Static analysis workflow
Triage → strings → PE analysis → YARA → network IOC extraction
Detect It Easy (DIE). Triage tool that identifies file format, packer, compiler, signer, and embedded artifacts at a glance. First pass: drop the sample on DIE before opening a disassembler.
GUI + CLI. Cross-platform. Auto-loads YARA/Diec signatures for richer detection.
capa. FLARE's capability-detection tool: applies a rule set to identify what a binary CAN do (network, persistence, anti-analysis) without running it. A useful triage layer between strings and full RE.
`capa sample.exe` outputs ATT&CK-mapped capabilities. Pair with capa-explorer for IDA/Ghidra integration.
FLOSS. FireEye/Mandiant FLARE Obfuscated String Solver: deobfuscates stack strings, encoded strings, and shellcode. Catches strings that plain `strings` misses.
`floss sample.exe`. Slower than `strings` but recovers strings constructed at runtime.
```sh
file malware.exe
sha256sum malware.exe && md5sum malware.exe
sha256sum malware.exe | cut -d" " -f1 | xargs -I{} curl -s "https://www.virustotal.com/api/v3/files/{}" -H "x-apikey: $VT_KEY"
exiftool malware.exe   # compilation timestamp, linker version, original filename
```
- File type mismatch (extension vs magic bytes)
- Hash matches known malware families on VT
- Compilation timestamp (0 or future = wiped)
- Original filename in version info
- Linker version (old linker = old sample or fake timestamp)
Never execute the sample on the analysis machine. Hash first and check VT before doing any other work: a known sample saves hours.
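Added example (not from the original page): a dependency-free Python header parser that automates the checklist above, reading the COFF TimeDateStamp and linker version straight from the PE headers and flagging extension/magic mismatches and wiped (0 or future) timestamps, without executing anything. The `build_sample_pe` helper constructs a minimal synthetic PE header for demonstration; it is not a real sample.

```python
import struct
import time

# Extensions that normally carry a PE image (assumed list for the mismatch check).
PE_EXTENSIONS = {"exe", "dll", "sys", "scr", "ocx", "cpl"}

def pe_triage(data: bytes, filename: str, now=None) -> dict:
    """Static header triage: magic-vs-extension check, compile timestamp, linker version."""
    now = time.time() if now is None else now
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    flags = []
    result = {"is_pe": False, "flags": flags}
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" and len(data) >= 0x40 else -1
    if e_lfanew < 0 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 28:
        if ext in PE_EXTENSIONS:
            flags.append("extension claims PE but MZ/PE signature missing (type mismatch)")
        return result
    if ext and ext not in PE_EXTENSIONS:
        flags.append(f"valid PE signature but extension .{ext} (type mismatch)")
    # COFF file header follows the signature: Machine, NumberOfSections, TimeDateStamp ...
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    # Optional header starts 20 bytes after the COFF header; linker version sits at offset 2.
    major, minor = struct.unpack_from("<BB", data, e_lfanew + 24 + 2)
    result.update(is_pe=True, machine=hex(machine), sections=nsections,
                  timestamp=timestamp, linker=f"{major}.{minor}")
    if timestamp == 0:
        flags.append("compile timestamp is 0 (wiped)")
    elif timestamp > now:
        flags.append("compile timestamp is in the future (wiped or faked)")
    return result

def build_sample_pe(timestamp: int, linker=(14, 29)) -> bytes:
    """Constructed minimal PE32+ header (DOS header + signature + COFF + optional header)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x8664, 2, timestamp, 0, 0, 240, 0x22)
    opt = struct.pack("<HBB", 0x20B, *linker) + bytes(236)
    return bytes(dos) + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    for name, blob in [("invoice.pdf", build_sample_pe(1_600_000_000)),
                       ("dropper.exe", build_sample_pe(0)),
                       ("notes.txt", b"plain text, not a PE")]:
        print(name, pe_triage(blob, name))
```

Run it against real samples by reading the file bytes; the heuristics only inspect headers, so they are safe to apply before any dynamic analysis.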