This tool takes a PE file (e.g. `*.exe`) and checks whether its Import Address Table (IAT) contains functions that are commonly used in malware. It does this by looking each imported function name up at https://malapi.io/; for every match, the tool returns the function's description and what it is typically used for.
```sh
git clone https://github.com/oh-az/MalFinder.git
cd MalFinder
```
Dependencies can be installed using the requirements file:
```sh
sudo pip3 install -r requirements.txt
```
Run it against an executable or a DLL:
```sh
python3 MalFinder.py malware.exe
python3 MalFinder.py mal_library.dll
```
These new features were added by oh-az:
- Detect the use of direct syscalls by disassembling the binary and inspecting the instructions.
- Display information about the binary.
- Calculate each section's entropy to detect potential obfuscation/packing.
- Compare each section's virtual and raw size to detect potential packing.
- Extract all IPs from the binary.
- Calculate the MD5 hash and send it to VirusTotal, then print how many vendors have flagged this binary.
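As an added example (not MalFinder's own code), the section-entropy, virtual/raw size and suspicious-import checks from the feature list, in plain Python over constructed section data; the thresholds and the in-memory catalog that stands in for the online malapi.io lookup are assumptions.

```python
import math
from dataclasses import dataclass
# Thresholds are assumptions for this example, not MalFinder's own settings.
ENTROPY_THRESHOLD = 7.0     # bits/byte; compressed or encrypted data sits close to 8.0
SIZE_RATIO_THRESHOLD = 4.0  # virtual size far above raw size: the section is filled at run time

@dataclass
class Section:              # the fields a PE parser (e.g. pefile) gives you per section
    name: str
    virtual_size: int
    raw_size: int
    data: bytes

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def packing_indicators(sections):
    """(section name, reason) for every section whose entropy or size layout suggests packing."""
    findings = []
    for s in sections:
        ent = shannon_entropy(s.data)
        if ent >= ENTROPY_THRESHOLD:
            findings.append((s.name, f"entropy {ent:.2f}"))
        if s.raw_size == 0 and s.virtual_size > 0:
            findings.append((s.name, "no raw data on disk but non-zero virtual size"))
        elif s.raw_size and s.virtual_size / s.raw_size > SIZE_RATIO_THRESHOLD:
            findings.append((s.name, f"virtual/raw size ratio {s.virtual_size / s.raw_size:.1f}"))
    return findings

def suspicious_imports(imports, catalog):
    """Imported names found in a {function: description} catalog (malapi.io stand-in)."""
    return {name: catalog[name] for name in imports if name in catalog}

SAMPLE_SECTIONS = [  # constructed sample input, not taken from a real binary
    Section(".text", 0x1000, 0x1000, bytes([0x90, 0xC3]) * 2048),  # two byte values: entropy 1.0
    Section("UPX0", 0x20000, 0, b""),                              # empty on disk, unpacked into at run time
    Section("UPX1", 0x1000, 0x1000, bytes(range(256)) * 16),       # every byte value equally often: 8.0
]
SAMPLE_IMPORTS = ["GetProcAddress", "VirtualAllocEx", "WriteProcessMemory", "ExitProcess"]
SAMPLE_CATALOG = {  # constructed offline stand-in for the malapi.io lookup
    "VirtualAllocEx": "allocates memory inside another process (process injection)",
    "WriteProcessMemory": "writes into another process's memory (process injection)",
}
```

Call `packing_indicators(SAMPLE_SECTIONS)` and `suspicious_imports(SAMPLE_IMPORTS, SAMPLE_CATALOG)` to see the flagged sections and imports; on a real file, pass the sections and import names from your PE parser instead.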
- X: J0e_Binary
- X: ohAz
Current version is 1.2.