win.spyeye

SpyEye


SpyEye is a banking trojan targeting Microsoft Windows browsers; this description also lists Apple iOS Safari, a claim that none of the references below corroborate and which should be treated with caution. Originating in Russia, it was sold on underground forums for $500 and up and was marketed as "The Next Zeus Malware". It offered functionality typical of banking trojans: keylogging, credit-card auto-fill modules, e-mail backups, an encrypted configuration file, HTTP access, and POP3 and FTP grabbers. SpyEye let its operators steal money from online bank accounts and initiate transactions while the legitimate user was still logged in; later builds borrowed a Zeus technique to mask the fraudulent transactions from the victim (PCWorld, 2012) and were adapted to defeat bank-side anti-fraud defenses (Computerworld, 2011). Its rivalry with Zeus is covered in the 2010 Krebs, SANS and Symantec references.

References
2021-05-07 — Department of Justice — Office of Public Affairs
@online{affairs:20210507:four:8efdc7e, author = {Office of Public Affairs}, title = {{Four Individuals Plead Guilty to RICO Conspiracy Involving “Bulletproof Hosting” for Cybercriminals}}, date = {2021-05-07}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals}, language = {English}, urldate = {2021-05-11} } Four Individuals Plead Guilty to RICO Conspiracy Involving “Bulletproof Hosting” for Cybercriminals
Citadel SpyEye Zeus
2021-03-31 — Kaspersky — Kaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} } Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-08-09 — F5 Labs — Remi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} } Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2017-09-15 — Microsoft — Microsoft
@online{microsoft:20170915:trojanwin32spyeye:c1c6062, author = {Microsoft}, title = {{Trojan:Win32/Spyeye}}, date = {2017-09-15}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye}, language = {English}, urldate = {2019-11-24} } Trojan:Win32/Spyeye
SpyEye
2012-01-04 — PCWorld — Jeremy Kirk
@online{kirk:20120104:spyeye:3ecb013, author = {Jeremy Kirk}, title = {{SpyEye Malware Borrows Zeus Trick to Mask Fraud}}, date = {2012-01-04}, organization = {PCWorld}, url = {https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html}, language = {English}, urldate = {2020-01-08} } SpyEye Malware Borrows Zeus Trick to Mask Fraud
SpyEye
2011-07-26 — Computerworld — Jeremy Kirk
@online{kirk:20110726:spyeye:a7ad044, author = {Jeremy Kirk}, title = {{SpyEye Trojan defeating online banking defenses}}, date = {2011-07-26}, organization = {Computerworld}, url = {https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html}, language = {English}, urldate = {2020-01-13} } SpyEye Trojan defeating online banking defenses
SpyEye
2011-04-26 — Brian Krebs
@online{krebs:20110426:spyeye:b9e984e, author = {Brian Krebs}, title = {{SpyEye Targets Opera, Google Chrome Users}}, date = {2011-04-26}, url = {https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/}, language = {English}, urldate = {2020-01-08} } SpyEye Targets Opera, Google Chrome Users
SpyEye
2010-09-17 — KrebsOnSecurity — Brian Krebs
@online{krebs:20100917:spyeye:92d9e7f, author = {Brian Krebs}, title = {{SpyEye Botnet’s Bogus Billing Feature}}, date = {2010-09-17}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/}, language = {English}, urldate = {2019-10-15} } SpyEye Botnet’s Bogus Billing Feature
SpyEye
2010-06-15 — SANS — Harshit Nayyar
@online{nayyar:20100615:clash:8d2f45c, author = {Harshit Nayyar}, title = {{Clash of the Titans: ZeuS v SpyEye}}, date = {2010-06-15}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393}, language = {English}, urldate = {2020-01-09} } Clash of the Titans: ZeuS v SpyEye
SpyEye
2010-04-01 — KrebsOnSecurity — Brian Krebs
@online{krebs:20100401:spyeye:d557888, author = {Brian Krebs}, title = {{SpyEye vs. ZeuS Rivalry}}, date = {2010-04-01}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/}, language = {English}, urldate = {2019-11-28} } SpyEye vs. ZeuS Rivalry
SpyEye
2010-02-19 — MalwareIntelligence — Jorge Mieres
@online{mieres:20100219:spyeye:244807f, author = {Jorge Mieres}, title = {{SpyEye Bot (Part two). Conversations with the creator of crimeware}}, date = {2010-02-19}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/02/spyeye-bot-part-two-conversations-with.html}, language = {English}, urldate = {2020-01-13} } SpyEye Bot (Part two). Conversations with the creator of crimeware
SpyEye
2010-02-04 — Symantec — Peter Coogan
@online{coogan:20100204:spyeye:5c54efe, author = {Peter Coogan}, title = {{SpyEye Bot versus Zeus Bot}}, date = {2010-02-04}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot}, language = {English}, urldate = {2020-01-06} } SpyEye Bot versus Zeus Bot
SpyEye
Yara Rules
[TLP:WHITE] win_spyeye_auto (20230125 | Detects win.spyeye.)
rule win_spyeye_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.spyeye."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (win.spyeye)
     * - Scope: the sequences below were taken from disassembly of memory dumps
     *   and unpacked files (see DISCLAIMER). Packed or obfuscated on-disk
     *   droppers are not expected to match; scan unpacked samples or process
     *   memory for this rule to be useful.
     * - Signal quality: every string is a short (4-7 instruction) x86 code
     *   sequence with no API-name strings and only small immediates, so any
     *   single string hit is low-signal. The specificity comes from the
     *   condition requiring 7 of the 10 sequences to co-occur; do not lower
     *   that threshold without re-measuring false positives on clean code.
     * - Coverage: per the DISCLAIMER, generation may have used a single sample,
     *   so treat a match as a corroborating indicator for SpyEye rather than
     *   as sole grounds for attribution; confirm with other artifacts.
     * - Size cap: filesize < 741376 applies to the scanned object as a whole.
     *   A large full-process memory image that embeds an unpacked SpyEye
     *   module will fail the condition even if all 10 sequences are present.
     */


    strings:
        $sequence_0 = { 8bd8 83fbff 751b 57 }
            // n = 4, score = 700
            //   8bd8                 | mov                 ebx, eax
            //   83fbff               | cmp                 ebx, -1
            //   751b                 | jne                 0x1d
            //   57                   | push                edi

        // NOTE(review): saving esp at [ebp-4] and the matching restore in
        // $sequence_9 look like a compiler-generated try/handler frame —
        // unconfirmed; treat as generic compiler code, not SpyEye-specific.
        $sequence_1 = { 740b 8965fc ff7508 ffd0 }
            // n = 4, score = 700
            //   740b                 | je                  0xd
            //   8965fc               | mov                 dword ptr [ebp - 4], esp
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd0                 | call                eax

        // Very generic 4-byte sequence (store, advance, return, next prologue);
        // expect incidental hits in unrelated binaries.
        $sequence_2 = { 8908 83c004 c3 55 }
            // n = 4, score = 700
            //   8908                 | mov                 dword ptr [eax], ecx
            //   83c004               | add                 eax, 4
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_3 = { 57 ff7604 ffd3 6a02 57 6af8 ff7604 }
            // n = 7, score = 700
            //   57                   | push                edi
            //   ff7604               | push                dword ptr [esi + 4]
            //   ffd3                 | call                ebx
            //   6a02                 | push                2
            //   57                   | push                edi
            //   6af8                 | push                -8
            //   ff7604               | push                dword ptr [esi + 4]

        $sequence_4 = { 85f6 750f 39750c 750d 33c0 }
            // n = 5, score = 700
            //   85f6                 | test                esi, esi
            //   750f                 | jne                 0x11
            //   39750c               | cmp                 dword ptr [ebp + 0xc], esi
            //   750d                 | jne                 0xf
            //   33c0                 | xor                 eax, eax

        $sequence_5 = { 8b7018 8b4640 8906 8a4644 }
            // n = 4, score = 700
            //   8b7018               | mov                 esi, dword ptr [eax + 0x18]
            //   8b4640               | mov                 eax, dword ptr [esi + 0x40]
            //   8906                 | mov                 dword ptr [esi], eax
            //   8a4644               | mov                 al, byte ptr [esi + 0x44]

        $sequence_6 = { c7460803000000 397e08 74be 397e08 7515 }
            // n = 5, score = 700
            //   c7460803000000       | mov                 dword ptr [esi + 8], 3
            //   397e08               | cmp                 dword ptr [esi + 8], edi
            //   74be                 | je                  0xffffffc0
            //   397e08               | cmp                 dword ptr [esi + 8], edi
            //   7515                 | jne                 0x17

        // Byte-copy loop body with a counter at [ebp+0xc]; generic memcpy-like
        // code, not specific to this family on its own.
        $sequence_7 = { 8b4724 8a18 8819 41 40 ff4d0c }
            // n = 6, score = 700
            //   8b4724               | mov                 eax, dword ptr [edi + 0x24]
            //   8a18                 | mov                 bl, byte ptr [eax]
            //   8819                 | mov                 byte ptr [ecx], bl
            //   41                   | inc                 ecx
            //   40                   | inc                 eax
            //   ff4d0c               | dec                 dword ptr [ebp + 0xc]

        // NOTE(review): 0x40000000 equals the Win32 GENERIC_WRITE access mask,
        // so this may be argument setup for a file/pipe open — unconfirmed.
        $sequence_8 = { 57 56 6a03 57 6a01 be00000040 }
            // n = 6, score = 700
            //   57                   | push                edi
            //   56                   | push                esi
            //   6a03                 | push                3
            //   57                   | push                edi
            //   6a01                 | push                1
            //   be00000040           | mov                 esi, 0x40000000

        // The trailing call (e8) has a wildcarded rel32 displacement so the
        // sequence matches regardless of where the callee was placed.
        $sequence_9 = { 83c410 8bf0 8b65fc 8d45f4 50 e8???????? }
            // n = 6, score = 700
            //   83c410               | add                 esp, 0x10
            //   8bf0                 | mov                 esi, eax
            //   8b65fc               | mov                 esp, dword ptr [ebp - 4]
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   e8????????           |                     

    condition:
        // 7 of the 10 sequences must co-occur in the same object; the size cap
        // targets unpacked modules and dumps, not full-process memory images.
        7 of them and filesize < 741376
}