MalChela — A YARA & Malware Analysis Toolkit with Claude MCP integration for DFIR analysts.
Install via:

```
npx claudepluginhub dwmetz/malchela
```

MalChela malware analysis toolkit — exposes file analysis, string extraction, hash lookup, NSRL queries, and directory scanning to Claude via MCP. Built for DFIR analysts and malware researchers.
Check out the new MalChela instructional series on YouTube
*(Screenshots: GUI View | CLI View)*
| Program | Function |
|---|---|
| Combine YARA | Combines all .yara/.yar files in a directory into a single rule file |
| Extract Samples | Recursively extracts password-protected malware archives (ZIP/RAR) using common passwords |
| File Analyzer | Analyzes a file for hashes, entropy, PE structure, fuzzy hashes, YARA matches, NSRL lookup, and VirusTotal status |
| File Miner | Scans a folder for file type mismatches and metadata |
| Hash It | Generates MD5, SHA1, and SHA256 hashes for a single file |
| Hash Check | Checks if a given hash exists in a provided hash set file |
| Malware Hash Lookup | Queries a hash against VirusTotal and MalwareBazaar for threat intelligence |
| mStrings | Extracts strings from a file, applies regex and Sigma rules, maps to MITRE ATT&CK, identifies IOCs, and includes built-in MITRE Technique lookup |
| mzhash | Recursively hashes files with MZ headers using MD5 — ideal for gold build or known-bad corpus generation |
| mzcount | Recursively counts files by format (MZ, ZIP, PDF, etc.) using header/YARA detection |
| nsrlquery | Queries an MD5 hash against the NSRL database to determine if it's known-good |
| strings_to_yara | Prompts for metadata and a string list to generate a YARA rule |
| xmzhash | Recursively hashes files that are not MZ, ZIP, or PDF — ideal for non-Windows malware corpus |
*Malware Hash Lookup requires API keys for VirusTotal and MalwareBazaar. If not configured, MalChela will prompt you to create them the first time you run the malware lookup function.
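Several of the tools above (mzcount, mzhash, File Miner) decide what a file is from its header rather than its extension. The following is an added example, not MalChela's own code, showing the core of that check in standard-library Rust: an "MZ" prefix alone is only a DOS header, so a PE is confirmed only when `e_lfanew` points at a `PE\0\0` signature inside the buffer, and an extension/header disagreement is reported the way File Miner's mismatch scan would. The enum, function names and the constructed `sample_pe()` buffer are assumptions of this example.

```rust
// Added example, not MalChela's own code: header-based file typing in the spirit
// of mzcount / File Miner, standard library only.
use std::path::Path;
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Kind { Mz, Pe, Zip, Pdf, Unknown }

/// Type a buffer by its leading bytes. "MZ" alone is only a DOS header: the file
/// is a PE only if e_lfanew (u32 LE at 0x3C) points at "PE\0\0" inside the buffer.
pub fn classify(data: &[u8]) -> Kind {
    if data.starts_with(b"MZ") {
        if data.len() >= 0x40 {
            let off = u32::from_le_bytes([data[0x3c], data[0x3d], data[0x3e], data[0x3f]]) as usize;
            // bounds-check first: a crafted e_lfanew must not make the scanner panic
            let ok = off.checked_add(4).map_or(false, |end| end <= data.len());
            if ok && &data[off..off + 4] == b"PE\0\0" { return Kind::Pe; }
        }
        return Kind::Mz; // DOS header without a reachable PE signature
    }
    if data.starts_with(b"PK\x03\x04") { return Kind::Zip; }
    if data.starts_with(b"%PDF-") { return Kind::Pdf; }
    Kind::Unknown
}

/// True when the extension promises one format but the header shows another
/// (e.g. "invoice.pdf" that is really a PE). Unknown extensions are never flagged.
pub fn extension_mismatch(path: &str, kind: Kind) -> bool {
    let ext = Path::new(path).extension().and_then(|e| e.to_str())
        .map(|e| e.to_ascii_lowercase()).unwrap_or_default();
    let expected = match ext.as_str() {
        "exe" | "dll" | "sys" | "scr" => Some(Kind::Pe),
        "zip" | "jar" | "docx" | "xlsx" => Some(Kind::Zip), // OOXML and JAR are ZIP containers
        "pdf" => Some(Kind::Pdf),
        _ => None,
    };
    match (expected, kind) {
        (None, _) => false,
        (Some(Kind::Pe), Kind::Mz | Kind::Pe) => false, // a bare DOS stub still passes as MZ
        (Some(e), k) => e != k,
    }
}

/// Constructed sample: minimal DOS header whose e_lfanew (0x40) points at "PE\0\0".
pub fn sample_pe() -> Vec<u8> {
    let mut v = vec![0u8; 0x44];
    v[..2].copy_from_slice(b"MZ");
    v[0x3c..0x40].copy_from_slice(&0x40u32.to_le_bytes());
    v[0x40..0x44].copy_from_slice(b"PE\0\0");
    v
}
```

An mzcount-style tally is then just a fold of `classify` over every file read from a directory walk.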
mal — malware
chela — "crab hand"
A chela on a crab is the scientific term for a claw or pincer. It's a specialized appendage, typically found on the first pair of legs, used for grasping, defense, and manipulating things — just like these programs.
Linux:

```sh
sudo apt install openssl libssl-dev clang yara libyara-dev pkg-config build-essential libglib2.0-dev libgtk-3-dev
```

Mac:

```sh
brew install openssl yara pkg-config gtk+3 glib
```

Note: YARA 4.2 or newer is required. Before building, point the build to Homebrew's YARA prefix:

```sh
export YARA_LIBRARY_PATH=$(brew --prefix yara)/lib
export BINDGEN_EXTRA_CLANG_ARGS="-I$(brew --prefix yara)/include"
```
Install Rust — https://rustup.rs/

For CLI-only installations (WSL, Raspberry Pi, etc.):

```sh
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
```

Clone the repository and build:

```sh
git clone https://github.com/dwmetz/MalChela.git
cd MalChela
chmod +x release.sh
./release.sh # Builds all programs in release mode (recommended)
./target/release/malchela
```

or

```sh
./target/release/MalChelaGUI
```
ℹ️ It is recommended to build and run MalChela in --release mode to ensure GUI and subtools function optimally.
⚠️ Important: MalChela binaries must be invoked from the project root directory. Always use `cd /path/to/MalChela && ./target/release/<binary>` rather than calling the binary directly from another path. This is required for correct resolution of API key files (`vt-api.txt`, `mb-api.txt`), YARA rules, and Sigma rules — all of which are resolved relative to the project root. API keys are read exclusively from these files; environment variables are not supported.
MalChela v3.0 introduces a full-featured case system: each case is described by a `case.yaml` and stored under `saved_output/cases/<case-name>/`.

MalChela v3.1.0 introduces support for AI-assisted malware analysis through the Model Context Protocol (MCP), exposing all 13 MalChela tools to AI agents like Claude. Three deployment paths are supported depending on your environment: