maltrieve

Note: Exercise care and use proper tradecraft when running this tool. This includes using multiple VPNs, proxies, and other anonymizing tools such as Tor when fetching malware. However, if you are investigating malware specifically targeted at your organization, it may be better to avoid alerting the threat actor and download the malware from your real IP. Plan adequately before execution.

Spin up a Docker container (docker run) using the remnux/maltrieve image, mapping the host /tmp (or wherever your suspicious file resides) to the container's /tmp (/tmp:/tmp), drop directly into a terminal (-it, bash), and remove the container when it exits (--rm). To be clear, when mapping host directories into Docker containers the order is /host:/container:

docker run --rm -it -v /tmp:/tmp remnux/maltrieve bash

Once the container is up, you will need to tweak maltrieve.cfg to meet your needs (e.g. setting a Viper or Cuckoo instance):

From within the container, maltrieve can be executed by typing python maltrieve:

Downloaded files are placed in ~/maltrieve/archive; change into that directory to inspect them:
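Because --rm discards the container when it exits, anything left in ~/maltrieve/archive inside the container is lost unless that directory is mapped to the host. The following wrapper is an added example, not part of the REMNUX docs or the maltrieve project: it builds a non-interactive docker run that keeps the archive on the host, then writes a SHA-256 manifest of the fetched files and strips their execute bits. It assumes the image's home directory is /root (so ~/maltrieve/archive is /root/maltrieve/archive) and that python maltrieve is run from /root/maltrieve; adjust the paths if your image differs.

```shell
#!/bin/sh
# Added wrapper around the remnux/maltrieve image (not REMNUX's or maltrieve's own code).
# Assumed path of the archive inside the container (~/maltrieve/archive with HOME=/root).
ARCHIVE_IN_CONTAINER=/root/maltrieve/archive
# Assumed directory that holds the maltrieve script inside the image.
MALTRIEVE_DIR=/root/maltrieve

# Print the docker command line for a non-interactive run whose downloads
# land in HOST_DIR on the host, so --rm can still discard the container.
maltrieve_run_cmd() {
    host_dir=$1
    printf 'docker run --rm -v %s:%s remnux/maltrieve sh -c "cd %s && python maltrieve"\n' \
        "$host_dir" "$ARCHIVE_IN_CONTAINER" "$MALTRIEVE_DIR"
}

# Post-fetch hygiene for the host copy of the archive:
#  1. clear execute bits on every regular file so nothing fetched runs by accident;
#  2. write a sorted SHA-256 manifest (one "hash  path" line per file) to MANIFEST,
#     which should live outside HOST_DIR so it is not hashed on the next run.
inventory_samples() {
    host_dir=$1
    manifest=$2
    find "$host_dir" -type f -exec chmod a-x {} +
    find "$host_dir" -type f -exec sha256sum {} + | sort > "$manifest"
    # Report how many samples were recorded.
    wc -l < "$manifest"
}

# Typical use (uncomment to run for real; requires Docker and network access):
# mkdir -p /srv/maltrieve-archive
# eval "$(maltrieve_run_cmd /srv/maltrieve-archive)"
# inventory_samples /srv/maltrieve-archive /srv/maltrieve-archive.sha256
```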

Learn more about maltrieve
