Tag: NSRL

MalChela 2.2 “REMnux” Release

DFIR, Forensics, Malware, Rust

MalChela’s 2.2 update is packed with practical and platform-friendly improvements. It includes native support for REMnux, better tool settings, and deeper integrations with analysis tools like YARA-X, Tshark, Volatility3, and the newly improved fileanalyzer module.

🦀 REMnux Edition: Built-In Support, Zero Tweaks

When the GUI loads a REMnux-specific tools.yaml profile, it enters REMnux mode.

Screenshot of yaml configuration applying REMnux mode

Native binaries and Python scripts like capa, oledump.py, olevba, and FLOSS are loaded into the MalChela tools menu, allowing you to mix and match operations with the embedded MalChela utilities and the full REMnux tool stack. No manual configuration needed—just launch and go. MalChela currently supports the following REMnux programs right out of the box:

Tool Name Description
binwalkFirmware analysis and extraction tool
capaIdentifies capabilities in executable files
radare2Advanced reverse engineering framework
Volatility 3Memory forensics framework for RAM analysis
exiftoolExtracts metadata from images, documents, and more
TSharkTerminal-based network packet analyzer (Wireshark CLI)
mraptorDetects malicious macros in Office documents
oledumpParses OLE files and embedded streams
oleidIdentifies features in OLE files that may indicate threats
olevbaExtracts and analyzes VBA macros from Office files
rtfobjExtracts embedded objects from RTF documents
zipdumpInspects contents of ZIP files, including suspicious payloads
pdf-parserAnalyzes structure and contents of suspicious PDFs
FLOSSReveals obfuscated and decoded strings in binaries
clamscanOn-demand virus scanner using ClamAV engine
stringsExtracts printable strings from binary files
YARA-XNext-generation high-performance YARA rule scanner

If you only need a subset of tools you can easily save and restore that a custom profile.

TShark Panel with Built-In Reference

Tshark and the integrated field reference

A new TShark integration exposes features including:

  • A filter builder panel
  • Commonly used fields reference
  • Tooltip hints for each example (e.g., `ip.addr == 192.168.1.1` shows “Any traffic to or from 192.168.1.1”)
  • One-click copy support

This helps analysts build and understand filters quickly—even if TShark isn’t something they use every day. Using the syntax builder in MalChela you can use the exact commands directly in Tshark or Wireshark.

YARA-X Support (Install Guide Included)

YARA-X module in MalChela

Support for YARA-X (via the `yr` binary) is now built in. YARA-X is not bundled with REMnux by default, but install instructions are included in the User Guide for both macOS and Linux users.

Once installed, MalChela allows for rule-based scanning from the GUI,and with YARA-X, it’s faster than ever.

fileanalyzer: Fuzzy Hashing, PE Metadata, and More

Updated FileAnalyzer Module

MalChela’s fileanalyzer tool has also been updated to include:

  • Fuzzy hashing support via `ssdeep`
  • BLAKE3 hashing for fast, secure fingerprints
  • Expanded PE analysis, including:
  • Import and Export Table parsing (list of imported and exported functions)
  • Compilation Timestamp (for detection of suspicious or forged build times)
  • Section Characteristics (flags like IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, etc., for detecting anomalous sections)

These improvements provide deeper insight into executable structure, helping analysts detect anomalies such as packers, suspicious timestamps, or unexpected imports/exports. Useful for everything from sample triage to correlation, fileanalyzer now digs deeper—without slowing down.

Memory Forensics Gets a Boost: Volatility 3 Now Supported

With the 2.2 release, MalChela introduces support for Volatility 3, the modern Python-based memory forensics framework. Whether you’re running MalChela in REMnux or on a customized macOS or Linux setup, you can now access the full power of Volatility directly from the MalChela GUI.

Volatility 3 in MalChela

There’s an intuitive plugin selector that dynamically adjusts available arguments based on your chosen plugin,. You can search, sort, and browse available plugins, and even toggle output options like –dump-dir with ease.

Like Tshark, there is an added plugin reference panel with searchable descriptions and argument overviews — a real time-saver when navigating Volatility’s deep and often complex toolset.

Volatility Plugin Reference

Smarter Tool Configuration via YAML

The tool configuration system continues to evolve:

  • Tools now declare their input type (file, folder, or hash)
  • The GUI dynamically adjusts the interface to match
  • Alternate profiles (like REMnux setups) can be managed simply by swapping `tools.yaml` files via the GUI
  • Easily backup or restore your custom setups
  • Restore the default toolset to get back to basics

This structure helps keep things clean—whether you’re testing, teaching, or deploying in a lab environment.

Embedded Documentation Access

The GUI now includes a link to the full MalChela User Guide in PDF. You can also access the documentation online.

From tool usage and CLI flags to configuration tips and install steps, it’s all just a click away—especially useful in offline environments or when onboarding new analysts. I’ll be honest, this is likely the most comprehensive user guide I’ve ever written.

Whether you’re reviewing binaries, building hash sets, or exploring network captures—MalChela 2.2 is designed bring together the tools you need, and make it easier to interoperate between them.

The new REMnux mode makes it even easier to get up and running with dozens of third party integrations.

Have an idea for a feature or application you’d like to see supported — reach out to me.

GitHub: REMnux Release

MalChela User Guide: Online, PDF, Web

Shop: T-shirts, hats, stickers, and more

MalChela – A YARA and Malware Analysis Toolkit written in Rust

DFIR, Forensics, hashing, Malware, Rust, yara

Saturday was for Python. Sunday was for Rust.

After my success with the Python + YARA + Hashing, I decided to take things to the next level. Over the past few years I’ve created a number of Python and PowerShell scripts related to YARA and Malware Analysis. What if I combined them into a single utility? While we’re at it, let’s rewrite them all from scratch in Rust. Boy, do I know how to let loose on the weekends.

MalChela

MalChela combines (currently 10) programs in one Rust workspace, that can be invoked using a launcher.

MalChela screenshot

Features:

Combine YARAPoint it at a directory of YARA files and it will output one combined rule
Extract SamplesPoint it at a directory of password protected malware files to extract all
Hash ItPoint it to a file and get the MD5, SHA1 and SHA256 hash
MZMD5Recurse a directory, for files with MZ header, create hash list
MZcountRecurse a directory, uses YARA to count MZ, Zip, PDF, other 
NSRL MD5 LookupQuery a MD5 hash against NSRL
NSRL SHA1 LookupQuery a SHA1hash against NSRL 
Strings to YARAPrompts for metadata and strings (text file) to create a YARA rule
Malware Hash LookupQuery a hash value against VirusTotal & Malware Bazaar*
XMZMD5Recurse a directory, for files without MZ, Zip or PDF header, create hash list

*The Malware Hash Lookup requires an api key for Virus Total and Malware Bazaar.  If unidentified , MalChela will prompt you to create them the first time you run the malware lookup function.

What’s with the Name?

mal — malware

chela — “crab hand”

A chela on a crab is the scientific term for a claw or pincer. It’s a specialized appendage, typically found on the first pair of legs, used for grasping, defense, and manipulating things;  just like these programs.

Sounds Awesome – How do I install it?

Install Rust – https://rustup.rs/

then

git clone https://github.com/dwmetz/MalChela.git
cd MalChela
cargo build

Run

cargo run -p malchela

Feedback

I’d love to get your feedback on this. Please download it and give it a try. I’m open to suggestions for adding additional capabilities.

https://github.com/dwmetz/MalChela

NSRL Query from the Command Line

DFIR, PowerShell, Python

In digital forensics, we’re frequently trying to separate the signal from the noise. When examining operating systems – including mobile, it can be helpful to know what files came with the operating system. By filtering those out we can concentrate on what’s new on the device as we start looking for activity.

The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations.

https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl

Recently I came across a site that, among other capabilities, has the option of doing an NSRL lookup using curl from the command line.

Me being Mr. PowerShell I wanted to see what the syntax would be to do the same lookup with PowerShell. So where did I turn? No, not to Jeffrey Snover. I went to ChatGPT. I’d heard quite about how services like these, while not trustworthy for anything of historical accuracy, are pretty good at translating code.

The original syntax:

curl -X 'GET' \
  'https://hashlookup.circl.lu/lookup/sha1/09510d698f3202cac1bb101e1f3472d3fa399128' \
  -H 'accept: application/json'

Sure enough it returned functional code to do the same operation in PowerShell. What I really appreciated though is the detailed information beneath that explains the parallel functions between the two, and what the different values represent. I could see myself using ‘explain this code to me’ in the future.

PowerShell NSLR Query Syntax:

Invoke-RestMethod -Uri 'https://hashlookup.circl.lu/lookup/sha1/3f64c98f22da277a07cab248c44c56eedb796a81' -Headers @{accept='application/json'} -Method GET

I also asked it to convert the curl command to Python which it handled equally well, and once again the same level of explanation of what’s going on beneath the code.

Python NSRL Query Syntax:

import requests
response = requests.get('https://hashlookup.circl.lu/lookup/sha1/09510d698f3202cac1bb101e1f3472d3fa399128', headers={'accept': 'application/json'})
print(response.json())

Curl script & output

Python script & output

PowerShell script & output

Of the three, I prefer the output of the PowerShell command as the output is the most readable. In the screenshot above, four queries were run. For the first two there wasn’t a matching hash detected, so we can’t confirm whether those were included with the operating system. For the second two queries, which happen to be for executable names that are frequently misused by bad actors, we see that the hashes queried do match the published NSRL.