BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
16
Global rank
51 infographic chevron month
Month rank
58 infographic chevron week
Week rank
519
IOCs

Hawkeye often gets installed in a bundle with other malware. This is a Trojan and keylogger that is used to retrieve private information such as passwords and login credentials. This is an advanced malware that features strong anti-evasion functions.

Keylogger
Type
Unknown
Origin
1 January, 2013
First seen
14 February, 2024
Last seen
Also known as
Predator Pain
HawkEye Reborn

How to analyze Hawkeye with ANY.RUN

Type
Unknown
Origin
1 January, 2013
First seen
14 February, 2024
Last seen

IOCs

Hashes
413a42c64c862a424e79979d3026c1f26b024165844955b79ed1b721452cb5a3
f11baabe455c3de987af3dfaf0e4f18e3d710e9a30201d475f5cfc815530f477
ba02bb1d70f89855db9e8282b7663e4a0929eb1fe3e033ded9852887a5a89482
758d83537ae892881b18a246827db4f8e70f556a4f2d8678bc2e95079ca1a1a6
cc515da48783f53ad962940c229d7d7639306760183007bb9db1888eee1f1701
f627f36ccebc43271b4a81606ee095c40684e458eaf0dc65bb7166a7d441ab29
f7e9d1cfd5116f8b834a014cad91c3cf3362423c2ef36dfa65c4c5a95c975fd2
7c83fbdc8c7108d705b5f0dba74d7d765dfac7e5311273e03cd2e21d48a1dd4d
59dfab2e1cfb701eb41cfa86fb86658ab388475da5f936c802c63276eca06795
eabe7a328a8c330407eec24e5a1c08f983b8ef4b032798cf6f7acc914e8c9fd6
8e8c82a1e703ceb979d35c4441c036cc9f3bdf3df29b47d3cd9edb58e16a03e8
1745870e72b522d26907dd2a6b9005804bf5aa390df6cc9cac32d3cd1d118cfc
0299150a64cbdf7b7ec5048b5ddab864171910cf4ed9da586a44caa2228be443
4862edfbf96fcb5c48f2b095f5e111d550e5c771d87e0576c6aaaae4095fe550
9e9f92380f188db60ef0e21107e13c96aa6d3c08489b746ccb8a20ec9b15f5e3
29fc63c40c257f95215bf9c5072c6e3ef4e4999193f8c786f8cc4981a0da2f0d
49b97300ef5876903c2907267926d50670520830acf64e6c1245b691ea47ec4e
f8065278001b9ac6c296fbd3dac4146bc1da3c1fe75465b9289591b4303b22bc
92376bf56f0b6dd0a4f1bc99ae63012ca37e407cfd2fea3a3c93dedc1e2046c1
0a0e7c81912b02e6ec1c7fbb338f4ef200e23d441d57c692cc88fef616593f0d
Last Seen at

Recent blog posts

post image
Analyzing Linux Malware in ANY.RUN: 3 exampl...
watchers 283
comments 0
post image
What is Crypto Malware: Definition and Analys...
watchers 271
comments 0
post image
Understanding Macros in Malware: Types, Capab...
watchers 378
comments 0

What is Hawkeye malware?

Hawkeye, also known as Predator Pain, is a dangerous trojan and keylogger - a malware used to steal information from PCs. It has very advanced detection evasion and information stealing functionality. Hawkeye can be combined with other malicious software to steal passwords from email clients and web browsers.

Available as a service on the dark web, Hawkeye can be used even by non-technically savvy attackers. In addition, this malware is known to have been advertised for some time on the general Internet on its own website, which today is unavailable. What’s more, the creators of Hawkeye have developed a unique business model in which intermediaries are used for reselling the malware.

General description of Hawkeye

Hawkeye keylogger is capable of stealing a variety of information from the victim's PC, including passwords from mail clients, web browsers, and bitcoin wallet information, as ransomware does. Furthermore, this malware can take screenshots, have a keylogger functionality, and retrieve data from the Internet download manager to employ JDownloader to steal passwords.

Predator Pain targets victims worldwide, but its attacks are being registered most often in the countries with the wealthiest economies, according to the GPD data, such as the USA, Canada, Italy, and others.

Hawkeye keylogger employs a sophisticated technique to stay hidden from the antiviruses called process hollowing. In essence, the Trojan generates a new instance of a harmless process to swap the native code with a malicious one subsequently. The 8 version of Hawkeye keylogger is different from previous iterations of the malware. Instead of running the main malicious code as a new process, the latest build injects the payload into MSBuild.exe, RegAsm.exe, and VBC.exe, which are a part of the .NET framework, enabling the virus to further disguises itself as a real and harmless process.

Another difference between the newest Predator Pain version from the older ones is that instead of being written in C, now it uses .NET and calls the native Windows API directly.

The primary function of the Hawkeye keylogger is to record the key and mouse presses along with window context and clipboard data. In addition, the malware has special modules that allow it to derive information from certain applications, including a popular video game Minecraft, the FTP client FileZilla and others.

Somewhat standardly, Predator Pain utilizes real BrowserPassView and MailPassView tools to save data from browsers and emails. In addition, the malware is able to activate and take control of the webcam if the infected machine has one connected.

To prevent detection and analysis, Hawkeye comes equipped with a series of anti-evasion tools besides processes hollowing. For instance, the malware sets a delay before being executed, which helps it trick some of the automated sandbox analysis tools. It also comes equipped with a technique that targets specific antivirus processes and stops them from executing and blocks access to several domains used by antivirus programs for updating.

What’s more, the malware takes active steps to prevent the victim from disabling its own processes by taking control over command prompt, registry editor, and task manager. At the same time, Hawkeye constantly scans the computer for other malicious programs and instantly deletes them if found.

Hawkeye keylogger malware analysis

The execution process of the Predator Pain keylogger can be reviewed in a lot of detail in a video recorded in the ANY.RUN malware hunting service

hawkeye execution process graph

Figure 1. a visual process graph generated by ANY.RUN allows reviewing the lifecycle of the Hawkeye quickly

text report of the hawkeye malware analysis

Figure 2. ANY.RUN also allows researchers to generate customizable text reports which are a great way to present the analysis results

Hawkeye execution process

hawkeye execution process tree

Figure 3. Execution processes of Hawkeye as displayed by the ANY.RUN malware hunting service

Hawkeye keylogger often reaches users' devices through phishing emails, most commonly as a malicious Microsoft Office file, such as Docx file. After the user opens the downloaded file, it either asks the user to enable macros or uses vulnerabilities to download and execute the main payload. In most cases, it downloads itself into the %AppData% folder. To maintain its presence, the malware adds itself to the autorun registry. It also uses process hollowing to hide its code in legitimate processes. For example, the 8 version of Hawkeye, presented in this task from our simulation, injects itself into MSBuild.exe, RegAsm.exe, or VBC.exe. Before sending information to the control server, Hawkeye saves stolen data in Tmp files into the %Temp% folder. Usually, these Tmp files are deleted after the information is sent to a control server.

stolen by hawkeye data saved in tmp file

Figure 4. Information saved in .TMP file

How to avoid infection by Hawkeye?

Following some common online hygiene guidelines is a good way to stay safe from getting infected with Hawkeye. In addition, users should be careful when downloading free software from unknown or suspicious websites and carefully check the URLs when downloading any software in general.

In addition, after receiving a suspicious email or an email from an unidentified sender, users should be cautious when downloading attachments. Although the opened document prompts the user to enable macros or activate the editing, users must never follow these instructions as they most likely indicate the file's malicious nature.

Distribution of Hawkeye

Hawkeye trojan uses multiple distribution methods, including packaging within free downloadable programs or disguised as legitimate software. Hawkeye can also be installed on the victim’s PC manually if the attacker gains remote or physical access to the machine.

However, the most commonly used distribution method is email phishing, the same as ransomware, where the malware is distributed as a malicious attachment, usually a Microsoft Word document. The technique is used by different malware, including Ursnif and Raccoon. Known phishing campaigns usually revolve around notifications regarding an issue with a real product, quotation requests, payment orders, or random or personal, disturbing topics aimed at tricking the victim into downloading the attachment.

In most cases, the Microsoft Office opens the document with a warning, and Hawkeye displays a message prompting to enable editing. Thus, the user must interact with to make the trojan start the execution process. However, in some other cases, the malware uses Microsoft Office exploits, allowing Hawkeye to start the execution without any user interaction.

How to detect Hawkeye using ANY.RUN?

Some versions of this malware create files that allow analysts to say for sure that this is Hawkeye. First, click on the malicious process in the process tree and then click the "More info" button. Then, in the upper-right corner of the "Events" panel, switch from "Friendly" to "Raw." Now you see all operations with files that were performed by a chosen process. Often, this malware family tries to create files with "Reborn" in their names. And based on that type, you can determine that it is Hawkeye.

Files created by hawkeye Figure 5: Files created by Hawkeye

Conclusion

Carrying extremely advanced anti-evasion techniques and robust info-stealing functionality, Hawkeye presents a danger to corporations and individuals all around the globe. Unfortunately, the distribution of malware as a service allows even non-technically savvy cybercriminals to set up effective attack campaigns, contributing to the overall popularity of the virus.

Furthermore, Hawkeye trojan uses a set of special techniques to complicate the analysis and trick automated analysis services and confuse the development of countermeasures.

However, interactive analysis services like ANY.RUN gives researchers the ability to examine malware even as elusive as Hawkeye is and conduct effective studies.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy