{
	"id": "7c5a6a9e-13e8-4dc6-a7c6-abf53a6a0d89",
	"created_at": "2026-04-06T00:06:37.339117Z",
	"updated_at": "2026-04-10T13:11:52.449941Z",
	"deleted_at": null,
	"sha1_hash": "22b369cdbf078b436544e6426a2a706ecc698f80",
	"title": "Cridex Analysis using Volatility - by Andre' DiMino - samples and memory analysis resources",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 403180,
	"plain_text": "Cridex Analysis using Volatility - by Andre' DiMino - samples and\r\nmemory analysis resources\r\nArchived: 2026-04-05 23:38:03 UTC\r\nAndre' DiMino posted an excellent analysis of Cridex banking malware using Volatility\r\non sempersecurus.blogspot.com and if you wish to repeat his steps or are interested in this malware, I am posting the\r\ncorresponding samples. Cridex is a complex financial trojan and is being distributed via spam messages (carrying\r\nexe files in zipped attachments) and the Blackhole Exploit kit.\r\nThe messages have various themes - from UPS, Fedex, USPS to Groupon deals and \"HP-scan\" and other lures.\r\nSome message screenshots and corresponding malware are posted below.\r\nIf you are interested in memory analysis, please see the resource section of this post (links to the tools: Volatility,\r\nMandiant Redline, memory dumps and other memory analysis done by Andre' and other researchers)\r\nDownload\r\n Download  all files listed below (email me if you need the password)\r\nAnalysis Preview\r\nExcerpt:  Read the full version at sempersecurus.blogspot.com - Cridex Analysis using Volatility\r\nUsing the Volatility 'pslist' command, we can see a list of the running processes. However it's instructive\r\nto use this in conjunction with the 'psscan' command in order to see those processes that have\r\nterminated, are unlinked, or hidden.  In this case, no discrepancies between the two commands jump out\r\nat me, but I do notice a couple of things.   First, I see a process, reader_sl.exe, PID1640 start exactly at\r\nthe same time as its parent process, explorer.exe, PID1484.  I see that the parent process ID\r\nfor explorer.exe is 1464, which is not listed in either 'pslist' or 'psscan'.  
reader_sl.exe is supposedly a\r\nsafe process, associated with Adobe Speed Launcher, but the launch chain for this seems odd, so I'll\r\nhttp://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html\r\nPage 1 of 10\n\nkeep note of this for now. Next, I see a second wuauclt.exe process start about 15 seconds after the first.\r\n This isn't a major flag, but just something to note.\r\npslist command\r\npsscan command\r\nThe next useful Volatility commands that I use for malware analysis are the 'connections' and\r\nthe 'connscan' commands. Again, running both of these will allow you to see variances, as 'connscan'\r\nwill show artifacts from previous connections.\r\nFile information\r\nCridex file analyzed by Andre DiMino \r\nFile: readme.exe\r\nSize: 112096\r\nMD5:  734AADD62D0662256A65510271D40048\r\nhttp://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html\r\nPage 2 of 10\n\nOther cridex samples:\r\nFile: about.exe\r\nSize: 160768\r\nMD5:  C497B4D6DFADD4609918282CF91C6F4E\r\nFile: HP_Scan_N989397452.exe\r\nSize: 80896\r\nMD5:  E187763C92E2ACC6BB1C804309EBB381\r\nFile: Booking_Confirmation_08012012.exe\r\nSize: 98304\r\nMD5:  213D5022047029071AFD372302E07DD8\r\nFile: UPS_Label_N8882342.exe\r\nSize: 145408\r\nMD5:  43CD850FCDADE4330A5BEA6F16EE971C\r\nResources\r\nMemory Analysis links and dumps (in no particular order)\r\nVolatility (Free. 
Linux)\r\nSharing of Forensically Interesting Objects by Andre' DiMino\r\nAndre' DiMino Using \"volatility\" to study the CVE-2011-0611 Adobe Flash 0-day\r\nZeus Analysis in Volatility 2.0 by malwarereversing\r\nAbstract Memory Analysis: Zeus Encryption Keys MNIN Security Blog Coding, Reversing, Exploiting \r\nCarberp Analysis via Volatility by Evilcry - Giuseppe Bonfa\r\nVolatility 2.0: Timeliner, RegistryAPI, evtlogs and more by JL\r\ntoolsmith: Memory Analysis with DumpIt and Volatility\r\nShmooCon 2012: Android Mind Reading: Memory Acquisition and Analysis with DMD and Volatility \r\nMandiant Redline\r\n (Free. Windows.  It is an easy-to-use new tool with a clean, nice user interface, powerful features\r\nand integration with the IOC - Indicators of Compromise tool)\r\nAnalyze Memory of an infected system with Mandiant's Redline by Lenny Zeltser\r\nMandiant Using Redline \u0026 OpenIOC to Build Effective Indicators\r\nSANS blog. Live Memory Forensic Analysis\r\nA few public memory dumps are here http://code.google.com/p/volatility/wiki/PublicMemoryImages\r\nCridex distribution\r\nEmail examples\r\nhttp://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html\r\nPage 3 of 10\n\nSome of the possible subjects\r\nGroupon dicount gifts\r\nUPS Tracking Number H9942472682 \r\nUnited Postal Service Tracking Number H5642970529\r\nFedex Tracking Number\r\nUPS Your Package H8522250271\r\nYour Package US168933\r\nHP-Officejet 10167\r\nHP Scan 5601\r\nAutomatic scans\r\nSHA256: 046a7fac35a29f66e37193a2048f6a324754df131bad07c21f87fc814d7763f5\r\nSHA1: 67e9c32c97b47e058aeee928c4cdc28773883b90\r\nMD5: 734aadd62d0662256a65510271d40048\r\nhttp://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html\r\nPage 4 of 10\n\nFile size: 109.5 KB ( 112096 bytes )\r\nFile name: 734aadd62d0662256a65510271d40048\r\nFile type: Win32 EXE\r\nDetection ratio: 36 / 42\r\nAnalysis date:  2012-06-26 15:00:58 UTC ( 1 month, 1 week ago )\r\n01\r\nMore 
details\r\nAntivirus Result Update\r\nAhnLab-V3 Win-Trojan/Dapato.112096 20120626\r\nAntiVir Worm/Cridex.E.5 20120626\r\nAntiy-AVL Trojan/Win32.Dapato.gen 20120626\r\nAvast Win32:Dropper-gen [Drp] 20120626\r\nAVG PSW.Generic9.CMJF 20120625\r\nBitDefender Trojan.Generic.KDV.647871 20120626\r\nClamAV - 20120626\r\nCommtouch W32/Zbot.DQ3.gen!Eldorado 20120626\r\nComodo UnclassifiedMalware 20120626\r\nDrWeb Trojan.DownLoader6.17427 20120626\r\nEmsisoft Worm.Win32.Cridex!IK 20120626\r\neSafe Win32.PWS.Zbot.Xs 20120624\r\nF-Prot W32/Zbot.DQ3.gen!Eldorado 20120626\r\nF-Secure Trojan.Generic.KDV.647871 20120626\r\nFortinet W32/Dapato.BHXH!tr 20120626\r\nGData Trojan.Generic.KDV.647871 20120626\r\nIkarus Worm.Win32.Cridex 20120626\r\nJiangmin TrojanDropper.Dapato.ize 20120626\r\nK7AntiVirus Spyware 20120625\r\nKaspersky Trojan-Dropper.Win32.Dapato.bhxh 20120626\r\nMcAfee PWS-Zbot.gen.uh 20120626\r\nMcAfee-GW-Edition PWS-Zbot.gen.uh 20120626\r\nMicrosoft Worm:Win32/Cridex.E 20120626\r\nNOD32 Win32/AutoRun.Spy.Banker.P 20120626\r\nNorman W32/Injector.AQSI 20120625\r\nnProtect Trojan/W32.Agent.112096.B 20120626\r\nPanda Generic Malware 20120625\r\nPCTools Malware.Cridex 20120626\r\nRising - 20120626\r\nSophos Troj/DwnLdr-KAY 20120626\r\nTheHacker Trojan/Dropper.Dapato.bhxh 20120625\r\nTrendMicro TROJ_KRYPTIK.MIC 20120626\r\nTrendMicro-HouseCall TROJ_KRYPTIK.MIC 20120625\r\nVBA32 TrojanDropper.Dapato.bhxh 20120625\r\nhttp://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html\r\nPage 5 of 10\n\nVIPRE Trojan.Win32.Generic.pak!cobra 20120626\r\nViRobot Dropper.A.Dapato.112096 20120626\r\nVirusBuster Worm.AutoRun!tSqW3tx0AYY 20120625\r\n#Cridex worm\r\n=========================================================\r\nSHA256: a7e62a16c47fede2772d4f4bf980cdb58b5d110887e001ab632d7f40159dfa13\r\nSHA1: d186e8ebb104ba0d64ad6052107420debef3da00\r\nMD5: c497b4d6dfadd4609918282cf91c6f4e\r\nFile size: 157.0 KB ( 160768 bytes )\r\nFile name: KB00385258.exe / 
about.exe\r\nFile type: Win32 EXE\r\nTags: peexe upx\r\nDetection ratio: 1 / 41\r\nAnalysis date: 2012-08-02 19:53:34 UTC ( 5 hours, 53 minutes ago )\r\nKaspersky UDS:DangerousObject.Multi.Generic 20120802\r\nhttp://hookpublications.com/wp-admin/atbilred.html\r\nhttp://advancementwowcom.org/main.php?page=19152be46559e39d\r\nhttp://advancementwowcom.org/w.php?f=14095\u0026e=2\r\nPosted 7 hours, 58 minutes ago by BornSlippy\r\n#cridex\r\nhttp://tevrom.ro/modules/atbilred.html\r\nhttp://advancementwowcom.org/main.php?page=19152be46559e39d\r\nhttp://advancementwowcom.org/w.php?f=14095\u0026e=2\r\nPosted 8 hours, 9 minutes ago by BornSlippy\r\ntrojan Cridex, payload of Blackhole exploit kit at hxxp://unboxhibernation.org/w.php?f=14095\u0026e=2\r\nhttp://camas.comodo.com/cgi-bin/submit?\r\nfile=a7e62a16c47fede2772d4f4bf980cdb58b5d110887e001ab632d7f40159dfa13\r\n=======================================================\r\nSHA256: 65bd088579107f13bf5e3aaba25b07b413343a823e7a3499d907b1bf564f36e5\r\nSHA1: 7263fe0d3a095d59c8e0c895a9c585e343e7141c\r\nMD5: 43cd850fcdade4330a5bea6f16ee971c\r\nFile size: 142.0 KB ( 145408 bytes )\r\nFile name: 43cd850fcdade4330a5bea6f16ee971c\r\nFile type: Win32 EXE\r\nTags: peexe\r\nDetection ratio: 29 / 41\r\nAnalysis date: 2012-08-02 17:21:11 UTC ( 9 hours, 54 minutes ago )\r\n04\r\nhttp://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html\r\nPage 6 of 10\n\nMore details\r\nAntivirus Result Update\r\nAhnLab-V3 - 20120802\r\nAntiVir TR/Spy.145408.64 20120802\r\nAntiy-AVL - 20120802\r\nAvast Win32:Downloader-PUU [Trj] 20120802\r\nAVG SHeur4.AKQG 20120802\r\nBitDefender Trojan.Generic.KD.684302 20120802\r\nByteHero - 20120723\r\nCAT-QuickHeal - 20120802\r\nClamAV - 20120802\r\nCommtouch W32/Trojan3.DWW 20120802\r\nComodo TrojWare.Win32.Trojan.Agent.Gen 20120802\r\nDrWeb Trojan.Necurs.21 20120802\r\nEmsisoft Trojan.Win32.Buzus!IK 20120802\r\neSafe Win32.Trojan 20120802\r\nESET-NOD32 Win32/AutoRun.Spy.Banker.R 
20120802\r\nF-Prot W32/Trojan3.DWW 20120802\r\nF-Secure Trojan-Spy:W32/Agent.DUCE 20120802\r\nFortinet W32/Palevo.EYYX!worm 20120802\r\nGData Trojan.Generic.KD.684302 20120802\r\nIkarus Trojan.Win32.Buzus 20120802\r\nJiangmin Backdoor/RBot.obc 20120802\r\nK7AntiVirus Riskware 20120802\r\nKaspersky P2P-Worm.Win32.Palevo.eyyx 20120802\r\nMcAfee PWS-Zbot.gen.ajh 20120802\r\nMcAfee-GW-Edition Generic.dx!bf3x 20120802\r\nMicrosoft Worm:Win32/Cridex.E 20120802\r\nNorman W32/Troj_Generic.DDRRO 20120802\r\nnProtect Worm/W32.Palevo.145408.AE 20120802\r\nPanda - 20120802\r\nRising - 20120802\r\nSophos Troj/Agent-XGF 20120802\r\nSUPERAntiSpyware - 20120802\r\nSymantec W32.Cridex 20120802\r\nTheHacker - 20120801\r\nTotalDefense - 20120802\r\nTrendMicro TROJ_INJECTR.PAL 20120802\r\nTrendMicro-HouseCall TROJ_INJECTR.PAL 20120802\r\nVBA32 - 20120802\r\nVIPRE Trojan.Win32.Generic!BT 20120802\r\nViRobot Worm.Win32.A.P2P-Palevo.145408.AD 20120802\r\nhttp://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html\r\nPage 7 of 10\n\nVirusBuster - 20120802\r\nComments\r\nVotes\r\nAdditional information\r\nBehavioural information\r\n#backdoor bot\r\nhttp://keaaushoppingcenter.com/mail.htm\r\nonline-cammunity.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c\r\nonline-cammunity.ru:8080/forum/w.php?f=182b5\u0026e=2\r\nFile uploaded for analysis to ;\r\nhttp://jsunpack.jeek.org/dec/go?report=07777d69d6d6f5e180519988ad3df85613285e58\r\n===============================================================\r\nSHA256: c11a3d4f4630211cd458a022fa8c346d8a1a836561897e9ba6b4098605cf49b7\r\nSHA1: ef006795e39b4cc7469107c0b04d37ca492e062a\r\nMD5: 213d5022047029071afd372302e07dd8\r\nFile size: 96.0 KB ( 98304 bytes )\r\nFile name: Booking_Confirmation_08012012.exe\r\nFile type: Win32 EXE\r\nTags: peexe\r\nDetection ratio: 21 / 41\r\nAnalysis date: 2012-08-02 13:31:05 UTC ( 13 hours, 53 minutes ago )\r\n00\r\nMore details\r\nAntivirus Result Update\r\nAhnLab-V3 Win32/Cridex.worm.98304.B 
20120802\r\nAntiVir TR/Graftor.385561 20120802\r\nAVG SHeur4.AKTK 20120802\r\nBitDefender Trojan.Generic.KDV.686322 20120802\r\nByteHero - 20120801\r\nCAT-QuickHeal - 20120802\r\nCommtouch W32/Trojan3.DXI 20120802\r\nDrWeb Trojan.Necurs.20 20120802\r\nEmsisoft Worm.Win32.Cridex!IK 20120802\r\neSafe - 20120731\r\nESET-NOD32 Win32/AutoRun.Spy.Banker.M 20120802\r\nF-Prot W32/Trojan3.DXI 20120802\r\nF-Secure Trojan.Generic.KDV.686322 20120802\r\nGData Trojan.Generic.KDV.686322 20120802\r\nIkarus Worm.Win32.Cridex 20120802\r\nKaspersky Worm.Win32.Cridex.gt 20120802\r\nhttp://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html\r\nPage 8 of 10\n\nMcAfee PWS-Zbot.gen.ajm 20120802\r\nMcAfee-GW-Edition - 20120802\r\nnProtect Trojan.Generic.KDV.686322 20120802\r\nPanda Suspicious file 20120802\r\nSophos Troj/Cridex-O 20120802\r\nSUPERAntiSpyware - 20120802\r\nSymantec W32.Cridex 20120802\r\nTrendMicro PAK_Generic.012 20120802\r\nTrendMicro-HouseCall PAK_Generic.012 20120802\r\nVIPRE Trojan.Win32.Generic!BT 20120802\r\n==========================================================\r\nSHA256: 76b22b77e5df1134619e8ac3fd6a8c8cf72de879e0c4afbd11ebcaa14bc2a38e\r\nSHA1: d64623b8b5bbfa20bb7a08a43d7fed0e7d503e4f\r\nMD5: e187763c92e2acc6bb1c804309ebb381\r\nFile size: 79.0 KB ( 80896 bytes )\r\nFile name: smona_76b22b77e5df1134619e8ac3fd6a8c8cf72de879e0c4afbd11ebcaa14bc2a38e.bin\r\nFile type: Win32 EXE\r\nTags: peexe\r\nDetection ratio: 33 / 40\r\nAnalysis date: 2012-08-01 23:38:20 UTC ( 1 day, 3 hours ago )\r\n06\r\nMore details\r\nAntivirus Result Update\r\nAhnLab-V3 Win32/Cridex.worm.80896.C 20120801\r\nAntiVir TR/Cehscok.A 20120801\r\nAntiy-AVL - 20120801\r\nAvast Win32:Kryptik-JJP [Trj] 20120802\r\nAVG Generic28.CNKE 20120801\r\nBitDefender Trojan.Generic.KDV.681199 20120802\r\nByteHero - 20120723\r\nCAT-QuickHeal Trojan.Yakes.ahur 20120801\r\nClamAV W32.Trojan.Yakes-25 20120801\r\nCommtouch W32/Falab.F.gen!Eldorado 20120801\r\nComodo TrojWare.Win32.Kryptik.AITM 
20120802\r\nDrWeb Trojan.Necurs.21 20120802\r\nEmsisoft Trojan.Win32.Yakes!IK 20120801\r\nESET-NOD32 Win32/AutoRun.Spy.Banker.R 20120801\r\nF-Prot W32/Falab.F.gen!Eldorado 20120801\r\nF-Secure Trojan:W32/Injector.AA 20120802\r\nFortinet W32/Kryptik.AB!tr 20120801\r\nGData Trojan.Generic.KDV.681199 20120802\r\nhttp://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html\r\nPage 9 of 10\n\nIkarus Trojan.Win32.Yakes 20120801\r\nJiangmin Trojan/JboxGeneric.kue 20120801\r\nK7AntiVirus Trojan 20120801\r\nKaspersky Trojan.Win32.Yakes.ahur 20120801\r\nMcAfee PWS-Zbot.gen.air 20120802\r\nMcAfee-GW-Edition PWS-Zbot.gen.air 20120801\r\nMicrosoft Worm:Win32/Cridex.E 20120802\r\nNorman W32/Troj_Generic.DBZPN 20120801\r\nnProtect Trojan.Generic.KDV.681199 20120801\r\nPanda Generic Trojan 20120801\r\nRising - 20120801\r\nSophos Troj/Katusha-AG 20120802\r\nSUPERAntiSpyware - 20120801\r\nSymantec W32.Cridex 20120801\r\nTheHacker Trojan/Yakes.ahur 20120801\r\nTotalDefense - 20120801\r\nTrendMicro TROJ_INJECTR.VYQ 20120802\r\nTrendMicro-HouseCall TROJ_INJECTR.VYQ 20120801\r\nVIPRE Trojan.Win32.Generic!BT 20120802\r\nViRobot Trojan.Win32.A.Yakes.80896.D 20120801\r\nhttp://bartblaze.blogspot.com/2012/07/scan-from-hewlett-packard-scanjet.html\r\nPosted 1 week ago by bartblaze\r\nSource: http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html\r\nhttp://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html"
	],
	"report_names": [
		"cridex-analysis-using-volatility-by.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433997,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22b369cdbf078b436544e6426a2a706ecc698f80.pdf",
		"text": "https://archive.orkl.eu/22b369cdbf078b436544e6426a2a706ecc698f80.txt",
		"img": "https://archive.orkl.eu/22b369cdbf078b436544e6426a2a706ecc698f80.jpg"
	}
}