Deep Dive into a Dumped Malware without a PE Header


This analysis is part of an incident investigation led by the FortiGuard Incident Response Team.

Fortiguard Incident Response Team discovered malware that had been running on a compromised machine for several weeks. The threat actor had executed a batch of scripts and PowerShell to run the malware in a Windows process. Although obtaining the original malware executable was difficult, a memory dump of the running malware process and a full memory dump of the compromised machine (the “fullout” file, size 33GB) were successfully acquired.

Read more…
Source: Fortinet


Sign up for our Newsletter
The latest news and insights delivered right to your inbox.


Related:

  • Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module

    May 28, 2020

    First discovered in 2016, TrickBot is an information stealer that provides backdoor access sometimes used by criminal groups to distribute other malware. TrickBot uses modules to perform different functions, and one key function is propagating from an infected Windows client to a vulnerable Domain Controller (DC). TrickBot currently uses three modules for propagation. As early as April ...

  • FakeNet Genie: Improving Dynamic Malware Analysis with Cheat Codes for FakeNet-NG

    April 2, 2020

    As developers of the network simulation tool FakeNet-NG, reverse engineers on the FireEye FLARE team, and malware analysis instructors, we get to see how different analysts use FakeNet-NG and the challenges they face. We have learned that FakeNet-NG provides many useful features and solutions of which our users are often unaware. In this blog post, ...