TSPY_DYRE.CAS


 ALIASES:

Infostealer.Dyre (Symantec)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size:

542862 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

02 Nov 2015

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system and executes them:

  • %Windows%\{random file name 1}.exe
  • %Windows%\{random file name 1}_.exe

(Note: %Windows% is the Windows folder, usually C:\Windows on all Windows operating system versions.)

It drops the following files:

  • %System%\Tasks\{Random file name 1}

(Note: %System% is the Windows system folder, usually C:\Windows\System32 on all Windows operating system versions.)
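The installation behaviour above gives a defender a concrete host-based indicator: two executables in %Windows% that share a random base name, one with a trailing underscore, plus a scheduled-task definition in %System%\Tasks with that same base name. The following hunting script is an added example, not Trend Micro's code or part of the original entry; it applies that three-part check to directory listings (so it can be run offline against a captured file inventory) and, when run on a live Windows host, reads the two folders itself. The function and variable names are assumptions of this example.

```python
"""Hunt for the TSPY_DYRE.CAS drop pattern: %Windows%\\X.exe, %Windows%\\X_.exe
and %System%\\Tasks\\X sharing one random base name X.

Added example for this entry, not vendor code. Requiring all three artifacts
keeps a single unfamiliar executable in C:\\Windows from raising an alert.
"""
import os
from typing import Iterable, List

# Assumed locations; SystemRoot is the usual %Windows% on a live host.
WINDOWS_DIR = os.environ.get("SystemRoot", r"C:\Windows")
TASKS_DIR = os.path.join(WINDOWS_DIR, "System32", "Tasks")


def match_dyre_drop_pattern(windows_entries: Iterable[str],
                            task_entries: Iterable[str]) -> List[str]:
    """Return every base name X for which X.exe, X_.exe and Tasks\\X all exist.

    windows_entries: file names found directly in %Windows%.
    task_entries:    file names found directly in %System%\\Tasks.
    Matching is case-insensitive because NTFS paths are.
    """
    exes = {name.lower() for name in windows_entries
            if name.lower().endswith(".exe")}
    tasks = {name.lower() for name in task_entries}
    hits = []
    for exe in sorted(exes):
        base = exe[:-len(".exe")]
        # X_.exe is the companion copy; only evaluate the primary X.exe.
        if base.endswith("_"):
            continue
        if f"{base}_.exe" in exes and base in tasks:
            hits.append(base)
    return hits


def scan_live_host() -> List[str]:
    """List both folders on this machine and apply the pattern.

    Reading %System%\\Tasks normally needs administrative rights; a
    permission error is reported as 'nothing found' rather than a crash.
    """
    try:
        windows_entries = os.listdir(WINDOWS_DIR)
        task_entries = os.listdir(TASKS_DIR)
    except OSError as err:
        print(f"cannot enumerate host folders: {err}")
        return []
    return match_dyre_drop_pattern(windows_entries, task_entries)


if __name__ == "__main__":
    # Constructed sample inventory (not real observations) to show the logic.
    sample_windows = ["explorer.exe", "notepad.exe", "xkqwpzt.exe", "xkqwpzt_.exe"]
    sample_tasks = ["xkqwpzt", "GoogleUpdateTaskMachineUA"]
    print("constructed sample:", match_dyre_drop_pattern(sample_windows, sample_tasks))
    if os.name == "nt":
        print("live host:", scan_live_host())
```

A hit names the random base to remove from %Windows% (both copies) and from %System%\Tasks; on a host that is not Windows the script only evaluates the constructed inventory.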

Other Details

This spyware connects to the following possibly malicious URLs (IP address and port):

  • {BLOCKED}.{BLOCKED}.1.13:4443
  • {BLOCKED}.{BLOCKED}.116.174:443
  • {BLOCKED}.{BLOCKED}.212.105:443
  • {BLOCKED}.{BLOCKED}.180.41:4443
  • {BLOCKED}.{BLOCKED}.69.251:443
  • {BLOCKED}.{BLOCKED}.49.11:443
  • {BLOCKED}.{BLOCKED}.228.68:4443
  • {BLOCKED}.{BLOCKED}.166.94:4443
  • {BLOCKED}.{BLOCKED}.50.124:4443
  • {BLOCKED}.{BLOCKED}.239.194:443
  • {BLOCKED}.{BLOCKED}.101.194:4443
  • {BLOCKED}.{BLOCKED}.122.32:443
  • {BLOCKED}.{BLOCKED}.40.144:443
  • {BLOCKED}.{BLOCKED}.109.92:443
  • {BLOCKED}.{BLOCKED}.76.17:4443
  • {BLOCKED}.{BLOCKED}.217.70:443
  • {BLOCKED}.{BLOCKED}.68.104:443
  • {BLOCKED}.{BLOCKED}.68.129:443
  • {BLOCKED}.{BLOCKED}.9.108:443
  • {BLOCKED}.{BLOCKED}.9.141:443
  • {BLOCKED}.{BLOCKED}.9.225:443
  • {BLOCKED}.{BLOCKED}.167.234:4443
  • {BLOCKED}.{BLOCKED}.138.66:443
  • {BLOCKED}.{BLOCKED}.240.79:4443
  • {BLOCKED}.{BLOCKED}.77.76:443
  • {BLOCKED}.{BLOCKED}.206.82:443
  • {BLOCKED}.{BLOCKED}.60.33:443
  • {BLOCKED}.{BLOCKED}.67.190:443
  • {BLOCKED}.{BLOCKED}.104.166:4443
  • {BLOCKED}.{BLOCKED}.101.2:4443
  • {BLOCKED}.{BLOCKED}.108.47:4443
  • {BLOCKED}.{BLOCKED}.200.112:443
  • {BLOCKED}.{BLOCKED}.182.109:443
  • {BLOCKED}.{BLOCKED}.67.80:443
  • {BLOCKED}.{BLOCKED}.28.44:443
  • {BLOCKED}.{BLOCKED}.251.162:443
  • {BLOCKED}.{BLOCKED}.196.217:443
  • {BLOCKED}.{BLOCKED}.208.13:443
  • {BLOCKED}.{BLOCKED}.131.116:443
  • {BLOCKED}.{BLOCKED}.226.74:443
  • {BLOCKED}.{BLOCKED}.71.149:4443
  • {BLOCKED}.{BLOCKED}.176.230:4443
  • {BLOCKED}.{BLOCKED}.232.18:443
  • {BLOCKED}.{BLOCKED}.48.38:443
  • {BLOCKED}.{BLOCKED}.131.229:443
  • {BLOCKED}.{BLOCKED}.62.195:4443

It deletes the initially executed copy of itself.