Analysis updated 2026-05-18
Quickly triage a suspicious .exe file by running HacksGuard to get a 0-100 risk score and an overview of imported APIs, entropy, and packing indicators.
Load a set of YARA rules from Elastic's protections-artifacts to scan a binary for known malware signatures and packer patterns in the terminal.
Export the full PE analysis as JSON with hacksguard --json for ingestion into a SIEM or SOAR pipeline without displaying the interactive TUI.
Requires Rust and Cargo to compile from source; VirusTotal integration requires a VT_API_KEY environment variable.
HacksGuard is a terminal-based malware analysis tool written in Rust that lets security analysts inspect suspicious Windows executable files without leaving their command line. It runs all of its analysis concurrently in multiple threads, so the interface stays responsive even while processing large files. When you point HacksGuard at an executable, it produces a risk score from 0 to 100 percent by weighing five heuristic factors: how much of the file appears encrypted or compressed (entropy), whether the file imports functions often associated with malicious behavior, structural anomalies in the file format, suspicious strings, and signs that the file has been packed to hide its contents. The score is displayed as an interactive radar chart in the terminal dashboard.

Beyond the overall score, the tool provides several dedicated views. A YARA scanning tab loads local YARA rule files and checks the binary against known threat signatures, packer patterns, and evasion techniques. A PE inspection tab breaks down the file's headers, sections, imported functions grouped by risk level, security features such as address space layout randomization, and a digital signature check. An entropy graph shows the distribution of randomness across sections, making it easier to spot encrypted or packed regions visually. A built-in disassembler shows the raw assembly instructions at the file's entry point, and a hex dump viewer lets you inspect raw bytes.

The tool also extracts and categorizes strings from the binary, decoding Base64-encoded strings automatically and flagging IP addresses, URLs, and registry keys. A separate check looks for data appended to the end of a binary, a technique some malware installers use to hide a payload.

For automated pipelines, a command-line mode outputs the full analysis as JSON instead of displaying the terminal UI, making it usable in SIEM or SOAR integrations. Installation is from source with Rust and Cargo, or via Nixpkgs for NixOS users. The VirusTotal lookup feature requires a separate API key. The project is released under the MIT license.
A terminal UI malware analysis tool for Windows PE files that runs YARA scanning, entropy analysis, deep structure parsing, and heuristic risk scoring in a fast Rust implementation.
Mainly YARA. The stack also includes Rust and ratatui.
MIT license: use freely for any purpose, including commercial use, as long as you keep the copyright notice.
Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.
Mainly ops/devops.