Deep Dive into a Dumped Malware without a PE Header
Fortinet, Thursday, May 29th, 2025
This analysis is part of an incident investigation led by the FortiGuard Incident Response Team.
We discovered malware that had been running on a compromised machine for several weeks. The threat actor had executed a batch of scripts and PowerShell to run the malware in a Windows process. Although obtaining the original malware executable was difficult, a memory dump of the running malware process and a full memory dump of the compromised machine (the 'fullout' file, size 33GB) were successfully acquired.