{"id":13846196,"url":"https://github.com/CYB3RMX/Qu1cksc0pe","last_synced_at":"2025-07-12T05:32:14.712Z","repository":{"id":37583692,"uuid":"216032884","full_name":"CYB3RMX/Qu1cksc0pe","owner":"CYB3RMX","description":"All-in-One malware analysis tool.","archived":false,"fork":false,"pushed_at":"2024-10-21T07:39:18.000Z","size":112322,"stargazers_count":1283,"open_issues_count":0,"forks_count":180,"subscribers_count":30,"default_branch":"master","last_synced_at":"2024-10-29T18:05:33.592Z","etag":null,"topics":["all-in-one","antivirus","apk","elf","exe","linux","malware","malware-analysis","osx","packer","python3","ransomware","security-tools","static-analysis","strings","suspicious-files","termux","threat-analysis","virustotal","windows"],"latest_commit_sha":null,"homepage":"","language":"YARA","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CYB3RMX.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":"https://bmc.link/cyb3rmx"}},"created_at":"2019-10-18T13:41:28.000Z","updated_at":"2024-10-29T13:42:01.000Z","dependencies_parsed_at":"2023-02-18T23:31:10.246Z","dependency_job_id":"d32acfba-8cf0-4f33-9a18-a3916a018709","html_url":"https://github.com/CYB3RMX/Qu1cksc0pe","commit_stats":{"total_commits":481,"total_committers":14,"mean_commits":"34.357142857142854","dds":"0.23908523908523904","last_synced_commit":"c1f3e4e5c4bf95d5d205d73e74479ba59719fa84"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CYB3RMX%2FQu1cksc0pe","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CYB3RMX%2FQu1cksc0pe/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CYB3RMX%2FQu1cksc0pe/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CYB3RMX%2FQu1cksc0pe/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CYB3RMX","download_url":"https://codeload.github.com/CYB3RMX/Qu1cksc0pe/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225664120,"owners_count":17504443,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["all-in-one","antivirus","apk","elf","exe","linux","malware","malware-analysis","osx","packer","python3","ransomware","security-tools","static-analysis","strings","suspicious-files","termux","threat-analysis","virustotal","windows"],"created_at":"2024-08-04T17:04:36.065Z","updated_at":"2025-07-12T05:32:14.699Z","avatar_url":"https://github.com/CYB3RMX.png","language":"YARA","funding_links":["https://bmc.link/cyb3rmx","https://www.buymeacoffee.com/cyb3rmx"],"categories":["windows","YARA","Malware Analysis"],"sub_categories":["Hashing"],"readme":"# Qu1cksc0pe\r\n\u003ca href=\"https://www.buymeacoffee.com/cyb3rmx\"\u003e\u003cimg src=\"https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png\" height=\"40px\"\u003e\u003c/a\u003e\u003cbr\u003e\u003cbr\u003e\r\n\u003cimg src=\"https://img.shields.io/badge/-Linux-black?style=for-the-badge\u0026logo=Linux\u0026logoColor=white\"\u003e \u003cimg src=\"https://img.shields.io/badge/-Python-black?style=for-the-badge\u0026logo=python\u0026logoColor=white\"\u003e \u003cimg src=\"https://img.shields.io/badge/-Terminal-black?style=for-the-badge\u0026logo=GNU%20Bash\u0026logoColor=white\"\u003e \u003cimg src=\"https://img.shields.io/badge/-GPL%203.0-black?style=for-the-badge\u0026Color=white\"\u003e\r\n\u003cp align=\"center\"\u003e\r\n    \u003cimg width=\"400\" src=\"https://user-images.githubusercontent.com/42123683/216772963-0b035e5a-c9db-4a6e-ac32-ebca22921405.png\" alt=\"logo\"\u003e\r\n\u003c/p\u003e\r\n\u003cbr\u003eAll-in-One malware analysis tool for analyze many file types, from Windows binaries to E-Mail files.\u003cbr\u003e\r\n\r\n*You can get*: \r\n- What DLL files are used.\r\n- Functions and APIs.\r\n- Sections and segments.\r\n- URLs, IP addresses and emails.\r\n- Android permissions.\r\n- File extensions and their names.\r\n- Embedded executables/exploits.\r\n\u003cbr\u003e\u003cb\u003eAnd so on...\u003c/b\u003e\u003cbr\u003e\r\n\r\nQu1cksc0pe aims to get even more information about suspicious files and helps user realize what that file is capable of.\r\n\r\n# Qu1cksc0pe Can Analyze Currently\r\n| Files | Analysis Type |\r\n| :--- | :--- |\r\n| Windows Executables (.exe, .dll, .msi, .bin) | Static, Dynamic |\r\n| Linux Executables (.elf, .bin) | Static, Dynamic |\r\n| MacOS Executables (mach-o) | Static |\r\n| Android Files (.apk, .jar, .dex) | Static, Dynamic(for now .apk only) |\r\n| Golang Binaries (Linux) | Static |\r\n| Document Files | Static |\r\n| Archive Files (.zip, .rar, .ace) | Static |\r\n| PCAP Files (.pcap) | Static |\r\n| Powershell Scripts | Static |\r\n| E-Mail Files (.eml) | Static |\r\n\r\n# Usage\r\n```bash\r\npython qu1cksc0pe.py --file suspicious_file --analyze\r\n```\r\n\r\n# Screenshot\r\n![Screenshot](https://github.com/user-attachments/assets/84b72c33-8ca6-48f5-a613-52fca7c596e2)\r\n\r\n# Updates\r\n\u003cb\u003e26/06/2025\u003c/b\u003e\r\n- [X] Improvements on ```Linux Analyzer``` module.\r\n\r\n\u003cb\u003e25/06/2025\u003c/b\u003e\r\n- [X] Improvements on ```Document Analyzer``` module. Qu1cksc0pe can now detect and extract possible Formbook samples from RTF files.\r\n\r\n\u003cb\u003e25/04/2025\u003c/b\u003e\r\n- [X] Improvements on ```Windows Dynamic Analyzer``` module. Qu1cksc0pe can now extract ```E-Mail``` and possible ```Password``` values. (Effective against ```VIPKeylogger``` or similar families!)\r\n\r\n\u003cb\u003e07/04/2025\u003c/b\u003e\r\n- [X] Improvements on ```Windows Dynamic Analyzer``` module.\r\n\r\n\u003cb\u003e27/03/2025\u003c/b\u003e\r\n- [X] Improvements on ```Windows Dynamic Analyzer``` module. Qu1cksc0pe can now extract ```Telegram Bot Token``` and possible ```Telegram Chat ID``` values.\r\n- [X] With the ```Telegram Bot Token``` and ```Telegram Chat ID```, you can infiltrate Telegram bots using \u003ca href=\"https://github.com/0x6rss/matkap\"\u003eMatkap\u003c/a\u003e\r\n\r\n# Available On\r\n\u003cimg width=\"400\" src=\"https://user-images.githubusercontent.com/42123683/189416163-4ffd12ce-dd62-4510-b496-924396ce77c2.png\" alt=\"logo\"\u003e\u003cimg width=\"400\" src=\"https://user-images.githubusercontent.com/42123683/189416193-a709291f-be8f-469c-b649-c6201fa86677.jpeg\" alt=\"logo\"\u003e\r\n\u003cimg width=\"400\" src=\"https://github.com/user-attachments/assets/a555750e-d979-4f0f-9d2c-730662b00915\" alt=\"logo\"\u003e\r\n\u003cimg width=\"400\" src=\"https://github.com/user-attachments/assets/56054b07-0512-42bb-ab97-cecbf845116e\" alt=\"logo\"\u003e\r\n\r\n# Recommended Systems\r\n- [X] Parrot OS\r\n- [X] Kali Linux\r\n- [X] Windows 10 or 11\r\n\r\n\u003cbr\u003e\u003cb\u003e\u003ci\u003eAnd also another Linux distributions like as Kali/Parrot\u003c/i\u003e\u003c/b\u003e\r\n\r\n# Setup and Installation\r\n\u003cbr\u003e\u003cb\u003eNecessary Dependencies\u003c/b\u003e:\r\n- \u003ci\u003ePython ```3.10``` or higher versions.\u003c/i\u003e\r\n- ```VirusTotal API Key``` =\u003e \u003ci\u003ePerforming VirusTotal based analysis.\u003c/i\u003e\r\n- ```Strings``` =\u003e \u003ci\u003eNecessary for static analysis.\u003c/i\u003e\r\n- ```Jadx``` =\u003e \u003ci\u003ePerforming source code and resource analysis.\u003c/i\u003e\r\n- ```PyOneNote``` =\u003e \u003ci\u003eOneNote document analysis.\u003c/i\u003e\r\n- ```Mono``` =\u003e \u003ci\u003ePerforming .Net binary analysis.\u003c/i\u003e\r\n\r\n\u003e [!NOTE]\r\n\u003e If you encounter issues with the Python modules, creating a Python virtual environment (python_venv) should resolve them.\r\n\r\n```bash\r\n# First you need to clone Qu1cksc0pe with this command\r\ngit clone --depth 1 https://github.com/CYB3RMX/Qu1cksc0pe\r\n\r\n# After cloning the repository you must create a python virtual environment (for handling python modules)\r\nvirtualenv -p python3 sc0pe_venv\r\nsource sc0pe_venv/bin/activate\r\n\r\n# You can simply execute the following command it will do everything for you!\r\nbash setup.sh\r\n\r\n# If you want to install Qu1cksc0pe on your system just execute the following commands.\r\npython qu1cksc0pe.py --install\r\n\r\n# To prevent interpreter errors after installation, use dos2unix.\r\ndos2unix /usr/bin/qu1cksc0pe\r\n\r\n# Or you can use Qu1cksc0pe from Docker!\r\ndocker build -t qu1cksc0pe .\r\ndocker run -it --rm -v $(pwd):/data qu1cksc0pe:latest --file /data/suspicious_file --analyze\r\n\r\n# For Windows systems you need to execute the following command (Powershell)\r\n# PS C:\\Users\\user\\Desktop\\Qu1cksc0pe\u003e .\\setup.ps1\r\n```\r\n\r\n# Static Analysis\r\n## Normal analysis\r\n\u003ci\u003e\u003cb\u003eDescription\u003c/b\u003e: You can perform basic analysis and triage against your samples.\u003c/i\u003e\r\n\r\n\u003cb\u003eUsage\u003c/b\u003e: ```python qu1cksc0pe.py --file suspicious_file --analyze```\u003cbr\u003e\r\n![windows_analyze](https://github.com/CYB3RMX/Qu1cksc0pe/assets/42123683/bd6945b6-5198-42fb-adff-2118a596bf58)\r\n\r\n## Resource analysis\r\n\u003ci\u003e\u003cb\u003eDescription\u003c/b\u003e: With this feature you can analyze assets of given file. Also you can detect and extract embedded payloads from malware samples such as AgentTesla, Formbook etc.\u003c/i\u003e\r\n\r\n\u003cb\u003eEffective Against\u003c/b\u003e:\r\n- .NET Executables\r\n- Android Files (.apk)\r\n\r\n\u003cb\u003eUsage\u003c/b\u003e: ```python qu1cksc0pe.py --file suspicious_file --resource```\u003cbr\u003e\r\n![resource](https://user-images.githubusercontent.com/42123683/189416431-de08337f-8d46-4c9c-a635-59a5faca28ff.gif)\r\n\r\n## Hash scan\r\n\u003ci\u003e\u003cb\u003eDescription\u003c/b\u003e: You can check if hash value of the given file is in built-in malware hash database. Also you can scan your directories with this feature.\u003c/i\u003e\r\n\r\n\u003cb\u003eUsage\u003c/b\u003e: ```python qu1cksc0pe.py --file suspicious_file --hashscan```\u003cbr\u003e\r\n![hash](https://user-images.githubusercontent.com/42123683/189416516-8268817c-f186-4ee9-971e-adcccfcb45eb.gif)\r\n\r\n## Folder scan\r\n\u003cb\u003eSupported Arguments\u003c/b\u003e:\r\n- ```--hashscan```\r\n- ```--packer```\r\n\r\n\u003cb\u003eUsage\u003c/b\u003e: ```python qu1cksc0pe.py --folder FOLDER --hashscan```\u003cbr\u003e\r\n![hashscan_tui](https://user-images.githubusercontent.com/42123683/189416636-494f8d0b-4692-4b81-b133-8bd5eb0f5683.gif)\r\n\r\n## VirusTotal\r\n\u003cb\u003eReport Contents\u003c/b\u003e:\r\n- ```Threat Categories```\r\n- ```Detections```\r\n- ```CrowdSourced IDS Reports```\r\n\r\n\u003cb\u003eUsage for --vtFile\u003c/b\u003e: ```python qu1cksc0pe.py --file suspicious_file --vtFile```\u003cbr\u003e\r\n![total](https://user-images.githubusercontent.com/42123683/189416676-06216d52-4882-492d-9ee4-4ff7c04b6358.gif)\r\n\r\n## Document scan\r\n\u003ci\u003e\u003cb\u003eDescription\u003c/b\u003e: This feature can perform deep file inspection against given document files. For example: You can detect and extract possible malicious links or embedded exploits/payloads from your suspicious document file easily!\u003c/i\u003e\r\n\r\n\u003cb\u003eEffective Against\u003c/b\u003e:\r\n- Word Documents (.doc, .docm, .docx)\r\n- Excel Documents (.xls, .xlsm, .xlsx)\r\n- Portable Document Format (.pdf)\r\n- OneNote Documents (.one)\r\n- HTML Documents (.htm, .html)\r\n- Rich Text Format Documents (.rtf)\r\n\r\n\u003cb\u003eUsage\u003c/b\u003e: ```python qu1cksc0pe.py --file suspicious_document --docs```\u003cbr\u003e\r\n![docs](https://user-images.githubusercontent.com/42123683/189416778-f7f93d49-7ff0-4eb5-9898-53e63e5833a1.gif)\r\n\r\n### Embedded File/Exploit Extraction\r\n![exploit](https://user-images.githubusercontent.com/42123683/189676461-86565ff2-3a0c-426a-a66b-80a9462489b7.gif)\r\n\r\n## Archive File Scan\r\n\u003ci\u003e\u003cb\u003eDescription\u003c/b\u003e: With this feature you can perform checks for suspicious files against archive files.\u003c/i\u003e\r\n\r\n\u003cb\u003eEffective Against\u003c/b\u003e:\r\n- ZIP\r\n- RAR \r\n- ACE\r\n \r\n\u003cb\u003eUsage\u003c/b\u003e: ```python qu1cksc0pe.py --file suspicious_archive_file --archive```\r\n![archiveanalysis](https://user-images.githubusercontent.com/42123683/230241452-0d93d2ca-69a2-42d9-aa99-c9c7cfe637bf.gif)\r\n\r\n## File signature analyzer\r\n\u003ci\u003e\u003cb\u003eDescription\u003c/b\u003e: With this feature you can detect and extract embedded executable files(.exe, .elf) from given file. Also you can analyze large files (even 1gb or higher) and extract actual malware samples from them (pumped-file analysis).\u003c/i\u003e\r\n\r\n\u003cb\u003eUsage\u003c/b\u003e: ```python qu1cksc0pe.py --file suspicious_file --sigcheck```\u003cbr\u003e\r\n![sigcheck](https://user-images.githubusercontent.com/42123683/189416864-0e3e3be0-a7bf-4d35-bd9d-403afc38bb96.gif)\r\n\r\n### File Carving\r\n![carving](https://user-images.githubusercontent.com/42123683/189416908-31a06ac7-778a-48bd-a5f7-26708a255340.gif)\r\n\r\n## MITRE ATT\u0026CK Technique Extraction\r\n\u003ci\u003e\u003cb\u003eDescription\u003c/b\u003e: This feature allows you to generate potential MITRE ATT\u0026CK tables based on the import/export table or functions contained within the given file.\u003c/i\u003e\r\n\r\n\u003cb\u003eEffective Against\u003c/b\u003e:\r\n- Windows Executables\r\n\r\n\u003cb\u003eUsage\u003c/b\u003e: ```python qu1cksc0pe.py --file suspicious_file --mitre```\u003cbr\u003e\r\n![mitre](https://user-images.githubusercontent.com/42123683/189416941-46e8be6b-2eec-4145-b0b8-b0da78d6611e.gif)\r\n\r\n## Programming language detection\r\n\u003ci\u003e\u003cb\u003eDescription\u003c/b\u003e: You can get programming language information from given file.\u003c/i\u003e\r\n\r\n\u003cb\u003eUsage\u003c/b\u003e: ```python qu1cksc0pe.py --file suspicious_executable --lang```\u003cbr\u003e\r\n![langdetect](https://user-images.githubusercontent.com/42123683/228696312-1362cc48-f978-40c9-a0f0-22a216b83f6f.gif)\r\n\r\n## Interactive shell\r\n\u003ci\u003e\u003cb\u003eDescription\u003c/b\u003e: You can use Qu1cksc0pe in command line mode.\u003c/i\u003e\r\n\r\n\u003cb\u003eUsage\u003c/b\u003e: ```python qu1cksc0pe.py --console```\u003cbr\u003e\r\n![console](https://user-images.githubusercontent.com/42123683/189417009-dec6a91b-228c-4c7e-9579-66c4aa9f4036.gif)\r\n\r\n# Dynamic Analysis\r\n## Android Application Analysis\r\n\u003e [!NOTE]\r\n\u003e You must connect a virtual device or physical device to your computer.\r\n\r\n\u003cbr\u003e\u003cb\u003eUsage\u003c/b\u003e: ```python qu1cksc0pe.py --watch```\u003cbr\u003e\r\n\r\nhttps://github.com/user-attachments/assets/7b27abb9-f18e-4611-8bdd-cd65106b5cf0\r\n\r\n## Windows Process Analysis\r\n\u003cbr\u003e\u003cb\u003eUsage\u003c/b\u003e: ```python qu1cksc0pe.py --watch```\u003cbr\u003e\r\n\r\nhttps://github.com/CYB3RMX/Qu1cksc0pe/assets/42123683/a2c84b8f-c12c-47ac-96e9-c345aeda1f54\r\n\r\n# References\r\n- \u003ca href=\"https://www.linkedin.com/posts/mehmetalikerimoglu_qu1cksc0pe-all-in-one-static-malware-analysis-activity-6853239604439523328-B9dN/?trk=public_profile_like_view\u0026originalSubdomain=tr\"\u003eThe Cyber Security Hub\u003c/a\u003e\r\n- \u003ca href=\"https://www.kitploit.com/2021/12/top-20-most-popular-hacking-tools-in.html\"\u003eKitploit - Top 20 Most Popular Hacking Tools in 2021\u003c/a\u003e\r\n- \u003ca href=\"https://www.csirt.rnsi.mai.gov.pt/content/infosec-news-20211011\"\u003eCSIRT.MAI\u003c/a\u003e\r\n- \u003ca href=\"https://vulners.com/kitploit/KITPLOIT:8846405132281597137\"\u003eVulners\u003c/a\u003e\r\n- \u003ca href=\"https://www.redpacketsecurity.com/qu1cksc0pe-all-in-one-static-malware-analysis-tool/\"\u003eRedPacket Security\u003c/a\u003e\r\n- \u003ca href=\"https://cert.bournemouth.ac.uk/qu1cksc0pe-all-in-one-static-malware-analysis-tool/\"\u003eBournemouth University - CERT\u003c/a\u003e\r\n- \u003ca href=\"https://github.com/Ignitetechnologies/Mindmap/blob/main/Forensics/Digital%20Forensics%20Tools%20HD.png\"\u003eHacking Articles - Digital Forensics Tools Mindmap\u003c/a\u003e\r\n- \u003ca href=\"https://twitter.com/hack_git/status/1666867995036057602\"\u003eHackGit - Twitter Post\u003c/a\u003e\r\n- \u003ca href=\"https://twitter.com/DailyDarkWeb/status/1668966526358286336\"\u003eDaily Dark Web - Twitter Post\u003c/a\u003e\r\n- \u003ca href=\"https://isc.sans.edu/diary/The+Importance+of+Malware+Triage/29984\"\u003eSANS ISC - Blog Post\u003c/a\u003e\r\n- \u003ca href=\"https://korben.info/qu1cksc0pe-analyse-logiciels-malveillants.html\"\u003eKorben - Blog Post\u003c/a\u003e\r\n- \u003ca href=\"https://www.heise.de/ratgeber/Malware-Analysetool-Schadpotenzial-von-Daten-mit-Qu1cksc0pe-ermitteln-10001929.html\"\u003eheise online - Blog Post\u003c/a\u003e\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCYB3RMX%2FQu1cksc0pe","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCYB3RMX%2FQu1cksc0pe","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCYB3RMX%2FQu1cksc0pe/lists"}