All-in-One malware analysis tool for analyze Windows, Linux, OSX binaries, Document files, APK files and Archive files.
You can get:
- What DLL files are used.
- Functions and APIs.
- Sections and segments.
- URLs, IP addresses and emails.
- Android permissions.
- File extensions and their names.
And so on...
Qu1cksc0pe aims to get even more information about suspicious files and helps user realize what that file is capable of.
Files | Analysis Type |
---|---|
Windows Executables (.exe, .dll, .msi, .bin) | Static, Dynamic |
Linux Executables (.elf, .bin) | Static, Dynamic |
MacOS Executables (mach-o) | Static |
Android Files (.apk, .jar) | Static, Dynamic(for now .apk only) |
Golang Binaries (Linux) | Static |
Document Files | Static |
Archive Files (.zip, .rar, .ace) | Static |
PCAP Files (.pcap) | Static |
Powershell Scripts | Static |
python3 qu1cksc0pe.py --file suspicious_file --analyze
10/07/2023
-
SignatureAnalyzer
module is improved. Now you can perform detection and extraction of embedded ELF executables! -
WindowsAnalyzer
module is now also perform embedded PE file detection!
new_updates.mp4
08/07/2023
-
WindowsAnalyzer
module is improved. - Bug fixes and performance tweaks.
07/07/2023
- Improvements on
Dockerfile
-
WindowsAnalyzer
andResourceAnalyzer
modules now have better detection capabilites! - Added new Yara rule to detect
RustyStealer
samples!
- Parrot OS
- Kali Linux
And similar Linux distributions...
Necessary Dependencies:
VirusTotal API Key
=> Performing VirusTotal based analysis.Strings
=> Necessary for static analysis.PyExifTool
=> Metadata extraction.Jadx
=> Performing source code and resource analysis.PyOneNote
=> OneNote document analysis.Mono
=> Performing .Net binary analysis.
# You can simply execute the following command it will do everything for you!
bash setup.sh
# If you want to install Qu1cksc0pe on your system just execute the following commands.
bash setup.sh
sudo python3 qu1cksc0pe.py --install
# Or you can use Qu1cksc0pe from Docker!
docker build qu1cksc0pe .
docker run -it --rm -v $(pwd):/data qu1cksc0pe:latest --file /data/suspicious_file --analyze
Usage: python3 qu1cksc0pe.py --file suspicious_file --analyze
Usage: python3 qu1cksc0pe.py --file suspicious_file --resource
Usage: python3 qu1cksc0pe.py --file suspicious_file --hashscan
Supported Arguments:
--hashscan
--packer
Usage: python3 qu1cksc0pe.py --folder FOLDER --hashscan
Report Contents:
Threat Categories
Detections
CrowdSourced IDS Reports
Usage for --vtFile: python3 qu1cksc0pe.py --file suspicious_file --vtFile
Usage: python3 qu1cksc0pe.py --file suspicious_document --docs
Usage: python3 qu1cksc0pe.py --file suspicious_archive_file --archive
Usage: python3 qu1cksc0pe.py --file suspicious_file --sigcheck
Usage: python3 qu1cksc0pe.py --file suspicious_file --mitre
Usage: python3 qu1cksc0pe.py --file suspicious_executable --lang
Usage: python3 qu1cksc0pe.py --console
Alert
You must connect a virtual device or physical device to your computer.
Usage: python3 qu1cksc0pe.py --runtime
Alert
Binary emulator is not recommended for .NET analysis.
Usage: python3 qu1cksc0pe.py --file suspicious_file --watch
- The Cyber Security Hub
- Kitploit - Top 20 Most Popular Hacking Tools in 2021
- CSIRT.MAI
- Vulners
- RedPacket Security
- Bournemouth University - CERT
- Hacking Articles - Digital Forensics Tools Mindmap
- HackGit - Twitter Post
- Daily Dark Web - Twitter Post
- SANS ISC - Blog Post
For most of FRIDA scripts: https://github.com/Ch0pin/
Another scripts: https://codeshare.frida.re/browse