Tools

Loki

Scanner for Simple Indicators of Compromise

  • GitHub: https://github.com/Neo23x0/Loki
  • Features
      • File Name IOC
      • Yara Rule Check
      • Hash check
      • C2 Back Connect Check
  • Additional features
      • Regin filesystem check (via --reginfs)
      • Process anomaly check (based on Sysforensics)
      • SWF decompressed scan (new since version v0.8)
      • SAM dump check
      • DoublePulsar check - tries to detect the DoublePulsar backdoor on port 445/tcp and 3389/tcp
      • PE-Sieve process check
  • Signature Base: https://github.com/Neo23x0/signature-base

Spark Core

  • Home: https://www.nextron-systems.com/spark-core/
  • Signature Base: https://github.com/Neo23x0/signature-base

libpeconv

A library to load, manipulate and dump PE files.

  • GitHub: https://github.com/hasherezade/libpeconv

PE-Sieve

Based on libpeconv. Scans a given process, searching for potentially malicious implants and patches within the process space.

  • Home: https://hshrzd.wordpress.com/pe-sieve/

PE Studio

Malware Initial Assessment

  • Features: https://www.winitor.com/features.html
  • Download: https://www.winitor.com/binaries.html

Other

  • Collecting & Hunting for IOCs with gusto and style: https://github.com/rastrea2r/rastrea2r