Malware Module¶

Static analysis tools for safe malware investigation without execution.

Overview¶

The malware module provides:

Advanced string extraction and categorization
PE (Portable Executable) header analysis
YARA rule scanning
Common obfuscation decoding
Online scanner submission
IOC extraction from binaries
Fuzzy hash comparison

Commands¶

Command	Description
`strings`	Extract and categorize strings
`pe`	PE header analysis
`yara`	YARA rule scanning
`deobfuscate`	Decode obfuscated content
`submit`	Submit to online scanners
`ioc`	Extract IOCs from file
`compare`	Fuzzy hash comparison

`bsot malware strings`¶

Extract and analyze strings from binary files with categorization.

Usage¶

bsot malware strings <file> [OPTIONS]

Options¶

Option	Type	Default	Description
`--min-length`, `-m`	int	`4`	Minimum string length
`--encoding`, `-e`	choice	`both`	`ascii`, `unicode`, or `both`
`--category`, `-c`	string	-	Categories: urls,ips,paths,registry,apis,emails,crypto,base64
`--json`	flag	`false`	JSON output
`--raw`	flag	`false`	Raw output (one per line)

Examples¶

# Basic string extraction
bsot malware strings suspicious.exe

# Only URLs and IPs
bsot malware strings suspicious.exe --category urls,ips

# Longer strings
bsot malware strings suspicious.exe --min-length 8

# JSON output for automation
bsot malware strings suspicious.exe --json

Sample Output

🔍 Analyzing strings in suspicious.exe...

Found 2,847 strings (156 interesting)

── 📌 Suspicious API Calls (23) ──────────────────────────
   VirtualAlloc
   VirtualProtect
   CreateRemoteThread
   WriteProcessMemory
   ...

── 🌐 URLs (5) ───────────────────────────────────────────
   http://evil.com/callback
   https://c2server.xyz/beacon
   ...

── 🖥️  IP Addresses (2) ──────────────────────────────────
   192.168.1.100
   45.33.32.156

── 📁 File Paths (8) ─────────────────────────────────────
   C:\Windows\System32\cmd.exe
   %APPDATA%\malware.exe
   ...

── 🔑 Registry Keys (3) ──────────────────────────────────
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   ...

`bsot malware pe`¶

Analyze PE (Portable Executable) files for Windows binaries.

Usage¶

bsot malware pe <file> [OPTIONS]

Options¶

Option	Type	Default	Description
`--sections`	flag	`false`	Show detailed section info
`--imports`	flag	`false`	Show all imports
`--exports`	flag	`false`	Show exports
`--resources`	flag	`false`	Show resources
`--json`	flag	`false`	JSON output

Examples¶

# Basic PE analysis
bsot malware pe suspicious.exe

# With section details
bsot malware pe suspicious.exe --sections

# With all imports
bsot malware pe suspicious.exe --imports

# JSON output
bsot malware pe suspicious.exe --json

Sample Output

══════════════════════════════════════════════════════════
  PE Analysis: suspicious.exe
══════════════════════════════════════════════════════════

┌─────────────────────────────────────────────┐
│ File Type:     PE32 executable              │
│ Architecture:  x86 (32-bit)                 │
│ Subsystem:     Windows GUI                  │
│ Compiled:      2025-01-10 14:32:15          │
│ Entry Point:   0x00401000                   │
│ Packer:        UPX 3.96 ⚠️                   │
│ Imphash:       a1b2c3d4e5f6...              │
└─────────────────────────────────────────────┘

  ⚠️  Timestamp anomaly: Future date detected

── 📦 Sections (4) ───────────────────────────────────────
   Name       VSize      RSize      Entropy    Flags
   ──────────────────────────────────────────────────
   .text      0x5000     0x4800     7.89 ⚠️    RX
   .rdata     0x2000     0x1c00     5.23       R
   .data      0x1000     0x800      4.12       RW
   .rsrc      0x3000     0x2a00     7.45 ⚠️    R

── 📥 Suspicious Imports (12) ────────────────────────────
   VirtualAlloc
   VirtualProtect
   CreateRemoteThread
   WriteProcessMemory
   ...

── ⚠️  Anomalies Detected ────────────────────────────────
   • Section .text has high entropy (packed/encrypted)
   • UPX packer detected
   • Suspicious imports indicate code injection capability

`bsot malware yara`¶

Scan files against YARA rules.

Usage¶

bsot malware yara <file> [OPTIONS]

Options¶

Option	Type	Default	Description
`--rules`, `-r`	PATH	-	Custom YARA rules file or directory
`--json`	flag	`false`	JSON output

Examples¶

# Scan with built-in rules
bsot malware yara suspicious.exe

# Scan with custom rules
bsot malware yara suspicious.exe --rules ~/yara-rules/

# Scan a directory
bsot malware yara ./samples/

`bsot malware deobfuscate`¶

Decode common obfuscation techniques.

Usage¶

bsot malware deobfuscate [input] [OPTIONS]

Options¶

Option	Type	Default	Description
`--file`, `-f`	PATH	-	File to deobfuscate
`--stdin`	flag	`false`	Read from stdin
`--type`, `-t`	choice	auto	Force type: base64, powershell, vba-chr, js-escape, hex, xor, rot13, rot47, reverse
`--json`	flag	`false`	JSON output

Supported Obfuscation Types¶

Base64 — Single and nested encoding
PowerShell — -EncodedCommand payloads
VBA Chr() — Character concatenation
JavaScript — unescape/decodeURI
Hex — Hex-encoded strings
XOR — Single-byte XOR (brute force)
ROT13/ROT47 — Rotation ciphers

Examples¶

# Auto-detect and decode
bsot malware deobfuscate "SABlAGwAbABvAA=="

# Decode PowerShell encoded command
bsot malware deobfuscate encoded.ps1 --type powershell

# From stdin
echo "aHR0cDovL2V2aWwuY29t" | bsot malware deobfuscate --stdin

`bsot malware submit`¶

Submit files to online malware scanners.

Usage¶

bsot malware submit <file> [OPTIONS]

Options¶

Option	Type	Default	Description
`--service`, `-s`	choice	`all`	Service: virustotal, hybrid_analysis, malwarebazaar, all
`--no-upload`	flag	`false`	Hash lookup only, don't upload
`--json`	flag	`false`	JSON output

Examples¶

# Submit to all services
bsot malware submit suspicious.exe

# VirusTotal only
bsot malware submit suspicious.exe --service virustotal

# Check hash without uploading
bsot malware submit suspicious.exe --no-upload

`bsot malware ioc`¶

Extract IOCs from a file.

Usage¶

bsot malware ioc <file> [OPTIONS]

Options¶

Option	Type	Default	Description
`--format`, `-f`	choice	`table`	Output: table, json, csv, stix
`--include-private`	flag	`false`	Include private IPs and safe domains
`--enrich`	flag	`false`	Cross-reference with threat intel
`--output`, `-o`	PATH	-	Write output to file

Examples¶

# Extract IOCs
bsot malware ioc suspicious.exe

# Export as STIX
bsot malware ioc suspicious.exe --format stix -o iocs.stix.json

# Export as CSV
bsot malware ioc suspicious.exe --format csv -o iocs.csv

`bsot malware compare`¶

Compare files using fuzzy hashing to detect variants.

Usage¶

bsot malware compare <file1> [file2] [OPTIONS]

Options¶

Option	Type	Default	Description
`--against`, `-a`	PATH	-	Compare against directory
`--min-similarity`	int	`50`	Minimum similarity percentage
`--json`	flag	`false`	JSON output

Comparison Methods¶

SHA256 — Exact match detection
ssdeep — Context-triggered piecewise hashing
TLSH — Trend Micro Locality Sensitive Hash
imphash — PE import hash

Examples¶

# Compare two files
bsot malware compare sample1.exe sample2.exe

# Compare against a directory of samples
bsot malware compare sample.exe --against ./samples/

# Set minimum similarity threshold
bsot malware compare sample.exe --against ./samples/ --min-similarity 70

bsot file entropy — Check file entropy
bsot file identify — Identify file type
bsot intel enrich — Enrich extracted IOCs

Malware Module¶

Overview¶

Commands¶

bsot malware strings¶

Usage¶

Options¶

Examples¶

bsot malware pe¶

Usage¶

Options¶

Examples¶

bsot malware yara¶

Usage¶

Options¶

Examples¶

bsot malware deobfuscate¶

Usage¶

Options¶

Supported Obfuscation Types¶

Examples¶

bsot malware submit¶

Usage¶

Options¶

Examples¶

bsot malware ioc¶

Usage¶

Options¶

Examples¶

bsot malware compare¶

Usage¶

Options¶

Comparison Methods¶

Examples¶

Related Commands¶

`bsot malware strings`¶

`bsot malware pe`¶

`bsot malware yara`¶

`bsot malware deobfuscate`¶

`bsot malware submit`¶

`bsot malware ioc`¶

`bsot malware compare`¶