Tag: API

MalChela 3.2: More Cowbell? More Intel!

DFIR, Mac, Malware, open-source, Rust, yara

One of the things I value most about the open-source community is that the best improvements to a tool often don’t come from inside it — they come from outside conversations.  A short while back, the author of mlget, xorhex,  reached out and suggested I add more malware retrieval sources to FOSSOR, one of my earlier tools for pulling down samples from threat intel repositories.  It was a generous nudge, and it landed at exactly the right moment.

FOSSOR started as a simple script.  It did one job — grab malware samples from a handful of sources — and it did it well enough.  When I wrote it, I already knew it was a candidate for eventual MalChela integration, but “eventually” had stayed firmly in the future tense.  The message from xorhex gave me the push to actually sit down and do it properly.

The result is tiquery — and it’s become a new centerpiece to MalChela 3.2.

The Pattern I Keep Repeating (Deliberately)

If you’ve followed this blog or the MalChela project for a while, you might notice a recurring arc in how my tools tend to develop.  It goes something like this:

  • Step one:  write a focused script that solves a specific problem.
  • Step two:  that script evolves into a standalone tool as the scope grows.
  • Step three:  the tool finds its permanent home inside MalChela, where it benefits from the broader ecosystem — case management, the GUI, the MCP server integration, the portable workspace.
  • Step four:  When there’s overlap between tools, follow the KISS principle.

FOSSOR was in step one.  The conversation with xorhex accelerated the jump to step three.  What emerged was something more ambitious than just a source expansion — it’s a unified threat intelligence query engine, built from the ground up.

If you’re new to MalChela, it’s a Rust-based malware analysis toolkit built for DFIR practitioners — static analysis, string extraction, YARA rule generation, threat intel lookups, network analysis, and now a unified case management layer tying it all together.  Free, open-source, and built to run anywhere.

Introducing tiquery

tiquery is now the single threat intel tool in MalChela, replacing the retired malhash.  The core idea is straightforward: submit a hash, query multiple sources in parallel, get a clean color-coded summary back.  No waiting for one source to finish before the next one starts.  No manually juggling browser tabs or API wrappers.

Out of the box, tiquery works with eight confirmed sources:

  • VirusTotal
  • MalwareBazaar
  • AlienVault OTX
  • MetaDefender Cloud
  • Hybrid Analysis
  • FileScan.IO
  • Malshare
  • ObjectiveSee (no API key required — queries a locally-cached macOS malware catalogue)

Sources are tiered — free sources and registration-required sources are distinguished in the interface.  If you haven’t configured an API key for a given source, tiquery skips it gracefully rather than throwing an error. This means you can run it easily with whatever keys you have available.

The ObjectiveSee integration deserves a special mention.  It queries the objective-see.org/malware.html catalogue for macOS-specific threats using a locally-cached copy that refreshes every 24 hours, with a stale-cache fallback for offline use.  For anyone doing Mac forensics, this is a meaningful addition — a free, no-key-required check specifically against known macOS malware families.

Tiquery, like FOSSOR, supports batch lookups as well — point it to a .csv or .txt file of hashes and they’ll all be checked in parallel. You can also download samples directly, with MalwareBazaar supported in this release and additional sources on the way – (your vote matters).

What It Looks Like in Practice

The screenshots below show tiquery running in both the CLI and GUI.  In both cases, for any of the matching sources you get a basic classification (malware family, tags, detections,) and direct links to threat intelligence documents about the samples. It’s the perfect jumping off point when you want to leverage community research.

The CLI output is clean and tabular — source abbreviation, status (color-coded FOUND/NOT FOUND), family and tag information, detection count, and a direct reference URL.  Everything you need to make a quick triage decision, no scrolling through API response JSON required. You can run tiquery CLI as a stand-alone, or from within the MalChela CLI menu.

In the GUI, the experience is layered a bit more richly.  You can toggle individual sources on or off, switch between single-hash and bulk lookup modes, download the sample directly from MalwareBazaar, and export results to CSV — all from one interface.  The macOS ObjectiveSee source displays its cache age inline so you always know how fresh the data is.

Both outputs feed into MalChela’s case management system.  Check “Save to Case” in the GUI, and tiquery creates a valid case.json automatically — no separate case creation step needed.

Extended Case Management Across the Toolkit

Speaking of case management — 3.2 extends “Save to Case” support across the full GUI.  File Analyzer, File Miner, and mStrings, all now include the checkbox.  This closes out the last gaps in the case workflow.  Whatever tool you’re using for a given task, if you want to preserve the output in a named case, it’s one click. You no longer have to start with the New Case workflow, however it is recommended if that’s the direction you’re going from the start.

The Strings to YARA tool also gains a companion “Save to YARA Library” checkbox.  Check it, and the generated rule gets copied directly into the project’s yara_rules/ directory alongside being saved to the case. This will automatically make the rule available when you run fileanalyzer on subsequent files.  It’s a small workflow improvement, but one that eliminates a manual copy step I was taking every time anyway. I also added a quick formatter so the special character most often in need of escaping “\” gets handled automatically when the rule is generated.

A Note on malhash

malhash is retired in 3.2.  If you’ve been using it in scripts or workflows, tiquery is its direct replacement — it does everything malhash did and then some.  This is a breaking change in the sense that the binary is gone, but functionally tiquery is a superset, not a lateral move.

malhash served its purpose well.  RIP. tiquery is where that purpose lives now.

Get It

MalChela 3.2 is available now on GitHub.  The full release notes are in the repo. 

Thanks to xorhex for the nudge.  Sometimes the best features start with someone saying “have you thought about…”

Streamline Malware Hash Search with FOSSOR

DFIR, Forensics, hashing, Malware, Python

We’ve all encountered this scenario: you’re reading a threat report from CISA or Microsoft and come across hashes related to a malware infection. You start copying these hashes and head to one of your favorite virus repositories to check if there’s a source available for download so you can analyze the malware yourself. Unfortunately, you don’t find a match. So, you move on to another site and repeat the process. This can be time-consuming and prone to errors.

FOSSOR (Federated Open-Source Sample Search & Object Retriever) is a script designed to help you search for malware hashes across multiple threat intelligence sources. Simply run FOSSOR and provide it with a single hash or a text file of hashes (.txt or .csv). It will instantly display which sources have information about the hash, and you can even download samples if needed.

Setup

FOSSOR loads API keys from text files in the same directory as the script. Create one file per source containing only the key:

SourceKey fileWhere to get a key
MalwareBazaarmb-api.txtabuse.ch Auth Portal
VirusTotalvt-api.txtVirusTotal API
AlienVault OTXotx-api.txtOTX Account Settings

Sources with missing key files are automatically skipped. You only need the sources you have access to.

fossor/
  fossor.py
  mb-api.txt      # your MalwareBazaar key
  vt-api.txt      # your VirusTotal key
  otx-api.txt     # your OTX key
  samples/        # created automatically by --download

Usage

Look up hashes from a file

python3 fossor.py hashes.txt

The input file should have one hash per line. Lines starting with # are treated as comments and ignored. Works with .txt.csv, or any text file — BOM and stray whitespace are handled automatically.

Look up a single hash

python3 fossor.py d0a2035c0431796c138a26d1c9a75142b613c5417dc96a9200723870d0b3a687

Export results to CSV

python3 fossor.py hashes.txt --csv results.csv

Download available samples

python3 fossor.py hashes.txt --download

Downloads are saved to ./samples/ as password-protected zips. The password is always infected.

Warning: Downloaded samples are live malware. Handle with appropriate caution — use a VM or isolated analysis environment. Consider excluding the samples/ directory from antivirus real-time scanning and Spotlight indexing.

Disable specific sources

python3 fossor.py hashes.txt --no-vt           # skip VirusTotal
python3 fossor.py hashes.txt --no-mb --no-otx  # only query VirusTotal

Combine options

python3 fossor.py hashes.txt --csv results.csv --download --no-vt

Example Output

[*] MalwareBazaar: key loaded
[*] VirusTotal: key loaded
[*] OTX: key loaded
[*] Querying 9 hashes (SHA256) across: MalwareBazaar, VirusTotal, OTX
[1/9] 9d867ddb54f37592fa0b... (SHA256)
  MalwareBazaar:    NOT FOUND
  VirusTotal:       HIT - trojan.fzdtv/fkmsvcr | ZIP | 22/76
  OTX:              HIT - Infostealers without borders... | FileHash-SHA256 | 3 pulses
[2/9] d0a2035c0431796c138a... (SHA256)
  MalwareBazaar:    HIT - RedLineStealer | exe
  VirusTotal:       HIT - trojan.laplasclipper/steal | Win32 EXE | 40/75
  OTX:              HIT - InfoStealers - Jan 2025 | FileHash-SHA256 | 1 pulses
============================================================
Summary: 9 hashes queried across 3 sources
  MalwareBazaar:    1/9 found
  VirusTotal:       6/9 found
  OTX:              5/9 found
  Unique hashes with at least one hit: 7/9
Results Matrix:
  Hash               Malwar     VT    OTX
  ------------------ ------ ------ ------
  9d867ddb54f37592fa      -    HIT    HIT
  08a1f4566657a07688      -    HIT      -
  5970d564b5b2f5a472      -    HIT    HIT
  d0a2035c0431796c13    HIT    HIT    HIT
  59855f0ec42546ce2b      -      -      -
  a5b19195f61925ede7      -    HIT    HIT
  e7237b233fc6fda614      -    HIT      -
  59347a8b1841d33afd      -      -    HIT
  e965eb96df16eac926      -      -      -
============================================================

Rate Limits

SourceLimitFOSSOR default
MalwareBazaarNone documentedNo delay
VirusTotal (free)4 requests/min15s between requests
AlienVault OTX10,000 requests/hrNo delay

Download

You can download FOSSOR for free on GitHub: https://github.com/dwmetz/FOSSOR/

Mal-Hash Updates

DFIR, Malware, PowerShell

Mal-Hash.ps1

  • The script takes the input of a file, calculates the hashes (MD5, SHA1, SHA256), and then submits the SHA256 hash to Virus Total* for analysis.
  • The script will also run Strings against the sample.
  • The script will check Malware Bazaar to see if a sample matching the hash is available.
  • The hashes, strings, Virus Total and Malware Bazaar results are both displayed on screen and saved to a text report.
  • Timestamp of the analysis is recorded in UTC.

VTHashSub.ps1

  • The script takes a hash value as input and submits the hash to Virus Total* for analysis.
  • The script will check Malware Bazaar to see if a sample matching the hash is available.
  • The hashes, Virus Total and Malware Bazaar results are both displayed on screen and saved to a text report.
  • Timestamp of the analysis is recorded in UTC.

Mal-Hash.ps1 and VTHashSub.ps1 will operate (via PowerShell) on Windows, Mac & Linux.

* Virus Total API key expected in vt-api.txt.

Latest updates:

  • n of x vendors detected
  • VT permalink
  • Malware Bazaar results

Both scripts available on my GitHub page:

https://github.com/dwmetz/Mal-Hash