SYMBOLCOMMON_NAMEaka. SYNONYMS
win.spyeye (Back to overview)

SpyEye

VTCollection    

SpyEye is a malware targeting both Microsoft Windows browsers and Apple iOS Safari. Originated in Russia, it was available in dark forums for $500+ claiming to be the "The Next Zeus Malware". It performed many functionalities typical from bankers trojan such as keyloggers, auto-fill credit card modules, email backups, config files (encrypted), http access, Pop3 grabbers and FTP grabbers. SpyEye allowed hackers to steal money from online bank accounts and initiate transactions even while valid users are logged into their bank account.

References
2021-05-07Department of JusticeOffice of Public Affairs
Four Individuals Plead Guilty to RICO Conspiracy Involving “Bulletproof Hosting” for Cybercriminals
Citadel SpyEye Zeus
2021-03-31Kaspersky SASKaspersky
Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-08-09F5 LabsDebbie Walkowski, Remi Cohen
Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2017-09-15MicrosoftMicrosoft
Trojan:Win32/Spyeye
SpyEye
2012-01-04PCWorldJeremy Kirk
SpyEye Malware Borrows Zeus Trick to Mask Fraud
SpyEye
2011-07-26ComputerworldJeremy Kirk
SpyEye Trojan defeating online banking defenses
SpyEye
2011-04-26Brian Krebs
SpyEye Targets Opera, Google Chrome Users
SpyEye
2010-09-17KrebsOnSecurityBrian Krebs
SpyEye Botnet’s Bogus Billing Feature
SpyEye
2010-06-15SANSHarshit Nayyar
Clash of the Titans: ZeuS v SpyEye
SpyEye
2010-04-01KrebsOnSecurityBrian Krebs
SpyEye vs. ZeuS Rivalry
SpyEye
2010-02-19MalwareIntelligenceJorge Mieres
SpyEye Bot (Part two). Conversations with the creator of crimeware
SpyEye
2010-02-04SymantecPeter Coogan
SpyEye Bot versus Zeus Bot
SpyEye
Yara Rules
[TLP:WHITE] win_spyeye_auto (20260504 | Detects win.spyeye.)
rule win_spyeye_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.spyeye."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8965fc ff7514 ff7510 ff750c ff7508 ffd0 }
            // n = 6, score = 700
            //   8965fc               | mov                 dword ptr [ebp - 4], esp
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd0                 | call                eax

        $sequence_1 = { 8d45e8 50 8d45e0 50 53 e8???????? 85c0 }
            // n = 7, score = 700
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_2 = { ff750c ff7508 ffd0 8b65fc }
            // n = 4, score = 700
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd0                 | call                eax
            //   8b65fc               | mov                 esp, dword ptr [ebp - 4]

        $sequence_3 = { 81fbffffff7f 7509 56 57 e8???????? 8bd8 3bde }
            // n = 7, score = 700
            //   81fbffffff7f         | cmp                 ebx, 0x7fffffff
            //   7509                 | jne                 0xb
            //   56                   | push                esi
            //   57                   | push                edi
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   3bde                 | cmp                 ebx, esi

        $sequence_4 = { 56 57 8b7d08 57 e8???????? 83f8ff }
            // n = 6, score = 700
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   57                   | push                edi
            //   e8????????           |                     
            //   83f8ff               | cmp                 eax, -1

        $sequence_5 = { 740e 837dfcff 7408 ff75fc e8???????? }
            // n = 5, score = 700
            //   740e                 | je                  0x10
            //   837dfcff             | cmp                 dword ptr [ebp - 4], -1
            //   7408                 | je                  0xa
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     

        $sequence_6 = { 837dfcff 7408 ff75fc e8???????? 3bdf }
            // n = 5, score = 700
            //   837dfcff             | cmp                 dword ptr [ebp - 4], -1
            //   7408                 | je                  0xa
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   3bdf                 | cmp                 ebx, edi

        $sequence_7 = { 57 6a01 be00000040 56 ff750c e8???????? }
            // n = 6, score = 700
            //   57                   | push                edi
            //   6a01                 | push                1
            //   be00000040           | mov                 esi, 0x40000000
            //   56                   | push                esi
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |                     

        $sequence_8 = { 53 e8???????? 85c0 7407 c745f801000000 397dfc }
            // n = 6, score = 700
            //   53                   | push                ebx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   c745f801000000       | mov                 dword ptr [ebp - 8], 1
            //   397dfc               | cmp                 dword ptr [ebp - 4], edi

        $sequence_9 = { ff7508 ffd0 8b65fc c9 c20400 55 }
            // n = 6, score = 700
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ffd0                 | call                eax
            //   8b65fc               | mov                 esp, dword ptr [ebp - 4]
            //   c9                   | leave               
            //   c20400               | ret                 4
            //   55                   | push                ebp

    condition:
        7 of them and filesize < 741376
}
Download all Yara Rules