ATMMalScan – Tool for Windows which helps to search for malware traces on an ATM during the DFIR process


ATMMalScan is a command-line tool for Windows 7 and later that helps to search for malware traces on an ATM during the DFIR process. It examines the running processes of the system as well as the hard disk, the latter limited to the file path given on the command line. A user with standard rights is sufficient to scan a system, but ATMMalScan gives the best results with administrator privileges, since only then can it read the memory of every process.

Known issues:

ATMMalScan currently does not support code pages that require Unicode. On Windows installations set to, for example, Cyrillic or Chinese, no representative result can be guaranteed.

Requirements:

Make sure that at least the Visual C++ Redistributable for Visual Studio 2015 is installed on the ATM you want to scan, otherwise the tool will not start.

Usage (Example)

Step 1 => Scan process memory and disk. Check first whether administrator privileges are available on the device; they give the best results.

[Screenshot: scan of process memory and disk]

Step 2 => ATMMalScan has detected malware identified as XFS_DIRECT in a process and reports the affected thread and the matching rules. It also writes a full process-memory dump to disk, capturing the malicious process, its modules, and its stack and heap pages.

[Screenshot: scan with malware detected]

Step 3 => The dump can be found under .Dump

[Screenshot: dump directory]

Step 4 => Open the dump file in WinDbg and write the ATM malware's image out to disk with the ".writemem" command.

[Screenshot: WinDbg session]

Step 5 => Repair the dumped PE with one of your favourite PE fixers (an image written out of memory still carries the on-disk section offsets in its headers) and start analysing the malware in detail.
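Steps 4 and 5 above amount to two operations: finding the PE image inside the memory that was written out, and turning the in-memory layout back into a file layout. The script below is an added example and is not part of ATMMalScan or of any PE fixer; the dump it works on, including the tiny PE32 inside it, is constructed in the script so that it runs offline. The bound on e_lfanew used while carving is a heuristic, and the optional image_base argument of unmap_pe is an assumption about what a practitioner wants to record when the module was relocated.

```python
"""Carve PE images out of a raw memory dump and convert each from its
in-memory layout to file layout (the "PE fix" step after .writemem).

Added example, not part of ATMMalScan. The dump and the PE inside it
are constructed below so the script runs offline.
"""
import struct

SECTION_HDR_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def nt_header_offset(image: bytes, base: int = 0) -> int:
    """Return the offset of the 'PE\\0\\0' signature or raise ValueError."""
    if base + 0x40 > len(image) or image[base:base + 2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, base + 0x3C)[0]
    nt = base + e_lfanew
    # heuristic (assumption): real NT headers sit within the first page
    if not 0x40 <= e_lfanew < 0x1000 or nt + 24 + 96 > len(image):
        raise ValueError("e_lfanew out of range")
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    if struct.unpack_from("<H", image, nt + 24)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional-header magic")
    return nt


def optional_fields(image: bytes) -> dict:
    """ImageBase, SectionAlignment and FileAlignment of a PE32/PE32+ image."""
    opt = nt_header_offset(image) + 24
    is_pe32plus = struct.unpack_from("<H", image, opt)[0] == 0x20B
    base = (struct.unpack_from("<Q", image, opt + 24) if is_pe32plus
            else struct.unpack_from("<I", image, opt + 28))[0]
    sec_align, file_align = struct.unpack_from("<II", image, opt + 32)
    return {"ImageBase": base, "SectionAlignment": sec_align, "FileAlignment": file_align}


def section_table(image: bytes) -> list:
    """(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    nt = nt_header_offset(image)
    nsect = struct.unpack_from("<H", image, nt + 6)[0]
    first = nt + 24 + struct.unpack_from("<H", image, nt + 20)[0]
    rows = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", image, first + i * SECTION_HDR_SIZE)
        rows.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr))
    return rows


def find_pe_images(blob: bytes) -> list:
    """(offset, SizeOfImage) of every plausible PE header in a raw dump."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        try:
            nt = nt_header_offset(blob, pos)
            hits.append((pos, struct.unpack_from("<I", blob, nt + 24 + 56)[0]))
        except ValueError:
            pass  # 'MZ' inside ordinary data, not a header
        pos = blob.find(b"MZ", pos + 1)
    return hits


def unmap_pe(image: bytes, image_base: int = None) -> bytes:
    """Make the image's current (mapped) layout its file layout.

    In memory each section starts at VirtualAddress, but the headers still
    carry the on-disk PointerToRawData/SizeOfRawData, so disassemblers read
    section data from the wrong place. Setting PointerToRawData =
    VirtualAddress and FileAlignment = SectionAlignment fixes that.
    """
    nt = nt_header_offset(image)
    out = bytearray(image)
    nsect = struct.unpack_from("<H", image, nt + 6)[0]
    opt = nt + 24
    opt_size = struct.unpack_from("<H", image, nt + 20)[0]
    section_align = struct.unpack_from("<I", image, opt + 32)[0]
    struct.pack_into("<I", out, opt + 36, section_align)  # FileAlignment
    if image_base is not None:  # relocated module: record its real load address
        if struct.unpack_from("<H", image, opt)[0] == 0x20B:
            struct.pack_into("<Q", out, opt + 24, image_base)
        else:
            struct.pack_into("<I", out, opt + 28, image_base)
    end = struct.unpack_from("<I", image, opt + 60)[0]  # SizeOfHeaders
    for i in range(nsect):
        off = opt + opt_size + i * SECTION_HDR_SIZE
        vsize, va, rawsize = struct.unpack_from("<III", image, off + 8)
        size = vsize or rawsize  # some linkers leave VirtualSize at 0
        size = -(-size // section_align) * section_align  # whole pages
        size = max(0, min(size, len(image) - va))  # dump may end mid-section
        struct.pack_into("<II", out, off + 16, size, va)
        end = max(end, va + size)
    return bytes(out[:end])


def build_mapped_sample() -> bytes:
    """Constructed sample: a tiny PE32 as the loader maps it (SectionAlignment
    0x1000) while its headers still hold FileAlignment-0x200 raw offsets."""
    sections = [(b".text", 0x1000, b"\xC3" * 0x20), (b".data", 0x2000, b"DATA" * 4)]
    image = bytearray(0x3000)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)  # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = 0x58
    struct.pack_into("<H", image, opt, 0x10B)  # PE32 magic
    struct.pack_into("<I", image, opt + 16, 0x1000)  # AddressOfEntryPoint
    struct.pack_into("<I", image, opt + 28, 0x400000)  # ImageBase
    struct.pack_into("<II", image, opt + 32, 0x1000, 0x200)  # Section/FileAlignment
    struct.pack_into("<II", image, opt + 56, 0x3000, 0x400)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", image, opt + 92, 16)  # NumberOfRvaAndSizes
    raw = 0x400
    for i, (name, va, data) in enumerate(sections):
        rawsize = -(-len(data) // 0x200) * 0x200
        struct.pack_into("<8sIIIIIIHHI", image, opt + 224 + i * SECTION_HDR_SIZE,
                         name, len(data), va, rawsize, raw, 0, 0, 0, 0, 0x60000020)
        raw += rawsize
        image[va:va + len(data)] = data  # section bytes live at their VA
    return bytes(image)


if __name__ == "__main__":
    dump = b"\0" * 0x500 + build_mapped_sample() + b"\xff" * 0x100  # constructed dump
    for off, size in find_pe_images(dump):
        fixed = unmap_pe(dump[off:off + size])
        print(f"PE at 0x{off:x}, SizeOfImage 0x{size:x}")
        for name, vsize, va, rawsize, rawptr in section_table(fixed):
            print(f"  {name:<8} VA=0x{va:x} raw=0x{rawptr:x} size=0x{rawsize:x}")
```

On a real case the input to find_pe_images is the region saved with .writemem (or the whole dump), and the ImageBase to pass is the module's load address as WinDbg shows it, so that addresses in the fixed file line up with the debugger session. If the dump ended inside a section, the last section is truncated rather than left pointing past the end of the file.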

Download ATMMalScan
