About MultCheck:
MultCheck is a malware analysis tool that researchers can use to check whether a target file is flagged by one or more anti-virus engines.
MultCheck is easy to use and can test against multiple anti-virus engines. Beyond the built-in scanners, the tool can be extended to fit a researcher's needs, and a custom anti-virus engine can be added through a small configuration file.
Tool Requirements:
Golang
Supported scanners
Windows Defender (winDef)
Tool download & configure
Source code installation
Since the tool is written in Go, we first need to install and configure a current version of Go on the local machine.
Next, clone the project's source code to the local machine with the following command:
git clone https://github.com/MultSec/MultCheck.git
Then change into the project's src directory and run go build to compile the tool for the desired architecture:
$ cd MultCheck/src
## 64-bit
$ GOOS=windows GOARCH=amd64 go build -o ../bin/multcheck_x64.exe main.go
## 32-bit
$ GOOS=windows GOARCH=386 go build -o ../bin/multcheck_x32.exe main.go
Release version installation
Alternatively, researchers can visit the project's releases page to download a pre-compiled MultCheck binary for their system architecture.
Tool configuration
The configuration file for a custom scanner is a JSON file with the following structure:
{
  "name": "AV name",
  "cmd": "Scan program (with full PATH) used to scan the target file.",
  "args": "Scan arguments; use {{file}} as the placeholder for the file to be scanned.",
  "out": "A string present in the scanner's output on a positive detection but not on a negative one."
}
Tool use
MultCheck takes the target file as a positional argument:
./multcheck <target_file>
A specific built-in scanner can be selected with the -scanner parameter:
./multcheck -scanner <scanner_name> <target_file>
A custom scanner is added by writing a configuration file in the format above and passing its path to MultCheck via the same -scanner parameter:
./multcheck -scanner <path_to_config_file> <target_file>
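To make the configuration format and the -scanner mechanism concrete, here is an added example of a minimal scanner wrapper in Go. It is not MultCheck's own code; it only shows how a config with the four fields above (name, cmd, args, out) can be loaded and validated, how {{file}} is substituted per argument token, and how the "out" string decides the verdict. The SampleConfig, the scanner path C:\Scanners\example-av.exe and its --scan/--no-remediate flags are constructed for illustration and do not correspond to any real scanner or to the project's windef.json. The Runner type is injected so the logic can be exercised without a real anti-virus engine.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// FilePlaceholder is the token the config format uses in "args".
const FilePlaceholder = "{{file}}"

// ScannerConfig mirrors the four fields of the scanner JSON described above.
type ScannerConfig struct {
	Name string `json:"name"`
	Cmd  string `json:"cmd"`
	Args string `json:"args"`
	Out  string `json:"out"`
}

// SampleConfig is a constructed config for a hypothetical scanner binary;
// it is not the project's windef.json and the flags are made up.
const SampleConfig = `{
  "name": "Example AV",
  "cmd": "C:\\Scanners\\example-av.exe",
  "args": "--scan {{file}} --no-remediate",
  "out": "Threat found"
}`

// LoadConfig parses and validates a scanner config. Every field is required,
// and "args" must contain {{file}}; otherwise the scanner never sees the
// target and every run would silently report "not detected".
func LoadConfig(data []byte) (ScannerConfig, error) {
	var c ScannerConfig
	if err := json.Unmarshal(data, &c); err != nil {
		return c, fmt.Errorf("parse config: %w", err)
	}
	switch {
	case c.Name == "", c.Cmd == "", c.Args == "", c.Out == "":
		return c, errors.New("config: name, cmd, args and out are all required")
	case !strings.Contains(c.Args, FilePlaceholder):
		return c, fmt.Errorf("config: args must contain %s", FilePlaceholder)
	}
	return c, nil
}

// BuildArgs splits "args" into argv tokens first and substitutes the target
// path afterwards, so a path containing spaces stays one argument.
func (c ScannerConfig) BuildArgs(target string) []string {
	tokens := strings.Fields(c.Args)
	for i, tok := range tokens {
		tokens[i] = strings.ReplaceAll(tok, FilePlaceholder, target)
	}
	return tokens
}

// Detected applies the config's rule: the scanner output contains the
// "out" string only on a positive detection.
func (c ScannerConfig) Detected(output string) bool {
	return strings.Contains(output, c.Out)
}

// Runner executes a scanner and returns its combined stdout/stderr.
type Runner func(cmd string, args []string) (string, error)

// ExecRunner runs the real binary. AV scanners commonly exit non-zero when
// they find something, so a non-zero exit is not treated as a failure;
// only failing to start the process is.
func ExecRunner(cmd string, args []string) (string, error) {
	out, err := exec.Command(cmd, args...).CombinedOutput()
	var exitErr *exec.ExitError
	if err != nil && !errors.As(err, &exitErr) {
		return "", fmt.Errorf("run %s: %w", cmd, err)
	}
	return string(out), nil
}

// Scan runs one scanner against one target and reports whether it was flagged.
func Scan(c ScannerConfig, target string, run Runner) (bool, error) {
	out, err := run(c.Cmd, c.BuildArgs(target))
	if err != nil {
		return false, err
	}
	return c.Detected(out), nil
}

// Verdict renders the result in MultCheck-style wording.
func Verdict(hit bool) string {
	if hit {
		return "Malicious content found."
	}
	return "Payload not detected."
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: scanwrap <config.json> <target_file>")
		os.Exit(2)
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	cfg, err := LoadConfig(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	hit, err := Scan(cfg, os.Args[2], ExecRunner)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("[>] %s: %s\n", cfg.Name, Verdict(hit))
}
```

Two points worth noting for anyone writing a real config: the "out" string must be something the scanner prints only on a hit (a banner that appears on every run would make every file look malicious), and the wrapper deliberately ignores the scanner's exit status because many engines return a non-zero code precisely when they detect something.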
Example of running the tool
PS C:\Users\pengrey\Downloads> .\multcheck.exe -scanner .\windef.json C:\Users\pengrey\Downloads\mimikatz.exe
[>] Result: Malicious content found at offset: 00000121
00000000 d1 27 71 71 a9 b6 71 52 69 63 68 70 a9 b6 71 00 |.'qq..qRichp..q.|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 |...............P|
00000020 45 00 00 64 86 06 00 63 39 5a 5e 00 00 00 00 00 |E..d...c9Z^.....|
00000030 00 00 00 f0 00 22 00 0b 02 09 00 00 2c 0c 00 00 |....."......,...|
PS C:\Users\pengrey\Downloads> .\multcheck.exe -scanner .\windef.json C:\Users\pengrey\Downloads\Rubeus.exe
[>] Result: Malicious content found at offset: 00048e3d
00000000 65 74 5f 61 64 64 69 74 69 6f 6e 61 6c 5f 74 69 |et_additional_ti|
00000010 63 6b 65 74 73 00 67 65 74 5f 74 69 63 6b 65 74 |ckets.get_ticket|
00000020 73 00 73 65 74 5f 74 69 63 6b 65 74 73 00 53 79 |s.set_tickets.Sy|
00000030 73 74 65 6d 2e 4e 65 74 2e 53 6f 63 6b 65 74 73 |stem.Net.Sockets|
PS C:\Users\pengrey\Downloads> .\multcheck.exe -scanner .\windef.json C:\Users\pengrey\Downloads\multcheck.exe
[>] Result: Payload not detected.
PS C:\Users\pengrey\Downloads>
Screenshot of the tool running
Demo of tool usage
Demo Video: https://private-user-images.githubusercontent.com/55480558/307415831-b3105f45-a2d2-42e2-b938-5388f0dc000a.mp4?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MDk3O
License Agreement
The development and release of this project is under an open source license.
Project address
MultCheck: https://github.com/MultSec/MultCheck