Deep Dive into a Dumped Malware without a PE Header


This analysis is part of an incident investigation led by the FortiGuard Incident Response Team.

Fortiguard Incident Response Team discovered malware that had been running on a compromised machine for several weeks. The threat actor had executed a batch of scripts and PowerShell to run the malware in a Windows process. Although obtaining the original malware executable was difficult, a memory dump of the running malware process and a full memory dump of the compromised machine (the “fullout” file, size 33GB) were successfully acquired.

Read more…
Source: Fortinet


Sign up for our Newsletter
The latest news and insights delivered right to your inbox.


Related:

  • New APT34 Malware Targets The Middle East

    February 2, 2023

    On December 2022, Trend Micro researchers identified a suspicious executable (detected by Trend Micro as Trojan.MSIL.REDCAP.AD) that was dropped and executed on multiple machines. The investigation led them to link this attack to advanced persistent threat (APT) group APT34, and the main goal is to steal users’ credentials. Even in case of a password reset ...

  • Prilex modification now targeting contactless credit card transactions

    January 31, 2023

    Prilex is a singular threat actor that has evolved from ATM-focused malware into unique modular PoS malware – actually, the most advanced PoS threat Kaspersky have seen so far, as described in a previous article. Forget about those old memory scrapers seen in PoS attacks. Prilex goes beyond these, and it has evolved very differently. This ...

  • Malicious PyPi packages create CloudFlare Tunnels to bypass firewalls

    January 7, 2023

    Six malicious packages on PyPI, the Python Package Index, were found installing information-stealing and RAT (remote access trojan) malware while using Cloudflare Tunnel to bypass firewall restrictions for remote access. The malicious packages attempt to steal sensitive user information stored in browsers, run shell commands, and use keyloggers to steal typed secrets. The six packages were discovered ...

  • Navigating the Vast Ocean of Sandbox Evasions

    December 27, 2022

    When malware authors go to great lengths to avoid behaving maliciously if they detect they’re running in a sandbox, sometimes the best answer for security defenders is to write their own sandbox that can’t easily be detected. There are a lot of sandboxing approaches out there with pros and cons to each. Unit 42 researchers ...

  • BlueNoroff introduces new methods bypassing MoTW

    December 27, 2022

    BlueNoroff group is a financially motivated threat actor eager to profit from its cyberattack capabilities. Kaspersky researchers have published technical details of how this notorious group steals cryptocurrency before. Kaspersky continue to track the group’s activities and this October they observed the adoption of new malware strains in its arsenal. The group usually takes advantage ...

  • Microsoft research uncovers new Zerobot capabilities

    December 21, 2022

    Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices’ configurations often leave them exposed, and the number of internet-connected devices continue to grow. Recent trends have shown that operators are redeploying malware for a variety of ...