
| Program | Function |
|---|---|
| Combine YARA | Point it at a directory of YARA files and it will output one combined rule |
| Extract Samples | Point it at a directory of password-protected malware files to extract all of them |
| File Analyzer | Get the hash, entropy, packing, PE info, YARA and VT match status for a file |
| Hash It | Point it at a file and get the MD5, SHA1 and SHA256 hashes |
| mStrings | Analyzes files with Sigma rules (YAML), extracts strings, matches regex |
| MZMD5 | Recurse a directory; for files with an MZ header, create a hash list |
| MZcount | Recurse a directory; uses YARA to count MZ, Zip, PDF and other files |
| NSRL MD5 Lookup | Query an MD5 hash against NSRL |
| NSRL SHA1 Lookup | Query a SHA1 hash against NSRL |
| Strings to YARA | Prompts for metadata and strings (text file) to create a YARA rule |
| Malware Hash Lookup | Query a hash value against VirusTotal & Malware Bazaar* |
| XMZMD5 | Recurse a directory; for files without an MZ, Zip or PDF header, create a hash list |
*The Malware Hash Lookup requires an API key for VirusTotal and Malware Bazaar. If no keys are found, MalChela will prompt you to create them the first time you run the malware lookup function.
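MZcount and XMZMD5 both hinge on sorting files by their leading bytes rather than their extensions, which is what makes them useful on a drop of renamed samples. The following is an added example, not MalChela's own code: a std-only Rust walker that recurses a directory and tallies MZ, Zip, PDF and other by magic bytes (a swapped-in check; MalChela does this with YARA), reading only the first few bytes of each file and skipping symlinks so a link loop cannot hang the scan. The `Kind`, `classify` and `count_dir` names are mine.

```rust
use std::collections::BTreeMap;
use std::fs::{self, File};
use std::io::Read;
use std::path::Path;

/// Coarse buckets, mirroring MZcount's MZ / Zip / PDF / other tally.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Kind { Mz, Zip, Pdf, Other }

/// Classify from leading bytes only; the extension is never consulted,
/// so a renamed .exe still lands in the MZ bucket.
pub fn classify(head: &[u8]) -> Kind {
    if head.starts_with(b"MZ") {
        Kind::Mz
    } else if head.starts_with(b"PK\x03\x04") || head.starts_with(b"PK\x05\x06") {
        Kind::Zip // local file header, or an empty archive's end-of-central-directory
    } else if head.starts_with(b"%PDF") {
        Kind::Pdf
    } else {
        Kind::Other
    }
}

/// Read at most `n` leading bytes so large samples are never loaded whole.
fn read_head(path: &Path, n: u64) -> std::io::Result<Vec<u8>> {
    let mut buf = Vec::new();
    File::open(path)?.take(n).read_to_end(&mut buf)?;
    Ok(buf)
}

/// Recurse `dir` and tally kinds. Symlinks are not followed (no loops),
/// and special files (devices, sockets) are ignored.
pub fn count_dir(dir: &Path) -> std::io::Result<BTreeMap<Kind, usize>> {
    let mut counts = BTreeMap::new();
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        let ft = fs::symlink_metadata(&path)?.file_type();
        if ft.is_dir() {
            for (k, n) in count_dir(&path)? {
                *counts.entry(k).or_insert(0) += n;
            }
        } else if ft.is_file() {
            *counts.entry(classify(&read_head(&path, 8)?)).or_insert(0) += 1;
        }
    }
    Ok(counts)
}

fn main() {
    // Usage: <binary> <directory>   (defaults to the current directory)
    let dir = std::env::args().nth(1).unwrap_or_else(|| ".".to_string());
    match count_dir(Path::new(&dir)) {
        Ok(c) => c.iter().for_each(|(k, n)| println!("{:?}: {}", k, n)),
        Err(e) => eprintln!("error: {}", e),
    }
}
```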
mal — malware
chela — “crab hand”. A chela on a crab is the scientific term for a claw or pincer. It’s a specialized appendage, typically found on the first pair of legs, used for grasping, defense and manipulating things; just like these programs.
Install Rust - https://rustup.rs/

```sh
git clone https://github.com/dwmetz/MalChela.git
cd MalChela
cargo build
cargo run -p malchela
```
Caveat Emptor: Successfully tested on macOS on Apple Silicon and Ubuntu. Even though it's Rust (cross-platform), Windows is problematic because YARA64.exe has different build requirements. It works on Windows in WSL! Testers (and contributors) appreciated. YARA, OpenSSL (and their development packages) and Clang are the key dependencies. If you are having issues, many of the functions here are also available as Python and PowerShell scripts here.