We are proud to announce Threatray Release v2.0. Dive in below to discover its highlights.
Goodware Identification
In response to many user requests, we have added goodware identification to our analyst platform. The system now identifies runtime code (MSVC, Go, Rust, .NET, Delphi, Lua), a wide range of third-party libraries, Windows executables, LOLBins, and dual-use tools. Like our malware identification capability, goodware identification operates at the function level, providing clear, understandable information to analysts. The depth and precision of goodware identification are unique to our code analysis engine, surpassing more traditional technologies.
This feature dramatically improves the speed of analyzing unknown code in several ways: it identifies renamed tools, detects backdoors in legitimate code, simplifies YARA rule development, and allows reverse engineers to focus on relevant code rather than wading through runtime and library code.
Goodware identification is available through our code intelligence feature in the analyst platform and through our IDA Pro plugin; see below for more details.
Code Intelligence on a New Level
To complement our already unique malware classification capabilities, we have substantially enhanced the intelligence we present to analysts about unknown samples and code.
We now show the exact breakdown of code from malware families and goodware found inside a binary — which is sometimes called "code DNA analysis." We have also added capability analysis that statically identifies what unknown code does. All this information is available in both a summary view and at the function level for those who want to dig deeper.
Our code intelligence capabilities provide maximum information directly through the UI, before you even need to open a disassembler.
These capabilities enable quick investigation and triage of unknown samples, help find relationships between malware families and campaigns, and assist with the identification of trojanized executables.

IDA Pro Plugin
For those who need to perform deep analysis in IDA Pro, we're providing all our new capabilities through our IDA Pro plugin to enable intelligence-driven reverse engineering. Additionally, we have two core features that are exclusively available in the plugin.
The first is cluster analysis, which identifies code overlaps between a given set of sample hashes. The second is function-level retro-hunt, enabling analysts to search our vast databases of hundreds of millions of malware and goodware functions. From any function in IDA Pro, analysts can find similar functions with just one click in seconds.
Our IDA Pro plugin enables fast and precise YARA rule development, malware family tracking, code reuse research, and more efficient reverse engineering overall.

Chrome Extension
Our Chrome extension summarizes threat reports and annotates the hashes referenced in them with malware family classifications from the Threatray platform. It enables seamless pivoting from threat reports directly to detailed analysis in the Threatray platform.
This capability helps analysts work through threat reports more efficiently by providing instant access to our unique analysis features, allowing them to enrich and process reports more quickly.
Find more information and the web store link here.

Malware Family Tracking and Intelligence Updates
We have expanded our malware detection and classification capabilities, adding 350 new high-quality detection signatures and updating 690 existing ones.
Notable new additions:
- ABCLoader / ABCSync (Lazarus Group/Actor240524, KP/UNC)
- FinalDraft (Charming Kitten / APT35, IR)
- IceCache / IceEvent (IcePeony, CN)
- PAKLOG / SadBridge (Mustang Panda, CN)
- MiniPocket (Turla, RU)
- GooseEgg (Used by APT28 / Fancy Bear / Forest Blizzard, RU)
- EducatedManticore suite (Educated Manticore, IR)
- GIFTEDCROOK (UAC-0226, UNC)
In addition to that, we have integrated 1’200 new community YARA rules and added 40’000 new OSINT threat reports.