Practical Malware Analysis Starter Kit

Package last updated: 2016-05-14

This package contains most of the software referenced in Practical Malware Analysis. Some of the links have broken over time, some companies have folded or been bought. I’ve done what I can to compile it all in one place for my own convenience and I figured I’d share it. It contains:

  • MD5DEEP 4.4 and related tools (sha1deep, hashdeep, whirlpooldeep, etc) and 64-bit equivalents.
  • WinMD5Free v1.20
  • PEiD v0.95 with KANAL plugin
  • Strings v2.52
  • upx 3.91
  • PEview v0.9.9
  • Resource Hacker v4.2.5
  • PEBrowse Professional v10.1.4
  • PEBrowse64 Professional v6.3.1
  • PE Explorer 1.99 R6 (Trial)
  • Process Monitor (procmon) v3.2
  • Process Explorer (procexp) v16.10
  • Regshot v1.9.0
  • ApateDNS v1.0
  • Netcat (nc) 1.11 and 64-bit build
  • Wireshark v2.0.3
  • FakeNet 1.0c (INetSim alternative for Windows)
  • Combined Volume Set of Intel® 64 and IA-32 Architectures Software Developer’s Manuals
  • IDA Pro Free v5.0 with FindCrypt plugin, IDA Entropy Plugin
  • Autoruns v13.51 and autorunsc
  • OllyDbg v1.10 and v2.01d
  • OllyDump Plugin
  • WinDbg x86 and x64 v6.11.1.404
  • Immunity Debugger (ImmDbg) v1.85
  • SoftICE 4.05 for w98 and NT/XP (SEE FOOTER)
  • SoftIceNT 4.2.7 (from 2.7 Driver Studio build) for XP (SEE FOOTER)
  • OSR Driver Loader v3.0
  • Poison Ivy RAT 2.3.2 (Password is “malware” with no quotes, if the exe is eaten by your AV)
  • pwdump6 (as PwDump.exe)
  • pwdump7
  • Pass-The-Hash Toolkit v1.4
  • Metasploit Framework v4.11.7
  • PyCrypto (Requires Python 2.7)
  • Snort
  • ScoopyNG v1.0
  • Mandiant Red Curtain 1.0
  • ASPack 2.39 (Trial)
  • PETite v2.4
  • WinUPack v0.39 Final
  • Themida (Trial)
  • shellcode_launcher.exe (Gone from
  • Bochs 2.6.8
  • Burp Suite 1.7.03
  • CaptureBAT 2.0.0-5574
  • Cuckoo 2.0-RC1 (Requires Python)
  • CFF Explorer (As Explorer Suite 4)
  • WinHex
  • Import REConstructor (ImpREC) 1.7e
  • LordPE 1.41 Deluxe
  • Malcode Analyst Pack
  • Memoryze 3.0
  • OfficeMalScanner 0.5
  • Zynamics BinDiff 4.20 (Key provided by Zynamics)
  • and (Requires Python, obviously)
  • Sandboxie v5.10
  • Buster Sandbox Analyzer v1.88 Update 4
  • TCPView v3.05
  • The Sleuth Kit 4.2.0 for Windows
  • VERA v0.3
  • Volatility 2.5
  • Yara v1.7.1 x86 and x64

Docs and Licenses when given are in their own folders. I recommend you add the “Portable Binaries” folder to your Windows PATH.

WARNING: This is not a toy. There are malicious code samples provided in the labs. Poison Ivy is real C2 malware. Use extreme caution with this software.

COPYRIGHT: I do not claim copyright to any of the software packaged. All software provided was freely available online, and included in one place for your convenience.

PASSWORD: The password to open the zip is “malware” with no quotes. You will likely need to make exceptions in your AV for the folder you place and extract this package.

REGARDING SOFTICE: The provided build of SoftICE is a pirated scene release from 2000. I would consider it abandonware, as it has changed hands from NuMega to Compuware and again to Micro Focus, who has not released or updated the software. It has not received an update nor been available for purchase in ten years. If you are uncomfortable having this software, simply delete SoftICE427installnt.exe, SI405w9x.exe, and the SoftICE 4.05 NT and XP folder from Setup Binaries. It was exceedingly difficult to find the Windows XP version so I have included it for posterity.

REGARDING LORDPE: LordPE looks like a pirated scene release but was actually created as a scene tool.

Download: zip or torrent.