New release: 0.9.2
Malcat version 0.9.2 is out! You can now easily apply chained transformation on data, open and deobfuscate script files and analyse CHM files. The user interface also got improved with many quality of life improvements.
New release: 0.9.1
Malcat version 0.9.1 is out! Enjoy a new sphinx-based documentation, a proper startup screen, improved .one and .cab support and better O.S integration.
New release: 0.9.0
Malcat version 0.9.0 is out! You can now open multiple files in parallel, scan for FLIRT signatures, analyse onenote files and enjoy quick bookmarks handling, in addition to the usual bug fixing and various QOL improvements
New release: 0.8.5
New version 0.8.5 is out! Enjoy the new "big file" mode, an improved disassembly view, advanced Yara integration and VHD + FAT filesystem support, as well as many other improvements.
LNK forensic and config extraction of a cobalt strike beacon
Windows shortcut files can contain valuable data. We will see how to extract the most information out of a .lnk downloader and will manually extract the configuration file of the final cobalt strike beacon using malcat
New release: 0.8.4
New version 0.8.4 is out! Enjoy support for ubuntu 22.04 / python 3.10! We've also improved the analysis of LNK and NSIS files, added more than 400000 API hashes in our constant database and malcat can now identify and parse Cobalt strike configuration files.
New release: 0.8.2
New version 0.8.2 is out! Enjoy blazing fast stack strings detection for x86/x64, CD/DVD file system browsing, Py2Exe scripts disassembly and lzma streams detection.
Reversing a NSIS dropper using quick and dirty shellcode emulation
We will statically unpack and emulate a malicious NSIS installer running multiple shellcodes, up to the final Lokibot password stealer and its configuration.
New release: 0.8.0
New version 0.8.0 is out! New RTTI analysis, VTGrep integration, improved python + Golang disassembly, color themes and advanced selection.
Cutting corners against a Dridex downloader
When one faces obfuscated code, it is sometimes more efficient to focus on the data instead. By using Malcat's different views and analyses (and a bit of guessing as well), we will show how to statically unpack an excel downloader and the following obfuscated native dropper without (much) reverse engineering.
New release: 0.7.88
New version 0.7.88 is out! Added MSI installer decompiler, improved scripting documentation and added Joe Sandbox threat intelligence lookup.
Exploit, steganography and Delphi: unpacking DBatLoader
We will unroll a maldoc spam exploiting CVE-2018-0798 leading to a multi-staged Delphi dropper abusing steganography and cloud services to conceal its payload
Statically unpacking a simple .NET dropper
Our target is a 2-layers .NET dropper using multiple cipher passes (XOR, AES ECB and AES CBC + PBKDF2) to finally drop a Loki sample. Without even starting a debugger, we will show how to unpack it 100% statically using Malcat's builtin transformations and the python scripting engine.