Malwoverview.py is a simple tool to perform an initial and quick triage on a directory containing malware samples (not zipped).
This tool aims to:

- Determine similar executable malware samples (PE/PE+) according to the import table (imphash) and group them by different colors (pay attention to the second column of the output). Thus, colors matter!
- Determine whether executable malware samples are packed or not according to the following rules:
  - 2a. Two or more sections with Entropy > 7.0 or < 1.0 ==> Packed.
  - 2b. Only one section with Entropy > 7.0, or two sections with SizeOfRawData ==> Likely packed.
  - 2c. No section with Entropy > 7.0 or SizeOfRawData ==> Not packed.
- Determine whether the malware samples contain an overlay.
- Determine the .text section entropy.
- Check each malware sample against VirusTotal.

Malwoverview.py only examines PE/PE+ files, skipping everything else.
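The packing rules, the .text entropy and the overlay check described above, as an added Python example that is not Malwoverview's own code. The section layouts are constructed, and the page's phrase "sections with SizeOfRawData" is assumed here to mean a SizeOfRawData of zero.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def packing_verdict(sections) -> str:
    """Rules 2a/2b/2c over [(name, section bytes, SizeOfRawData), ...].
    Assumption: 'sections with SizeOfRawData' means SizeOfRawData == 0,
    i.e. a section that is empty on disk and filled only at run time."""
    entropies = [shannon_entropy(data) for _, data, _ in sections]
    extreme = sum(1 for e in entropies if e > 7.0 or e < 1.0)
    high = sum(1 for e in entropies if e > 7.0)
    zero_raw = sum(1 for _, _, raw in sections if raw == 0)
    if extreme >= 2:
        return "Packed"          # 2a
    if high == 1 or zero_raw >= 2:
        return "Likely packed"   # 2b
    return "Not packed"          # 2c

def text_section_entropy(sections):
    """Entropy of the .text section, or None if the sample has none."""
    for name, data, _ in sections:
        if name == ".text":
            return shannon_entropy(data)
    return None

def has_overlay(file_size: int, raw_layout) -> bool:
    """raw_layout: [(PointerToRawData, SizeOfRawData), ...]. Overlay means
    the file extends past the end of the last section on disk."""
    end_of_sections = max((ptr + size for ptr, size in raw_layout), default=0)
    return file_size > end_of_sections

# Constructed section sets (not real samples); bytes stand in for section contents.
PACKED = [(".text", b"\x00" * 4096, 0),                # empty on disk, entropy 0.0
          (".rsrc", bytes(range(256)) * 16, 4096)]      # uniform bytes, entropy 8.0
LIKELY = [(".text", bytes(range(16)) * 128, 2048),     # entropy 4.0
          (".upx1", bytes(range(256)) * 16, 4096)]      # the only section > 7.0
CLEAN = [(".text", b"The quick brown fox jumps over the lazy dog. " * 100, 4500),
         (".data", bytes(range(16)) * 128, 2048)]

if __name__ == "__main__":
    for label, secs in (("PACKED", PACKED), ("LIKELY", LIKELY), ("CLEAN", CLEAN)):
        print(f"{label:7} {packing_verdict(secs):14} .text entropy {text_section_entropy(secs):.2f}")
    print("overlay:", has_overlay(8192, [(0x400, 4096), (0x1400, 2048)]))
```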
Category: Triage
Category URL: http://www.dfir.training/component/mtree/forensic-utilities/triage?Itemid=