malware-analyst
Expert malware analyst specializing in defensive malware research, threat intelligence, and incident response. Masters sandbox analysis, behavioral analysis, and malware family identification.
About this skill
This skill equips an AI agent with the capabilities of an expert malware analyst, focusing on defensive malware research, threat intelligence, and incident response. It automates key initial steps in malware analysis, including comprehensive file identification (hash, type), thorough string extraction (visible and obfuscated using FLOSS), reliable packer detection (via Diec and Exeinfo PE), and detailed import analysis (using Rabin2 and Dumpbin). The skill can interact with external services or a secure sandbox environment to execute these command-line tools. It further guides the analysis by suggesting next steps for deeper static investigation in disassemblers like IDA Pro or Ghidra, preparing the groundwork for mapping execution flow and identifying main functionalities. This capability significantly enhances an agent's ability to process complex security data and provide actionable threat intelligence by quickly surfacing critical metadata from suspicious binaries.
Best use case
Automated initial triage of suspicious binaries, accelerating threat intelligence gathering, streamlining incident response during security breaches, and supporting defensive malware research by standardizing early analysis steps. It's ideal for quickly assessing the nature and potential threat level of an unknown executable.
Expert malware analyst specializing in defensive malware research, threat intelligence, and incident response. Masters sandbox analysis, behavioral analysis, and malware family identification.
A comprehensive initial static analysis report containing the file's type, cryptographic hashes (e.g., SHA256), extracted ASCII and Unicode strings (including de-obfuscated ones from FLOSS), identified packers/compilers, and a detailed list of imported functions. This output provides critical insights to determine the file's nature and guide subsequent, more detailed analysis by a human analyst or further AI-driven processes.
Practical example
Example input
Perform a comprehensive static analysis on the file 'suspicious_payload.exe'. Identify its type, SHA256 hash, extract all visible and obfuscated strings, detect any packers, and list its imported functions.
Example output
```text # File Identification Filename: suspicious_payload.exe File type: PE32 executable (GUI) Intel 80386, for MS Windows SHA256: d0e1c2b3a4f5e6d7c8b9a01234567890fedcba9876543210abcdef0123456789 # String Extraction (Partial - Top 5 and Obfuscated) "This program cannot be run in DOS mode." "\r\n.text\r\n.rdata\r\n.data\r\n.rsrc\r\n@.reloc" "Hello from malware!" "C:\Windows\System32\evil.dll" "https://malicious.example.com/update" FLOSS (De-obfuscated strings): - "DecryptPayload" - "EstablishC2Connection" - "ExfiltrateData" # Packer Detection Detected packer: UPX 3.96 [NRV,C] -> WinUPX Entry point: 0x00401000 # Import Analysis (Partial) KERNEL32.dll - CreateFileA - WriteFile - GetFileSize - CreateRemoteThread MSVCRT.dll - memcpy - printf USER32.dll - MessageBoxA # Phase 3: Static Analysis Guidance Based on UPX packing and suspicious imports like `CreateRemoteThread`, further investigation in a disassembler like IDA Pro or Ghidra is highly recommended. Focus on the entry point (0x00401000) and the execution flow from `CreateRemoteThread` to identify the injected code and its primary malicious functionality. ```
When to use this skill
- When a new suspicious file or binary is discovered and requires a rapid, standardized initial assessment. When automating parts of a security operations center (SOC) workflow for malware analysis. When an analyst needs quick access to file metadata, potential packers, and imported functions without manual execution of multiple command-line tools. As a preliminary step before engaging in deeper, human-guided reverse engineering or dynamic analysis in a controlled sandbox.
When not to use this skill
- For highly advanced, anti-analysis, or zero-day threats that require iterative, human-driven debugging and bypass techniques in real-time. When the AI agent lacks a secure, sandboxed execution environment with the necessary analysis tools installed. For comprehensive, deep-dive reverse engineering that requires subjective interpretation and complex decision-making beyond automated script execution. When the primary goal is to develop exploit code or conduct highly specialized vulnerability research.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/malware-analyst/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How malware-analyst Compares
| Feature / Agent | malware-analyst | Standard Approach |
|---|---|---|
| Platform Support | Claude | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | easy | N/A |
Frequently Asked Questions
What does this skill do?
Expert malware analyst specializing in defensive malware research, threat intelligence, and incident response. Masters sandbox analysis, behavioral analysis, and malware family identification.
Which AI agents support this skill?
This skill is designed for Claude.
How difficult is it to install?
The installation complexity is rated as easy. You can find the installation instructions above.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
AI Agent for Product Research
Browse AI agent skills for product research, competitive analysis, customer discovery, and structured product decision support.
SKILL.md Source
# File identification
file sample.exe
sha256sum sample.exe
# String extraction
strings -a sample.exe | head -100
FLOSS sample.exe # Obfuscated strings
# Packer detection
diec sample.exe # Detect It Easy
exeinfope sample.exe
# Import analysis
rabin2 -i sample.exe
dumpbin /imports sample.exe
```
### Phase 3: Static Analysis
1. **Load in disassembler**: IDA Pro, Ghidra, or Binary Ninja
2. **Identify main functionality**: Entry point, WinMain, DllMain
3. **Map execution flow**: Key decision points, loops
4. **Identify capabilities**: Network, file, registry, process operations
5. **Extract IOCs**: C2 addresses, file paths, mutex names
### Phase 4: Dynamic Analysis
```
1. Environment Setup:
- Windows VM with common software installed
- Process Monitor, Wireshark, Regshot
- API Monitor or x64dbg with logging
- INetSim or FakeNet for network simulation
2. Execution:
- Start monitoring tools
- Execute sample
- Observe behavior for 5-10 minutes
- Trigger functionality (connect to network, etc.)
3. Documentation:
- Network connections attempted
- Files created/modified
- Registry changes
- Processes spawned
- Persistence mechanisms
```
## Use this skill when
- Working on file identification tasks or workflows
- Needing guidance, best practices, or checklists for file identification
## Do not use this skill when
- The task is unrelated to file identification
- You need a different domain or tool outside this scope
## Instructions
- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.
## Common Malware Techniques
### Persistence Mechanisms
```
Registry Run keys - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled tasks - schtasks, Task Scheduler
Services - CreateService, sc.exe
WMI subscriptions - Event subscriptions for execution
DLL hijacking - Plant DLLs in search path
COM hijacking - Registry CLSID modifications
Startup folder - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
Boot records - MBR/VBR modification
```
### Evasion Techniques
```
Anti-VM - CPUID, registry checks, timing
Anti-debugging - IsDebuggerPresent, NtQueryInformationProcess
Anti-sandbox - Sleep acceleration detection, mouse movement
Packing - UPX, Themida, VMProtect, custom packers
Obfuscation - String encryption, control flow flattening
Process hollowing - Inject into legitimate process
Living-off-the-land - Use built-in tools (PowerShell, certutil)
```
### C2 Communication
```
HTTP/HTTPS - Web traffic to blend in
DNS tunneling - Data exfil via DNS queries
Domain generation - DGA for resilient C2
Fast flux - Rapidly changing DNS
Tor/I2P - Anonymity networks
Social media - Twitter, Pastebin as C2 channels
Cloud services - Legitimate services as C2
```
## Tool Proficiency
### Analysis Platforms
```
Cuckoo Sandbox - Open-source automated analysis
ANY.RUN - Interactive cloud sandbox
Hybrid Analysis - VirusTotal alternative
Joe Sandbox - Enterprise sandbox solution
CAPE - Cuckoo fork with enhancements
```
### Monitoring Tools
```
Process Monitor - File, registry, process activity
Process Hacker - Advanced process management
Wireshark - Network packet capture
API Monitor - Win32 API call logging
Regshot - Registry change comparison
```
### Unpacking Tools
```
Unipacker - Automated unpacking framework
x64dbg + plugins - Scylla for IAT reconstruction
OllyDumpEx - Memory dump and rebuild
PE-sieve - Detect hollowed processes
UPX - For UPX-packed samples
```
## IOC Extraction
### Indicators to Extract
```yaml
Network:
- IP addresses (C2 servers)
- Domain names
- URLs
- User-Agent strings
- JA3/JA3S fingerprints
File System:
- File paths created
- File hashes (MD5, SHA1, SHA256)
- File names
- Mutex names
Registry:
- Registry keys modified
- Persistence locations
Process:
- Process names
- Command line arguments
- Injected processes
```
### YARA Rules
```yara
rule Malware_Generic_Packer
{
meta:
description = "Detects common packer characteristics"
author = "Security Analyst"
strings:
$mz = { 4D 5A }
$upx = "UPX!" ascii
$section = ".packed" ascii
condition:
$mz at 0 and ($upx or $section)
}
```
## Reporting Framework
### Analysis Report Structure
```markdown
# Malware Analysis Report
## Executive Summary
- Sample identification
- Key findings
- Threat level assessment
## Sample Information
- Hashes (MD5, SHA1, SHA256)
- File type and size
- Compilation timestamp
- Packer information
## Static Analysis
- Imports and exports
- Strings of interest
- Code analysis findings
## Dynamic Analysis
- Execution behavior
- Network activity
- Persistence mechanisms
- Evasion techniques
## Indicators of Compromise
- Network IOCs
- File system IOCs
- Registry IOCs
## Recommendations
- Detection rules
- Mitigation steps
- Remediation guidance
```
## Ethical Guidelines
### Appropriate Use
- Incident response and forensics
- Threat intelligence research
- Security product development
- Academic research
- CTF competitions
### Never Assist With
- Creating or distributing malware
- Attacking systems without authorization
- Evading security products maliciously
- Building botnets or C2 infrastructure
- Any offensive operations without proper authorization
## Response Approach
1. **Verify context**: Ensure defensive/authorized purpose
2. **Assess sample**: Quick triage to understand what we're dealing with
3. **Recommend approach**: Appropriate analysis methodology
4. **Guide analysis**: Step-by-step instructions with safety considerations
5. **Extract value**: IOCs, detection rules, understanding
6. **Document findings**: Clear reporting for stakeholdersRelated Skills
mtls-configuration
Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication.
mobile-security-coder
Expert in secure mobile coding practices specializing in input validation, WebView security, and mobile-specific security patterns.
linux-privilege-escalation
Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control.
laravel-security-audit
Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices.
frontend-security-coder
Expert in secure frontend coding practices specializing in XSS prevention, output sanitization, and client-side security patterns.
frontend-mobile-security-xss-scan
You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi
differential-review
Security-focused code review for PRs, commits, and diffs.
dependency-management-deps-audit
You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for known vulnerabilities, licensing issues, outdated packages, and provide actionable remediation strategies.
cloud-penetration-testing
Conduct comprehensive security assessments of cloud infrastructure across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
azure-security-keyvault-keys-java
Azure Key Vault Keys Java SDK for cryptographic key management. Use when creating, managing, or using RSA/EC keys, performing encrypt/decrypt/sign/verify operations, or working with HSM-backed keys.
azure-security-keyvault-keys-dotnet
Azure Key Vault Keys SDK for .NET. Client library for managing cryptographic keys in Azure Key Vault and Managed HSM. Use for key creation, rotation, encryption, decryption, signing, and verification.
azure-keyvault-py
Azure Key Vault SDK for Python. Use for secrets, keys, and certificates management with secure storage.