A Blog about malware and file formats

All articles for author: malcat team
New release: 0.8.2
New release: 0.8.2

New version 0.8.2 is out! Enjoy blazing fast stack strings detection for x86/x64, CD/DVD file system browsing, Py2Exe scripts disassembly and lzma streams detection.

Read more →

Reversing a NSIS dropper using quick and dirty shellcode emulation
Reversing a NSIS dropper using quick and dirty shellcode emulation

We will statically unpack and emulate a malicious NSIS installer running multiple shellcodes, up to the final Lokibot password stealer and its configuration.

Read more →

logo
New release: 0.8.0

New version 0.8.0 is out! New RTTI analysis, VTGrep integration, improved python + Golang disassembly, color themes and advanced selection.

Read more →

Cutting corners against a Dridex downloader
Cutting corners against a Dridex downloader

When one faces obfuscated code, it is sometimes more efficient to focus on the data instead. By using Malcat's different views and analyses (and a bit of guessing as well), we will show how to statically unpack an excel downloader and the following obfuscated native dropper without (much) reverse engineering.

Read more →

logo
New release: 0.7.88

New version 0.7.88 is out! Added MSI installer decompiler, improved scripting documentation and added Joe Sandbox threat intelligence lookup.

Read more →

Exploit, steganography and Delphi: unpacking DBatLoader
Exploit, steganography and Delphi: unpacking DBatLoader

We will unroll a maldoc spam exploiting CVE-2018-0798 leading to a multi-staged Delphi dropper abusing steganography and cloud services to conceal its payload

Read more →

Statically unpacking a simple .NET dropper
Statically unpacking a simple .NET dropper

Our target is a 2-layers .NET dropper using multiple cipher passes (XOR, AES ECB and AES CBC + PBKDF2) to finally drop a Loki sample. Without even starting a debugger, we will show how to unpack it 100% statically using Malcat's builtin transformations and the python scripting engine.

Read more →