#Malcat 0.9.14 is out!
This is a maintenance build, with some bonuses:
● AccessDB parsing
● RAR unpacking
● UPX (static) unpacking
● Improved __noreturn detection
● ... and as usual, up-to-date signature, constants and Kesakode DBs.
Happy reversing!
FUD CastleLoader signed "INFOTECK SOLUTIONS PRIVATE LIMITED"
The 40MB exe makes it hard for detection engines to see the 1 important line of python it will execute. Short #malcat investigation though.
62a6e64a7233f4a756d01c54840ff703a620a416929d57eebc0bdac3b9ed2019
1/3
We're happy to announce that #malcat 0.9.13 is out!
You'll find a new Apple-silicon MacOS port, two integrated MCP servers (in-GUI +headless) for automated triage and an improved interface:
https://malcat.fr/blog/0913-is-out-macos-port-mcp-server-and-dark-mode
#malcat 0.9.12 is out!
Enjoy .pyc and .net stack analysis, py 3.14 support, nuitka / inno 6.7 / .net singlefile bundle parsers and many other improvements:
https://malcat.fr/blog/0912-is-out-python-314-pyc-and-net-stack-analysis/
Malcat version 0.9.12 is out! This time we have focused on python and dotnet disassembly, with a new stack analysis that should improve their disassembly listing readability. We have also added support for python 3.14 and packed a large number of minor improvements.
The malware is an NSIS installer. With #malcat, we can click into the NSIS Installer's compressed object to expand it and see its contents. These contents are compressed, which is what makes a YARA rule practically impossible.
Video showing expanding the NSIS contents
3/7
Running the rule against a file will only tell me that it matched, but not what matched, so I load it into #malcat.
Malcat comes with a lot of YARA rules already but there is a user directory too which allows you to add your own and ensure they persist across updates.
4/10
With #malcat, or other tools, a reverse engineer can investigate those function blocks to understand what they are and why they are unique. For me, I can use this rule for hunting across an environment if desired.
https://github.com/Squiblydoo/100DaysofYARA/blob/main/Squiblydoo/Day10.yara
5/5
These scripts are deceptive as they contain 10,000 empty lines. BTW #malcat loads scripts like these better than most text editors.
If I get the chance, I may revise it to see how to find ones without the matching text or if you have ideas, hmu.
https://github.com/Squiblydoo/100DaysofYARA/blob/main/Squiblydoo/Day9.yara
3/3