by bwall

bwall /bamfdetect

Identifies and extracts information from bots and other malware

134 Stars 26 Forks Last release: about 5 years ago (v1.6.12) MIT License 66 Commits 14 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:


Identifies and extracts information from bots and other malware. Information is returned in a readable json format. bamfdetect works by reading files into RAM, applying any applicable preprocessors, then applying Yara signatures from modules to determine which module it matches. After a match is located, the module can then extract the configuration from the file.

Currently, only a preprocess for UPX files is supported. This preprocessor writes the file data to a temporary file, then calls upx -d on the temporary file, and rereads the data from that temporary file.

Currently Supported Malware

  • Abaddon
  • Alina
  • Andromeda
  • Backoff
  • BlackShades
  • BlackWorm
  • Bozok
  • CyberGate
  • Cythosia
  • DarkComet
  • Dendroid
  • Dexter
  • DiamondFox
  • Easter JackPOS
  • Elise
  • Evora
  • Genome
  • GlassRAT
  • Herpesnet
  • JackPOS
  • Maazben
  • MadnessPro
  • Nanocore
  • njRat
  • pBot
  • PoisonIvy
  • Pony
  • ProjectHook
  • Solar
  • VertexNet
  • vSkimmer
  • XtremeRAT

Module Development

Until I have time to write a guide for writing modules, please use existing modules as a means of writing your own.


[email protected]:~$ bamfdetect -h
usage: bamfdetect [-h] [-v] [-d] [-r] [-l] [-m MODULE] [-t THREADS]
                  [path [path ...]]

Identifies and extracts information from bots

positional arguments:
  path                  Paths to files or directories to scan

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  -d, --detect          Only detect files
  -r, --recursive       Scan paths recursively
  -l, --list            List available modules
  -m MODULE, --module MODULE
                        Modules to use, if not definedall modules are used
  -t THREADS, --threads THREADS
                        Number of threads to use

bamfdetect v1.6.15 by Brian Wallace (@botnet_hunter)


  • pefile (python module)
  • yara (python module)
  • rarfile
  • upx (binary)
  • pycrypto
  • pbkdf2


PE files will be checked if they are UPX compressed before being scanned. If they are, they will be written to a temporary file, then decompressed with the UPX utility. Yara rules and extraction will then be applied to the resulting data.

This project has been moved from

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.