One self-contained .exe for Windows malware triage โ PE static analysis + live threat-intel enrichment. No Python, no installers, zero dependencies.
No flags to memorize. horus <thing> auto-detects what you gave it and runs the right analysis.
MD5, SHA-1 and SHA-256 computed via Windows BCrypt/CNG โ plus a Mandiant-compatible imphash for family pivoting.
PE32 / PE32+ headers, sections and imports โ every offset and length bounds-checked, so malformed samples are safe to feed it.
Per-section Shannon entropy flags packed/encrypted regions and known packers (UPX, Themida, VMProtectโฆ).
~110 Windows APIs mapped to the capabilities they imply โ injection, keylogging, persistence, evasion โ and the dangerous combinations.
VirusTotal v3 + AbuseIPDB v2 over Windows WinHTTP, fanned out in parallel. Extensible IntelSource interface.
--json for SIEM/automation; exit code 1 when a target is suspicious or malicious, so it drops straight into pipelines.
Common dual-use APIs (LoadLibrary, CreateProcess) are shown but don't move the score alone. Only rare primitives and dangerous combinations do.
Nothing concerning found.
Suspicious imports, no strong signals.
Multiple concerning capabilities or combos.
Strong evidence of malicious intent.
Download horus.exe from the Releases page.\horus.exe suspicious.exe$env:VT_API_KEY = "โฆ" ; $env:ABUSEIPDB_API_KEY = "โฆ"horus 185.220.101.5 --json | jq .verdict