A blog about malware and file formats

Welcome to malcat official blog. Click on the links below to filter by article category:
config extraction (1) dbatloader (1) dotnet (1) dridex (1) emulation (3) exploit (1) file format (2) loki (1) lokibot (1) malware analysis (5) MSI (1) news (12) nsis (1) office (1) python (1) qakbot (1) qbot (1) rtf (1) scripting (1) tutorial (4) unpacking (4) x86 (1)
Malcat tip: fast unpacking of RTF payloads

Malcat tip: fast unpacking of RTF payloads

Sat 10 August 2024
In this short tutorial, we will see how to extract binary payloads from RTF documents using Malcat. We will then proceed to emulate a shellcode for CVE-2017-11882 and extract the download link.
Read more →
0.9.6 is out: Kesakode malware identification!

0.9.6 is out: Kesakode malware identification!

Sun 26 May 2024
Malcat version 0.9.6 is out! We have launched our brand-new online hash lookup service: Kesakode. You'll be able to identify (unpacked) malware, see similarities between malware families, write better Yara rules and speed up your reverse engineering game!
Read more →
Writing a Qakbot 5.0 config extractor with Malcat

Writing a Qakbot 5.0 config extractor with Malcat

Fri 16 February 2024
Starting from a (backdoored) MSI installer, we will unroll the infection to chain to get the final Qakbot sample. Sticking to pure static analysis, we will then decrypt Qakbot's configuration and finally write a script in Malcat to automate the process.
Read more →
0.9.5 is out: InnoSetup, new GUI dialogs, threat intel and more

0.9.5 is out: InnoSetup, new GUI dialogs, threat intel and more

Sun 04 February 2024
Malcat version 0.9.5 is out! We have added support for InnoSetup installers, added binaries for Debian 12 build, made several UI improvements and expanded the threat intelligence providers
Read more →
Shrinking a PYC file to its minimum

Shrinking a PYC file to its minimum

Sun 07 January 2024
In this tutorial, we will see how to use Malcat editing capabilities to reduce the size of a python bytecode file (.pyc) to its minimum. This article is the write-up for our Binary Golf Grand Prix 4 entry.
Read more →
0.9.4 is out: Ubuntu 23 support, python 3.11 and magic masking

0.9.4 is out: Ubuntu 23 support, python 3.11 and magic masking

Wed 08 November 2023
Malcat version 0.9.4 is out! We have added support for Ubuntu 23, a python 3.11 disassembler, magic masking selection for more robust code signatures and many QOL improvements
Read more →
0.9.3 is out: python, python, python (and firmwares)

0.9.3 is out: python, python, python (and firmwares)

Sun 08 October 2023
Malcat version 0.9.3 is out! Enjoy headless python scripting, extended python bindings, improved rust support, 3 new firmwares parsers and many QOL improvements
Read more →
New release: 0.9.2

New release: 0.9.2

Wed 12 July 2023
Malcat version 0.9.2 is out! You can now easily apply chained transformation on data, open and deobfuscate script files and analyse CHM files. The user interface also got improved with many quality of life improvements.
Read more →
New release: 0.9.1

New release: 0.9.1

Sun 14 May 2023
Malcat version 0.9.1 is out! Enjoy a new sphinx-based documentation, a proper startup screen, improved .one and .cab support and better O.S integration.
Read more →
New release: 0.9.0

New release: 0.9.0

Mon 23 January 2023
Malcat version 0.9.0 is out! You can now open multiple files in parallel, scan for FLIRT signatures, analyse onenote files and enjoy quick bookmarks handling, in addition to the usual bug fixing and various QOL improvements
Read more →
New release: 0.8.5

New release: 0.8.5

Mon 03 October 2022
New version 0.8.5 is out! Enjoy the new "big file" mode, an improved disassembly view, advanced Yara integration and VHD + FAT filesystem support, as well as many other improvements.
Read more →
New release: 0.8.4

New release: 0.8.4

Mon 18 July 2022
New version 0.8.4 is out! Enjoy support for ubuntu 22.04 / python 3.10! We've also improved the analysis of LNK and NSIS files, added more than 400000 API hashes in our constant database and malcat can now identify and parse Cobalt strike configuration files.
Read more →
New release: 0.8.2

New release: 0.8.2

Sun 08 May 2022
New version 0.8.2 is out! Enjoy blazing fast stack strings detection for x86/x64, CD/DVD file system browsing, Py2Exe scripts disassembly and lzma streams detection.
Read more →
Reversing a NSIS dropper using quick and dirty shellcode emulation

Reversing a NSIS dropper using quick and dirty shellcode emulation

Sun 17 April 2022
We will statically unpack and emulate a malicious NSIS installer running multiple shellcodes, up to the final Lokibot password stealer and its configuration.
Read more →
New release: 0.8.0

New release: 0.8.0

Tue 22 March 2022
New version 0.8.0 is out! New RTTI analysis, VTGrep integration, improved python + Golang disassembly, color themes and advanced selection.
Read more →
Cutting corners against a Dridex downloader

Cutting corners against a Dridex downloader

Sun 13 March 2022
When one faces obfuscated code, it is sometimes more efficient to focus on the data instead. By using Malcat's different views and analyses (and a bit of guessing as well), we will show how to statically unpack an excel downloader and the following obfuscated native dropper without (much) reverse engineering.
Read more →
New release: 0.7.88

New release: 0.7.88

Fri 18 February 2022
New version 0.7.88 is out! Added MSI installer decompiler, improved scripting documentation and added Joe Sandbox threat intelligence lookup.
Read more →
Exploit, steganography and Delphi: unpacking DBatLoader

Exploit, steganography and Delphi: unpacking DBatLoader

Tue 07 December 2021
We will unroll a maldoc spam exploiting CVE-2018-0798 leading to a multi-staged Delphi dropper abusing steganography and cloud services to conceal its payload
Read more →
Statically unpacking a simple .NET dropper

Statically unpacking a simple .NET dropper

Mon 16 August 2021
Our target is a 2-layers .NET dropper using multiple cipher passes (XOR, AES ECB and AES CBC + PBKDF2) to finally drop a Loki sample. Without even starting a debugger, we will show how to unpack it 100% statically using Malcat's builtin transformations and the python scripting engine.
Read more →