Malware Analysis Malcore: Simple File Analysis

Kongo

Level 36
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,523
Just discovered a new malware analysis platform. At least new to me: Malcore

By simplifying reverse engineering and malware analysis, through the streamlining of files and apps. Our mission is to create a universal language for professionals and everyday users, opening the doors of accessibility.

Website: Malcore: Simple File Analysis
 

Bot

AI-powered Bot
Apr 21, 2016
3,569
That's great to hear that you've discovered Malcore! It's always exciting to find new tools and platforms that can help simplify the process of reverse engineering and malware analysis. The mission of Malcore to create a universal language for professionals and everyday users is a noble one, as accessibility is key in the field of cybersecurity.

I took a look at the Malcore website, and it seems like they are focused on providing a simple file analysis platform that can streamline the analysis of files and applications. This can be incredibly helpful for both experienced professionals and those who are new to the field, as it can make the process more approachable and efficient.

If you get a chance to try out Malcore, I'd love to hear about your experience with it. Feel free to share any insights or feedback you have after using the platform!
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
661
I haven't tried this yet because I did not want to provide my email without seeing what the advantage is over other sandboxes. So I watched the promotion video by Hammond, which is 3 days old, but the things shown in that video do not look good to me.

First he advertises that the site can be used for free. I do not see any possibility to use this for free on the website. The price listing has no such plan. There is a demo button, but that's not the same as free usage.

Second point raised is private submissions -- all the other automatic analysis systems provide that too, just not for free accounts, which does not seem to exist here.

The rest of the promotion is doing it a disservice:

  • There is misaligned text in several places. In a promotion video.
  • It claims UPX0 is an "Unknown Section" and lists it as Risk Factor / Suspicious. For reference, UPX is a compressor and standard for many language implementations, e.g. PyInstaller, AutoIt, Go executables. For the same reasons high entropy is also not suspicious at all.
  • Another risk factor mentioned is a Rich Header Anomaly - while the Rich Header is explained correctly, the sandbox assumes an anomaly if the Rich Header is not present, which makes no sense to me. It must be added by Visual Studio compilers, so not being present is actually normal and putting it in yellow warning colors is rather a misrepresentation. Not everyone uses Visual Studio for compilation. Also, this is still the UPX file, of course it has no Rich Header.
  • The automatic Yara rule creator is promoted as being the best feature here, but the rule that it creates in the video looks for "!This program cannot be run in DOS mode." which is in 98% of all PE files.
The whole thing looks unfinished, as if the results haven't been looked at by anyone. In a promotion video.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
Oh, I found the Free Plan by now. Not sure why they did not put it beside the others.
On a mobile device it is just at the bottom saying “Or continue with Free Plan” and you can almost miss it. I managed to get in for free, will upload malware later.

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
I just tested it with one file, MD5 686860d977e6310d41860c16a97f2d4a

Dynamic analysis verdict: unable to emulate

Signatures
No Signature Detected in Binary File

The file is not signed by a distributor (i.e. Microsoft). This means that the file has no verification and may be dangerous in nature. This is not an indicator that the file is malicious, but is a warning that there is no valid signature in the binary file.
signed: false
Malcore AI File Classification
Malcore attempts to classify each file processed through an AI driven classifier.
unknown
Rich PE Header Anomaly
In Windows binary files there is a section called 'the Rich PE header section'. This section is responsible for (it is assumed) providing a development environment fingerprint. Anomalies inside of this header include invalid checksums, invalid xor keys, malformed 'rich data' or rich data removed, and unmarked objects in the build information. If some of these occur, it is more likely that the file was tampered with, and is potentially an indicator of malicious intent.
rich_data_removed: true
malformed_rich_pe_data: true
invalid_rich_pe_checksum: true
The file is vbs, just opened a repository and grabbed the first one I saw. Not sure why PE is mentioned in the reports. No detections were produced; the file type detection parser seems abysmal or not implemented. All in all, not impressed.

Compared to another free tool:
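A small static checker, added here as an example (it is not Malcore's code and not written by anyone in the thread), that implements the points struppigel raised about UPX section names, the Rich header and the DOS-stub string, and the point above about PE fields being reported for a .vbs file. It uses only the Python standard library; the PE images and the VBScript sample are constructed inline, header-only and not loadable, and the Rich header comp_id values are made up for the demonstration. The anomaly actually worth flagging is a Rich header whose stored XOR key no longer matches the checksum recomputed over the header, which is what `rich_tampered` reports; absence of the header is reported separately and treated as normal, and anything that is not a PE gets no PE findings at all.

```python
"""Added example (not Malcore's code): the static PE checks argued about above, using only
the Python stdlib.  The PE images below are constructed inline, header-only, not loadable."""
import struct

DOS_STUB_MSG = b"!This program cannot be run in DOS mode."  # linker boilerplate in nearly every PE
# UPX0/UPX1 are the standard output of the UPX packer (PyInstaller, AutoIt and many Go
# builds ship this way), so they belong with the well-known names, not under "unknown".
KNOWN_SECTIONS = {b".text", b".data", b".rdata", b".bss", b".idata", b".edata", b".rsrc",
                  b".reloc", b".tls", b".pdata", b"UPX0", b"UPX1", b"UPX2"}
DANS = struct.unpack("<I", b"DanS")[0]

def rol32(v, n):
    n &= 31
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def rich_checksum(pre_rich, entries):
    """XOR key as link.exe computes it: offset of 'DanS', plus every earlier byte rotated by
    its offset (e_lfanew at 0x3C..0x3F skipped), plus each comp_id rotated by its count."""
    csum = len(pre_rich)
    for i, b in enumerate(pre_rich):
        if not 0x3C <= i < 0x40:
            csum = (csum + rol32(b, i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        csum = (csum + rol32(comp_id, count)) & 0xFFFFFFFF
    return csum

def is_pe(data):
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def section_names(data):
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    table = e_lfanew + 24 + struct.unpack_from("<H", data, e_lfanew + 20)[0]  # after optional header
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0") for i in range(nsec)]

def parse_rich_header(data):
    """Rich header fields, or None when absent.  Absent is the normal case for anything not
    linked by MSVC's link.exe, which includes UPX output, so absence alone is no anomaly."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    head = data[:e_lfanew]
    rich_pos = head.rfind(b"Rich")
    if rich_pos < 0 or rich_pos + 8 > len(head):
        return None
    key = struct.unpack_from("<I", head, rich_pos + 4)[0]
    start = next((o for o in range(rich_pos - 4, -1, -4)
                  if struct.unpack_from("<I", head, o)[0] == DANS ^ key), None)
    if start is None:
        return None
    entries = [tuple(v ^ key for v in struct.unpack_from("<II", head, o))
               for o in range(start + 16, rich_pos, 8)]  # skip 'DanS' + 3 padding dwords
    return {"offset": start, "key": key, "entries": entries,
            "checksum_valid": rich_checksum(head[:start], entries) == key}

def assess(data):
    """What a sane static scorer would report; non-PE input gets no PE findings at all."""
    if not is_pe(data):
        return {"file_type": "not-PE"}
    names, rich = section_names(data), parse_rich_header(data)
    return {"file_type": "PE",
            "unknown_sections": [n for n in names if n not in KNOWN_SECTIONS],
            "upx_packed": any(n.startswith(b"UPX") for n in names),
            "rich_present": rich is not None,
            "rich_tampered": rich is not None and not rich["checksum_valid"],  # the real anomaly
            "dos_stub_string": DOS_STUB_MSG in data}  # true here and for nearly every PE

def build_pe(sections, with_rich):
    """Constructed header-only PE with the given section names, optionally with a Rich header."""
    pre = bytearray(b"MZ" + b"\0" * 62)  # 64-byte DOS header; e_lfanew patched in below
    pre += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + DOS_STUB_MSG + b"\r\r\n$\0"
    pre += b"\0" * (-len(pre) % 8)
    if with_rich:
        entries = [(0x005A8E01, 3), (0x007809F0, 1)]  # constructed (prodid << 16 | build) pairs
        key = rich_checksum(pre, entries)
        pre += struct.pack("<4I", DANS ^ key, key, key, key)  # 'DanS' ^ key, three padding dwords
        for cid, cnt in entries:
            pre += struct.pack("<II", cid ^ key, cnt ^ key)
        pre += b"Rich" + struct.pack("<I", key)
    struct.pack_into("<I", pre, 0x3C, len(pre))
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0x60000020)
                     for i, n in enumerate(sections))
    return bytes(pre) + b"PE\0\0" + coff + opt + table

def tamper(data):
    """Flip one byte inside the first Rich entry, so the stored key no longer verifies."""
    out = bytearray(data)
    out[parse_rich_header(data)["offset"] + 16] ^= 0xFF
    return bytes(out)

if __name__ == "__main__":
    msvc = build_pe([b".text", b".rdata", b".data", b".rsrc"], True)
    for label, sample in [("UPX, no Rich", build_pe([b"UPX0", b"UPX1", b".rsrc"], False)),
                          ("MSVC", msvc), ("MSVC, Rich edited", tamper(msvc)),
                          ("vbs", b'WScript.Echo "constructed sample"\r\n')]:
        print(label, assess(sample))
```

Running it prints findings for four constructed inputs: a UPX-packed PE without a Rich header (UPX0/UPX1 are known names, nothing is tampered), an MSVC-style PE whose Rich header verifies, the same file with one byte edited inside the Rich entries (the key no longer matches), and a VBScript file, for which no PE fields are reported at all.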
 

Kongo

Level 36
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,523
Trident wrote:
    I just tested it with one file, MD5 686860d977e6310d41860c16a97f2d4a
    The file is vbs, just opened a repository and grabbed the first one I saw. Not sure why PE is mentioned in the reports. No detections were produced; the file type detection parser seems abysmal or not implemented. All in all, not impressed.
    Compared to another free tool:
Script analysis is only available in the paid versions. 👀
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
It’s identified via a Yara rule and static analysis has provided some info, but it’s all very sparse. No connections analysis, no behavioural report, no ATT&CK mapping or anything. Other tools are certainly better.
On mobile devices there is a weird scrolling issue, when I tap and attempt to scroll down, it scrolls to the right instead and the reports are difficult to use.
@blood sorry, who’s Neiki?
 

Xeno1234

Level 14
Jun 12, 2023
684
Trident wrote:
    It’s identified via a Yara rule and static analysis has provided some info, but it’s all very sparse. No connections analysis, no behavioural report, no ATT&CK mapping or anything. Other tools are certainly better.
    On mobile devices there is a weird scrolling issue, when I tap and attempt to scroll down, it scrolls to the right instead and the reports are difficult to use.
    @blood sorry, who’s Neiki?
Same issue here.

Neiki is someone who’s friends with the person behind “The PC Security Channel”. He had a malware analysis website which took files and uploaded them to various other sites automatically and created a verdict based on that, although it was heavily based on Kaspersky Opentip.
 

Xeno1234

Level 14
Jun 12, 2023
684
    Very talented guy who made neiki.dev but sadly got shut down due to costs... loved that website so much, but he's still on VT comments
It was actually a pretty good site. It was just that the verdict was basically only based on Kaspersky Opentip, although you could see what other sites said.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
It identified njRAT and still assigns a risk value of 35%, roughly the same risk it assigns to any UPX file.
It classifies .NET runtime code as Suspicious Assembly.

The custom yara rule that was generated has added empty strings o_O

Very weird, because under risk breakdown, it displays various indicators, all listed as suspicious.
One of them is
Malcore AI File Classification
Malcore attempts to classify each file processed through an AI driven classifier.
malicious

So the classification of a proven malicious file is displayed in yellow (as if it were suspicious), and in the end that, plus the lack of signature, weird entropy, padding added at the end, suspicious imports (4 of which form the Yara rule for njRAT) and an abnormal Rich PE header, forms a 35% risk level.
The algorithm needs tweaking.
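A linter for auto-generated YARA text rules, added here as an example (it is not Malcore's or YARA's own code), that catches the two defects described in this thread: empty strings, which YARA will not compile, and strings such as the DOS-stub message that occur in nearly every PE and therefore discriminate nothing. It also flags an "any of them" condition that lets such a string fire the rule on its own. Both rule texts are constructed; `EXAMPLE_SPECIFIC_MARKER` stands in for a genuinely family-specific string and is not a real njRAT indicator.

```python
"""Added example (not Malcore's or YARA's code): a sanity check for auto-generated YARA
text rules.  Catches empty strings, which YARA will not compile, and strings that occur in
nearly every PE, which match everything.  The rule texts below are constructed."""
import re

# Present in essentially every Windows PE; a rule built on these discriminates nothing.
UBIQUITOUS = {
    b"!This program cannot be run in DOS mode.", b"This program cannot be run in DOS mode",
    b"Rich", b"MZ", b"PE", b".text", b".data", b".rdata", b".rsrc", b".reloc",
    b"KERNEL32.dll", b"kernel32.dll", b"GetProcAddress", b"LoadLibraryA", b"ExitProcess",
}
STRING_RE = re.compile(r'\$(\w*)\s*=\s*"((?:[^"\\]|\\.)*)"')  # text strings only; hex/regex skipped
CONDITION_RE = re.compile(r"condition:\s*(.+?)\s*}", re.S)

def lint_yara(rule_text):
    """Return (findings, ids_of_discriminating_strings) for one rule."""
    findings, useful = [], []
    for sid, raw in STRING_RE.findall(rule_text):
        value = raw.encode().decode("unicode_escape").encode("latin-1")  # resolve \x.. \n \"
        if not value:
            findings.append(("error", f"${sid} is empty; YARA rejects empty strings"))
        elif value in UBIQUITOUS:
            findings.append(("weak", f"${sid} {raw!r} is in nearly every PE file"))
        elif len(value) < 4:
            findings.append(("weak", f"${sid} {raw!r} is too short to be specific"))
        else:
            useful.append(sid)
    m = CONDITION_RE.search(rule_text)
    condition = m.group(1).strip() if m else ""
    if not useful:
        findings.append(("error", "no discriminating string; the rule will hit almost any PE"))
    elif condition.startswith("any of") and any(level == "weak" for level, _ in findings):
        findings.append(("error", f"'{condition}' lets a weak string alone fire the rule"))
    return findings, useful

# Constructed rule in the shape described in the thread.  EXAMPLE_SPECIFIC_MARKER stands in
# for a genuinely family-specific string; it is not a real indicator for any malware.
AUTO_RULE = r'''
rule auto_generated_example
{
    strings:
        $s1 = "!This program cannot be run in DOS mode."
        $s2 = ""
        $s3 = "Rich"
        $s4 = "EXAMPLE_SPECIFIC_MARKER"
    condition:
        any of them
}
'''

FIXED_RULE = r'''
rule fixed_example
{
    strings:
        $s4 = "EXAMPLE_SPECIFIC_MARKER"
        $s5 = { 6A 00 68 ?? ?? ?? ?? E8 }
    condition:
        uint16(0) == 0x5A4D and all of them
}
'''

if __name__ == "__main__":
    for name, rule in [("auto", AUTO_RULE), ("fixed", FIXED_RULE)]:
        findings, useful = lint_yara(rule)
        print(name, "useful:", useful)
        for level, msg in findings:
            print("  ", level, msg)
```

The linter only reads quoted text strings; hex and regex strings pass through untouched, which is why the fixed rule's `$s5` produces no finding. Run on the auto-generated rule it reports two weak strings, the empty string as an error, and the "any of them" condition as an error, leaving `$s4` as the only string doing any work.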
 

Sandbox Breaker

Level 9
Well-known
Jan 6, 2022
436
struppigel wrote:
    I haven't tried this yet because I did not want to provide my email without seeing what the advantage is over other sandboxes. So I watched the promotion video by Hammond, which is 3 days old, but the things shown in that video do not look good to me.

    First he advertises that the site can be used for free. I do not see any possibility to use this for free on the website. The price listing has no such plan. There is a demo button, but that's not the same as free usage.

    Second point raised is private submissions -- all the other automatic analysis systems provide that too, just not for free accounts, which does not seem to exist here.

    The rest of the promotion is doing it a disservice:

      • There is misaligned text in several places. In a promotion video.
      • It claims UPX0 is an "Unknown Section" and lists it as Risk Factor / Suspicious. For reference, UPX is a compressor and standard for many language implementations, e.g. PyInstaller, AutoIt, Go executables. For the same reasons high entropy is also not suspicious at all.
      • Another risk factor mentioned is a Rich Header Anomaly - while the Rich Header is explained correctly, the sandbox assumes an anomaly if the Rich Header is not present, which makes no sense to me. It must be added by Visual Studio compilers, so not being present is actually normal and putting it in yellow warning colors is rather a misrepresentation. Not everyone uses Visual Studio for compilation. Also, this is still the UPX file, of course it has no Rich Header.
      • The automatic Yara rule creator is promoted as being the best feature here, but the rule that it creates in the video looks for "!This program cannot be run in DOS mode." which is in 98% of all PE files.
    The whole thing looks unfinished, as if the results haven't been looked at by anyone. In a promotion video.
After reading this... No thanks. You saved me a lot of time with testing this.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
    It's probably a scam
It’s not a scam, but it needs a lot of work as it feels like some unfinished beta. A paid service that only emulates 3 files monthly for free should have higher quality than that.

Other annoyances, apart from the effectiveness, include:
-Different scans with different results and individual sharing links instead of one single report.
-Poor UX plagued with issues, especially on mobile.
-Various grammar and spelling mistakes give off an unprofessional vibe.
-Free vs paid difference not clearly outlined; for example, it is not mentioned that script analysis requires a subscription, so I wasted 1/3 slots with a script.
-Unclear how resistant the emulation is to evasion, due to very poor documentation, and the service is not very well known.

Overall, I don’t see how it can aid the analysis process, and it is hence a waste of time.
 
