REMnux Documentation
Gather and Analyze Data

Automater

Gather OSINT data about IPs, domains, and hashes.

Website: http://www.tekdefense.com/automater/
Author: 1aN0rmus (https://twitter.com/TekDefense)
License: MIT License (https://github.com/1aN0rmus/TekDefense-Automater/blob/master/LICENSE)
Notes: Automater.py
State File: remnux.tools.automater

dissect

Perform a variety of forensics and incident response tasks using this DFIR framework and toolset.

Website: https://github.com/fox-it/dissect
Author: Dissect Team (dissect@fox-it.com)
License: GNU Affero General Public License v3 (https://github.com/fox-it/dissect/blob/main/LICENSE)
Notes: acquire, target-fs, rdump, rgeoip, target-query, target-shell, target-dump, target-info, target-reg, target-dd, target-mount
State File: remnux.python3-packages.dissect

time-decode

Decode and encode date and timestamps.

Website: https://github.com/digitalsleuth/time_decode
Author: Corey Forman
License: MIT License (https://github.com/digitalsleuth/time_decode/blob/master/LICENSE)
State File: remnux.python3-packages.time-decode

malwoverview

Query public repositories of malware data (e.g., VirusTotal, HybridAnalysis).

Website: https://github.com/alexandreborges/malwoverview
Author: Alexandre Borges
License: GNU General Public License v3 (https://github.com/alexandreborges/malwoverview/blob/master/LICENSE)
Notes: malwoverview; add API keys to ~/.malwapi.conf
State File: remnux.python3-packages.malwoverview

Viper

Organize and query a collection of malware samples. (Temporarily excluded from the distro.)

Website: https://github.com/viper-framework/viper
Author: Claudio Guarnieri (https://nex.sx)
License: BSD 3-Clause License (https://github.com/viper-framework/viper/blob/master/LICENSE)
Notes: Viper is temporarily excluded from the REMnux distro due to dependency issues. Instead, use the remnux/viper Docker image: https://docs.remnux.org/run-tools-in-containers/remnux-containers#viper-binary-analysis-and-management-framework
State File: remnux.python3-packages.viper-framework

ioc_parser

Extract IOCs from security report PDFs.

Website: https://github.com/buffer/ioc_parser
Author: Armin Buescher
License: MIT License (https://github.com/buffer/ioc_parser/blob/master/LICENSE.txt)
State File: remnux.python3-packages.ioc-parser

ipwhois

Retrieve and parse whois data for IP addresses.

Website: https://github.com/secynic/ipwhois
Author: Philip Hane
License: BSD 2-Clause "Simplified" License (https://github.com/secynic/ipwhois/blob/master/LICENSE.txt)
Notes: ipwhois_cli.py, ipwhois_utils_cli.py
State File: remnux.python3-packages.ipwhois

VirusTotal API

Query and interact with VirusTotal using a command-line interface.

Website: https://github.com/doomedraven/VirusTotalApi
Author: doomedraven
License: MIT License (https://github.com/doomedraven/VirusTotalApi/blob/master/LICENSE.md)
Notes: vt
State File: remnux.python3-packages.virustotal-api

ioc_writer

Python library that allows for basic creation and editing of OpenIOC objects.

Website: https://github.com/mandiant/ioc_writer
Author: William Gibb
License: Apache License 2.0 (https://github.com/mandiant/ioc_writer/blob/master/LICENSE)
State File: remnux.python-packages.ioc-writer

shodan

Query Shodan, a search engine for internet-connected devices.

Website: https://github.com/achillean/shodan-python/
Author: John Matherly
License: Custom, free license (https://github.com/achillean/shodan-python/blob/master/LICENSE)
State File: remnux.python-packages.shodan

PyPDNS

Python library to query passive DNS services that follow the Passive DNS - Common Output Format.

Website: https://github.com/CIRCL/PyPDNS
Author: Raphael Vinot, Alexandre Dulaunoy, CIRCL - Computer Incident Response Center Luxembourg
License: Free, custom license (https://github.com/CIRCL/PyPDNS/blob/master/LICENSE)
State File: remnux.python-packages.pypdns

pdnstool

Query passive DNS databases for DNS data.

Website: https://github.com/chrislee35/passivedns-client
Author: Chris Lee
License: MIT License (https://github.com/chrislee35/passivedns-client/blob/master/LICENSE.txt)
State File: remnux.rubygems.pdnstool

DeXRAY

Extract and decode data from antivirus quarantine files.

Website: http://www.hexacorn.com/blog/category/software-releases/dexray/
Author: Hexacorn
License: Free; copyright by Hexacorn.com (http://hexacorn.com/d/DeXRAY.pl)
Notes: dexray
State File: remnux.scripts.dexray

virustotal-submit

Submit files to VirusTotal.

Website: https://blog.didierstevens.com/programs/virustotal-tools/
Author: Didier Stevens (https://twitter.com/DidierStevens)
License: Public Domain
Notes: virustotal-submit.py
State File: remnux.scripts.virustotal-submit

virustotal-search

Search VirusTotal for file hashes.

Website: https://blog.didierstevens.com/programs/virustotal-tools/
Author: Didier Stevens (https://twitter.com/DidierStevens)
License: Public Domain
Notes: virustotal-search.py
State File: remnux.scripts.virustotal-search

Scalpel

Carve contents out of binary files, such as partitions.

Website: https://github.com/sleuthkit/scalpel
Author: Golden G. Richard III, Vassil Roussev
License: Apache License 2.0 (https://github.com/sleuthkit/scalpel/blob/master/LICENSE-2.0.txt)
State File: remnux.packages.scalpel

nsrllookup

Look up MD5 file hashes in the NIST National Software Reference Library (NSRL).

Website: https://github.com/rjhansen/nsrllookup
Author: Robert J. Hansen (https://twitter.com/robertjhansen)
License: ISC License (https://github.com/rjhansen/nsrllookup/blob/master/LICENSE)
State File: remnux.packages.nsrllookup

Yara

Identify and classify malware samples using Yara rules.

Website: https://virustotal.github.io/yara/
Author: https://github.com/VirusTotal/yara/blob/master/AUTHORS
License: BSD 3-Clause "New" or "Revised" License (https://github.com/VirusTotal/yara/blob/master/COPYING)
Notes: yara
State File: remnux.packages.yara

Last updated 11 months ago