH 02/17] BluePill (Black Hat Europe 2019) https://www.blackhat.com/eu-19/briefings/schedule/index.html#bluepill-neutralizing-anti-analysis-behavior-in-malware-dissection-17685 https://www.diag.uniroma1.it/~delia/papers/tifs20.pdf --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index c663ae2..8ffa2f1 100644 --- a/README.md +++ b/README.md 
@@ -533,6 +533,7 @@ the [browser malware](#browser-malware) section.* * [Binary ninja](https://binary.ninja/) - A reversing engineering platform that is an alternative to IDA. * [Binwalk](https://github.com/devttys0/binwalk) - Firmware analysis tool. +* [BluePill](https://github.com/season-lab/bluepill) - Framework for executing and debugging evasive malware and protected executables. * [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages. From 1578063cea3d864808a9bdfbabac774b4f00e492 Mon Sep 17 00:00:00 2001 From: Fred HK <51206854+FR3DHK@users.noreply.github.com> Date: Sun, 21 Jun 2020 18:13:55 +0100 Subject: [PATCH 03/17] Add ThreatShare Add link to threatshare --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8ffa2f1..76750c1 100644 --- a/README.md +++ b/README.md @@ -209,6 +209,7 @@ View Chinese translation: [恶意软件分析大合集.md](恶意软件分析大 intelligence, with search. * [threatRECON](https://threatrecon.co/) - Search for indicators, up to 1000 free per month. +* [ThreatShare](https://threatshare.io/) - C2 panel tracker * [Yara rules](https://github.com/Yara-Rules/rules) - Yara rules repository. * [YETI](https://github.com/yeti-platform/yeti) - Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. * [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS From f89a440b0949048a04d20db1fc640faf99845f23 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Sat, 18 Jul 2020 00:01:38 +0200 Subject: [PATCH 04/17] Add FireEye capa --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 76750c1..0d4ee5c 100644 --- a/README.md +++ b/README.md 
@@ -535,6 +535,7 @@ the [browser malware](#browser-malware) section.* that is an alternative to IDA. * [Binwalk](https://github.com/devttys0/binwalk) - Firmware analysis tool. * [BluePill](https://github.com/season-lab/bluepill) - Framework for executing and debugging evasive malware and protected executables. +* [capa](https://github.com/fireeye/capa) - Detects capabilities in executable files. * [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages. From 0565cbd96f86a244b18676d3ee75080212d678ff Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Sat, 18 Jul 2020 00:05:52 +0200 Subject: [PATCH 05/17] Move capa to Detection and Classification section --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0d4ee5c..134561e 100644 --- a/README.md +++ b/README.md @@ -226,6 +226,7 @@ View Chinese translation: [恶意软件分析大合集.md](恶意软件分析大 * [BinaryAlert](https://github.com/airbnb/binaryalert) - An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules. +* [capa](https://github.com/fireeye/capa) - Detects capabilities in executable files. * [chkrootkit](http://www.chkrootkit.org/) - Local Linux rootkit detection. * [ClamAV](http://www.clamav.net/) - Open source antivirus engine. * [Detect It Easy(DiE)](https://github.com/horsicq/Detect-It-Easy) - A program for 
@@ -535,7 +536,6 @@ the [browser malware](#browser-malware) section.* that is an alternative to IDA. * [Binwalk](https://github.com/devttys0/binwalk) - Firmware analysis tool. * [BluePill](https://github.com/season-lab/bluepill) - Framework for executing and debugging evasive malware and protected executables. -* [capa](https://github.com/fireeye/capa) - Detects capabilities in executable files. * [Capstone](https://github.com/aquynh/capstone) - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages. From 60f4be3557dc7f8e618878d7cc5a5c9e753a13c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=B0=AD=E5=85=B4=E9=82=A6?= Date: Sun, 26 Jul 2020 20:54:44 +0800 Subject: [PATCH 06/17] update of chinese translation --- 恶意软件分析大合集.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/恶意软件分析大合集.md b/恶意软件分析大合集.md index 775bbbf..ca4a33b 100644 --- a/恶意软件分析大合集.md +++ b/恶意软件分析大合集.md @@ -54,6 +54,8 @@ * [Glastopf](http://glastopf.org/) - Web 应用蜜罐 * [Honeyd](http://honeyd.org/) - 创建一个虚拟蜜罐 * [HoneyDrive](http://bruteforcelab.com/honeydrive) - 蜜罐包的 Linux 发行版 +* [Honeytrap](https://github.com/honeytrap/honeytrap) - 运行、监控、管理蜜罐的开源系统 +* [MHN](https://github.com/pwnlandia/mhn) - MHN 是管理蜜罐的集中式服务器,可以快速部署蜜罐收集数据,并提供统一的 Web 界面 * [Mnemosyne](https://github.com/johnnykv/mnemosyne) - 受 Dinoaea 支持的蜜罐数据标准化 * [Thug](https://github.com/buffer/thug) - 用来调查恶意网站的低交互蜜罐 @@ -141,6 +143,7 @@ * [SystemLookup](https://www.systemlookup.com/) - SystemLookup 可以提供合法的或PUP的组件信息 * [ThreatMiner](https://www.threatminer.org/) - 威胁情报数据挖掘接口 * [threatRECON](https://threatrecon.co/) - 搜索指标,每月最多一千次 +* [ThreatShare](https://threatshare.io/) - C2 面板跟踪 * [Yara rules](https://github.com/Yara-Rules/rules) - Yara 规则集 * [YETI](https://github.com/yeti-platform/yeti) - Yeti 是一个旨在组织数据中的可观察性、IOC 指标、TTP 和威胁情报 * [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS 黑名单 
@@ -152,6 +155,7 @@ * [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Windows PE 文件的分析器 * [Assemblyline](https://bitbucket.org/cse-assemblyline/assemblyline) - 大规模分布式文件分析框架 * [BinaryAlert](https://github.com/airbnb/binaryalert) - 开源、无服务 AWS 管道,用于对上传的文件使用 YARA 进行扫描和报警 +* [capa](https://github.com/fireeye/capa) - 检测可执行文件的攻击能力 * [chkrootkit](http://www.chkrootkit.org/) - 本地 Linux rootkit 检测 * [ClamAV](http://www.clamav.net/) - 开源反病毒引擎 * [Detect It Easy(DiE)](https://github.com/horsicq/Detect-It-Easy) - 用于确定文件类型的程序 @@ -170,6 +174,7 @@ * [nsrllookup](https://github.com/rjhansen/nsrllookup) - 查询 NIST's National Software Reference Library 数据库中哈希的工具 * [packerid](http://handlers.sans.org/jclausing/packerid.py) - 跨平台的 PEiD 的替代品 * [PE-bear](https://hshrzd.wordpress.com/pe-bear/) - PE 文件的逆向工具 +* [PEframe](https://github.com/guelfoweb/peframe) - PEframe 可以对 PE 文件与 Office 文档文件进行静态分析 * [PEV](http://pev.sourceforge.net/) - 为正确分析可疑的二进制文件提供功能丰富工具的 PE 文件多平台分析工具集 * [PortEx](https://github.com/katjahahn/PortEx) - 聚焦于与 PE 文件相关恶意软件分析的 Java 库 * [Quark-Engine](https://github.com/quark-engine/quark-engine) - 能够对抗混淆的 Android 恶意软件评估系统 @@ -177,7 +182,6 @@ * [ssdeep](https://ssdeep-project.github.io/ssdeep/) - 计算模糊哈希值 * [totalhash.py](https://gist.github.com/malc0de/10270150) - 一个简单搜索[TotalHash.com](http://totalhash.com/) 数据库的 Python 脚本 * [TrID](http://mark0.net/soft-trid-e.html) - 文件识别 -* [virustotal-falsepositive-detector](https://github.com/uppusaikiran/virustotal-falsepositive-detector) - 基于命名相似性来分析 Virustotal Report 来寻找潜在误报的工具 * [YARA](https://plusvic.github.io/yara/) - 分析师利用的模式识别工具 * [Yara rules generator](https://github.com/Neo23x0/yarGen) - 基于恶意样本生成 yara 规则,也包含避免误报的字符串数据库 * [Yara Finder](https://github.com/uppusaikiran/yara-finder) - 使用不同 yara 规则匹配文件的简单工具,以期找到可疑指标 
@@ -245,6 +249,7 @@ * [Multi rbl](http://multirbl.valli.org/) - 多个 DNS 黑名单,反向查找超过 300 个 RBL * [NormShield Services](https://services.normshield.com/) - 用于检测潜在的钓鱼域名、黑名单中的 IP 地址与非法账户 * [PhishStats](https://phishstats.info/) - 搜索IP、域名和网站标题的钓鱼统计信息 +* [Spyse](https://spyse.com/) - 子域名、whois、相关域名、DNS、主机自治域、证书信息 * [SecurityTrails](https://securitytrails.com/) - 历史与当前WHOIS、DNS数据,相似域名、证书信息以及其他与域名和 IP 相关的数据 * [SpamCop](https://www.spamcop.net/bl.shtml) - 垃圾邮件 IP 黑名单IP * [SpamHaus](http://www.spamhaus.org/lookup/) - 基于域名和 IP 的黑名单 @@ -282,7 +287,6 @@ * [box-js](https://github.com/CapacitorSet/box-js) - 用于研究 JavaScript 恶意软件的工具,支持 JScript/WScript 和 ActiveX 仿真功能 * [diStorm](http://www.ragestorm.net/distorm/) - 分析恶意 Shellcode 的反汇编器 * [JS Beautifier](http://jsbeautifier.org/) - JavaScript 脱壳和去混淆 -* [JS Deobfuscator ](http://www.kahusecurity.com/2015/new-javascript-deobfuscator-tool/) - 对那些使用 eval 或 document.write 的简单 Javascript 去混淆 * [libemu](http://libemu.carnivore.it/) - x86 shellcode 仿真的库和工具 * [malpdfobj](https://github.com/9b/malpdfobj) - 解构恶意 PDF 为 JSON 表示 * [OfficeMalScanner](http://www.reconstructer.org/code.html) - 扫描 MS Office 文档中的恶意跟踪 @@ -334,6 +338,7 @@ * [binnavi](https://github.com/google/binnavi) - 基于图形可视化的二进制分析 IDE * [Binary ninja](https://binary.ninja/) - 可替换 IDA 的逆向工程平台 * [Binwalk](http://binwalk.org/) - 固件分析工具 +* [BluePill](https://github.com/season-lab/bluepill) - 用于执行和调试逃避型恶意软件和受保护的可执行文件的框架 * [Capstone](https://github.com/aquynh/capstone) - 二进制分析反汇编框架,支持多种架构和许多语言 * [codebro](https://github.com/hugsy/codebro) - 使用 clang 提供基础代码分析的 Web 端代码浏览器 * [Cutter](https://github.com/radareorg/cutter) - Radare2 的 GUI 
@@ -492,6 +497,7 @@ * [Malware Analysis Search](https://cse.google.com/cse/home?cx=011750002002865445766%3Apc60zx1rliu) - [Corey Harrell](journeyintoir.blogspot.com/) 自定义的用于恶意软件分析的 Google 搜索 * [Malware Analysis Tutorials](http://fumalwareanalysis.blogspot.nl/p/malware-analysis-tutorials-reverse.html) - 由 Xiang Fu 博士提供的恶意软件分析教程,是一个学习恶意软件分析的重要资源 * [Malware analysis, threat intelligence and reverse engineering](https://www.slideshare.net/bartblaze/malware-analysis-threat-intelligence-and-reverse-engineering) - 不需要先验知识的恶意软件分析、威胁情报和逆向工程概念介绍 +* [Malware Persistence](https://github.com/Karneades/malware-persistence) - 专注于恶意软件持久化的仓库,包括检测、响应与日志收集等 * [Malware Samples and Traffic](http://malware-traffic-analysis.net/) - 此博客重点介绍与恶意软件感染相关的网络流量 * [Malware Search+++](https://addons.mozilla.org/fr/firefox/addon/malware-search-plusplusplus/) - 搜索常用恶意软件数据库的 Firefox 浏览器插件 * [Practical Malware Analysis Starter Kit](https://bluesoul.me/practical-malware-analysis-starter-kit/) - 此软件包包含 Practical Malware Analysis 书中引用的大多数软件 From 05d659f365b1461a260fa1aab57e3ccee01f3c1a Mon Sep 17 00:00:00 2001 From: lubiedo <63729414+lubiedo@users.noreply.github.com> Date: Thu, 13 Aug 2020 08:39:20 -0600 Subject: [PATCH 07/17] Update README.md Adding Tsurugi Linux to _misc_ section. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 134561e..6466d2d 100644 --- a/README.md +++ b/README.md @@ -774,6 +774,7 @@ the [browser malware](#browser-malware) section.* environments in the same way as malware families do. * [REMnux](https://remnux.org/) - Linux distribution and docker images for malware reverse engineering and analysis. +* [Tsurugi Linux](https://tsurugi-linux.org/) - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities. * [Santoku Linux](https://santoku-linux.com/) - Linux distribution for mobile forensics, malware analysis, and security. 
From 34cadb9f0249b459acb37cf6fd0c2a42f9e48ec8 Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 02:17:42 +0000 Subject: [PATCH 08/17] add Bytecode Viewer --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 134561e..c38055d 100644 --- a/README.md +++ b/README.md @@ -412,6 +412,9 @@ executables. *Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and [documents and shellcode](#documents-and-shellcode) sections.* +* [Bytecode Viewer](https://github.com/Konloch/bytecode-viewer) - combines + multiple Java bytecode viewers and decompilers into one tool, including + APK/DEX support. * [Firebug](https://getfirebug.com/) - Firefox extension for web development. * [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect Java apps. * [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses Java From d5e5032656add9b8d1061c37959f4b5f86203258 Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 02:32:44 +0000 Subject: [PATCH 09/17] add PyInstaller Extractor --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index c38055d..e086ca4 100644 --- a/README.md +++ b/README.md 
@@ -506,6 +506,11 @@ the [browser malware](#browser-malware) section.* XOR key using frequency analysis. * [PackerAttacker](https://github.com/BromiumLabs/PackerAttacker) - A generic hidden code extractor for Windows malware. +* [PyInstaller Extractor](https://github.com/extremecoders-re/pyinstxtractor) - + a Python script to extract the contents of a PyInstaller generated Windows + executable file. The contents of the pyz file (usually pyc files) present + inside the executable are also extracted and automatically fixed so that a + Python bytecode decompiler will recognize it. * [un{i}packer](https://github.com/unipacker/unipacker) - Automatic and platform-independent unpacker for Windows binaries based on emulation. * [unpacker](https://github.com/malwaremusings/unpacker/) - Automated malware From 34799bcd505b129f30f9cc0a58cda312160c82bf Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 02:36:32 +0000 Subject: [PATCH 10/17] add uncompyle6 --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index e086ca4..bcb5c17 100644 --- a/README.md +++ b/README.md @@ -511,6 +511,9 @@ the [browser malware](#browser-malware) section.* executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it. +* [uncompyle6](https://github.com/rocky/python-uncompyle6/) - A cross-version + Python bytecode decompiler. Translates Python bytecode back into equivalent + Python source code. * [un{i}packer](https://github.com/unipacker/unipacker) - Automatic and platform-independent unpacker for Windows binaries based on emulation. * [unpacker](https://github.com/malwaremusings/unpacker/) - Automated malware From 1ce7f02103b7e8adbc7323a13b4420739707ff21 Mon Sep 17 00:00:00 2001 
From: knowmalware Date: Sat, 15 Aug 2020 02:48:27 +0000 Subject: [PATCH 11/17] add OllyDumpEx --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index bcb5c17..8a15501 100644 --- a/README.md +++ b/README.md @@ -592,6 +592,9 @@ the [browser malware](#browser-malware) section.* for static analysis of Linux binaries. * [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows executables. +* [OllyDumpEx](https://low-priority.appspot.com/ollydumpex/) - Dump memory + from (unpacked) malware Windows process and store raw or rebuild PE file. + This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg. * [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral Dynamic Analysis. * [PEDA](https://github.com/longld/peda) - Python Exploit Development From 2dd42682bd1727daaa45bb725d86e7ce8cb712fb Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 02:52:01 +0000 Subject: [PATCH 12/17] add ScyllaHide --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 8a15501..35c80c6 100644 --- a/README.md +++ b/README.md @@ -631,6 +631,8 @@ the [browser malware](#browser-malware) section.* [API](https://retdec.com/api/) that you can use in your tools. * [ROPMEMU](https://github.com/Cisco-Talos/ROPMEMU) - A framework to analyze, dissect and decompile complex code-reuse attacks. +* [ScyllaHide](https://github.com/x64dbg/ScyllaHide) - An Anti-Anti-Debug library + and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine. * [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis. * [strace](https://sourceforge.net/projects/strace/) - Dynamic analysis for From 986dc7717411deb964bb1baf9c0ff21d25be1a1e Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 02:55:25 +0000 Subject: [PATCH 13/17] add Scylla Imports Reconstructor --- README.md | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/README.md b/README.md index 35c80c6..73ab7aa 100644 --- a/README.md +++ b/README.md @@ -631,6 +631,8 @@ the [browser malware](#browser-malware) section.* [API](https://retdec.com/api/) that you can use in your tools. * [ROPMEMU](https://github.com/Cisco-Talos/ROPMEMU) - A framework to analyze, dissect and decompile complex code-reuse attacks. +* [Scylla Imports Reconstructor](https://github.com/NtQuery/Scylla) - Find and fix + the IAT of an unpacked / dumped PE32 malware. * [ScyllaHide](https://github.com/x64dbg/ScyllaHide) - An Anti-Anti-Debug library and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine. * [SMRT](https://github.com/pidydx/SMRT) - Sublime Malware Research Tool, a From 78f1c9611ded404848ba7d98322dc65f40324922 Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 03:10:20 +0000 Subject: [PATCH 14/17] add fn2yara --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 73ab7aa..f4d2b38 100644 --- a/README.md +++ b/README.md @@ -237,6 +237,8 @@ View Chinese translation: [恶意软件分析大合集.md](恶意软件分析大 edit file metadata. * [File Scanning Framework](https://github.com/EmersonElectricCo/fsf) - Modular, recursive file scanning solution. +* [fn2yara](https://github.com/cmu-sei/pharos) - FN2Yara is a tool to generate + Yara signatures for matching functions (code) in an executable program. * [Generic File Parser](https://github.com/uppusaikiran/generic-parser) - A Single Library Parser to extract meta information,static analysis and detect macros within the files. * [hashdeep](https://github.com/jessek/hashdeep) - Compute digest hashes with a variety of algorithms. From 0dcd51b2173cdc8af97503fbc9aa3d41c380a536 Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 03:13:44 +0000 Subject: [PATCH 15/17] fix capitalization for Bytecode Viewer --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f4d2b38..ac07577 100644 --- a/README.md 
+++ b/README.md @@ -414,7 +414,7 @@ executables. *Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and [documents and shellcode](#documents-and-shellcode) sections.* -* [Bytecode Viewer](https://github.com/Konloch/bytecode-viewer) - combines +* [Bytecode Viewer](https://github.com/Konloch/bytecode-viewer) - Combines multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support. * [Firebug](https://getfirebug.com/) - Firefox extension for web development. From 3b24662087e0a92b6672b20e798739a2e33de381 Mon Sep 17 00:00:00 2001 From: knowmalware Date: Sat, 15 Aug 2020 03:14:29 +0000 Subject: [PATCH 16/17] fix capitalization for PyInstaller Extractor --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ac07577..0cc38eb 100644 --- a/README.md +++ b/README.md @@ -509,7 +509,7 @@ the [browser malware](#browser-malware) section.* * [PackerAttacker](https://github.com/BromiumLabs/PackerAttacker) - A generic hidden code extractor for Windows malware. * [PyInstaller Extractor](https://github.com/extremecoders-re/pyinstxtractor) - - a Python script to extract the contents of a PyInstaller generated Windows + A Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it. From d62b7615f9304cde4daf7a3e11900fa18a6903df Mon Sep 17 00:00:00 2001 From: yunginnanet <49010538+yunginnanet@users.noreply.github.com> Date: Wed, 19 Aug 2020 01:45:05 -0700 Subject: [PATCH 17/17] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 134561e..9a1ef7e 100644 --- a/README.md +++ b/README.md 
@@ -107,6 +107,7 @@ View Chinese translation: [恶意软件分析大合集.md](恶意软件分析大 of malware sample sources put together by Lenny Zeltser. * [Zeus Source Code](https://github.com/Visgean/Zeus) - Source for the Zeus trojan leaked in 2011. +* [VX Underground](http://vx-underground.org/) - Massive and growing collection of free malware samples. ## Open Source Threat Intelligence
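Review bot: in PATCH 02 the added BluePill entry is one ~130-character line, while the neighbouring Binwalk and Capstone entries in the same hunk are wrapped at about 80 columns; wrap the description ("Framework for executing and debugging evasive malware and" / "protected executables.") to match the file's convention.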
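Review bot: the ThreatShare line added in PATCH 03 has no trailing full stop ("C2 panel tracker"), whereas the surrounding entries in the hunk end with one ("up to 1000 free per month.", "Yara rules repository."); add the period for consistency.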
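Review bot: PATCH 04 adds capa under the reversing tools and PATCH 05 immediately moves it to the Detection and Classification section; squash the two so the history never carries the misplaced entry, and drop the now-redundant "-* [capa]" removal hunk at @@ -535,7 +536,6 @@.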
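Review bot: PATCH 06, hunk @@ -245,6 +249,7 @@, inserts Spyse between PhishStats and SecurityTrails, which breaks the alphabetical order of that list (SecurityTrails and SpamCop/SpamHaus all sort before Spyse); move the entry below the SpamHaus line.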
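Review bot: PATCH 06, hunks @@ -177,7 +182,6 @@ and @@ -282,7 +287,6 @@, delete the virustotal-falsepositive-detector and JS Deobfuscator entries, but the commit message ("update of chinese translation") only describes additions; state why the two entries are removed (for example that the English README no longer lists them, or that the links are dead) so the translation's divergence from README.md can be checked.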
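Review bot: PATCH 06, hunk @@ -152,6 +155,7 @@, translates the capa entry as "检测可执行文件的攻击能力" ("detects the attack capabilities of executable files"), which is narrower than the English entry added in PATCH 05 ("Detects capabilities in executable files"); drop "攻击" so the translation matches the source line.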
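Review bot: PATCH 07 places Tsurugi Linux between REMnux and Santoku Linux, breaking the alphabetical order of the distributions list; move it after the Santoku Linux entry, and wrap the description at ~80 columns like the REMnux entry above it.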
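Review bot: PATCH 08 is based on index 134561e (the same parent as PATCH 07, whose blob is 134561e..6466d2d), not on PATCH 07's result, and PATCH 17 likewise reads index 134561e..9a1ef7e; the series as posted is not linear and will not apply cleanly in order with git am. Rebase PATCH 08 through 17 onto PATCH 07 before merging. Also squash PATCH 15 ("fix capitalization for Bytecode Viewer") into PATCH 08 so the entry is introduced with "Combines" from the start.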
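Review bot: PATCH 09's PyInstaller Extractor description has a number-agreement slip in its last sentence: "The contents of the pyz file (usually pyc files) ... are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it" should end "recognize them". Fold PATCH 16 (the "a Python script" -> "A Python script" capitalization fix) into this commit as well.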
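Review bot: the OllyDumpEx description in PATCH 11 reads awkwardly ("Dump memory from (unpacked) malware Windows process and store raw or rebuild PE file"); suggest "Dumps memory from an (unpacked) malware process on Windows and stores it raw or rebuilds a PE file. Plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg."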
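Review bot: the hunk in PATCH 12 is fine, but the unchanged context line right below the ScyllaHide entry carries a pre-existing typo ("to aid with malware analyis"); a separate one-line fix-up commit for "analysis" would be welcome while this region is being touched.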
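Review bot: in PATCH 14 the fn2yara link points at the root of the cmu-sei/pharos repository rather than at anything fn2yara-specific, so a reader following it lands on the whole Pharos suite; either say in the description that fn2yara is one of the Pharos tools or link to the tool's own location in that repository if one exists. The description also repeats the name ("FN2Yara is a tool to generate ..."), unlike the neighbouring entries, which start directly with the description; suggest "Generates Yara signatures for matching functions (code) in an executable program."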
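Review bot: PATCH 17 appends VX Underground after Zeus Source Code, but V sorts before Z, so the entry belongs above the Zeus Source Code line; the subject line "Update README.md" should also say what was added. The description ("Massive and growing collection of free malware samples.") should be wrapped at ~80 columns like the lines around it.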