Trojan SpyEye (alias Pincav)

Forum for analysis and discussion about malware.
rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Fri Apr 13, 2012 2:09 pm

EP_X0FF wrote: SpyEye was much more widely spread on black market than for example TDL.
Oh, I know, and this is one of the reasons that the SpyEye guys were identified and are defendants in the ZBot-botnet "taken down" story.
kevinfisher
Posts: 1
Joined: Thu Apr 12, 2012 4:20 am

Mon Apr 30, 2012 1:58 am

Hi,

Anyone have a sample of this?
https://www.virustotal.com/file/99da9cc ... /analysis/
a) name: Artemis!D0BBB116666C
b) SHA256: 99da9ccef2a9d110a0059c56bb9c2a11cfe0c68c8ef00251befc27f6d26d56d7

Thanks!
hx1997
Posts: 101
Joined: Sat Apr 07, 2012 12:16 am

Mon Apr 30, 2012 8:27 am

kevinfisher wrote: Hi,

Anyone have a sample of this?
https://www.virustotal.com/file/99da9cc ... /analysis/
a) name: Artemis!D0BBB116666C
b) SHA256: 99da9ccef2a9d110a0059c56bb9c2a11cfe0c68c8ef00251befc27f6d26d56d7

Thanks!
Hi, 99da9ccef2a9d110a0059c56bb9c2a11cfe0c68c8ef00251befc27f6d26d56d7 is attached.
markusg
Posts: 735
Joined: Mon Mar 15, 2010 2:53 pm

Tue May 08, 2012 6:27 pm

Albus
Posts: 2
Joined: Wed Nov 16, 2011 10:52 am

Fri May 18, 2012 8:05 am

Decrypted config is attached.
Password is "infected".
Flamef
Posts: 65
Joined: Thu Jul 07, 2011 6:06 pm

Sun May 20, 2012 3:48 pm

Found a video on how to unpack SpyEye, which seemed interesting: http://www.youtube.com/watch?v=ns7fQhSN ... tu.be&hd=1 .
It says that the config password can be found in Explorer.exe (where SpyEye injects its code). Is this possible? If yes, I guess you must be experienced in order to accomplish it.
I just read somewhere that SpyEye hooks several APIs, including HttpSendRequestA. It hooks HttpSendRequestA in order to monitor visited URLs and search engine queries, as well as to steal credentials for any websites the user logs into, right?
By the way, is there any effective way to determine the purpose of hooked APIs? For example, why does SpyEye hook InternetWriteFile etc.?
Any other way than debugging it?
rkhunter
Posts: 1156
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Sun May 20, 2012 5:07 pm

Flamef wrote: I just read somewhere that SpyEye hooks several APIs, including HttpSendRequestA. It hooks HttpSendRequestA in order to monitor visited URLs and search engine queries, as well as to steal credentials for any websites the user logs into, right?
http://artemonsecurity.blogspot.com/201 ... -tool.html
EP_X0FF
Global Moderator
Posts: 4887
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Sun May 20, 2012 5:46 pm

Flamef wrote: It says that the config password can be found in Explorer.exe (where SpyEye injects its code). Is this possible?
Yes.
Flamef wrote: If yes, I guess you must be experienced in order to accomplish it.
No.
Flamef wrote: I just read somewhere that SpyEye hooks several APIs, including HttpSendRequestA. It hooks HttpSendRequestA in order to monitor visited URLs and search engine queries, as well as to steal credentials for any websites the user logs into, right?
Yes.
Flamef wrote: By the way, is there any effective way to determine the purpose of hooked APIs?
RE + live analysis + network activity analysis. There are no easy ways.
Flamef wrote: For example, why does SpyEye hook InternetWriteFile etc.?
It grabs login info and cookies for websites to let SpyEye plugins modify request headers before sending the request. So before calling the real InternetWriteFile, the params of this routine are passed to SpyEye plugins that have a Callback_ChangePostRequest function. Of course the plugin must support this callback.
Ring0 - the source of inspiration
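As an added example (not from the thread or any poster), one defensive check against the user-mode hooking EP_X0FF describes: compare the in-memory prologue of wininet exports such as HttpSendRequestA and InternetWriteFile with the bytes on disk, decode the branch that replaced it, and see whether it lands inside a loaded module or in private memory, which is where injected code ends up. All byte samples, addresses and module ranges below are constructed; a real scanner would read them from the target process and the DLL file.

```python
import struct

# Constructed sample data: first 8 bytes of three wininet exports as in the DLL on
# disk (CLEAN) and as read from a live process (LIVE), plus hypothetical addresses.
CLEAN = {
    "HttpSendRequestA":  bytes.fromhex("8bff558bec83ec2c"),
    "InternetWriteFile": bytes.fromhex("8bff558bec83ec18"),
    "InternetReadFile":  bytes.fromhex("8bff558bec83ec10"),
}
LIVE = {
    "HttpSendRequestA":  bytes.fromhex("e9fbfef48883ec2c"),  # jmp rel32 into private memory
    "InternetWriteFile": bytes.fromhex("6800041500c3ec18"),  # push imm32 ; ret trampoline
    "InternetReadFile":  bytes.fromhex("8bff558bec83ec10"),  # untouched
}
ADDR = {"HttpSendRequestA": 0x77200100, "InternetWriteFile": 0x77200200,
        "InternetReadFile": 0x77200300}
MODULES = {"wininet.dll": (0x77200000, 0x772F0000), "kernel32.dll": (0x7C800000, 0x7C900000)}

def decode_redirect(code, va):
    """Return (kind, target) if the prologue starts with a control transfer, else None."""
    if code[0] == 0xE9 and len(code) >= 5:                       # jmp rel32
        return ("jmp rel32", (va + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF)
    if code[0] == 0xEB and len(code) >= 2:                       # jmp rel8
        return ("jmp rel8", (va + 2 + struct.unpack_from("<b", code, 1)[0]) & 0xFFFFFFFF)
    if code[:2] == b"\xff\x25" and len(code) >= 6:               # jmp [abs32]
        return ("jmp [abs32]", struct.unpack_from("<I", code, 2)[0])
    if code[0] == 0x68 and len(code) >= 6 and code[5] == 0xC3:   # push imm32 ; ret
        return ("push/ret", struct.unpack_from("<I", code, 1)[0])
    return None

def owning_module(target, modules=MODULES):
    """Name of the loaded module containing target, or None for private memory."""
    for name, (lo, hi) in modules.items():
        if lo <= target < hi:
            return name
    return None

def scan_hooks(clean=CLEAN, live=LIVE, addrs=ADDR, modules=MODULES):
    """List (export, kind, target, module) for every export whose live prologue
    differs from the on-disk one. A target owned by no module points at injected code."""
    findings = []
    for name, disk in clean.items():
        mem = live.get(name)
        if mem is None or mem == disk:
            continue
        red = decode_redirect(mem, addrs[name])
        if red is None:
            findings.append((name, "patched (no branch)", None, None))
        else:
            findings.append((name, red[0], red[1], owning_module(red[1], modules)))
    return findings
```

A branch whose target sits inside a signed, loaded module (an AV or EDR shim) is a different finding from one landing in anonymous memory; the module column is what separates the two.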
360Tencent
Posts: 116
Joined: Thu Dec 15, 2011 12:47 pm

Wed May 23, 2012 3:30 am

http://blog.gdatasoftware.com/blog/arti ... -name.html

SHA256: shown in "an interesting spyeye build"

and maybe Kaspersky also found it:

http://www.securelist.com/en/blog/208193513/Big_Brother