win.hawkeye_keylogger

HawkEye Keylogger

aka: Predator Pain, HawkEye Reborn

No description is available for this family yet.

References
https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html
https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/
https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/
https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html
https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/
https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/
Yara Rules
[TLP:WHITE] win_hawkeye_keylogger_auto (20180607 | autogenerated rule brought to you by yara-signator)
rule win_hawkeye_keylogger_auto {
    // Code-sequence rule for HawkEye Keylogger, generated by yara-signator from the
    // disassembly of memory dumps and unpacked files (see DISCLAIMER below).
    // Apply it to unpacked code or process memory; a packed sample on disk is
    // unlikely to expose these byte sequences.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Each $sequence_N is a run of four consecutive 32-bit x86 instructions copied
    // verbatim from the analysed sample (the disassembly is given in the comments).
    // The e8 xx xx xx xx bytes are "call rel32" with a fixed displacement, so those
    // sequences are tied to the code layout of that build and may not survive a
    // recompile. Very short, generic runs such as $sequence_0 (pop/ret/ret/push)
    // can plausibly occur in unrelated code; the condition threshold is what keeps
    // the rule specific.
    strings:
        $sequence_0 = { 58 c3 c3 56 }
            // n = 4, score = 2000
            //   58                   | pop                 eax
            //   c3                   | ret                 
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_1 = { 56 8b7508 6a00 e8a008ffff }
            // n = 4, score = 2000
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   6a00                 | push                0
            //   e8a008ffff           | call                0x43bab4

        $sequence_2 = { 53 8bce ff5018 e874f3ffff }
            // n = 4, score = 2000
            //   53                   | push                ebx
            //   8bce                 | mov                 ecx, esi
            //   ff5018               | call                dword ptr [eax + 0x18]
            //   e874f3ffff           | call                0x418ac3

        $sequence_3 = { 8b742408 6a08 e8d308ffff 837c241000 }
            // n = 4, score = 2000
            //   8b742408             | mov                 esi, dword ptr [esp + 8]
            //   6a08                 | push                8
            //   e8d308ffff           | call                0x43bab4
            //   837c241000           | cmp                 dword ptr [esp + 0x10], 0

        $sequence_4 = { 8bf1 8d5e2c e865f3ffff ff74240c }
            // n = 4, score = 2000
            //   8bf1                 | mov                 esi, ecx
            //   8d5e2c               | lea                 ebx, dword ptr [esi + 0x2c]
            //   e865f3ffff           | call                0x418ac3
            //   ff74240c             | push                dword ptr [esp + 0xc]

        $sequence_5 = { 6a08 e8d308ffff 837c241000 59 }
            // n = 4, score = 2000
            //   6a08                 | push                8
            //   e8d308ffff           | call                0x43bab4
            //   837c241000           | cmp                 dword ptr [esp + 0x10], 0
            //   59                   | pop                 ecx

        $sequence_6 = { 8d5e2c e865f3ffff ff74240c 8bce }
            // n = 4, score = 2000
            //   8d5e2c               | lea                 ebx, dword ptr [esi + 0x2c]
            //   e865f3ffff           | call                0x418ac3
            //   ff74240c             | push                dword ptr [esp + 0xc]
            //   8bce                 | mov                 ecx, esi

        $sequence_7 = { c7462440000000 c7461c08000000 c20800 55 }
            // n = 4, score = 2000
            //   c7462440000000       | mov                 dword ptr [esi + 0x24], 0x40
            //   c7461c08000000       | mov                 dword ptr [esi + 0x1c], 8
            //   c20800               | ret                 8
            //   55                   | push                ebp

        $sequence_8 = { 6a08 58 c3 c3 }
            // n = 4, score = 2000
            //   6a08                 | push                8
            //   58                   | pop                 eax
            //   c3                   | ret                 
            //   c3                   | ret                 

        $sequence_9 = { 8bce e8fbf9ffff 5e 5b }
            // n = 4, score = 2000
            //   8bce                 | mov                 ecx, esi
            //   e8fbf9ffff           | call                0x419164
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

    // Requires 7 of the 10 sequences. Note that several pairs overlap in three of
    // their four instructions ($sequence_0/$sequence_8, $sequence_3/$sequence_5,
    // $sequence_4/$sequence_6), so a single code region can satisfy both members
    // of a pair; the number of independent code locations needed is therefore
    // somewhat lower than seven. Keep that in mind when assigning confidence.
    condition:
        7 of them
}
[TLP:WHITE] win_hawkeye_keylogger_w0   (20170517 | No description)
rule win_hawkeye_keylogger_w0 {
	// String-based rule for HawkEye Keylogger (Kevin Breen, 2015). Every pattern is
	// declared "wide", i.e. it matches only the UTF-16LE encoding of the text;
	// ASCII/UTF-8 occurrences of the same words do not count. Expect it to work on
	// unpacked or in-memory samples where these strings are exposed in clear.
	meta:
		author = " Kevin Breen <kevin@techanarchy.net>"
		date = "2015/06"
		ref = "http://malwareconfig.com/stats/HawkEye"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/HawkEye.yar"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

	strings:
		// $key and $salt are the author's names for two constants found in the
		// sample; their exact role in the malware is not established by this rule.
		$key = "HawkEyeKeylogger" wide
		$salt = "099u787978786" wide
		$string1 = "HawkEye_Keylogger" wide
		$string2 = "holdermail.txt" wide
		$string3 = "wallet.dat" wide
		$string4 = "Keylog Records" wide
    $string5 = "<!-- do not script -->" wide
    // "\\" is a YARA escape: the matched text is a single backslash, "\pidloc.txt".
    $string6 = "\\pidloc.txt" wide
    $string7 = "BSPLIT" wide

	// All nine strings must be present ($key, $salt and each of $string1..$string7).
	// That keeps false positives low but makes the rule brittle: a variant that
	// changes or drops any one of these strings will not match.
	condition:
		$key and $salt and all of ($string*)
}