Netwalker Configuration Extraction via Malcat
📰 Medium · Cybersecurity
Extract Netwalker ransomware configuration using Malcat, a tool for automated malware analysis, to quickly identify and automate configuration extraction
Action Steps
- Use Malcat to analyze the Netwalker ransomware sample
- Navigate to the Virtual File System section in Malcat
- Identify the encrypted resource 1337/31337/unk and switch to hexadecimal view
- Extract the configuration using Malcat Scripting
- Automate the extraction process for future samples
Who Needs to Know This
Security researchers and malware analysts can benefit from using Malcat to extract Netwalker ransomware configuration, streamlining their analysis process and improving incident response
Key Insight
💡 Malcat can be used to quickly extract Netwalker ransomware configuration, saving time and effort in malware analysis
Share This
Extract Netwalker ransomware config with Malcat!
Key Takeaways
Extract Netwalker ransomware configuration using Malcat, a tool for automated malware analysis, to quickly identify and automate configuration extraction
Full Article
Title: Netwalker Configuration Extraction via Malcat
URL Source: https://medium.com/@stefancicos21/netwalker-configuration-extraction-via-malcat-b7cf3917cce5?source=rss------cybersecurity-5
Published Time: 2026-04-16T19:51:01Z
Markdown Content:
# Netwalker Configuration Extraction via Malcat | by Stefan Cicos | Apr, 2026 | Medium
[Sitemap](https://medium.com/sitemap/sitemap.xml)
[Open in app](https://play.google.com/store/apps/details?id=com.medium.reader&referrer=utm_source%3DmobileNavBar&source=post_page---top_nav_layout_nav-----------------------------------------)
Sign up
[Sign in](https://medium.com/m/signin?operation=login&redirect=https%3A%2F%2Fmedium.com%2F%40stefancicos21%2Fnetwalker-configuration-extraction-via-malcat-b7cf3917cce5&source=post_page---top_nav_layout_nav-----------------------global_nav------------------)
[](https://medium.com/?source=post_page---top_nav_layout_nav-----------------------------------------)
Get app
[Write](https://medium.com/m/signin?operation=register&redirect=https%3A%2F%2Fmedium.com%2Fnew-story&source=---top_nav_layout_nav-----------------------new_post_topnav------------------)
[Search](https://medium.com/search?source=post_page---top_nav_layout_nav-----------------------------------------)
Sign up
[Sign in](https://medium.com/m/signin?operation=login&redirect=https%3A%2F%2Fmedium.com%2F%40stefancicos21%2Fnetwalker-configuration-extraction-via-malcat-b7cf3917cce5&source=post_page---top_nav_layout_nav-----------------------global_nav------------------)

# Netwalker Configuration Extraction via Malcat
[](https://medium.com/@stefancicos21?source=post_page---byline--b7cf3917cce5---------------------------------------)
[Stefan Cicos](https://medium.com/@stefancicos21?source=post_page---byline--b7cf3917cce5---------------------------------------)
Follow
3 min read
·
1 hour ago
[](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Fvote%2Fp%2Fb7cf3917cce5&operation=register&redirect=https%3A%2F%2Fmedium.com%2F%40stefancicos21%2Fnetwalker-configuration-extraction-via-malcat-b7cf3917cce5&user=Stefan+Cicos&userId=3ad4f9638c1c&source=---header_actions--b7cf3917cce5---------------------clap_footer------------------)
[](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Fbookmark%2Fp%2Fb7cf3917cce5&operation=register&redirect=https%3A%2F%2Fmedium.com%2F%40stefancicos21%2Fnetwalker-configuration-extraction-via-malcat-b7cf3917cce5&source=---header_actions--b7cf3917cce5---------------------bookmark_footer------------------)
[Listen](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2Fplans%3Fdimension%3Dpost_audio_button%26postId%3Db7cf3917cce5&operation=register&redirect=https%3A%2F%2Fmedium.com%2F%40stefancicos21%2Fnetwalker-configuration-extraction-via-malcat-b7cf3917cce5&source=---header_actions--b7cf3917cce5---------------------post_audio_button------------------)
Share
## Introduction
NetWalker ransomware is a well known ransomware family that emerged around 2019.
For today I did not want to reverse every feature of this sample but to exemplify how one can use [Malcat](https://malcat.fr/) to find the configuration quickly and to automate it’s extraction using Malcat Scripting.
Sample hash: 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8
## Manual Configuration Extraction
In the Virtual File System section of Malcat we can find a resource 1337/31337/unk that looks like encrypted data in the Preview section.
Press enter or click to view image in full size

Double clicking the resource opens it up for analysis. We then switch to the hexadecimal view. First 4 bytes are the little endian representation of a DWORD value which represents t
URL Source: https://medium.com/@stefancicos21/netwalker-configuration-extraction-via-malcat-b7cf3917cce5?source=rss------cybersecurity-5
Published Time: 2026-04-16T19:51:01Z
Markdown Content:
# Netwalker Configuration Extraction via Malcat | by Stefan Cicos | Apr, 2026 | Medium
[Sitemap](https://medium.com/sitemap/sitemap.xml)
[Open in app](https://play.google.com/store/apps/details?id=com.medium.reader&referrer=utm_source%3DmobileNavBar&source=post_page---top_nav_layout_nav-----------------------------------------)
Sign up
[Sign in](https://medium.com/m/signin?operation=login&redirect=https%3A%2F%2Fmedium.com%2F%40stefancicos21%2Fnetwalker-configuration-extraction-via-malcat-b7cf3917cce5&source=post_page---top_nav_layout_nav-----------------------global_nav------------------)
[](https://medium.com/?source=post_page---top_nav_layout_nav-----------------------------------------)
Get app
[Write](https://medium.com/m/signin?operation=register&redirect=https%3A%2F%2Fmedium.com%2Fnew-story&source=---top_nav_layout_nav-----------------------new_post_topnav------------------)
[Search](https://medium.com/search?source=post_page---top_nav_layout_nav-----------------------------------------)
Sign up
[Sign in](https://medium.com/m/signin?operation=login&redirect=https%3A%2F%2Fmedium.com%2F%40stefancicos21%2Fnetwalker-configuration-extraction-via-malcat-b7cf3917cce5&source=post_page---top_nav_layout_nav-----------------------global_nav------------------)

# Netwalker Configuration Extraction via Malcat
[](https://medium.com/@stefancicos21?source=post_page---byline--b7cf3917cce5---------------------------------------)
[Stefan Cicos](https://medium.com/@stefancicos21?source=post_page---byline--b7cf3917cce5---------------------------------------)
Follow
3 min read
·
1 hour ago
[](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Fvote%2Fp%2Fb7cf3917cce5&operation=register&redirect=https%3A%2F%2Fmedium.com%2F%40stefancicos21%2Fnetwalker-configuration-extraction-via-malcat-b7cf3917cce5&user=Stefan+Cicos&userId=3ad4f9638c1c&source=---header_actions--b7cf3917cce5---------------------clap_footer------------------)
[](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Fbookmark%2Fp%2Fb7cf3917cce5&operation=register&redirect=https%3A%2F%2Fmedium.com%2F%40stefancicos21%2Fnetwalker-configuration-extraction-via-malcat-b7cf3917cce5&source=---header_actions--b7cf3917cce5---------------------bookmark_footer------------------)
[Listen](https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2Fplans%3Fdimension%3Dpost_audio_button%26postId%3Db7cf3917cce5&operation=register&redirect=https%3A%2F%2Fmedium.com%2F%40stefancicos21%2Fnetwalker-configuration-extraction-via-malcat-b7cf3917cce5&source=---header_actions--b7cf3917cce5---------------------post_audio_button------------------)
Share
## Introduction
NetWalker ransomware is a well known ransomware family that emerged around 2019.
For today I did not want to reverse every feature of this sample but to exemplify how one can use [Malcat](https://malcat.fr/) to find the configuration quickly and to automate it’s extraction using Malcat Scripting.
Sample hash: 2520b15068fa108c947db179377c6b462f2c4f47037168bf8c69fcb668cb11a8
## Manual Configuration Extraction
In the Virtual File System section of Malcat we can find a resource 1337/31337/unk that looks like encrypted data in the Preview section.
Press enter or click to view image in full size

Double clicking the resource opens it up for analysis. We then switch to the hexadecimal view. First 4 bytes are the little endian representation of a DWORD value which represents t
DeepCamp AI