About Cofense
About Cofense
Free Tools
Free Tools
Build Resilience
Create Transparency
Speed Response

Welcome to the Cofense Blog

Get the latest information on phishing threats and trends, BEC, ransomware and credential phishing, plus Cofense product updates.

Follow us on Social Media

Dyre Configuration Dumper

It’s been over a year since Dyre first appeared, and with a rise of infections in 2015, it doesn’t look like the attackers are stopping anytime soon. At PhishMe we’ve been hit with a number of Dyre attacks this week, so to make analysis a little easier, I tossed together a quick python script that folks can use for dumping the configurations for Dyre.

To dump the memory, you can use Process Explorer to do a “full dump” on the process they inject into. (Typically the top-most svchost.exe, sometimes explorer.exe) Here’s what the output looks like:

Figure 1 Dyre Config Dump

Figure 1 — Dyre Configuration Dumper

By adding the “-c” flag to the end of it, we can get more information about the configs the attackers have in memory. Here’s a quick snapshot:

Figure 2 More Config Dumps

Figure 2 — More Dyre Config Dumps

You can download the script from here. Happy config dumping!