user@threatcheck.sh ~ threat-analysis
$ analyze-threat PWS:Win32/Dyzap.A
PWS:Win32/Dyzap.A - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: PWS:Win32/Dyzap.A
Classification:
Type: PWS (password stealer)
Platform: Win32
Family: Dyzap
Detection Type: Concrete (known malware family with identified signatures)
Variant: A (specific signature variant within the malware family)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: PWS (password stealer), a component that steals credentials and other sensitive information; platform Win32; family Dyzap.

Summary:

PWS:Win32/Dyzap.A is a concrete detection for a component of the Dyzap family, which is Microsoft's name for the Dyre (also known as Dyreza) banking trojan; the build paths, named pipe and error strings in the signature below come straight from that code base. The malware steals credentials and other sensitive data by injecting into the browser and intercepting web traffic from inside it, and it communicates with command-and-control servers both to exfiltrate what it collects and to receive further instructions. The static strings listed below reflect this: a build path under \DYRE\, a "send browsnapshot failed" error message from the browser component, and C2 URL format strings such as /%s/%s/5/publickey/.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat (note the \DYRE\x64\Release\ build path among them: despite the Win32 platform tag, the family ships 64-bit components, so do not restrict hunting to 32-bit PE files):
 - \DYRE\Release\zapuskator (PEHSTR_EXT)
 - AUTOBACKCONN (PEHSTR_EXT)
 - =RBSG_CORP4P&domain= (PEHSTR_EXT)
 - </rpci> (PEHSTR_EXT)
 - send browsnapshot failed (PEHSTR_EXT)
 - /%s/%s/%d/%s/%s/ (PEHSTR_EXT)
 - \DYRE\x64\Release\dyrecontroller.pdb (PEHSTR_EXT)
 - /%s/%s/5/publickey/ (PEHSTR_EXT)
YARA Rule:
rule PWS_Win32_Dyzap_A_2147687905_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "PWS:Win32/Dyzap.A"
        threat_id = "2147687905"
        type = "PWS"
        platform = "Win32: Windows 32-bit platform"
        family = "Dyzap"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "\\DYRE\\Release\\zapuskator" ascii //weight: 1
        $x_1_2 = ".\\pipe\\RangisPipe" wide //weight: 1
        $x_1_3 = "AUTOBACKCONN" ascii //weight: 1
        $x_1_4 = "=RBSG_CORP4P&domain=" ascii //weight: 1
        $x_1_5 = {48 83 ec 20 ff 55 08 48 8b 4d cc 48 8d 64 cc 20 5f 48 89 45 f4 e8 00 00 00 00 c7 44 24 04 23 00 00 00 83 04 24 0d cb}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (4 of ($x*))
}
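Two details of the rule above are easy to get wrong when it is re-implemented or when its strings are reused for hunting: the wide modifier on $x_1_2 means YARA searches for the UTF-16LE encoding of .\pipe\RangisPipe, so an ASCII copy of the pipe name does not count, and "4 of ($x*)" counts distinct strings, not occurrences. A third point is the opcode string $x_1_5: read as x86-64 code, its tail (call $+5; mov dword [rsp+4], 0x23; add dword [rsp], 0xd; retf) is a far return into the 32-bit code segment, the return half of a WoW64 mode-switch thunk, which is why the rule keys on it and why the Win32 tag should not be read as "32-bit only". The block below is an added example written for this page, not code from threatcheck.sh or Microsoft: a pure-Python re-implementation of the rule's matching logic, using the five strings and the condition verbatim. The function names (find_all, scan, matches_rule) and the sample buffers at the bottom are mine; the buffers are constructed test inputs, not real Dyre samples.

```python
"""Pure-Python re-implementation of the PWS:Win32/Dyzap.A rule's matching logic.

Added example for this page, not threatcheck.sh's or Microsoft's code. It uses
the rule's five strings and its condition 'filesize < 20MB and 4 of ($x*)'
unchanged, so the threshold semantics can be checked without yara-python.
The byte buffers at the bottom are constructed test inputs, not real samples.
"""

MAX_FILESIZE = 20 * 1024 * 1024     # YARA's 20MB
THRESHOLD = 4                       # meta threshold = "4"; condition '4 of ($x*)'

# (identifier, byte pattern, weight) exactly as in the rule. A 'wide' string in
# YARA is matched as UTF-16LE, so $x_1_2 is encoded that way before searching.
PATTERNS = [
    ("x_1_1", b"\\DYRE\\Release\\zapuskator", 1),
    ("x_1_2", ".\\pipe\\RangisPipe".encode("utf-16-le"), 1),
    ("x_1_3", b"AUTOBACKCONN", 1),
    ("x_1_4", b"=RBSG_CORP4P&domain=", 1),
    ("x_1_5", bytes.fromhex(
        "48 83 ec 20 ff 55 08 48 8b 4d cc 48 8d 64 cc 20 5f 48 89 45 f4"
        " e8 00 00 00 00 c7 44 24 04 23 00 00 00 83 04 24 0d cb"), 1),
]


def find_all(data, pattern):
    """Return every offset at which `pattern` occurs in `data` (overlaps included)."""
    offsets, pos = [], data.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(pattern, pos + 1)
    return offsets


def scan(data):
    """Map each string identifier to the list of offsets where it was found."""
    return {name: find_all(data, pat) for name, pat, _ in PATTERNS}


def matches_rule(data, filesize=None):
    """Evaluate the rule. Returns (verdict, total_weight, matched identifiers).

    `filesize` lets a caller pass the on-disk size when only a prefix of the
    file was read; it defaults to len(data). As with YARA's 'N of ($x*)', each
    string counts once however often it occurs. Weights are summed rather than
    strings counted so the same code handles PEHSTR_EXT rules whose strings
    carry unequal weights (here they are all 1, so the two agree).
    """
    if filesize is None:
        filesize = len(data)
    if filesize >= MAX_FILESIZE:
        return False, 0, []
    hits = scan(data)
    matched = [name for name, _, _ in PATTERNS if hits[name]]
    weight = sum(w for name, _, w in PATTERNS if hits[name])
    return weight >= THRESHOLD, weight, matched


# Constructed buffers (not real samples): a PE-like prefix plus the strings
# laid out the way a compiler leaves them, NUL-terminated and mixed with filler.
FILLER = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
SAMPLE_HIT = (FILLER
              + b"C:\\work\\DYRE\\Release\\zapuskator.pdb\x00"
              + b"AUTOBACKCONN\x00"
              + ".\\pipe\\RangisPipe\x00".encode("utf-16-le")
              + b"\x90" * 8 + PATTERNS[4][1] + b"\x90" * 8)
# Same content but the pipe name stored as ASCII: the 'wide' string does not
# match, leaving three of five, so the rule must not fire.
SAMPLE_ASCII_PIPE = SAMPLE_HIT.replace(
    ".\\pipe\\RangisPipe\x00".encode("utf-16-le"), b".\\pipe\\RangisPipe\x00")
# A buffer carrying a single rule string (constructed): far below threshold,
# which is the point of a weighted threshold rather than any-string detection.
SAMPLE_BENIGN = FILLER + b"user=x&lang=RBSG_CORP4P&domain=example\x00"

if __name__ == "__main__":
    for label, buf in [("hit", SAMPLE_HIT), ("ascii pipe", SAMPLE_ASCII_PIPE),
                       ("benign", SAMPLE_BENIGN)]:
        verdict, weight, matched = matches_rule(buf)
        print(f"{label:11s} verdict={verdict} weight={weight} matched={matched}")
    # filesize guard: identical bytes are ignored once the file is 20MB or larger
    print("oversized   ", matches_rule(SAMPLE_HIT, filesize=MAX_FILESIZE))
```

Run it as a script to see the three verdicts, or pass `open(path, "rb").read()` to `matches_rule` to check a file on disk. The offsets returned by `scan` are what you want when triaging a hit: they show whether the match sits in a string table, a debug directory, or code, which is the difference between a stray path string and the mode-switch stub.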
Known sample associated with this threat:
Filename: dyre.exe
SHA-256: 10745182ac1b738e4a363166f650069d16b81873b3bbb1990e7d07cb652495e8
Date: 22/03/2026
Remediation Steps:
Isolate the infected system from the network immediately. Run a full scan with current definitions and quarantine or remove everything flagged, but do not treat a clean rescan as proof of eradication: hunt for persistence mechanisms, for the named pipe \\.\pipe\RangisPipe and the other strings listed above in process memory, and for outbound command-and-control traffic matching the URL patterns in the static strings, and assess what data may already have been exfiltrated. Because Dyre operates from inside the browser, treat every credential entered on the infected host as compromised: reset them from a known-clean machine, starting with banking, corporate and privileged accounts, and revoke any active sessions those credentials hold. Reimage the system if complete eradication cannot be confirmed.
=== END REPORT ===