Tag: Rust

MalChela v2.1 Released: Smoother Workflows, Easier Tool Integration

DFIR, Forensics, Malware, Rust


🧰 A Toolkit That Grows With You

Version 2.1 of MalChela, the modular digital forensics and malware analysis launcher, is now available. This release focuses on flexibility and simplicity — especially when integrating third-party tools and refining workflows between CLI and GUI.

Whether you’re testing suspicious files, generating YARA rules, or examining malware indicators from different sources, the updated interface helps you move fluidly from one tool to another — without losing your place or rewriting commands.


🔄 Run, Re-run, Refine

One of the most helpful improvements in 2.1 is the ability to quickly rerun tools with updated arguments. There’s no need to backtrack or manually rebuild command lines. Just update the Arguments field in the GUI, click Run, and MalChela will handle the rest.

If you’re pivoting between tools like mstrings, pdf-parser, or capa, the consistent interface lets you switch input, adjust flags, and review results in one console — no clutter, no confusion.


🔌 Integration Made Easy

You can now seamlessly add external tools — including Python scripts, native binaries, or custom Rust programs — using just the tools.yaml configuration file. Each tool can define:

  • Input type (file, folder, or hash)
  • Command structure
  • Where input should appear in the argument list
  • Whether it’s a script, binary, or cargo-built tool

The GUI reads these definitions and builds a dynamic interface to support them, removing the guesswork of launching external programs.


💾 One Report to Rule Them All

In past versions, you might have seen multiple output files for a single run — especially when running scripts that already saved their own logs. That’s no longer the case.

With 2.1, all tools now produce a single unified report when run through the GUI. Even scripts that don’t natively generate output will have their results captured and saved by MalChela, giving you clean, consistent documentation for every tool.


🐚 CLI Power, GUI Convenience

MalChela still supports CLI-based workflows (cargo run -p toolname) and a menu-driven terminal launcher. But the GUI now offers a refined experience for analysts who want more visibility, easier input selection, and better organization of results — without losing the precision of command-line control.


🚀 Try It Out

MalChela is open-source and free to use. You can:

🎥 A Video Tour

If you haven’t seen it yet, be sure to check out the YouTube video where I walk through some of the different functions in MalChela in the new GUI, stepping through basic static analysis to yara rule writing – all in minutes.

🙏 Thank You

A huge thank you to the community of forensic analysts and developers who continue to test, refine, and inspire this project. If you have feedback, feature ideas, or tools you’d like to see integrated — reach out, submit a PR, or just let me know what’s working.

Mining for Mismatches: Detecting Executables Disguised as Image Files

DFIR, hashing, Malware, Rust, yara

Malware authors often use file masquerading—disguising malicious executables as seemingly harmless files—to bypass both user scrutiny and automated defenses. A classic example is an executable file with an image extension, such as `.png`, that actually contains a Windows PE binary. To help address this challenge, the Mismatch Miner utility, written in Rust and part of the MalChela malware analysis toolkit, introduces a practical approach for uncovering these deceptive files using YARA rules.

Why File Masquerading Matters

File extension spoofing remains a simple yet effective evasion tactic. Users and some security tools may trust files based on their extensions, ignoring the underlying content. Attackers exploit this by renaming executables with extensions like `.jpg` or `.png`, hoping to slip past defenses. While this technique is not new, it continues to be relevant due to its effectiveness and the limitations of extension-based filtering.

That said, this method should be seen as one component of a broader detection strategy. While it is effective for catching executables disguised as images or documents, it does not address more sophisticated evasion tactics, such as fileless malware or executables embedded within other file formats. Additionally, some legitimate software may use unconventional file extensions, so results should be reviewed with context in mind.

Mismatch Miner: Approach and Implementation

Mismatch Miner is designed to scan a directory for files with extensions that are commonly abused for masquerading, including popular image formats. For each candidate file, it leverages YARA—a widely used pattern-matching tool in malware analysis—to check for the presence of the “MZ” header, which marks the start of Windows executable files. If a file’s extension suggests it is an image, but its header indicates it is an executable, the tool flags the file and reports its name, full path, and SHA256 hash, to support further investigation.

Mismatch Miner screenshot

Mismatch Miner offers a practical solution for identifying a common malware evasion technique: executables disguised as benign files. By combining Rust’s performance with YARA’s pattern-matching, it provides security analysts with a reliable tool for uncovering hidden threats. While not a panacea, header-based mismatch detection is a useful addition to any malware analysis workflow, helping to close a gap that attackers continue to exploit.

Mismatch Miner is bundled with MalChela, the YARA & Malware Analysis toolkit. If you’ve already installed it, a ‘git pull’ from your workspace directory should get you the new feature.

https://github.com/dwmetz/MalChela

MalChela Updates: New Features and Enhancements

DFIR, Forensics, hashing, Malware, Rust, SIgma, Triage, yara

It’s been just over a week since MalChela was initially released and already here have been a number of updates.

mStrings

In the previous post, I walked through the new mStrings function. I think this is one of my favorites so far. It extracts strings from a file and uses Sigma rules defined in YAML against the strings to evaluate threats and align results to the MITRE ATT&CK framework.

For fun I pointed it at an old WannaCry sample . I had a proud papa moment at the positive network IOC detection.

Check for Updates

Next came a function to automatically check the GitHub repo for updates and encourage a git pull to grab the latest… because apparently I can’t stop myself and this project will just keep growing, as my sleep keeps dwindling. Personally I found it ironic that you have to update in order to get the update telling you that updates are available… but it will work for all future updates as they come. So go ahead and update why don’t you.

Screenshot of MalChela indicating an update is available via git.

New File Analyzer module

Most recently a File Analyzer module has been added. Give it the path to your suspect file and it will return back:

  • SHA-256 Hash
  • Entropy (<7.5=high)
  • A RegEx detection for packing (mileage may vary)
  • PE Header info if it’s a PE
  • File Metadata
  • Yara Matches (any rules in yara_rules folder in workspace)
  • If there’s a positive match for the hash on VirusTotal (leverages the same key as previously in MalChela with the Virus Total / Malware Bazaar lookup)

Lastly, you’re given the option of whether or not you want to run strings on the file, or return to the main menu.

I really like the idea of using this as a possible first step in static analysis. Run this first and opt for strings. Things look interesting there, throw it into mStrings. Positive match on VirusTotal – use the malware hash lookup and get a more detailed analysis. Use the results from mStrings to craft a YARA rule and add it to your repo for future detections.

mStrings: A Practical Approach to Malware String Analysis

DFIR, Forensics, hashing, Malware, Rust, SIgma, Triage, yara

String analysis is a cornerstone of malware investigation, revealing embedded commands, URLs, and other artifacts that can expose a threat’s intent. mStrings, a Rust-based tool, simplifies this process by scanning files, extracting meaningful strings, and structuring results for efficient analysis.

At its core, mStrings is more than a simple string extraction tool. It integrates regex-based detection rules to identify key indicators, offering a refined approach to analyzing malware artifacts. In addition to console output it also presents data in a structured JSON format, allowing for seamless integration into other security workflows.

screenshot from mStrings

In addition to specialized string searching, mStrings detections associate results with MITRE ATT&CK. When malware indicators map to known MITRE ATT&CK techniques, analysts can quickly understand the intent and behavior of a threat. Instead of just seeing a suspicious string, they can recognize that it corresponds to credential dumping, command-and-control, or privilege escalation, enabling faster triage and response.

Optimized for Practical Investigation

Security professionals often need to cross-reference findings in a hex editor. mStrings accounts for this by capturing detailed string locations in hex, allowing for immediate context when reviewing suspicious files. This level of granularity is particularly valuable when analyzing packed or obfuscated malware, where offsets can provide crucial insights.

mStrings showing hex location for identified string

After the scan, reviewing the complete strings dump is just as easy with an option to open the results directly in VS Code.

mStrings prompt to review saved strings

Technology That Powers It

Built in Rust, mStrings leverages its robust ecosystem to enhance performance and reliability. Sigma-based detection rules allow for flexible and easily modifiable patterns, giving analysts control over what indicators to track. The tool’s structured approach ensures that results are not just extracted but meaningfully categorized for deeper analysis.

A Tool That Grows with You

mStrings is extensible, enabling you to customize detections. Not satisfied with the existing detection rules? You can easily write your own in Sigma. Future improvements will refine regex patterns, enhance Windows compatibility, and introduce new features to improve investigative workflows. Designed with usability in mind, mStrings serves as a practical companion for analysts who need clear, structured, and insightful data extraction.

MStrings is one of many malware analysis utilities included in MalChela. Download from Github and let me know what you think. If you’ve already installed Malchela, git pull will download the latest updates.

https://github.com/dwmetz/MalChela

Try this out for a workflow. Use Hash It (3) and give it the file path for a malware file. Use the hash from Hash It and check it against VirusTotal an Malware Bazaar with the Malware Hash Lookup (10). Then jump into mStrings (4), give it the same file path again, and start pulling out the interesting strings. Once you have what you think is a good number of indicators, run Strings to YARA (9) and generate a fully formatted YARA rule for use in any of your security tools.