{
	"id": "ce64cb61-7385-40fa-8a88-7a160158f0e0",
	"created_at": "2026-04-06T00:06:58.486532Z",
	"updated_at": "2026-04-10T13:11:50.66245Z",
	"deleted_at": null,
	"sha1_hash": "25d6695d4477a92a544ddaaa2eae8c38478bb5a7",
	"title": "Explained: Smart Memory Dumping - VMRay",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 389423,
	"plain_text": "Explained: Smart Memory Dumping - VMRay\r\nBy VMRay Labs\r\nPublished: 2019-05-08 · Archived: 2026-04-05 12:48:30 UTC\r\nIn a recent major update of our flagship platform, VMRay Analyzer 3.0, we made dramatic improvements in the\r\nsystem’s memory dumping capabilities. In an automated approach we call smart memory dumping, VMRay\r\nAnalyzer now triggers more frequent and more relevant memory dumps to capture a comprehensive view of\r\nmalware characteristics and behavior. In turn, this increases the speed and accuracy of malware analysis and\r\ndetection.\r\nFor incident responders, smart memory dumping makes their jobs easier by automating many tasks that previously\r\nrequired manual intervention. In addition, more frequent and relevant dumps enhance digital forensics by\r\ncapturing a more complete record of artifacts created by threats and attacks.\r\nWhat Gets Packed, Must be Unpacked\r\nMalware authors routinely combine multiple techniques to evade detection and analysis by layered defenses: anti-virus, static analysis, and dynamic analysis tools. A popular approach is to compress, encrypt and/or obfuscate\r\nmalicious files, making it harder and more time-consuming to identify and classify the malware—and address the\r\nthreat it poses.\r\nTo do their dirty work, however, malware files need to be restored to their original state in memory so they can\r\nexecute as intended. And that creates an opportunity to detect potentially malicious behavior in the safe\r\nenvironment of the sandbox.\r\nAs successive layers of protection are removed—the packer layer, the compression layer, the obfuscation layer—\r\nthe characteristics and behavior of malware are revealed. For instance, memory has to be allocated to store\r\ndecrypted or deobfuscated data and code. In response to such changes, the VMRay Platform triggers a succession\r\nof memory dumps, creating snapshots of telltale information about a potential threat or attack. 
(See Figure 1.)\r\nSome examples of changes that trigger memory dumps:\r\nPrivate memory regions/buffers are marked as executable\r\nCode has executed in the memory region\r\nThe memory region was written into\r\nhttps://www.vmray.com/cyber-security-blog/smart-memory-dumping/\r\nPage 1 of 4\n\nFigure 1: VMRay triggers a series of dumps for a memory region at important phases of memory\r\nusage\r\nIn the screen capture above, taken from a VMRay Analyzer report on Remcos, a series of dumps is created in\r\nresponse to code being executed in the memory region that starts at 0x400000.\r\n(Remcos is a remote access tool widely used for malicious purposes.) Here’s what this high-level view shows:\r\nBecause VMRay Analyzer automatically applies YARA rules to memory dumps, all the resulting YARA\r\nmatches are displayed.\r\nThe dump listed on Line 1 appears to be benign as no YARA matches were found.\r\nLikewise, there are no YARA matches for the dump listed on Line 3. However, the content of memory has\r\nchanged, and that triggers a subsequent dump that we’ll examine shortly in Figure 2.\r\nLine 4 shows that, after monitoring and dumping the region, YARA matching detected potentially\r\nmalicious indicators in that particular dump. Later in the post, we’ll show the memory dump, after it has\r\nbeen loaded into IDA for easier analysis, and we’ll explore it in a bit more detail. (See Figure 3.)\r\nWhy Timing and Frequency Matter\r\nWith memory dumping, frequency and timing matter. Dump too often and you’ll create more information than\r\nyou need. Dump infrequently or at the wrong times and you’ll miss information that could enhance analysis and\r\ndetection, such as identifying malicious URLs or registry keys the malware is designed to access.\r\nSmart memory dumping addresses these challenges. 
In a process analogous to burst mode on a camera, triggers\r\nbuilt into VMRay dynamically initiate a memory dump any time something changes (see Figure 2).\r\nFigure 2: VMRay Analyzer memory dump loaded in IDA\r\nThis screenshot of a VMRay Analyzer memory dump loaded in IDA shows details from one of the first memory\r\ndumps we saw initiated in Figure 1 when the code starting at Entry Point 0x00418340 executed.\r\nThe first several lines, highlighted in green, show areas of memory that are empty, indicating they’re free\r\nof threats.\r\nHowever, the next line, in red, shows a set of instructions, starting with the pusha instruction in the\r\npreviously mentioned memory location 0x418340. VMRay captures the whole sequence of instructions\r\nthat follow, also shown in red.\r\nThough not illustrated here, the importance of timely memory dumps is easily understood in the context of\r\nmalware that “cleans up” by re-encrypting parts of itself that have been temporarily decrypted so they can execute.\r\nThe decrypted data may only be visible for an infinitesimal period of time, but VMRay takes a snapshot that\r\ncaptures it before it disappears again.\r\nBetter Malware Classification \u0026 Streamlined Manual Analysis\r\nImproved memory dumping creates a more complete and detailed picture of malware activity, for example by\r\nrevealing suspect code and strings associated with known signatures and malware families.\r\nContinuing with the example we’ve been discussing, Figure 3 now shows that the benign-looking region in\r\nFigure 2 has changed, revealing strings and other indicators of the malware.\r\nYou would typically see this on malware that unpacks and decrypts parts of itself in memory. Our memory\r\ndumping feature was able to capture this transition.\r\nHighlighted in yellow, VMRay identifies the file as a likely Remcos sample. 
Remcos is a remote access\r\ntool (RAT) widely used for malicious purposes.\r\nIn turn, that bolsters the automated pattern-matching power of YARA rules, resulting in faster, more accurate\r\nmalware classification and better detection rates.\r\nFigure 3: VMRay memory dumps, as shown here in the IDA interface, reveal concealed malware\r\nbehavior to analysts\r\nWith VMRay, security teams can utilize their own custom YARA rules along with VMRay-provided rules. And\r\nthey can more easily write new rules, for example, to automate the extraction of new C2 servers and malware\r\nsamples.\r\nVersion 3.0’s enhanced memory dumping also streamlines manual analysis. Decompressed or decrypted code that\r\nhas been captured via a memory dump can be directly examined in a disassembler, such as IDA or Ghidra.\r\nTranslating machine language into higher-level languages makes human analysis easier and eliminates the tedious\r\nprocess of debugging packed files.\r\nGet hands-on with VMRay Analyzer’s enhanced memory dumping capabilities. Start your trial today!\r\nSource: https://www.vmray.com/cyber-security-blog/smart-memory-dumping/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.vmray.com/cyber-security-blog/smart-memory-dumping/"
	],
	"report_names": [
		"smart-memory-dumping"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434018,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25d6695d4477a92a544ddaaa2eae8c38478bb5a7.pdf",
		"text": "https://archive.orkl.eu/25d6695d4477a92a544ddaaa2eae8c38478bb5a7.txt",
		"img": "https://archive.orkl.eu/25d6695d4477a92a544ddaaa2eae8c38478bb5a7.jpg"
	}
}