Security Researcher Icon Tool — Malware & Forensic Icon Extractor
by Univik Inc
Extract icons from malware samples, EXE and DLL files for forensic analysis. Offline, no cloud.
Security Researcher Icon Tool by Univik extracts embedded icon resources from suspicious EXE, DLL and SYS files for malware analysis and digital forensics, entirely offline, no cloud, no sample execution.
Download: Univik ICON Extractor Tool
Why Icon Extraction Matters in Malware Analysis
Threat actors embed deceptive icons into malware to impersonate legitimate software. A banking trojan may carry a trusted PDF reader icon. An infostealer may spoof a popular browser. Extracting and inspecting embedded PE icon resources is a fast triage step that reveals impersonation intent before dynamic analysis begins.
Key Forensic Capabilities
Static PE Icon Extraction: Reads icon resources directly from disk — no execution, no sandbox, no risk.
RT_ICON and RT_GROUP_ICON Parsing: Covers all resolution layers from 16x16 up to 256x256.
Impersonation Detection: Export icons and run perceptual hash comparisons against known legitimate software.
Batch Processing: Extract icons from thousands of binaries in one pass with filename provenance intact.
Air-Gap Compatible: No internet required. Designed for isolated labs and forensic workstations.
No Admin Rights Required: Runs in user space on hardened analyst accounts.
Security Use Cases
Malware triage, phishing kit analysis, threat actor attribution, OSINT brand abuse reporting, incident response, disk image forensics, malware dataset labelling and red team payload validation.
How It Works
This tool traverses the PE .rsrc resource directory, identifies RT_ICON (0x03) and RT_GROUP_ICON (0x0E) entries, reads GRPICONDIR headers and reconstructs valid ICO files from raw frame data. The original binary is never modified.
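The reconstruction step described above, as an added example (not Univik's code). It assumes the RT_GROUP_ICON and RT_ICON resource bytes have already been read from the .rsrc directory; `rebuild_ico` and the sample data are hypothetical names and constructed values.

```python
import struct

GRP_HDR = struct.Struct("<HHH")         # idReserved, idType, idCount
GRP_ENTRY = struct.Struct("<BBBBHHIH")  # GRPICONDIRENTRY: 14 bytes, ends with nID
ICO_ENTRY = struct.Struct("<BBBBHHII")  # ICONDIRENTRY: 16 bytes, ends with dwImageOffset

def rebuild_ico(group_data, frames):
    """Return (ico_bytes, warnings) from one group blob and {nID: RT_ICON bytes}."""
    if len(group_data) < GRP_HDR.size:
        raise ValueError("GRPICONDIR header truncated")
    reserved, res_type, count = GRP_HDR.unpack_from(group_data, 0)
    if reserved != 0 or res_type != 1:
        raise ValueError("not an icon group (idReserved/idType mismatch)")
    if len(group_data) < GRP_HDR.size + count * GRP_ENTRY.size:
        raise ValueError("GRPICONDIR entry table truncated")
    kept, warnings = [], []
    for i in range(count):
        *meta, size, nid = GRP_ENTRY.unpack_from(
            group_data, GRP_HDR.size + i * GRP_ENTRY.size)
        frame = frames.get(nid)
        if frame is None:  # group entry points at a frame the binary lacks
            warnings.append(f"entry {i}: RT_ICON id {nid} missing, skipped")
            continue
        if size != len(frame):  # declared size is untrusted; use the real one
            warnings.append(f"entry {i}: dwBytesInRes {size} != actual {len(frame)}")
        kept.append((meta, frame))
    # ICO layout: ICONDIR, then every ICONDIRENTRY, then frame data back to back.
    offset = GRP_HDR.size + len(kept) * ICO_ENTRY.size
    table, body = b"", b""
    for meta, frame in kept:
        table += ICO_ENTRY.pack(*meta, len(frame), offset)
        offset += len(frame)
        body += frame
    return GRP_HDR.pack(0, 1, len(kept)) + table + body, warnings

# Constructed sample: a 16x16 entry for RT_ICON id 7 and a dangling entry for id 9.
SAMPLE_FRAME = b"\x89PNG-constructed-frame"
SAMPLE_GROUP = (GRP_HDR.pack(0, 1, 2)
                + GRP_ENTRY.pack(16, 16, 0, 0, 1, 32, len(SAMPLE_FRAME), 7)
                + GRP_ENTRY.pack(32, 32, 0, 0, 1, 32, 100, 9))
```

The warnings are worth keeping with the extracted file: a group entry that references a missing frame or declares the wrong size is itself a triage signal for a tampered or hand-built resource section.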
Supported Input: EXE, DLL, SYS, CPL, OCX, MUI, ICL, SCR
Output: ICO (multi-layer) and BMP (flat, single resolution)
OS: Windows 10 / Windows 11 (64-bit)
Runtime: .NET Framework 4.8 or higher
Version: 6.3 (Latest)
Univik has built specialist Windows forensics and file analysis tools since 2013.
Portfolio: univik.com
Support and licensing: https://univik.com/contact-us.html