win.hawkeye_keylogger

HawkEye Keylogger

aka: HawkEye, HawkEye Reborn, Predator Pain

HawkEye is a keylogger that has been distributed since 2013. Discovered by IBM X-Force, it is currently spread via phishing campaigns targeting businesses worldwide. It is designed to steal credentials from numerous applications, but in the most recently observed versions new "loader capabilities" have also been spotted. It is sold by its development team on dark web markets and hacking forums.

References

2020-03-20 | Bitdefender | Liviu Arsene
5 Times More Coronavirus-themed Malware Reports during March
https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter (retrieved 2020-03-26)
Families: ostap, GuLoader, HawkEye Keylogger, Koadic, Loki Password Stealer (PWS), Nanocore RAT, Remcos

2020-02-20 | GovCERT.ch | GovCERT.ch
Analysis of an Unusual HawkEye Sample
https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/ (retrieved 2020-02-20)
Families: HawkEye Keylogger

2019-08-13 | Cyberbit | Hod Gavriel
HawkEye Malware Changes Keylogging Technique
https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/ (retrieved 2020-01-08)
Families: HawkEye Keylogger

2019-06-18 | Fortinet | Xiaopeng Zhang
Analysis of a New HawkEye Variant
https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html (retrieved 2020-01-13)
Families: HawkEye Keylogger

2019-04-15 | Talos | Edmund Brumaghin, Holger Unterbrink
New HawkEye Reborn Variant Emerges Following Ownership Change
https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html (retrieved 2020-01-09)
Families: HawkEye Keylogger

2018-07-11 | Microsoft | Office 365 Threat Research
Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis
https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/ (retrieved 2019-11-27)
Families: HawkEye Keylogger

2017-07-25 | FireEye | Yogesh Londhe, Swapnil Patil
HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign
https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html (retrieved 2019-12-20)
Families: HawkEye Keylogger

2016-07-01 | SpiderLabs Blog | Rodel Mendrez
How I Cracked a Keylogger and Ended Up in Someone's Inbox
https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/ (retrieved 2019-07-11)
Families: HawkEye Keylogger

2016-02-29 | Sophos | Paul Ducklin
The "HawkEye" attack: how cybercrooks target small businesses for big money
https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/ (retrieved 2019-11-27)
Families: HawkEye Keylogger

2015-10-16 | Palo Alto Networks Unit 42 | Rob Downs
Surveillance Malware Trends: Tracking Predator Pain and HawkEye
https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/ (retrieved 2019-12-20)
Families: HawkEye Keylogger

2014-04-27 | StopMalvertising | Kimberly
Analysis of the Predator Pain Keylogger
http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html (retrieved 2019-11-24)
Families: HawkEye Keylogger
Yara Rules
[TLP:WHITE] win_hawkeye_keylogger_w0 (20170517 | No description)
rule win_hawkeye_keylogger_w0 {
    meta:
        author = "Kevin Breen <kevin@techanarchy.net>"
        date = "2015/06"
        ref = "http://malwareconfig.com/stats/HawkEye"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/HawkEye.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Hardcoded key and salt used by the keylogger's configuration handling
        $key = "HawkEyeKeylogger" wide
        $salt = "099u787978786" wide
        // Strings present in the sample's string table
        $string1 = "HawkEye_Keylogger" wide
        $string2 = "holdermail.txt" wide
        $string3 = "wallet.dat" wide
        $string4 = "Keylog Records" wide
        $string5 = "<!-- do not script -->" wide
        $string6 = "\\pidloc.txt" wide
        $string7 = "BSPLIT" wide

    condition:
        // All strings are required, which keeps the rule specific at the cost of
        // missing variants that change any one of them
        $key and $salt and all of ($string*)
}