Usage
Getting Started
Before runnning MalChela for the first time, you need to build the release binaries. There is a script provided in the workspace root.
Building the Releases
chmod +x release.sh
./release.sh
Execution
MalChela supports three main workflows:
Direct Tool Execution (CLI)
./target/release/toolname [input] [flags]
MalChela CLI Launcher Menu
./target/release/malchela
MalChela Web Interface
python server/malchela_server.py
Then open your browser to http://localhost:8675.
CLI Usage Notes
- Tools that accept paths (files or folders) should be run from the
target/releasedirectory after building withrelease.sh:bash ./target/release/fileanalyzer /path/to/file -o
Most tools now support a --case <name> argument to redirect saved output to a specific case folder under saved_output/cases/. Cases must be initiated with either a file or folder as the input. Hash-only workflows can be added to an existing case but cannot start one.
Note: Some tools (e.g., mstrings, fileanalyzer) require the -o flag to trigger output saving—even when --case is specified. Others (like strings_to_yara or mzcount) save automatically when a case is provided. Refer to the Tool Behavior Reference below for details.
Output Formats
All tools that support saving reports use the following scheme:
saved_output/<tool>/report_<timestamp>.<ext>
To save output, use:
-o -t # text
-o -j # json
-o -m # markdown
-oenables saving (CLI output is not saved by default)
If a --case argument is supplied, the report will be saved to:
saved_output/cases/<case_name>/<tool>/report_<timestamp>.<ext>
Example:
cargo run -p mstrings — path/to/file — -o -j
- If
-ois used without a format (-t,-j, or-m), an error will be shown
Web Interface Notes
Web Interface Features Summary
- Categorized tool list with input type detection (file, folder, hash)
- Arguments textbox and dynamic path browser
- Console output with ANSI coloring
- Status bar displays CLI-equivalent command
- Alphabetical sorting of tools within categories
- Tool descriptions shown alongside tool names
Web Interface Walkthrough
Layout
- Top Bar: Title and Toolkit Menu
- Left Panel: Tool categories and selections
- Center Panel: Dynamic tool input options
- Console Panel: Output display
Running Tools
- Select a tool
- Fill in input fields
- Configure options (save report, format, etc.)
- Click Run
Save Report
- Formats:
- .txt Analyst-readable summary
- .json Machine-parsable, structured output
- .md Shareable in tickets, wikis, etc.
- Location: saved_output/
/report_ . (only one file is generated per run)
Notebook
- An integrated notepad for recording strings, indicators or notes
- Supports saving as text, markdown and YAML formats
- Integrated “Open in VS Code” button for saved notes
- Any line starting with
hash:is ignored when using the Notebook as a source for String_to_Yara to generate YARA rules
Tool Behavior Reference
| Tool | Input Type | Supports -o |
Prompts if Missing | Notes |
|---|---|---|---|---|
| combine_yara | folder | ❌ | ✅ | Combines multiple YARA rules |
| extract_samples | file | ❌ | ✅ | Extracts archive contents |
| fileanalyzer | file | ✅ | ✅ | Uses YARA + heuristics |
| hashit | file | ✅ | ✅ | Generates hashes |
| hashcheck | hash and lookup file | ❌ | ✅ | Checks files against known hashes |
| fileminer | folder | ✅ | ✅ | Identifies mismatches |
| mstrings | file | ✅ | ✅ | Maps strings to MITRE |
| mzhash | folder | ✅ | ✅ | Hashes files with MZ header |
| nsrlquery | file | ✅ | ✅ | Queries CIRCL |
| strings_to_yara | text file and metadata | Case Only | ✅ | Saves to case folder if --case is provided |
| mzcount | folder | ❌ | ✅ | Will save to case folder if --case is provided |
| xmzhash | folder | ✅ | ✅ | Hashes files without known headers |