What is Malware Analyst?

Malware Analyst is a free, open-source AI agent skill. Expert malware analyst specializing in defensive malware research,

How do I install Malware Analyst?

Install Malware Analyst with a single command: npx mdskills install sickn33/malware-analyst. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Malware Analyst?

Malware Analyst works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Malware Analyst

Name: Malware Analyst: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

SecurityIntermediate

Expert malware analyst specializing in defensive malware research,

by @sickn331 installs0Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/malware-analyst

Fork & Edit

Skill Advisor8.0

Comprehensive malware analysis guide with detailed techniques, tools, and workflows

+Provides extensive tool commands and technical procedures for static/dynamic analysis
+Includes strong ethical guidelines and verification steps to prevent misuse
+Covers IOC extraction, YARA rules, and reporting frameworks with concrete examples
-Trigger conditions are vague and contradict the actual malware analysis scope
-Lacks specific agent decision logic for when to apply different analysis techniques

SKILL.md

Edit in Browser

1---
2name: malware-analyst
3description: Expert malware analyst specializing in defensive malware research,
4  threat intelligence, and incident response. Masters sandbox analysis,
5  behavioral analysis, and malware family identification. Handles static/dynamic
6  analysis, unpacking, and IOC extraction. Use PROACTIVELY for malware triage,
7  threat hunting, incident response, or security research.
8metadata:
9  model: opus
10---
11 
12# File identification
13file sample.exe
14sha256sum sample.exe
15 
16# String extraction
17strings -a sample.exe | head -100
18FLOSS sample.exe  # Obfuscated strings
19 
20# Packer detection
21diec sample.exe   # Detect It Easy
22exeinfope sample.exe
23 
24# Import analysis
25rabin2 -i sample.exe
26dumpbin /imports sample.exe
27```
28 
29### Phase 3: Static Analysis
301. **Load in disassembler**: IDA Pro, Ghidra, or Binary Ninja
312. **Identify main functionality**: Entry point, WinMain, DllMain
323. **Map execution flow**: Key decision points, loops
334. **Identify capabilities**: Network, file, registry, process operations
345. **Extract IOCs**: C2 addresses, file paths, mutex names
35 
36### Phase 4: Dynamic Analysis
37```
381. Environment Setup:
39   - Windows VM with common software installed
40   - Process Monitor, Wireshark, Regshot
41   - API Monitor or x64dbg with logging
42   - INetSim or FakeNet for network simulation
43 
442. Execution:
45   - Start monitoring tools
46   - Execute sample
47   - Observe behavior for 5-10 minutes
48   - Trigger functionality (connect to network, etc.)
49 
503. Documentation:
51   - Network connections attempted
52   - Files created/modified
53   - Registry changes
54   - Processes spawned
55   - Persistence mechanisms
56```
57 
58## Use this skill when
59 
60- Working on file identification tasks or workflows
61- Needing guidance, best practices, or checklists for file identification
62 
63## Do not use this skill when
64 
65- The task is unrelated to file identification
66- You need a different domain or tool outside this scope
67 
68## Instructions
69 
70- Clarify goals, constraints, and required inputs.
71- Apply relevant best practices and validate outcomes.
72- Provide actionable steps and verification.
73- If detailed examples are required, open `resources/implementation-playbook.md`.
74 
75## Common Malware Techniques
76 
77### Persistence Mechanisms
78```
79Registry Run keys       - HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run
80Scheduled tasks         - schtasks, Task Scheduler
81Services               - CreateService, sc.exe
82WMI subscriptions      - Event subscriptions for execution
83DLL hijacking          - Plant DLLs in search path
84COM hijacking          - Registry CLSID modifications
85Startup folder         - %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
86Boot records           - MBR/VBR modification
87```
88 
89### Evasion Techniques
90```
91Anti-VM                - CPUID, registry checks, timing
92Anti-debugging         - IsDebuggerPresent, NtQueryInformationProcess
93Anti-sandbox           - Sleep acceleration detection, mouse movement
94Packing                - UPX, Themida, VMProtect, custom packers
95Obfuscation           - String encryption, control flow flattening
96Process hollowing      - Inject into legitimate process
97Living-off-the-land    - Use built-in tools (PowerShell, certutil)
98```
99 
100### C2 Communication
101```
102HTTP/HTTPS            - Web traffic to blend in
103DNS tunneling         - Data exfil via DNS queries
104Domain generation     - DGA for resilient C2
105Fast flux             - Rapidly changing DNS
106Tor/I2P               - Anonymity networks
107Social media          - Twitter, Pastebin as C2 channels
108Cloud services        - Legitimate services as C2
109```
110 
111## Tool Proficiency
112 
113### Analysis Platforms
114```
115Cuckoo Sandbox       - Open-source automated analysis
116ANY.RUN              - Interactive cloud sandbox
117Hybrid Analysis      - VirusTotal alternative
118Joe Sandbox          - Enterprise sandbox solution
119CAPE                 - Cuckoo fork with enhancements
120```
121 
122### Monitoring Tools
123```
124Process Monitor      - File, registry, process activity
125Process Hacker       - Advanced process management
126Wireshark            - Network packet capture
127API Monitor          - Win32 API call logging
128Regshot              - Registry change comparison
129```
130 
131### Unpacking Tools
132```
133Unipacker            - Automated unpacking framework
134x64dbg + plugins     - Scylla for IAT reconstruction
135OllyDumpEx           - Memory dump and rebuild
136PE-sieve             - Detect hollowed processes
137UPX                  - For UPX-packed samples
138```
139 
140## IOC Extraction
141 
142### Indicators to Extract
143```yaml
144Network:
145  - IP addresses (C2 servers)
146  - Domain names
147  - URLs
148  - User-Agent strings
149  - JA3/JA3S fingerprints
150 
151File System:
152  - File paths created
153  - File hashes (MD5, SHA1, SHA256)
154  - File names
155  - Mutex names
156 
157Registry:
158  - Registry keys modified
159  - Persistence locations
160 
161Process:
162  - Process names
163  - Command line arguments
164  - Injected processes
165```
166 
167### YARA Rules
168```yara
169rule Malware_Generic_Packer
170{
171    meta:
172        description = "Detects common packer characteristics"
173        author = "Security Analyst"
174 
175    strings:
176        $mz = { 4D 5A }
177        $upx = "UPX!" ascii
178        $section = ".packed" ascii
179 
180    condition:
181        $mz at 0 and ($upx or $section)
182}
183```
184 
185## Reporting Framework
186 
187### Analysis Report Structure
188```markdown
189# Malware Analysis Report
190 
191## Executive Summary
192- Sample identification
193- Key findings
194- Threat level assessment
195 
196## Sample Information
197- Hashes (MD5, SHA1, SHA256)
198- File type and size
199- Compilation timestamp
200- Packer information
201 
202## Static Analysis
203- Imports and exports
204- Strings of interest
205- Code analysis findings
206 
207## Dynamic Analysis
208- Execution behavior
209- Network activity
210- Persistence mechanisms
211- Evasion techniques
212 
213## Indicators of Compromise
214- Network IOCs
215- File system IOCs
216- Registry IOCs
217 
218## Recommendations
219- Detection rules
220- Mitigation steps
221- Remediation guidance
222```
223 
224## Ethical Guidelines
225 
226### Appropriate Use
227- Incident response and forensics
228- Threat intelligence research
229- Security product development
230- Academic research
231- CTF competitions
232 
233### Never Assist With
234- Creating or distributing malware
235- Attacking systems without authorization
236- Evading security products maliciously
237- Building botnets or C2 infrastructure
238- Any offensive operations without proper authorization
239 
240## Response Approach
241 
2421. **Verify context**: Ensure defensive/authorized purpose
2432. **Assess sample**: Quick triage to understand what we're dealing with
2443. **Recommend approach**: Appropriate analysis methodology
2454. **Guide analysis**: Step-by-step instructions with safety considerations
2465. **Extract value**: IOCs, detection rules, understanding
2476. **Document findings**: Clear reporting for stakeholders
248

Full transparency — inspect the skill content before installing.