win.hawkeye_keylogger

HawkEye Keylogger

aka: Predator Pain, HawkEye Reborn

There is no description at this point.

References
http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html
https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html
https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/
https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/
https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/
https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/
https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html
https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/
Yara Rules
[TLP:WHITE] win_hawkeye_keylogger_w0 (20170517 | No description)
rule win_hawkeye_keylogger_w0 {
	meta:
		author = "Kevin Breen <kevin@techanarchy.net>"
		date = "2015/06"
		ref = "http://malwareconfig.com/stats/HawkEye"
		source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/HawkEye.yar"
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger"
		malpedia_version = "20170517"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"

	strings:
		$key = "HawkEyeKeylogger" wide
		$salt = "099u787978786" wide
		$string1 = "HawkEye_Keylogger" wide
		$string2 = "holdermail.txt" wide
		$string3 = "wallet.dat" wide
		$string4 = "Keylog Records" wide
		$string5 = "<!-- do not script -->" wide
		$string6 = "\\pidloc.txt" wide
		$string7 = "BSPLIT" wide

	condition:
		$key and $salt and all of ($string*)
}