win.spyeye (Back to overview)

SpyEye


SpyEye is a banking trojan targeting browsers on Microsoft Windows and, reportedly, Apple iOS Safari. Originating in Russia, it was sold on underground forums for $500 and up, advertised as "The Next Zeus Malware". It offered functionality typical of banking trojans: keyloggers, auto-fill credit-card modules, email backups, encrypted config files, HTTP access, POP3 grabbers and FTP grabbers. SpyEye allowed its operators to steal money from online bank accounts and initiate transactions even while the legitimate user was logged in to the account.

References
2017-09-15MicrosoftMicrosoft
@online{microsoft:20170915:trojanwin32spyeye:c1c6062, author = {Microsoft}, title = {{Trojan:Win32/Spyeye}}, date = {2017-09-15}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye}, language = {English}, urldate = {2019-11-24} } Trojan:Win32/Spyeye
SpyEye
2012-01-04PCWorldJeremy Kirk
@online{kirk:20120104:spyeye:3ecb013, author = {Jeremy Kirk}, title = {{SpyEye Malware Borrows Zeus Trick to Mask Fraud}}, date = {2012-01-04}, organization = {PCWorld}, url = {https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html}, language = {English}, urldate = {2020-01-08} } SpyEye Malware Borrows Zeus Trick to Mask Fraud
SpyEye
2011-07-26ComputerworldJeremy Kirk
@online{kirk:20110726:spyeye:a7ad044, author = {Jeremy Kirk}, title = {{SpyEye Trojan defeating online banking defenses}}, date = {2011-07-26}, organization = {Computerworld}, url = {https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html}, language = {English}, urldate = {2020-01-13} } SpyEye Trojan defeating online banking defenses
SpyEye
2011-04-26Brian Krebs
@online{krebs:20110426:spyeye:b9e984e, author = {Brian Krebs}, title = {{SpyEye Targets Opera, Google Chrome Users}}, date = {2011-04-26}, url = {https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/}, language = {English}, urldate = {2020-01-08} } SpyEye Targets Opera, Google Chrome Users
SpyEye
2010-09-17KrebsOnSecurityBrian Krebs
@online{krebs:20100917:spyeye:92d9e7f, author = {Brian Krebs}, title = {{SpyEye Botnet’s Bogus Billing Feature}}, date = {2010-09-17}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/}, language = {English}, urldate = {2019-10-15} } SpyEye Botnet’s Bogus Billing Feature
SpyEye
2010-06-15SANSHarshit Nayyar
@online{nayyar:20100615:clash:8d2f45c, author = {Harshit Nayyar}, title = {{Clash of the Titans: ZeuS v SpyEye}}, date = {2010-06-15}, organization = {SANS}, url = {https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393}, language = {English}, urldate = {2020-01-09} } Clash of the Titans: ZeuS v SpyEye
SpyEye
2010-04-01KrebsOnSecurityBrian Krebs
@online{krebs:20100401:spyeye:d557888, author = {Brian Krebs}, title = {{SpyEye vs. ZeuS Rivalry}}, date = {2010-04-01}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/}, language = {English}, urldate = {2019-11-28} } SpyEye vs. ZeuS Rivalry
SpyEye
2010-02-19MalwareIntelligenceJorge Mieres
@online{mieres:20100219:spyeye:244807f, author = {Jorge Mieres}, title = {{SpyEye Bot (Part two). Conversations with the creator of crimeware}}, date = {2010-02-19}, organization = {MalwareIntelligence}, url = {http://malwareint.blogspot.com/2010/02/spyeye-bot-part-two-conversations-with.html}, language = {English}, urldate = {2020-01-13} } SpyEye Bot (Part two). Conversations with the creator of crimeware
SpyEye
2010-02-04SymantecPeter Coogan
@online{coogan:20100204:spyeye:5c54efe, author = {Peter Coogan}, title = {{SpyEye Bot versus Zeus Bot}}, date = {2010-02-04}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot}, language = {English}, urldate = {2020-01-06} } SpyEye Bot versus Zeus Bot
SpyEye
Yara Rules
[TLP:WHITE] win_spyeye_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_spyeye_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on reading and deploying this rule:
     * - Every pattern is a short run of 32-bit x86 instructions. The "?? ?? ?? ??"
     *   wildcard masks the relative displacement of a near call (e8) so the
     *   pattern is not tied to one particular layout of the binary.
     * - $seq_2, $seq_3 and $seq_7 are variations of one indirect-call wrapper
     *   ("call eax; mov esp,[ebp-4]; leave; ret N"). Such epilogues are fairly
     *   generic and could plausibly occur in unrelated code; the 7-of-10
     *   threshold is what keeps the rule from firing on those alone. A hit that
     *   is carried mostly by these three should be corroborated before it is
     *   used as an attribution signal.
     * - The rule was derived from unpacked samples / memory dumps, so apply it
     *   to unpacked code or dumps rather than to packed droppers on disk.
     */

    strings:
        // push 0x40000000 (the value of GENERIC_WRITE); push edi; call ??;
        // mov edi, eax; cmp edi, -1. Looks like an open-handle call whose result
        // is compared against INVALID_HANDLE_VALUE -- inferred from the
        // constants only, the callee is masked.
        $seq_0 = { 68 00 00 00 40 57 e8 ?? ?? ?? ?? 8b f8 83 ff ff }          // n = 5, score = 700

        // push 3; push edi; push 1; push esi; push [ebp+0xc]; call ??; mov ebx, eax.
        // Five-argument call with two small immediates; callee unknown.
        $seq_1 = { 6a 03 57 6a 01 56 ff 75 0c e8 ?? ?? ?? ?? 8b d8 }          // n = 7, score = 700

        // push [ebp+8]; call eax; mov esp, [ebp-4]; leave; ret 8; push ebp.
        // One-argument indirect call wrapper that restores a saved esp before
        // returning, followed by the prologue of the next function.
        $seq_2 = { ff 75 08 ff d0 8b 65 fc c9 c2 08 00 55 }                   // n = 6, score = 700

        // mov [ebp-4], esp; push [ebp+0xc]; push [ebp+8]; call eax;
        // mov esp, [ebp-4]; leave; ret 8. Two-argument form of the same wrapper.
        $seq_3 = { 89 65 fc ff 75 0c ff 75 08 ff d0 8b 65 fc c9 c2 08 00 }    // n = 7, score = 700

        // push esi; push ebx; push edi; call ??; cmp eax, -1.
        // Three-register call whose result is tested for -1.
        $seq_4 = { 56 53 57 e8 ?? ?? ?? ?? 83 f8 ff }                         // n = 5, score = 700

        // push 0x89; push [ebp+8]; xor ebx, ebx; mov [ebp-8], edi.
        // The 0x89 immediate also appears in $seq_6; its meaning is not
        // recoverable from the bytes alone.
        $seq_5 = { 68 89 00 00 00 ff 75 08 33 db 89 7d f8 }                   // n = 4, score = 700

        // mov esi, 0x80; push esi; push 3; push edi; push 1; push 0x89.
        // Argument setup sharing the 3 / 1 / 0x89 immediates with $seq_1/$seq_5.
        $seq_6 = { be 80 00 00 00 56 6a 03 57 6a 01 68 89 00 00 00 }          // n = 6, score = 700

        // push [ebp+0x10]; push [ebp+0xc]; push [ebp+8]; call eax;
        // mov esp, [ebp-4]; leave. Three-argument form of the call wrapper.
        $seq_7 = { ff 75 10 ff 75 0c ff 75 08 ff d0 8b 65 fc c9 }             // n = 6, score = 700

        // leave; ret 0x10; push ebp; mov ebp, esp; push ecx; push 0xae17c571.
        // The 32-bit immediate is the most sample-specific byte run in the
        // rule; whether it is a hash, a key or a marker is not determinable here.
        $seq_8 = { c9 c2 10 00 55 8b ec 51 68 71 c5 17 ae }                   // n = 6, score = 700

        // push edi; mov edi, [ebp+8]; push edi; call ??; cmp eax, -1;
        // je +0xc; and eax, 0xfffffffe. Result checked for -1, then its low
        // bit is cleared.
        $seq_9 = { 57 8b 7d 08 57 e8 ?? ?? ?? ?? 83 f8 ff 74 0a 83 e0 fe }    // n = 7, score = 700

    condition:
        // Any 7 of the 10 sequences, within an object smaller than 741376 bytes
        // (724 KiB). filesize is the size of the scanned object; check the YARA
        // documentation for how it behaves when scanning a live process rather
        // than a file or dump.
        7 of ($seq_*) and filesize < 741376
}