Malcat dev

First steps with #malcat? Here is a tutorial video, courtesy of @InvokeReversing : youtu.be/gqESN-etkok?fe…

@HuntYethHounds @rifteyy @SquiblydooBlog @andrewdanis @s1dhy ran xchanger through malcat MCP (using claude). Out of the box, got domains & registry behavior, failed to get the hard-coded XOR key. I had to have claude disassemble the .NET to get that additional info. Then had it create and HTML report. So, semi-automated. 🤷

@struppigel Wait 'til they learn about password-protected zip files.

I don't quite understand why this is a CVE if standard unarchivers fail to unpack these ZIPs. If you corrupt or encrypt any file and need to deploy a custom loader to extract it you have same result. ¯\_(ツ)_/¯ x.com/BleepinCompute…

@RedDrip7 looks like new #MiyaRAT version

#APT #Bitter 3ee66f56461fc046f600230d11ebe731 (MSI) f57975b8bc1169b35ae17b975327195e (EXE) hxxps://99media.com[.]pk/scvz zoemagicbook[.]com

My favorite malware analysis tool has become better. Now Mac support and MCP availability? Amazing.

LIA 🤝 Malcat We are happy to announce that LIA has partnered with Malcat to strengthen payload detections using Kesakode! Malcat also provides a LIA Threat Intelligence plugin for SHA256 lookups and sample downloads! Read more on: insights.loaderinsight.agency/posts/malcat-k…

We're happy to announce that #malcat 0.9.13 is out! You'll find a new Apple-silicon MacOS port, two integrated MCP servers (in-GUI +headless) for automated triage and an improved interface: malcat.fr/blog/0913-is-o…

Added Malcat Lite (@malcat4ever) to REMnux for analyzing binary files using a hex editor, disassembler, and file dissector: malcat.fr

🦾 The next video in the Strings and Imports workshop on YouTube is now live! 👉 youtu.be/iFJW1fcuDrE We explore how malware authors commonly use XOR-encryption to hide strings and the impact it has on basic triage.

@REMnux I let Claude know my intent to create a YARA rule based on the results, and it created one for me. The rule actually didn't work right away, but it gave me plenty to go off of. With malcat, I can also see the bytes in the executable by clicking the rule match 3/5

Quick peek at the upcoming 0.9.3 release. It will also feature a 100% headless MCP server for full and pro users.

#100DaysOfYARA - Day 15 (a little behind) I used @REMnux 's MCP, to extract a payload from an (unknown to me) malware, I'm now tracking as AxolotlLoader. I used the MCP to build a YARA rule based off of the XOR decryption function. Rule at end 1/5

Video 4 in the Strings and Imports course is now live! 🎥 We’re moving past simple extraction to understand the physical structure of the binary. This lesson covers: ✅ Pointers & data: how strings are stored/accessed ✅ Compiler alignment: recognizing padding vs. "noise" ✅ Finding 'Main': Differentiating runtime code from the author's ✅ Triage: How string artifacts dictate your next steps Plus, we're using @malcat4ever to navigate the binary. 🔗 youtu.be/DwLDHV3i2mY

Sometimes, the absence of signature match is also interesting. Here the #Chrysalis sideloaded dll, where we can quickly spot the few interesting functions. Make sure to check "Show UNK" !

@nicbedford thank for the support. You can contact me on discord in ~1 week if you want to beta-test the MacOS version.

@malcat4ever Waiting for this. Have already bought license in anticipation.

A quick update on Malcat's MacOS development (apple silicon): A couple of visual glitches, but the analysis & UI are now functional \o/

@SquiblydooBlog That would make a good plot for a movie.

Does anyone know VirusTotal user "bsforvt727" (pronounced "bs for vt 727")? I feel like we could be friends, if we aren't already. They consistently leave comments and downvote stuff that I then see a day or two later. www[.]virustotal[.]com/gui/user/bsforvt727

@bquintero For this tiny dlder? It's a <1KB ELF binary with a _single_ function. What is weird is that only the BN agent "nailed it", and that the report has hallucinations, smtg seems wrong with their agents at omnia.

Binary Ninja nailed the analysis on Omnia... Full report (and sample) in the reply...

Expel's Aaron Walto shows how Gootloader uses a deliberately malformed ZIP archive to bypass detection. The ZIP is correctly extracted by the default tool built into Windows systems but not by specialized tools like 7zip and WinRAR. expel.com/blog/gootloade…

@IstaPee Soon, I need to figure out packaging first

@malcat4ever where can i download and test it out?

#malcat 0.9.12 is out! Enjoy .pyc and .net stack analysis, py 3.14 support, nuitka / inno 6.7 / .net singlefile bundle parsers and may other improvements: malcat.fr/blog/0912-is-o…