A blog about malware and file formats

Welcome to the official Malcat blog.
New release: 0.8.2

New version 0.8.2 is out! Enjoy blazing fast stack string detection for x86/x64, CD/DVD file system browsing, Py2Exe script disassembly and LZMA stream detection.

Reversing an NSIS dropper using quick and dirty shellcode emulation

We will statically unpack and emulate a malicious NSIS installer running multiple shellcodes, up to the final Lokibot password stealer and its configuration.

New release: 0.8.0

New version 0.8.0 is out! New RTTI analysis, VTGrep integration, improved python + Golang disassembly, color themes and advanced selection.

Cutting corners against a Dridex downloader

When one faces obfuscated code, it is sometimes more efficient to focus on the data instead. Using Malcat's different views and analyses (and a bit of guessing as well), we will show how to statically unpack an Excel downloader and the obfuscated native dropper that follows it, without (much) reverse engineering.

New release: 0.7.88

New version 0.7.88 is out! Added MSI installer decompiler, improved scripting documentation and added Joe Sandbox threat intelligence lookup.

Exploit, steganography and Delphi: unpacking DBatLoader

We will unroll a maldoc spam campaign exploiting CVE-2018-0798, leading to a multi-staged Delphi dropper that abuses steganography and cloud services to conceal its payload.

Statically unpacking a simple .NET dropper

Our target is a two-layer .NET dropper that uses multiple cipher passes (XOR, AES-ECB, and AES-CBC with PBKDF2) to finally drop a Loki sample. Without even starting a debugger, we will show how to unpack it 100% statically using Malcat's built-in transformations and the Python scripting engine.