
Malware Config Extraction

Project description


Malconf is a Python 3 library that statically analyses samples from specific malware families and extracts their configuration data (C2 addresses, ports, mutexes, campaign IDs and similar), which incident responders can use directly during an incident.

As a library it can also be installed in to automated malware analysis pipelines.





There are some prerequisites; they are declared in the pip setup and in requirements.txt:

  • pefile
  • pbkdf2
  • javaobj-py3
  • pycrypto
  • androguard

For all the decoders you will need yara and yara-python. For dealing with .NET malware you will need to build yara-python with .NET support enabled:

yara-python with dotnet support
git clone --recursive
python3 setup.py build --enable-magic --enable-dotnet
sudo python3 setup.py install

Install from pip

pip3 install --upgrade malwareconfig

Install from repo

git clone
cd RATDecoders
pip3 install -r requirements.txt
python3 setup.py install

Current RATs

Here is a list of the currently supported RATs:

  • LostDoor
  • Xtreme
  • AAR
  • AdWind
  • Adzok
  • AlienSpy
  • Alina
  • Arcom
  • BlackNix
  • BlackShades
  • BlueBanana
  • Bozok
  • ClientMesh
  • CyberGate
  • DarkComet
  • DarkRAT
  • HawkEye
  • Hrat / hworm / WSH
  • Jbifrost
  • JRat
  • LuminosityLink
  • LuxNet
  • NanoCore
  • NetWire
  • njRat
  • Plasma
  • Remcos
  • Saefko
  • Sakula
  • SpyNote / Mobihook

Upcoming RATs

  • Still migrating old ones!


Using the supplied command line tool malconf you can pass in a single file, or a directory with the -r flag, and it will attempt to automagically detect the family of each sample and extract any config it finds.

You can also use the -o option to write results out to a file.


malconf -l                  Lists all the supported RATs.

malconf /path/to/sample     Automagically detects the family and runs the matching decoder.

⇒  malconf tests/samples/alienspy 

 __  __       _  ____             __ 
|  \/  | __ _| |/ ___|___  _ __  / _|
| |\/| |/ _` | | |   / _ \| '_ \| |_ 
| |  | | (_| | | |__| (_) | | | |  _|
|_|  |_|\__,_|_|\____\___/|_| |_|_| 

Malware Configuration Parser by @kevthehermit

[+] Loading File: tests/samples/alienspy
  [-] Found: AlienSpy
  [-] Running Decoder
  [-] Config Output

{'ConfigKey': 'fzGUoTaQH3SUW7E82IKQK2J2J2IISIS',
 'NAME': 'ok',
 'Version': 'B',
 'connetion_time': '0',
 'desktop': 'true',
 'dns': '',
 'extensionname': 'qQJ',
 'folder': 'java',
 'instalar': 'true',


If you install it with pip you can also use it as a library.

from malwareconfig import fileparser
from malwareconfig.modules import __decoders__, __preprocessors__

# Open and parse the file (yara rules identify the family)
sample_path = '/path/to/sample.exe'
file_info = fileparser.FileParser(file_path=sample_path)

# Check for a valid decoder and then parse
if file_info.malware_name in __decoders__:
    module = __decoders__[file_info.malware_name]['obj']()
    module.set_file(file_info)   # hand the parsed file to the decoder
    module.get_config()          # run the decoder; results land in module.config
    conf = module.config
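A batch wrapper around the snippet above, as an added example that is not part of the malwareconfig project: it walks a directory of samples (the library equivalent of `malconf -r`), writes one JSON line per file, and turns each raw config dict into the indicators a responder pivots on. The library is imported lazily inside `extract_config`, so the pure helpers (`config_to_indicators`, `build_record`) run without it. The token lists used to classify config keys, the record layout and the sample config values are assumptions made for this example; the decoder API calls (`FileParser`, `set_file`, `get_config`, `config`) are the ones shown in the snippet.

```python
"""Added example (not the malwareconfig project's own code): batch-extract RAT
configs with the malwareconfig library and turn them into IR-friendly records."""
import hashlib
import json
import os
import re

# Config key names are whatever each RAT family stores, so classification is by
# token match.  These sets are an assumption for this example, not library data.
C2_TOKENS = {"domain", "dns", "host", "hosts", "server", "c2", "ip", "url", "gate"}
PORT_TOKENS = {"port", "ports"}
MUTEX_TOKENS = {"mutex"}


def config_to_indicators(conf):
    """Split a raw decoder config dict into the pieces a responder pivots on.
    Empty values (such as the empty 'dns' field in the AlienSpy output above)
    are dropped; unrecognised keys are kept verbatim under 'other'."""
    indicators = {"c2": [], "ports": [], "mutex": [], "other": {}}
    for key, value in conf.items():
        text = str(value).strip()
        if not text:
            continue
        tokens = set(re.split(r"[^a-z0-9]+", key.lower())) - {""}
        if tokens & C2_TOKENS:
            indicators["c2"].append(text)
        elif tokens & PORT_TOKENS:
            indicators["ports"].append(text)
        elif tokens & MUTEX_TOKENS:
            indicators["mutex"].append(text)
        else:
            indicators["other"][key] = text
    return indicators


def build_record(sample_path, data, family, conf, error=None):
    """One JSON-serialisable record per sample.  Hashing the bytes we actually
    parsed ties the record to the sample even if the file is later renamed."""
    return {
        "path": sample_path,
        "sha256": hashlib.sha256(data).hexdigest(),
        "family": family,
        "config": conf,
        "indicators": config_to_indicators(conf) if conf else None,
        "error": error,
    }


def extract_config(sample_path):
    """Run the library exactly as the snippet above does.  Imported lazily so
    the pure helpers work (and can be tested) without malwareconfig installed.
    Returns (family, config); family is None when no decoder claims the file."""
    from malwareconfig import fileparser
    from malwareconfig.modules import __decoders__

    file_info = fileparser.FileParser(file_path=sample_path)
    family = file_info.malware_name
    if family not in __decoders__:
        return None, None
    module = __decoders__[family]["obj"]()
    module.set_file(file_info)   # hand the parsed file to the decoder
    module.get_config()          # populates module.config
    return family, module.config


def scan_directory(root, out_path):
    """Walk a sample directory and append one JSON line per file to out_path.
    A decoder that raises on a corrupt sample is recorded and skipped rather
    than aborting the whole batch.  Returns the number of records written."""
    written = 0
    with open(out_path, "a") as out:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                family, conf, error = None, None, None
                try:
                    family, conf = extract_config(path)
                except Exception as exc:  # decoder bugs must not stop the batch
                    error = "{}: {}".format(type(exc).__name__, exc)
                record = build_record(path, data, family, conf, error)
                out.write(json.dumps(record, default=str) + "\n")
                written += 1
    return written


if __name__ == "__main__":
    import sys
    print("{} samples processed".format(scan_directory(sys.argv[1], sys.argv[2])))
```

Run it as `python3 batch_extract.py /path/to/samples results.jsonl`; each line carries the sha256, detected family, raw config and the derived C2/port/mutex lists, which is the shape most case-management and blocklist tooling wants to ingest. The `error` field keeps a crashed decoder visible in the output instead of silently missing a sample.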


Full credit where credit is due, for the initial Xtreme RAT write-up.

FireEye for their Poison Ivy and Xtreme RAT write-ups (even though they ignored my tweets :-) ).

Shawn Denbow and Jesse Herts for their paper, which saved me a lot of time.


Download files


Source Distribution

malwareconfig-1.0.4.tar.gz (41.1 kB)

