{
	"id": "71c6b531-b570-4737-bc4a-b9fddbc5f4c6",
	"created_at": "2026-04-06T00:17:19.934797Z",
	"updated_at": "2026-04-10T03:20:31.913821Z",
	"deleted_at": null,
	"sha1_hash": "2ceb0a36b3c794417f3a8dad8e086871d37d19d2",
	"title": "malware-analysis-writeups/HawkEye/HawkEye.md at main · itaymigdal/malware-analysis-writeups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2575785,
	"plain_text": "malware-analysis-writeups/HawkEye/HawkEye.md at main · itaymigdal/malware-analysis-writeups\r\nBy itaymigdal\r\nArchived: 2026-04-05 20:44:31 UTC\r\nMalware name: HawkEye\r\nFile type: x32 exe (.NET)\r\nSHA256: b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a\r\nAnalysis process\r\nThe file is a .NET PE:\r\nOn execution the file spawns a child process of the legitimate .NET AppLaunch.exe:\r\nhttps://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md\r\nThere is only one reason to do that - Process Hollowing (a.k.a. RunPE). As I learned from the great OALabs channel, whenever you want to break with a debugger on an injection into a remote process, CreateProcessInternalW and WriteProcessMemory are the first calls you want to put a breakpoint on. Doing as I learned gave me a quick treat:\r\nThe malware calls CreateProcessInternalW, passes AppLaunch.exe as the application to launch, and 4 (CREATE_SUSPENDED) as the seventh argument (dwCreationFlags), which creates the process in suspended mode (Process Hollowing creates the process suspended so it can hollow out the process, inject, and then resume execution).\r\nWe could manually find the unpacked PE in memory and dump it, and we can also be lazy and let the great hollows_hunter.exe do it for us:\r\n😊\r\nDropping the unpacked file (.NET as well) into dnSpy hollows out our eyes 😨:\r\nNot sure if the file was dumped successfully or this one is perfectly obfuscated. Trying to deobfuscate with de4dot:\r\nis throwing an error..
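What hollows_hunter automates in the step above, written out as an added example (my code, not the writeup author's and not hollows_hunter's own): scan a memory region for valid MZ/PE headers, report whether each image is .NET (non-empty CLR runtime header directory, which is what makes a carved payload a candidate for dnSpy), and realign a memory-mapped image back to file layout so the dump parses on disk. The sample image and the surrounding junk are constructed inline and are not the HawkEye payload; all offsets follow the PE/COFF specification.

```python
import struct

# PE format constants (fixed by the PE/COFF specification).
MZ_MAGIC = b'MZ'
PE_MAGIC = b'PE' + bytes(2)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_DIRECTORY_INDEX = 14            # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
MACHINES = {0x14C: 'x86', 0x8664: 'x64'}

def u16(b, o): return struct.unpack_from('<H', b, o)[0]
def u32(b, o): return struct.unpack_from('<I', b, o)[0]

def parse_image(blob, off):
    # Validate an MZ/PE header at blob[off:] and return its key fields, or None if it is not a real PE.
    if blob[off:off + 2] != MZ_MAGIC or off + 0x40 > len(blob):
        return None
    pe = off + u32(blob, off + 0x3C)                      # e_lfanew
    if pe + 24 > len(blob) or blob[pe:pe + 4] != PE_MAGIC:
        return None
    nsec, opt_size = u16(blob, pe + 6), u16(blob, pe + 20)
    opt = pe + 24                                         # optional header follows the 20-byte COFF header
    if opt + opt_size + nsec * 40 > len(blob):
        return None
    magic = u16(blob, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return None
    dd = opt + (96 if magic == PE32_MAGIC else 112)      # start of the data directories
    clr_rva = u32(blob, dd + CLR_DIRECTORY_INDEX * 8)
    clr_size = u32(blob, dd + CLR_DIRECTORY_INDEX * 8 + 4)
    sections = []
    for i in range(nsec):
        s = opt + opt_size + i * 40                       # 40-byte IMAGE_SECTION_HEADER entries
        sections.append({'name': blob[s:s + 8].rstrip(bytes(1)).decode('ascii', 'replace'),
                         'vsize': u32(blob, s + 8), 'va': u32(blob, s + 12),
                         'raw_size': u32(blob, s + 16), 'raw_ptr': u32(blob, s + 20)})
    return {'offset': off, 'machine': MACHINES.get(u16(blob, pe + 4), 'unknown'),
            'size_of_image': u32(blob, opt + 56), 'size_of_headers': u32(blob, opt + 60),
            'is_dotnet': clr_rva != 0 and clr_size != 0, 'sections': sections}

def carve_pe_images(blob):
    # Scan a memory region for every valid MZ/PE header (what a hollowing dumper does to locate the payload).
    found, pos = [], 0
    while True:
        pos = blob.find(MZ_MAGIC, pos)
        if pos < 0:
            return found
        info = parse_image(blob, pos)
        if info:
            found.append(info)
        pos += 1                                          # decoy MZ strings and nested images are common

def realign_to_file(blob, info):
    # Convert a memory-mapped image (sections at VirtualAddress) back to on-disk layout
    # (sections at PointerToRawData) so the dump loads in a PE parser or decompiler.
    off = info['offset']
    out = bytearray(max((s['raw_ptr'] + s['raw_size'] for s in info['sections']),
                        default=info['size_of_headers']))
    out[:info['size_of_headers']] = blob[off:off + info['size_of_headers']]
    for s in info['sections']:
        chunk = blob[off + s['va']:off + s['va'] + s['raw_size']]
        out[s['raw_ptr']:s['raw_ptr'] + len(chunk)] = chunk
    return bytes(out)

def build_sample_image():
    # Constructed test input: a minimal PE32 .NET image laid out as it would sit in the hollowed
    # process (SectionAlignment 0x1000, FileAlignment 0x200). Not a real sample.
    img = bytearray(0x3000)
    img[0:2] = MZ_MAGIC
    struct.pack_into('<I', img, 0x3C, 0x40)                                   # e_lfanew
    img[0x40:0x44] = PE_MAGIC
    struct.pack_into('<HHIIIHH', img, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x0102)   # COFF header
    opt = 0x58
    struct.pack_into('<H', img, opt, PE32_MAGIC)
    struct.pack_into('<II', img, opt + 56, 0x3000, 0x200)                     # SizeOfImage, SizeOfHeaders
    struct.pack_into('<II', img, opt + 96 + CLR_DIRECTORY_INDEX * 8, 0x2000, 0x48)  # CLR runtime header
    sec = opt + 224
    struct.pack_into('<8sIIII', img, sec, b'.text', 0x100, 0x1000, 0x200, 0x200)
    struct.pack_into('<8sIIII', img, sec + 40, b'.data', 0x80, 0x2000, 0x200, 0x400)
    img[0x1000:0x100B] = b'TEXTSECTION'
    img[0x2000:0x200B] = b'DATASECTION'
    return bytes(img)

def demo():
    # Embed the image in junk that also contains a decoy MZ whose e_lfanew points nowhere useful.
    region = bytes(0x123) + b'MZ' + bytes(0x40) + build_sample_image() + bytes(0x50)
    hits = carve_pe_images(region)
    return hits, realign_to_file(region, hits[0])

if __name__ == '__main__':
    hits, dumped = demo()
    for h in hits:
        print(h['offset'], h['machine'], h['is_dotnet'], [s['name'] for s in h['sections']])
    print(len(dumped))
```

On a real case the region is the suspended child's memory at the image base the malware targets with WriteProcessMemory (the address you see as the second argument when the breakpoint hits); the carved header's Machine and SizeOfImage tell you how much to read, and the realigned output is what you hand to dnSpy or de4dot.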
A closer look at the file in dnSpy reveals the obfuscator, which apparently is not supported / known by de4dot:\r\nSome googling on deobfuscating ConfuserEx gives us this project, which adds exactly this capability to de4dot:\r\nNow the file is dumped and cleaned (pretty much) 😎.\r\nAnalyzing the code (which is still a bit obfuscated) reveals that this is a keylogger / stealer (with some RAT capabilities) named HawkEye Reborn version 8:\r\nDescription from Malpedia:\r\nHawKeye is a keylogger that is distributed since 2013. Discovered by IBM X-Force, it is currently spread over phishing campaigns targeting businesses on a worldwide scale. It is designed to steal credentials from numerous applications but, in the last observed versions, new \"loader capabilities\" have been spotted. It is sold by its development team on dark web markets and hacking forums.\r\nFrom here on I used only static analysis on the unpacked sample.\r\nAnti-Analysis capabilities\r\nChecks if it runs under process monitor software:\r\nChecks if it runs under Sandboxie (SbieDll.dll) or Wireshark:\r\nDisables Task Manager, Cmd, and Regedit:\r\nSets hidden + system attributes for itself:\r\nThe malware has the functionality to block websites by overriding the Hosts file and redirecting them to the localhost address:\r\nStealing capabilities\r\nThe malware has keylogging capabilities (also called HawkEye Keylogger):\r\nTakes screenshots of the infected computer:\r\nSteals Chrome browser data:\r\nSteals Firefox browser data:\r\nSteals CoreFTP software data:\r\nSteals Minecraft data:\r\nCollects plenty more information: internal & external address, geolocation, installed software, clipboard content, screenshots, passwords and more:\r\nAnd posts all the data to the C2:\r\nC2: pomf.cat\r\nPersistence:\r\nThe malware persists itself via a Run key:\r\nMore capabilities:\r\nThe malware uses P/Invoke calls to native libraries to extend its capabilities and harden analysis:\r\nIt seems the next commands are written into a .bat file that is responsible for the persistence via the Run key; it executes the malware and then possibly deletes itself (and is written back on the next execution, depending on whether it is written to \"Run\" or \"RunOnce\"):\r\nAlso, the malware seems to inject itself into a remote process, judging by these API calls:\r\nThat's it for today, hope you enjoyed ☺️\r\nSource: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md"
	],
	"report_names": [
		"HawkEye.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434639,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ceb0a36b3c794417f3a8dad8e086871d37d19d2.pdf",
		"text": "https://archive.orkl.eu/2ceb0a36b3c794417f3a8dad8e086871d37d19d2.txt",
		"img": "https://archive.orkl.eu/2ceb0a36b3c794417f3a8dad8e086871d37d19d2.jpg"
	}
}