A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25969  by forty-six
 Mon Jun 01, 2015 4:27 am
robemtnez wrote:Upatre was the one checking for CPU numbers and not Dyre, and I understand it was a feature of the packer and not the malware itself.
I think the total number of Upatre and Dyre samples you have reversed is 0.
 #25977  by EP_X0FF
 Mon Jun 01, 2015 7:29 am
robemtnez wrote:Upatre was the one checking for CPU numbers and not Dyre, and I understand it was a feature of the packer and not the malware itself.
Have you ever opened this malware in anything before doing this post?

Image

Lame shit, like the whole of this malware. This check will defeat VirtualPC and lame security experts running a VM with 1 CPU in 2015.
 #25980  by EP_X0FF
 Mon Jun 01, 2015 7:46 am
patriq wrote:
Xylitol wrote: https://www.youtube.com/watch?v=hKkmQ3tGJa0
is GetSystemPowerStatus used to test for sandbox/vm?
I do believe it is a part/sort of anti-emulation, just like the empty WriteConsoleW before.
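As an added example (not code from any poster in this thread), a check an analyst can run inside an analysis VM to see whether its configuration would trip the two heuristics discussed above, the CPU count and GetSystemPowerStatus. The thread does not say which values the packer compares against, so treating a single CPU and an "unknown" (255) power state as the conspicuous cases is an assumption.

```python
import os
import sys
import ctypes

# Values from the SYSTEM_POWER_STATUS documentation; which of them the packer
# actually tests for is not stated in the thread (assumption: "unknown" is the tell).
AC_UNKNOWN = 255
BATTERY_UNKNOWN = 255
NO_SYSTEM_BATTERY = 128


class SYSTEM_POWER_STATUS(ctypes.Structure):
    # Layout of the structure that GetSystemPowerStatus fills in.
    _fields_ = [
        ("ACLineStatus", ctypes.c_ubyte),
        ("BatteryFlag", ctypes.c_ubyte),
        ("BatteryLifePercent", ctypes.c_ubyte),
        ("SystemStatusFlag", ctypes.c_ubyte),
        ("BatteryLifeTime", ctypes.c_uint32),
        ("BatteryFullLifeTime", ctypes.c_uint32),
    ]


def vm_config_findings(cpu_count, ac_line_status, battery_flag):
    """Return the heuristics from the thread that this VM configuration would trip."""
    findings = []
    if cpu_count is None or cpu_count < 2:
        findings.append("single CPU: trips the CPU-count check")
    if ac_line_status == AC_UNKNOWN or battery_flag == BATTERY_UNKNOWN:
        findings.append("GetSystemPowerStatus reports an unknown power state")
    return findings


def live_config():
    """Collect the real values on Windows; return None on other platforms."""
    if sys.platform != "win32":
        return None
    sps = SYSTEM_POWER_STATUS()
    if not ctypes.windll.kernel32.GetSystemPowerStatus(ctypes.byref(sps)):
        return None
    return (os.cpu_count(), sps.ACLineStatus, sps.BatteryFlag)


if __name__ == "__main__":
    cfg = live_config()
    if cfg is None:
        # Constructed sample for non-Windows hosts: a 1-vCPU VM with no power info.
        cfg = (1, AC_UNKNOWN, BATTERY_UNKNOWN)
    for finding in vm_config_findings(*cfg) or ["no findings"]:
        print(finding)
```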
 #26212  by Xylitol
 Tue Jun 30, 2015 11:09 am
Attachment: infected (1.17 MiB)
 #26781  by EP_X0FF
 Mon Sep 21, 2015 2:32 pm
Here is a modification from August.

7afb5ac0aaec4198d8cd1acf04865bf32a81c651c0210fc2c18b3b1766c1e3fd (+unpacked vt result)
https://www.virustotal.com/en/file/7afb ... 442845678/
https://www.virustotal.com/en/file/40b8 ... 442845503/
Attachment (pass: infected), 368.17 KiB