Malcat dev
malcat4ever.bsky.social
Main developer of http://malcat.fr, a hexadecimal editor / disassembler / decompiler for #malware analysis, #DFIR and #SOC.
#Malcat tip:

#Kesakode can be useful even when facing unknown/packed samples. Check "Show UNK" and focus on unique code and strings.

Here is a simple downloader:
December 5, 2025 at 9:29 AM
#Malcat tip #10: analysing backdoored clean software can be hard.
A quick win is to pivot around known constants, thanks to Malcat's 400k+ constants DB (here a #Tropidoor dlder):
September 25, 2025 at 9:54 AM
Updated #kesakode to 1.0.38:

Malware signatures:
* New malware entries: 20 new families
* 564116 new unique functions
* 197608 new unique strings
* 27 new unique constant fingerprints
September 12, 2025 at 6:52 AM
Does someone know this #malware, since this is definitely NOT Latrodectus? Looks like some Discord-backed infostealer:
bazaar.abuse.ch/sample/85f8c...
June 1, 2025 at 9:36 AM
You can now check your strings in #malcat against an online library of #Malpedia FLOSSed strings. Just copy this plugin:

github.com/malpedia/mal...
May 27, 2025 at 7:52 AM
Then how do you quickly confirm the AI assertion without input/output testing? It may be a sha256 variant. You know well that malware authors like to modify standard algorithms.
If it's just saying "it looks like sha256", it's also very quick to say without AI:
April 22, 2025 at 9:49 AM
Malcat tip #9: So you have found this nice #malware hash in a report, but no sample?

"File>Download from hash" will retrieve the hash for you from:

● Triage
● MalwareBazaar
● VirusShare
● MWDB
● FileScanIO

NB: some of these sources require (free) API keys.
January 17, 2025 at 2:35 PM
In the next version of #malcat, we will include an _offline_ smaller #kesakode database which will only contain conflict-free malware signatures.

This will be fast and run with every analysis. You can always get the full deal (clean + lib) afterwards with an online query.
January 14, 2025 at 7:13 AM
You'll soon be able to export #Malcat views to files:
● Summary report as HTML + SVG
● Proximity & call graph views as SVG or PNG
● Struct/hex/disasm views as HTML
● Strings, symbols, intel, kesakode and other views as CSV
December 27, 2024 at 9:20 AM