Volatility3
Found 2 related articles
Back to Tags- 2025-03-23
Volatility3 Analysis of STRELASTEALER via Rundll32 Proxy Execution
Detailed forensic analysis of a Windows memory dump using Volatility3 to investigate a compromise at a financial institution. The analysis identifies a hidden malicious PowerShell process (powershell.exe -windowstyle hidden) abusing WebDAV to execute a second-stage payload (3435.dll) via rundll32.exe. This activity aligns with MITRE ATT&CK sub-technique T1218.011. The investigation determines the attacker's C2 IP (45.9.74.32), the compromised user ('Elon'), and correlates the C2 infrastructure with the STRELASTEALER malware family.
- 2024-12-05
Volatility3 Analysis of a Credential Stealer Trojan
Detailed forensic analysis of a Windows memory dump compromised by the Amadey Trojan. This investigation utilizes Volatility3 to identify the main malicious process (lssass.exe), determine its location on the filesystem (Temp folder), confirm its nature via VirusTotal, track its C2C network connections (41.75.84.12), and discover persistence mechanisms (Scheduled Tasks and DLL payload execution via rundll32.exe).