Overview
Figure 9: MalChela GUI
Figure 10: MalChela CLI
MalChela Core Tools
These built-in programs provide fast, flexible functionality for forensics and malware triage.
| Program | Function |
|---|---|
| Combine YARA | Point it at a directory of YARA files and it will output one combined rule |
| Extract Samples | Point it at a directory of password protected malware files to extract all |
| File Analyzer | Get the hash, entropy, packing, PE info, YARA and VT match status for a file |
| File Miner | Scans a folder for file type mismatches and metadata, and provides suggested tools |
| Hash Check | Check a hash against a .txt or .tsv lookup table |
| Hash It | Point it to a file and get the MD5, SHA1 and SHA256 hash |
| mStrings | Analyzes files with Sigma rules (YAML), extracts strings, matches ReGex |
| MZHash | Recurse a directory, for files with MZ header, create hash list and lookup table |
| MZcount | Recurse a directory, uses YARA to count MZ, Zip, PDF, other |
| NSRL Query | Query a MD5 or SHA1 hash against NSRL |
| Strings to YARA | Prompts for metadata and strings (text file) to create a YARA rule |
| Malware Hash Lookup | Query a hash value against VirusTotal & Malware Bazaar* |
| XMZHash | Recurse a directory, for files without MZ, Zip or PDF header, create hash list and lookup table |
*The Malware Hash Lookup requires an API key for VirusTotal and Malware Bazaar. If unidentified, MalChela will prompt you to create them the first time you run the malware lookup function.