A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12688  by rkhunter
 Fri Apr 13, 2012 2:09 pm
EP_X0FF wrote:SpyEye was much more widely spread on black market than for example TDL.
Oh, I know and this is one of the reason that SpyEye guys were identificated and are defendants of ZBot-botnet "taken down" story.
 #12957  by hx1997
 Mon Apr 30, 2012 8:27 am
kevinfisher wrote:Hi,

Any one has a sample of this?
https://www.virustotal.com/file/99da9cc ... /analysis/
a) name: Artemis!D0BBB116666C
b) SHA256: 99da9ccef2a9d110a0059c56bb9c2a11cfe0c68c8ef00251befc27f6d26d56d7

Thanks!
Hi, 99da9ccef2a9d110a0059c56bb9c2a11cfe0c68c8ef00251befc27f6d26d56d7 in attach.
You do not have the required permissions to view the files attached to this post.
 #13327  by Flamef
 Sun May 20, 2012 3:48 pm
Found a video,how to unpack Spyeye and seemed interesting http://www.youtube.com/watch?v=ns7fQhSN ... tu.be&hd=1 .
It says that config password can be found in the Explorer.exe(where spyeye injects its code),is this possible?If yes,i guess you must be experienced in order accomplish it.
I just read somewhere,that Spyeye hooks several APIS,including HttpSendRequestA.It hooks HttpSendRequestA in order to monitor visited URLs and search engine queries,as well as to steal credentials for any websites user logs into,right?
By the way,is there any effective way to determine the purpose of hooked API's?For example why does Spyeye hooks InternetWriteFile etc?
Other way than debugging it?
 #13333  by EP_X0FF
 Sun May 20, 2012 5:46 pm
Flamef wrote:It says that config password can be found in the Explorer.exe(where spyeye injects its code),is this possible?
Yes.
If yes,i guess you must be experienced in order accomplish it.
No.
I just read somewhere,that Spyeye hooks several APIS,including HttpSendRequestA.It hooks HttpSendRequestA in order to monitor visited URLs and search engine queries,as well as to steal credentials for any websites user logs into,right?
Yes.
By the way,is there any effective way to determine the purpose of hooked API's?


RE + live analysis + network activity analysis. There are no easy ways.
For example why does Spyeye hooks InternetWriteFile etc?
It grab login info and cookies for websites to let SpyEye plugins modify request headers before sending request. So before calling real InternetWriteFile params of this routine passed to SpyEye plugins that have Callback_ChangePostRequest function. Of course plugin must support this callback.
  • 1
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42