
| Program | Function |
|---|---|
| Combine YARA | Point it at a directory of YARA files and it will output one combined rule |
| Extract Samples | Point it at a directory of password-protected malware files to extract them all |
| File Analyzer | Get the hash, entropy, packing, PE info, YARA and VT match status for a file |
| Hash It | Point it to a file and get the MD5, SHA1 and SHA256 hashes |
| Mismatch Miner | Hunts for executables disguised as other formats |
| mStrings | Analyzes files with Sigma rules (YAML), extracts strings, matches regexes |
| MZMD5 | Recurses a directory and creates a hash list of the files with an MZ header |
| MZcount | Recurses a directory and uses YARA to count MZ, Zip, PDF and other files |
| NSRL MD5 Lookup | Query an MD5 hash against NSRL |
| NSRL SHA1 Lookup | Query a SHA1 hash against NSRL |
| Strings to YARA | Prompts for metadata and strings (text file) to create a YARA rule |
| Malware Hash Lookup | Query a hash value against VirusTotal & Malware Bazaar* |
| XMZMD5 | Recurses a directory and creates a hash list of the files without an MZ, Zip or PDF header |
*The Malware Hash Lookup requires an API key for VirusTotal and Malware Bazaar. If none is found, MalChela will prompt you to create them the first time you run the malware lookup function.
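The checks behind several of the table entries are small enough to show in full. The block below is an added illustration written for this page, not MalChela's own code: it classifies a buffer by its leading magic bytes (the MZ/Zip/PDF/other buckets MZcount reports), flags an MZ header under a non-executable file name (what Mismatch Miner hunts for), and computes the Shannon entropy File Analyzer reports as a packing hint. It uses only the Rust standard library and runs over constructed in-memory byte strings rather than files on disk; the signature list and the set of PE extensions are assumptions for the example, not MalChela's.

```rust
// Added illustration, not MalChela's own code: the header, mismatch and
// entropy checks described in the tool table, std-only, over constructed
// in-memory samples standing in for files on disk.
use std::collections::HashMap;
use std::path::Path;

/// File classes recognised from the first bytes (MZcount's buckets).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum Magic {
    Mz,
    Zip,
    Pdf,
    Other,
}

/// Classify a buffer by its magic bytes. Assumption for this example:
/// a short, illustrative signature list, not an exhaustive one.
pub fn detect_magic(data: &[u8]) -> Magic {
    if data.starts_with(b"MZ") {
        Magic::Mz
    } else if data.starts_with(b"PK\x03\x04") || data.starts_with(b"PK\x05\x06") {
        Magic::Zip
    } else if data.starts_with(b"%PDF-") {
        Magic::Pdf
    } else {
        Magic::Other
    }
}

/// Extensions under which an MZ (PE) header is expected (assumed list).
const PE_EXTENSIONS: &[&str] = &["exe", "dll", "sys", "scr", "ocx", "cpl", "drv"];

/// True when the bytes start with MZ but the name does not carry a PE
/// extension: an executable disguised as another format.
pub fn is_disguised_exe(name: &str, data: &[u8]) -> bool {
    if detect_magic(data) != Magic::Mz {
        return false;
    }
    match Path::new(name).extension().and_then(|e| e.to_str()) {
        Some(ext) => {
            let ext = ext.to_ascii_lowercase();
            !PE_EXTENSIONS.contains(&ext.as_str())
        }
        None => true, // an MZ file with no extension at all is also worth a look
    }
}

/// Shannon entropy in bits per byte: 0.0 for a single repeated byte value,
/// 8.0 for a perfectly uniform byte distribution. Values close to 8 are the
/// usual hint that a file is packed or encrypted.
pub fn shannon_entropy(data: &[u8]) -> f64 {
    if data.is_empty() {
        return 0.0;
    }
    let mut counts = [0usize; 256];
    for &b in data {
        counts[b as usize] += 1;
    }
    let n = data.len() as f64;
    counts
        .iter()
        .filter(|&&c| c > 0)
        .map(|&c| {
            let p = c as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// Tally buffers per class, as MZcount does over a directory tree.
pub fn count_by_magic(files: &[&[u8]]) -> HashMap<Magic, usize> {
    let mut tally = HashMap::new();
    for data in files {
        *tally.entry(detect_magic(data)).or_insert(0) += 1;
    }
    tally
}

fn main() {
    // Constructed samples: name plus the first bytes of the "file".
    let samples: [(&str, &[u8]); 4] = [
        ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00"), // PE hiding behind .pdf
        ("tool.exe", b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00"),
        ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("bundle.zip", b"PK\x03\x04\x14\x00\x00\x00\x08\x00"),
    ];
    for (name, data) in samples.iter() {
        println!(
            "{:<12} {:?} disguised_exe={} entropy={:.2}",
            name,
            detect_magic(data),
            is_disguised_exe(name, data),
            shannon_entropy(data)
        );
    }
    let bufs: Vec<&[u8]> = samples.iter().map(|(_, d)| *d).collect();
    println!("{:?}", count_by_magic(&bufs));
}
```

Reading only the first bytes is the cheap first pass; the real tools go further (YARA rules, PE parsing), but the mismatch rule and the entropy figure are the same quantities these functions return.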
mal — malware
chela — “crab hand” A chela on a crab is the scientific term for a claw or pincer. It’s a specialized appendage, typically found on the first pair of legs, used for grasping, defense, and manipulating things; just like these programs.
```shell
sudo apt install openssl libssl-dev clang yara libyara-dev pkg-config build-essential
```

Install Rust - https://rustup.rs/

```shell
git clone https://github.com/dwmetz/MalChela.git
cd MalChela
cargo build
cargo run -p malchela
```
Caveat Emptor: Successfully tested on macOS on Apple Silicon and on Ubuntu. Even though it's Rust (cross-platform), a native Windows build is problematic because of the different requirements for YARA64.exe. It works on Windows in WSL! Testers (and contributors) appreciated.