Deobfuscation
Examine Static Properties
CyberChef
Decode and otherwise analyze data using this browser app.
Website: https://github.com/gchq/CyberChef/
Author: GCHQ
License: Apache License 2.0: https://github.com/gchq/CyberChef/blob/master/LICENSE
Notes: cyberchef
State File: remnux.tools.cyberchef
Malchive
Perform static analysis of various aspects of malicious code.
Website: https://github.com/MITRECND/malchive
Author: The MITRE Corporation, https://github.com/MITRECND/malchive/graphs/contributors
License: Apache License 2.0: https://github.com/MITRECND/malchive/blob/main/LICENSE
Notes: Malchive command-line tools start with the prefix malutil-. See utilities documentation for details.
State File: remnux.python3-packages.malchive
Cobalt Strike Configuration Extractor (CSCE) and Parser
Analyze Cobalt Strike beacons.
Website: https://github.com/strozfriedberg/cobaltstrike-config-extractor
Author: Aon / Stroz Friedberg
License: Apache License 2.0: https://github.com/strozfriedberg/cobaltstrike-config-extractor/blob/master/LICENSE
Notes: csce, list-cs-settings
State File: remnux.python3-packages.csce
xortool
Analyze XOR-encoded data.
Website: https://github.com/hellman/xortool
Author: Aleksei Hellman
License: MIT License: https://github.com/hellman/xortool/blob/master/LICENSE
State File: remnux.python3-packages.xortool
DC3-MWCP
Parse configuration information from malware.
Website: https://github.com/Defense-Cyber-Crime-Center/DC3-mwcp
Author: Defense Cyber Crime Center - United States Government
License: Some parts Public Domain, some MIT License: https://github.com/Defense-Cyber-Crime-Center/DC3-mwcp/blob/master/LICENSE.txt
Notes: mwcp
State File: remnux.python3-packages.dc3-mwcp
unicode
Display Unicode character properties.
Website: https://github.com/garabik/unicode
Author: Radovan Garabik
License: GNU General Public License (GPL) v3: https://github.com/garabik/unicode/blob/master/COPYING
State File: remnux.python3-packages.unicode
Chepy
Decode and otherwise analyze data using this command-line tool and Python library.
Website: https://github.com/securisec/chepy
Author: securisec: https://x.com/securisec
License: GNU General Public License (GPL) v3: https://github.com/securisec/chepy/blob/master/LICENSE
Notes: chepy
State File: remnux.python3-packages.chepy
Balbuzard
Extract and deobfuscate patterns from suspicious files.
Website: https://github.com/digitalsleuth/balbuzard
Author: Philippe Lagadec / Corey Forman (digitalsleuth)
License: Free, custom license: https://github.com/digitalsleuth/balbuzard
Notes: balbuzard, bbcrack, bbharvest, bbtrans
State File: remnux.python3-packages.balbuzard
NoMoreXOR.py
Help guess a file's 256-byte XOR by using frequency analysis.
Website: https://github.com/digitalsleuth/NoMoreXOR
Author: Glenn P. Edwards Jr.
License: Free, unknown license
State File: remnux.scripts.nomorexor
unXOR
Deobfuscate XOR'ed files.
Website: https://github.com/tomchop/unxor/
Author: Thomas Chopitea
License: Apache License 2.0: https://github.com/tomchop/unxor/blob/master/LICENSE
State File: remnux.scripts.unxor
brxor.py
Bruteforce XOR'ed strings to find those that are English words.
Website: https://github.com/REMnux/distro/blob/master/files/brxor.py
Author: Alexander Hanel, Trenton Tait
License: Free, unknown license
State File: remnux.scripts.brxor
xorBruteForcer.py
Bruteforce an XOR-encoded file.
Website: https://eternal-todo.com/category/bruteforcer
Author: Jose Miguel Esparza
License: Free, unknown license
State File: remnux.scripts.xorbruteforcer
strdeob.pl
Locate and decode stack strings in executable files.
Website: https://github.com/REMnux/distro/blob/master/files/strdeob.pl
Author: TotalHash
License: Free, unknown license
State File: remnux.scripts.strdeob
XORStrings
Search for XOR encoded strings in a file.
Website: https://blog.didierstevens.com/2013/04/15/new-tool-xorstrings/
Author: Didier Stevens
License: Free, unknown license
State File: remnux.packages.xorstrings
XORSearch
Locate and decode strings obfuscated using common techniques.
Website: https://blog.didierstevens.com/programs/xorsearch/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
Notes: xorsearch
State File: remnux.packages.xorsearch
FLOSS
Extract and deobfuscate strings from PE executables.
Website: https://github.com/mandiant/flare-floss
Author: Mandiant, Willi Ballenthin: https://x.com/williballenthin, Moritz Raabe
License: Apache License 2.0: https://github.com/mandiant/flare-floss/blob/master/LICENSE.txt
Notes: floss
State File: remnux.packages.flare-floss
ex_pe_xor.py
Search an XOR'ed file for indications of executable binaries.
Website: https://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html
Author: Alexander Hanel
License: Free, unknown license
State File: remnux.scripts.ex-pe-xor
cs-decrypt-metadata.py
Decrypt Cobalt Strike metadata.
Website: https://blog.didierstevens.com/2021/11/12/update-cs-decrypt-metadata-py-version-0-0-2/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
State File: remnux.scripts.didier-stevens-scripts
base64dump.py
Locate and decode strings encoded in Base64 and other common encodings.
Website: https://blog.didierstevens.com/2020/07/03/update-base64dump-py-version-0-0-12/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
State File: remnux.scripts.didier-stevens-scripts
xor-kpa.py
Implement an XOR known-plaintext attack.
Website: https://blog.didierstevens.com/2017/06/06/update-xor-kpa-py-version-0-0-5/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
State File: remnux.scripts.didier-stevens-scripts
cut-bytes.py
Cut out a part of a data stream.
Website: https://blog.didierstevens.com/2015/10/14/cut-bytes-py/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
State File: remnux.scripts.didier-stevens-scripts
format-bytes.py
Decompose structured binary data with format strings.
Website: https://blog.didierstevens.com/2020/02/17/update-format-bytes-py-version-0-0-13/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
State File: remnux.scripts.didier-stevens-scripts
translate.py
Translate bytes according to a Python expression.
Website: https://blog.didierstevens.com/programs/translate/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
State File: remnux.scripts.didier-stevens-scripts
sets.py
Perform set operations on lines or bytes in text files.
Website: https://blog.didierstevens.com/2017/03/05/new-tool-sets-py/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
State File: remnux.scripts.didier-stevens-scripts
1768.py
Analyze Cobalt Strike beacons.
Website: https://blog.didierstevens.com/2021/05/22/update-1768-py-version-0-0-6/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
State File: remnux.scripts.didier-stevens-scripts
xorsearch.py
Search for XOR, ROL, ROT, and SHIFT encoded strings with YARA and regex support.
Website: https://blog.didierstevens.com/2020/08/23/new-tool-xorsearch-py/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
State File: remnux.scripts.didier-stevens-scripts
re-search.py
Search files using regular expressions from a built-in library or custom patterns.
Website: https://blog.didierstevens.com/2023/04/03/update-re-search-py-version-0-0-22/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
State File: remnux.scripts.didier-stevens-scripts
hex-to-bin.py
Convert hexadecimal text dumps to binary data.
Website: https://blog.didierstevens.com/2020/04/19/update-hex-to-bin-py-version-0-0-5/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
State File: remnux.scripts.didier-stevens-scripts
numbers-to-string.py
Translate number sequences into ASCII characters.
Website: https://blog.didierstevens.com/2020/12/12/update-numbers-to-string-py-version-0-0-11/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
State File: remnux.scripts.didier-stevens-scripts
cs-analyze-processdump.py
Analyze Cobalt Strike beacon process dumps to detect sleep mask encoding.
Website: https://blog.didierstevens.com/2021/11/25/new-tool-cs-analyze-processdump-py/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
State File: remnux.scripts.didier-stevens-scripts
cs-extract-key.py
Extract AES and HMAC keys from Cobalt Strike beacon process memory.
Website: https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/
Author: Didier Stevens: https://x.com/DidierStevens
License: Public Domain
State File: remnux.scripts.didier-stevens-scripts