[Screenshots: PWA View | CLI View]
Features:
| Program | Function |
|---|---|
| Combine YARA | Combines all .yara/.yar files in a directory into a single rule file |
| Extract Samples | Recursively extracts password-protected malware archives (ZIP/RAR) using common passwords |
| File Analyzer | Analyzes a file for hashes, entropy, PE structure, fuzzy hashes, YARA matches, NSRL lookup, and VirusTotal status |
| File Miner | Scans a folder for file type mismatches and metadata |
| Hash It | Generates MD5, SHA1, and SHA256 hashes for a single file |
| Hash Check | Checks if a given hash exists in a provided hash set file |
| Threat Intel Query | Multi-source hash and URL lookup. Hash sources: VirusTotal, MalwareBazaar, OTX, Hybrid Analysis, FileScan.IO, Malshare, MetaDefender, ObjectiveSee. URL sources: VirusTotal, urlscan.io, Google Safe Browsing. The GUI adds file-to-hash and QR code decode → URL lookup. |
| mStrings | Extracts strings from a file, applies regex and Sigma rules, maps to MITRE ATT&CK, identifies IOCs, and includes a built-in MITRE Technique lookup |
| mzhash | Recursively hashes files with MZ headers using MD5 — ideal for gold build or known-bad corpus generation |
| mzcount | Recursively counts files by format (MZ, ZIP, PDF, etc.) using header/YARA detection |
| nsrlquery | Queries an MD5 hash against the NSRL database to determine if it's known-good |
| strings_to_yara | Prompts for metadata and a string list to generate a YARA rule |
| xmzhash | Recursively hashes files that are not MZ, ZIP, or PDF — ideal for a non-Windows malware corpus |
Threat Intel Query supports optional API keys for VirusTotal, MalwareBazaar, OTX, and additional sources. Sources without configured keys are skipped automatically.
About:
mal — malware
chela — "crab hand"
A chela on a crab is the scientific term for a claw or pincer. It's a specialized appendage, typically found on the first pair of legs, used for grasping, defense, and manipulating things — just like these programs.
Dependencies:
Linux
sudo apt install openssl libssl-dev clang yara libyara-dev libjansson-dev pkg-config build-essential libglib2.0-dev libgtk-3-dev
Mac
brew install openssl yara pkg-config gtk+3 glib
Note: YARA 4.2 or later is required.
Before building, point the build at Homebrew's YARA prefix:
export YARA_LIBRARY_PATH=$(brew --prefix yara)/lib
export BINDGEN_EXTRA_CLANG_ARGS="-I$(brew --prefix yara)/include"
Installation & Usage:
Install Rust — https://rustup.rs/
For CLI-only installations (WSL, Raspberry Pi, etc.), the rustup one-liner is sufficient:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Clone the repository and build:
git clone https://github.com/dwmetz/MalChela.git
cd MalChela
chmod +x release.sh
./release.sh # Builds all programs in release mode (recommended)
If you cloned MalChela before 17-Apr-2026, you may see a diverging branches error when pulling. Run git fetch origin && git reset --hard origin/main to resync (note that reset --hard discards any uncommitted local changes, so stash or commit them first). This was a one-time history rewrite to remove a large file.
Run:
PWA (recommended):
On first run, execute the setup script after building the binaries:
cd server
./setup-server.sh
Then start the server:
./start-server.sh
The PWA will be accessible from any browser on the local network.
CLI:
./target/release/malchela
The CLI is retained for scripting and automation use cases.
ℹ️ It is recommended to build and run MalChela in --release mode to ensure GUI and subtools function optimally.
⚠️ Important: MalChela binaries must be invoked from the project root directory. Always use cd /path/to/MalChela && ./target/release/<binary> rather than calling the binary directly from another path. This is required for correct resolution of API key files (vt-api.txt, mb-api.txt), YARA rules, and Sigma rules — all of which are resolved relative to the project root. API keys are read exclusively from these files; environment variables are not supported.
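The project-root rule above is easy to get wrong from cron jobs, CI runners, or a PATH symlink, and a tool launched from the wrong directory silently runs without its YARA/Sigma rules or API keys. The following POSIX sh wrapper is an added example and is not part of MalChela: it refuses to run a binary that has not been built, warns when vt-api.txt or mb-api.txt is readable by other local users (the keys are stored as plain text in the project root), and always changes into the root before exec'ing the tool. The function names, the root-directory argument, and the self-test fixture (a fake release binary that just prints its working directory) are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not MalChela project code. Wraps a MalChela release binary so
# it is always started from the project root, because vt-api.txt, mb-api.txt,
# YARA rules and Sigma rules are resolved relative to the working directory.
# MalChela itself reads keys only from those files, never from the environment,
# so the only thing we can control here is the working directory.

# keyfile_exposed FILE
# True (exit 0) when any group/other permission bit is set on FILE.
# Uses ls -l columns 5-10 (group+other) so it works on both GNU and BSD.
keyfile_exposed() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" != "------" ]
}

# malchela_run ROOT BINARY [ARGS...]
# Runs ROOT/target/release/BINARY with ROOT as the current directory.
malchela_run() {
    root=$1
    bin=$2
    shift 2
    exe="$root/target/release/$bin"
    if [ ! -x "$exe" ]; then
        echo "malchela_run: $exe not found or not executable; run ./release.sh in $root" >&2
        return 2
    fi
    # The key files are optional, but if present they should be chmod 600:
    # they hold API tokens in clear text in the project directory.
    for keyfile in vt-api.txt mb-api.txt; do
        if [ -f "$root/$keyfile" ] && keyfile_exposed "$root/$keyfile"; then
            echo "malchela_run: warning: $root/$keyfile is readable by other users; chmod 600 it" >&2
        fi
    done
    # Subshell so the caller's working directory is untouched.
    (cd "$root" && exec "./target/release/$bin" "$@")
}

# make_fixture
# Constructed self-test fixture (not real MalChela output): a temporary project
# root with a fake 'fileanalyzer' that prints its physical working directory,
# plus a world-readable vt-api.txt to exercise the warning path. Prints the root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/target/release"
    printf '#!/bin/sh\npwd -P\n' > "$root/target/release/fileanalyzer"
    chmod 755 "$root/target/release/fileanalyzer"
    printf 'not-a-real-key\n' > "$root/vt-api.txt"
    chmod 644 "$root/vt-api.txt"
    echo "$root"
}

# Usage from anywhere on the system, e.g. a cron entry:
#   . /path/to/malchela_run.sh && malchela_run /path/to/MalChela fileanalyzer /tmp/sample.bin
```

A real deployment would pass the MalChela checkout path as the first argument (or hard-code it in the script); the wrapper deliberately does not try to discover the root from the binary's location, because a symlinked binary would resolve to the wrong place.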
Case Management