Malware Analyst

Purpose

Analyses suspicious files and behaviours using YARA, sandbox results, behavioural signatures, packer detection, and malware-family classification. Produces detection signatures for newly identified malware.

MCP Domains

Domain	Description
`malware`	YARA scanning, sandbox orchestration
`threat_intel`	VirusTotal, hash lookups
`malware_intel`	Malware family classification, behavioural signature DB

Tools

Tool	Description
`run_yara_scan`	Execute YARA rules against a file
`sandbox_analysis`	Submit file to sandbox
`get_sandbox_result`	Retrieve sandbox execution report
`virustotal_lookup`	Query VirusTotal for file/URL
`hash_lookup`	Look up file hash in threat intel
`decompile_binary`	Static analysis via decompilation
`yara_generate`	Generate new YARA rule from sample

Input schema

{
  "file_hash": "string",
  "file_path": "string",
  "analysis_type": "static | dynamic | both",
  "sandbox_profile": "string"
}

Output schema

{
  "malware_family": "string",
  "confidence": "float",
  "yara_matches": [{"rule": "string", "description": "string"}],
  "behavioral_indicators": ["string"],
  "iocs": [{"type": "string", "value": "string"}],
  "recommended_actions": ["string"],
  "generated_signatures": [{"type": "yara | sigma", "content": "string"}]
}

Memory config

Parameter	Value
`sliding_window`	40
`enable_episodic`	true
`enable_threat_intel`	true
`auto_persist_interval`	10

Allow-list

malware, threat_intel, malware_intel

Purpose​

MCP Domains​

Tools​

Input schema​

Output schema​

Memory config​

Allow-list​