Malcat tip: fast unpacking of RTF payloads
In this short tutorial, we will see how to extract binary payloads from RTF documents using Malcat. We will then proceed to emulate a shellcode for CVE-2017-11882 and extract the download link.
Read more →
Writing a Qakbot 5.0 config extractor with Malcat
Starting from a (backdoored) MSI installer, we will unroll the infection to chain to get the final Qakbot sample. Sticking to pure static analysis, we will then decrypt Qakbot's configuration and finally write a script in Malcat to automate the process.
Read more →
Shrinking a PYC file to its minimum
In this tutorial, we will see how to use Malcat editing capabilities to reduce the size of a python bytecode file (.pyc) to its minimum. This article is the write-up for our Binary Golf Grand Prix 4 entry.
Read more →
Statically unpacking a simple .NET dropper
Our target is a 2-layers .NET dropper using multiple cipher passes (XOR, AES ECB and AES CBC + PBKDF2) to finally drop a Loki sample. Without even starting a debugger, we will show how to unpack it 100% statically using Malcat's builtin transformations and the python scripting engine.
Read more →