- Feb 25, 2017
- 2,503
Just discovered a new malware analysis platform. At least new to me: Malcore
Website: Malcore: Simple File Analysis
Website: Malcore: Simple File Analysis
Malcore: Simple File Analysis
- Thread starter Kongo
- Start date
- Apr 21, 2016
- 3,460
That's great to hear that you've discovered Malcore! It's always exciting to find new tools and platforms that can help simplify the process of reverse engineering and malware analysis. The mission of Malcore to create a universal language for professionals and everyday users is a noble one, as accessibility is key in the field of cybersecurity.
I took a look at the Malcore website, and it seems like they are focused on providing a simple file analysis platform that can streamline the analysis of files and applications. This can be incredibly helpful for both experienced professionals and those who are new to the field, as it can make the process more approachable and efficient.
If you get a chance to try out Malcore, I'd love to hear about your experience with it. Feel free to share any insights or feedback you have after using the platform!
I took a look at the Malcore website, and it seems like they are focused on providing a simple file analysis platform that can streamline the analysis of files and applications. This can be incredibly helpful for both experienced professionals and those who are new to the field, as it can make the process more approachable and efficient.
If you get a chance to try out Malcore, I'd love to hear about your experience with it. Feel free to share any insights or feedback you have after using the platform!
- Apr 9, 2020
- 656
I haven't tried this yet because I did not want to provide my email without seeing what the advantage is over other sandboxes. So I watched the promotion video by Hammond, which is 3 days old, but the things shown in that video do not look good to me.
First he advertises that the site can be used for free. I do not see any possibility to use this for free on the website. The price listing has no such plan. There is a demo button, but that's not the same as free usage.
Second point raised is private submissions -- all the other automatic analysis systems provide that too, just not for free accounts, which does not seem to exist here.
The rest of the promotion is doing it a disservice:
First he advertises that the site can be used for free. I do not see any possibility to use this for free on the website. The price listing has no such plan. There is a demo button, but that's not the same as free usage.
Second point raised is private submissions -- all the other automatic analysis systems provide that too, just not for free accounts, which does not seem to exist here.
The rest of the promotion is doing it a disservice:
- There is misaligned text in several places. In a promotion video.
- It claims UPX0 is an "Unknown Section" and listed it as Risk Factor / Suspicious. For reference, UPX is a compressor and standard for many language implementations, e.g. PyInstaller, AutoIt, Go executables. For the same reasons high entropy is also not suspicious at all.
- Another riskfactor mentioned is a Rich Header Anomaly - while the Rich Header is explained correctly, the sandbox assumes an anomaly if the Rich Header is not present, which makes no sense to me. It must be added by Visual Studio compilers, so not being present is actually normal and putting it in yellow warning colors is rather a misrepresentation. Not everyone uses Visual Studio for compilation. Also, this is still the UPX file, of course it has no Rich Header
- The automatic Yara rule creator is promoted as being the best feature here, but the rule that it creates in the video looks for "!This program cannot be run in DOS mode." which is in 98% percent of all PE files.
- Apr 9, 2020
- 656
Oh, I found the Free Plan by now. Not sure why they did not put it besides the others.
- Feb 7, 2023
- 1,737
On a mobile device it is just at the bottom saying “Or continue with Free Plan” and you almost can miss it. I managed to get in for free, will upload malware later.
Last edited by a moderator:
- Feb 7, 2023
- 1,737
I just tested it with one file, MD5 686860d977e6310d41860c16a97f2d4a
app.malcore.io
app.malcore.io
Compared to another free tool:
tria.ge
The file is vbs, just opened a repository and grabbed the first one I saw. Not sure why PE is mentioned in the reports. No detections produced, file type detection parser seems abysmal or not implemented. All in all, not impressed.
Malcore - Simple File Analysis
Simplifying reverse engineering and malware analysis opening the doors for accessibility.
Malcore - Simple File Analysis
Simplifying reverse engineering and malware analysis opening the doors for accessibility.
Compared to another free tool:
xworm | 00ecde85fae279e6ab7417b138a21b77d8ee05174388d008f902b0e98370f17c | Triage
Check this xworm report malware sample 00ecde85fae279e6ab7417b138a21b77d8ee05174388d008f902b0e98370f17c, with a score of 10 out of 10.
Last edited:
- Feb 25, 2017
- 2,503
script analysis only available in the paid versions.I just tested it with one file, MD5 686860d977e6310d41860c16a97f2d4a
The file is vbs, just opened a repository and grabbed the first one I saw. Not sure why PE is mentioned in the reports. No detections produced, file type detection parser seems abysmal or not implemented. All in all, not impressed.
Malcore - Simple File Analysis
Simplifying reverse engineering and malware analysis opening the doors for accessibility.Malcore - Simple File Analysis
Simplifying reverse engineering and malware analysis opening the doors for accessibility.
Compared to another free tool:
xworm | 00ecde85fae279e6ab7417b138a21b77d8ee05174388d008f902b0e98370f17c | Triage
Check this xworm report malware sample 00ecde85fae279e6ab7417b138a21b77d8ee05174388d008f902b0e98370f17c, with a score of 10 out of 10.
- Sep 2, 2021
- 2,309
Test with njRAT Trojan
Malcore : Malcore - Simple File Analysis
Triage : njrat | 559d282b0ba15515ba2b906da3d68f60ec4bcb0934d07d7e922f34909a378707[.]exe | Triage
Malcore : Malcore - Simple File Analysis
Triage : njrat | 559d282b0ba15515ba2b906da3d68f60ec4bcb0934d07d7e922f34909a378707[.]exe | Triage
- Feb 7, 2023
- 1,737
It’s identified via a Yara rule and static analysis has provided some info, but it’s all very sparse. No connections analysis, no behavioural report, no Att&CK mapping or anything. Other tools are certainly better.
On mobile devices there is a weird scrolling issue, when I tap and attempt to scroll down, it scrolls to the right instead and the reports are difficult to use.
@blood sorry, who’s Neiki?
Xeno1234
Level 14
- Jun 12, 2023
- 699
Same issue here.
Neiki is someone who’s friends with the person behind “The PC Security Channel”. He had a malware analysis website which took files and uploaded them to various other sites automatically and created a verdict based on that, although it was heavily based on Kaspersky Opentip.
Xeno1234
Level 14
- Jun 12, 2023
- 699
It was actually a pretty good site. It was just that the verdict was basically only based on Kaspersky Opentip, although you could see what other sites said.
- Apr 9, 2020
- 656
It identified njRAT and still assigns a risk value of 35% - roughly the same risk it assigns to any UPX file.
It determines .NET runtime code as Suspicious Assembly
The custom yara rule that was generated has added empty strings
- Feb 7, 2023
- 1,737
Very weird, because under risk breakdown, it displays various indicators, all listed as suspicious.It identified njRAT and still assigns a risk value of 35% - roughly the same risk it assigns to any UPX file.
It determines .NET runtime code as Suspicious Assembly
The custom yara rule that was generated has added empty strings
View attachment 281749
One of them is
Malcore AI File Classification
Malcore attempts to classify each file processed through an AI driven classifier.
malicious
So classification of proven malicious file is displayed in yellow (as if it is suspicious) and in the end, that + lack of signature, weird entropy, padding added in the end, suspicious imports (4 of which form the Yara rule for njRat) and abnormal Rich PE header, form 35% risk level.
The algorithm needs tweaking.
- Jan 6, 2022
- 435
After reading this... No thanks. you saved me alot of time with testing this.
- Jan 6, 2022
- 435
It's probably a scamIt identified njRAT and still assigns a risk value of 35% - roughly the same risk it assigns to any UPX file.
It determines .NET runtime code as Suspicious Assembly
The custom yara rule that was generated has added empty strings
View attachment 281749
- Feb 7, 2023
- 1,737
It’s not a scam but it needs a lot of work as it feels like some unfinished beta. Paid service that only emulates 3 files monthly for free should have higher quality than that.
Other annoyances, apart from the effectiveness include:
-Different scans with different results and individual sharing links instead of one single report.
-Poor UX plagued with issues, specially on mobile.
-Various grammar and spelling mistakes give off an unprofessional vibe.
-Free vs paid difference not clearly outlined, for example, it is not mentioned that script analysis requires subscription so I wasted 1/3 slots with a script.
-Unclear how resistant the emulation is to evasion due to very poor documentation and service is not very well known.
Overall, I don’t see how it can aid the analysis process and is hence, a waste of time.
Similar threads
