When you reverse engineer code as part of an incident response team, you want to quickly get information about what kind of threat you’re dealing with.
A while back we released Intezer Analyze plugins both for IDA Pro and Ghidra to help you zero in on a file’s malicious and unique code. Now it is Radare’s turn. Radare2 (r2) is an open-source tool chain for reverse engineering and forensics. With the release of the community plugin r2analyze, r2 users can now supercharge their reversing session with code genomics from Intezer to attribute the malware family or threat actor.
The Radare Plugin for Reverse Engineering
How to get started:
- Make sure you have an Intezer Analyze community account, or a paid team account. (If not, register here.)
- Submit the file to Intezer Analyze.
- Install the plugin via pip:
pip install r2analyze
. - Add your API key as an environment variable named INTEZER_API_KEY.
- Open the file in r2 and perform an initial analysis (aaa).
- Run the plugin as a r2pipe command (
#!pipe r2analyze
).
Here is an example using a ScarCruft sample (7c82689142a415b0a34553478e445988980f48705735939d6d33c17e4e8dac94). The result from Intezer Analyze is shown below.

If you open the sample and run the plugin, you can see below that four items in the flag space called gene have been created.

If selecting only that flag space and listing all the flags, you can see that four functions have been identified as unique to ScarCruft.

If Radare2 is your preferred framework for reverse-engineering and analyzing binaries, now you can use this Intezer Analyze plugin to save time and get additional insights for your incident response team.
Intezer automates the malware analysis process to quickly identify and classify malware families. Analyze malware and unknown files for free at analyze.intezer.com