A professional-grade malware reverse engineering platform built for SOC analysts, incident responders, and malware researchers. Drop any suspicious binary and get a full automated static analysis in seconds.
RAPTOR is a self-contained malware reverse engineering platform that automates the most time-consuming parts of static binary analysis. Built on independent analysis modules, it gives SOC analysts an instant actionable verdict β risk score, MITRE ATT&CK TTPs, IOC export, family config decryption, and a full interactive dashboard β without touching a debugger or disassembler.
No cloud. No subscriptions. No sample uploads to third parties. Everything runs locally on your machine.
| Module | What It Does |
|---|---|
| Magic Detector | Identifies file type from magic bytes β never trusts extensions |
| Entropy Scanner | Shannon entropy + high-entropy region map β pinpoints packed/encrypted sections |
| PE Parser | Full PE structure, 60+ suspicious API import flags, imphash, ssdeep fuzzy hash |
| Rich Header Parser | Extracts hidden compiler/linker fingerprint β compiler version, build tool, rich_hash pivot |
| PE Overlay Detector | Finds data appended after last PE section β dropper/SFX payload detection |
| ELF Parser | Full ELF binary analysis for Linux and IoT malware |
| .NET Analyzer | dnfile-based heap extraction β user strings, type names, suspicious methods, IOCs |
| Packer ID | Byte-signature detection for UPX, Themida, VMProtect, MPRESS, 20+ packers |
| Auto Unpacker | Detects UPX and auto-runs upx -d β re-analyzes unpacked binary automatically |
| Language Detector | Identifies compiler/language β .NET, Go, Rust, Nim, AutoIT, VB6, Python, and more |
| XOR Engine | Brute-forces all XOR variants β single-byte, multi-byte, rolling, known-plaintext, known malware key table |
| RC4 Engine | KSA pattern detection + short key brute-force |
| AES Hunter | S-box pattern detection, key candidate extraction, CBC/ECB decryption |
| Cipher Engine | ChaCha20, Salsa20, DES, 3DES, Blowfish |
| Blob Pipeline | Multi-layer decode β extracts blobs, tries all ciphers, recurses, YARA-scans decoded payloads |
| Key Recovery | Hex/base64/UTF-16 key extraction, RC4 KSA reverse, AES S-box detection, PBKDF2 derivation |
| String Hunter | ASCII + Unicode extraction including XOR-recovered and .NET heap strings |
| String Categorizer | Classifies every string β network, filesystem, crypto, commands, persistence, credentials, C2 indicators, mutexes |
| IOC Extractor | IPs, domains, URLs, registry keys, mutexes, file paths, crypto wallets, named pipes |
| Script Deobfuscator | PowerShell, VBScript, JavaScript, Batch β multi-pass deobfuscation + IOC extraction |
| Anti-Analysis Detector | Anti-debug, anti-VM, anti-sandbox, timing checks, evasion technique detection |
| Family Config Extractor | Decrypts full malware configs β AsyncRAT, njRAT, Remcos, AgentTesla, Cobalt Strike, and more |
| YARA Engine | 25+ bundled rules covering ransomware, RATs, stealers, C2 frameworks |
| Risk Engine | Unified risk score 0β100, MITRE ATT&CK mapping (60+ TTPs) |
| VirusTotal | Hash pre-check at startup (fast), full lookup at completion |
- Risk Score 0β100 β unified score from all detection signals
- MITRE ATT&CK Mapping β automatic TTP tagging from detected behaviors (60+ mappings)
- IOC Export β CSV, STIX2, and full JSON for SIEM/MISP ingestion
- Family Config Decryption β AsyncRAT AES-256-CBC + PBKDF2, Remcos RC4, Cobalt Strike beacon XOR, and more
- Scan History β persistent analysis log across sessions
- Drag & drop file upload β any format
- Real-time progress streaming via Server-Sent Events
- Triage mode (
?triage=1) β skips blob pipeline for a fast 5β15 second result - 14 interactive result tabs: Overview, VirusTotal, YARA, API Imports, IOCs, MITRE ATT&CK, Anti-Analysis, Language, .NET, Config, Decrypt, Entropy, Strings, Risk Breakdown
- CyberChef-style Decoder Workbench for manual decryption
- Dark terminal aesthetic built for extended analysis sessions
- Python 3.10+
- Windows, Linux, or macOS
# Clone the repo
git clone https://github.com/YOUR_USERNAME/raptor.git
cd raptor
# Install dependencies
pip install -r requirements.txt
# Windows only β replace python-magic with:
pip install python-magic-bin# Ubuntu/Debian
sudo apt install upx-ucl
# macOS
brew install upx
# Windows
choco install upx# Linux/macOS
export VT_API_KEY=your_key_here
# Windows
set VT_API_KEY=your_key_here# Launch the web UI
python app.py
# Open your browser
http://localhost:5000# Analyze a single file
python main.py --file sample.exe
# Batch analyze a folder
python main.py --dir ./samples/
# Output JSON to stdout
python main.py --file sample.exe --jsonDon't have a sample? Generate safe synthetic test files that exercise every module:
python tests/create_test_samples.py
# Then run against them
python main.py --dir samples/test/This creates synthetic files including XOR-encoded payloads, high-entropy blobs, layered encoding, and a fake PE with embedded IOCs β zero actual malware.
raptor/
βββ app.py β Flask web server + main analysis pipeline
βββ main.py β CLI entry point
βββ requirements.txt
β
βββ core/ β Analysis engine modules
β βββ aes_hunter.py β AES S-box detection + key extraction
β βββ binary_scanner.py β DWORD IP scan, resource string extraction
β βββ blob_pipeline.py β Multi-layer blob decode pipeline (v7.0+)
β βββ cipher_engine.py β ChaCha20/Salsa20/DES/Blowfish + format detection
β βββ decoder_engine.py β AES-CBC/ECB/CTR/GCM, RC4, base64, zlib
β βββ dotnet_parser.py β dnfile-based .NET assembly analysis
β βββ elf_parser.py β ELF binary parsing (Linux/IoT)
β βββ entropy_scanner.py β Shannon entropy + high-entropy region finder
β βββ family_extractor.py β Malware family config extractors
β βββ ioc_extractor.py β IOC aggregation and deduplication
β βββ key_recovery.py β Key candidate extraction + PBKDF2 derivation
β βββ language_detector.py β Compiler/language fingerprinting
β βββ magic_detector.py β File type identification
β βββ pe_parser.py β PE header, imports, sections, hashes
β βββ ps_deobfuscator.py β PowerShell/VBS/JS/BAT deobfuscation
β βββ rc4_engine.py β RC4 KSA detection + brute-force
β βββ risk_engine.py β Risk scoring + MITRE ATT&CK mapping
β βββ script_analyzer.py β Script-specific IOC and pattern analysis
β βββ string_categorizer.py β String classification into IOC buckets (v9.0)
β βββ string_hunter.py β ASCII/Unicode string extraction
β βββ unpacker.py β UPX auto-unpack + PE overlay + Rich header (v9.0)
β βββ virustotal.py β VT hash lookup
β βββ xor_engine.py β XOR brute-force + known malware key table
β
βββ detectors/ β Specialized detection modules
β βββ anti_analysis_detector.py β Anti-debug/VM/sandbox detection
β βββ packer_id.py β Packer signature identification
β βββ yara_engine.py β YARA rule engine (25+ bundled rules)
β
βββ output/
β βββ reporter.py β JSON/CSV/STIX report generation
β
βββ web/
β βββ index.html β Full SOC dashboard (single-file SPA)
β
βββ tests/
β βββ create_test_samples.py β Synthetic test sample generator
β
βββ samples/
βββ test/ β Generated test samples go here
RAPTOR ships with 25+ production YARA rules covering:
| Category | Families |
|---|---|
| Ransomware | WannaCry, Ryuk, Conti, LockBit, Generic |
| RATs | njRAT, AsyncRAT, DarkComet, QuasarRAT |
| Stealers | RedLine, Vidar, Generic Browser Stealer |
| Loaders | Emotet, GuLoader |
| C2 Frameworks | Cobalt Strike Beacon, Metasploit/Meterpreter |
| Credential Tools | Mimikatz |
| Web Shells | PHP Generic, PowerShell Backdoor |
| Packers | UPX, Base64 Dropper |
| Keyloggers | Generic Hook-Based |
Drop your own .yar files into the yara_rules/ directory β they're automatically loaded.
RAPTOR decrypts full malware configurations β not just detection, but actual C2 addresses, ports, encryption keys, mutex names, and install paths:
| Family | Extraction Method | What You Get |
|---|---|---|
| AsyncRAT / DCRat | AES-256-CBC + PBKDF2-SHA1 (50,000 iter) | C2 host, port, mutex, AES key, salt, install path, anti flag, version, group |
| njRAT (Bladabindi) | Plaintext / Base64 | C2, port, campaign ID, mutex, install name |
| AgentTesla | String pattern analysis | SMTP credentials, FTP credentials, C2 panel URL |
| Remcos | RC4-encrypted config block | C2, port, mutex, keylogger path, screenshot interval |
| Cobalt Strike | Beacon config (XOR 0x69 + base64) | C2, malleable profile, sleep time, jitter, named pipe |
| NanoCore | Plaintext config + plugin list | C2, port, build GUID, plugin names |
| QuasarRAT | AES-encrypted config | C2, port, certificate, mutex, install dir |
| Formbook | String pattern analysis | C2 domains, decoy URLs |
RAPTOR uses a weighted multi-signal scoring engine:
| Signal | Max Points |
|---|---|
| YARA CRITICAL match | +40 |
| YARA HIGH match | +25 |
| Suspicious API (HIGH) | +12 each |
| Threat indicators | +5β25 |
| Crypto wallet detected | +20 |
| Anti-analysis techniques | +2β12 |
| High entropy (packed) | +10 |
| Extension mismatch | +10 |
| Packer detected | +8 |
| Score | Verdict |
|---|---|
| 75β100 | π΄ MALICIOUS |
| 50β74 | π LIKELY MALICIOUS |
| 25β49 | π‘ SUSPICIOUS |
| 0β24 | π’ LOW RISK |
| Format | Use Case |
|---|---|
| CSV | SIEM ingestion, spreadsheet analysis |
| STIX2 | Threat intel sharing (MISP, ISACs, government feeds) |
| JSON | Full raw report, API integrations |
Never run malware samples on a production machine.
Recommended workflow:
1. Disable Windows Defender for your samples folder (Exclusions)
OR work inside an isolated VM (VirtualBox / VMware)
2. Download samples from trusted repos only:
- MalwareBazaar (bazaar.abuse.ch) β password: "infected"
- theZoo (github.com/ytisf/theZoo) β password: "infected"
3. Extract with 7-Zip using the password
7z e sample.zip -pinfected -o./extracted/
4. Drop the extracted binary into RAPTOR
β All analysis is static β nothing executes
5. Share only the report output, never the binary
- New:
core/unpacker.pyβ UPX auto-unpack, PE overlay detection, Rich header parsing - New:
core/string_categorizer.pyβ classifies strings into network / filesystem / crypto / commands / persistence / credentials / C2 / mutex buckets - New: Known malware XOR key table β AsyncRAT, NanoCore, QuasarRAT, Remcos, njRAT, Lokibot, Emotet and more tried before brute-force
- New: Parallel engine execution β entropy, XOR, RC4, AES, YARA, binary scanner run concurrently
- New: VirusTotal hash-first check β VT queried at 6% progress before any heavy analysis
- New: Triage mode (
?triage=1) β skips blob pipeline for 5β15 second fast results - New: YARA scanning of decoded blob pipeline payloads
- New: ssdeep fuzzy hash + imphash added to all PE reports
- Fixed: AsyncRAT config decryption β PBKDF2 password, IV source, and AES padding all corrected
- Fixed: Blob pipeline hang β
generate_derived_keyscombinatorial explosion (PBKDF2Γ10000 on hundreds of strings) - Fixed: Blob pipeline threading β replaced broken
multiprocessing.Poolwith wall-clock budgeted threads
- Multi-layer blob decode pipeline (
core/blob_pipeline.py) core/cipher_engine.pyβ ChaCha20, Salsa20, DES, Blowfish, custom cipher supportcore/key_recovery.pyβ comprehensive key extraction and PBKDF2 derivationcore/ps_deobfuscator.pyβ PowerShell/VBS/JS/BAT deobfuscation- Flask web UI with SSE live progress streaming
- CyberChef-style Decoder Workbench
- VirusTotal integration
- Script deobfuscation hooks
- Core 8-module CLI pipeline
- Web UI, risk scoring, MITRE ATT&CK mapping, IOC export
- RC4 + AES decryption engines
- Family config extractors (initial set)
- Rich console output + scan history
- Core analysis pipeline (PE, entropy, strings, XOR, IOCs, YARA)
- Web UI + SOC dashboard
- RC4 + AES + multi-cipher decryption engines
- VirusTotal integration
- Multi-layer blob pipeline
- Family config extraction + decryption (AsyncRAT, Remcos, njRAT, AgentTesla, CobaltStrike...)
- .NET assembly analysis
- ELF / Linux malware support
- Auto UPX unpacking
- Script deobfuscation (PS1, VBS, JS, BAT)
- Dynamic sandbox integration (Cuckoo / Cape)
- Document analyzer (PDF, Office macros)
- Team dashboard + case management
- Docker deployment
Pull requests welcome. If you have YARA rules, detection signatures, or new analysis modules β open a PR.
- Fork the repo
- Create a feature branch (
git checkout -b feature/new-module) - Commit your changes
- Open a pull request
RAPTOR is built exclusively for defensive security purposes β malware analysis, incident response, threat hunting, and security research. Do not use it to assist in the creation, deployment, or obfuscation of malicious software. The authors accept no liability for misuse.
MIT License β free to use, modify, and distribute with attribution.
- pefile β PE parsing
- yara-python β YARA rule engine
- capstone β disassembly engine
- dnfile β .NET assembly parsing
- pycryptodome β cryptography engine
- Flask β web server
- Rich β terminal output
RAPTOR Β· Reverse Analysis Platform for Threat Operations & Response
Built for defenders. Runs locally.