{
	"id": "09d5ec39-2596-41d1-a1f1-fb17fca98fab",
	"created_at": "2026-04-06T00:07:33.749402Z",
	"updated_at": "2026-04-10T03:20:19.946531Z",
	"deleted_at": null,
	"sha1_hash": "395c06068fcb8dda51fcb23aef26859caf369adb",
	"title": "Analysis of a New HawkEye Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2390694,
	"plain_text": "Analysis of a New HawkEye Variant\r\nBy Xiaopeng Zhang\r\nPublished: 2019-06-18 · Archived: 2026-04-05 14:44:21 UTC\r\nThreat Analysis by FortiGuard Labs\r\nBackground\r\nFortiGuard Labs recently captured a malware sample being spread by a phishing email. After a quick analysis, I discovered that it was a new variant of the HawkEye malware.\r\nHawkEye is known as a keylogger and an application credential-stealing malware. Over the past few years, we have seen it spread by email, carried in MS Word documents, Excel files, PowerPoint files, and RTF files. In this analysis, I am going to provide an overview of what this new variant can do to a victim’s system.\r\nDistribution and Download\r\nHere is the email content, masquerading as an airline ticket confirmation, which asks the targeted victim to click on a link.\r\nhttps://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html\r\nPage 1 of 12\n\nFigure 1. The email content\r\nIt was designed so that the victim downloads a 7z file from the link shown in figure 1 that contains this new variant of HawkEye and runs it on the victim’s system.\r\nUnfortunately, on initial analysis the URL was not available and I received a “404 Not Found” message in the browser.\r\nBrowsing to its main page, I found it to be an FTP service containing several related network folders about this campaign, most of them holding the same malware sample (Figure 2).\r\nFigure 2. Screenshot of the main page\r\nAfter the downloaded 7z file was decompressed, we retrieved the EXE file “TICKET%2083992883992AIR8389494VERVED37783PDF.exe”, which is the new variant of HawkEye.\r\nStart HawkEye\r\nOnce HawkEye started, it spawned a suspended child process, “RegAsm.exe” (the Assembly Registration tool), from the Microsoft .Net framework installation directory. 
Meanwhile, HawkEye extracted a PE file into its memory and then moved the PE file into “RegAsm.exe”. The dynamically extracted PE file is the main program of HawkEye. I call it “HawkEye_RegAsm” to differentiate these files in the analysis. HawkEye_RegAsm began running once the suspended “RegAsm.exe” was resumed.\r\nHawkEye_RegAsm is a .Net program, packed with ConfuserEx v1.0.0 to protect itself. This creates a big challenge for analysts trying to read and analyze its code, which is totally obfuscated, as shown in figure 3.\r\nFigure 3. Obfuscated Entry function of HawkEye_RegAsm\r\nAfter sleeping 10 seconds, HawkEye_RegAsm starts its work on the victim’s system. Through analysis so far, it appears to mainly perform the following functions:\r\n1\u003e Set up a clipboard logger.\r\n2\u003e Set up a keyboard logger.\r\n3\u003e Spawn another two child processes, “vbc.exe”, both from the .Net framework directory as well.\r\n4\u003e Send collected data to an email address using SMTP from time to time (every 10 minutes).\r\nHawkEye_RegAsm starts a thread to perform the above tasks, and then every 10 minutes it sends its collected information to its Yandex email address.\r\nHawkEye_RegAsm sets up the clipboard and keyboard loggers using Windows-native APIs (such as SetWindowsHookEx, SetClipboardViewer, etc.). Its local functions record the victim’s behavior when the victim types on the keyboard as well as when data is copied into the system clipboard.\r\nFigure 4 shows an example of the information that HawkEye_RegAsm collected from its keyboard and clipboard loggers, as well as the title of the application window that was active when the event occurred.\r\nFigure 4. 
Example of collected Clipboard and Keyboard data\r\nCollecting Credentials from Saved Credential Storage\r\nHawkEye_RegAsm performs the same trick HawkEye used with RegAsm.exe. It spawns two suspended child processes, “vbc.exe”, from the same directory as RegAsm.exe. HawkEye dynamically extracts two PE files into its memory, which are then copied into the two newly created “vbc.exe” child processes. It also modifies their thread context (by calling the SetThreadContext API) so that the entry point points to the transferred PE file, which then executes when “vbc.exe” is resumed. This is a trick that malware often uses to camouflage itself behind a normal process.\r\nThe two “vbc.exe” processes collect credentials from the victim’s system. One is used to collect the credentials of browsers. The other one focuses on email clients and IM clients to steal credentials and profiles. Both PE files injected into “vbc.exe” share the same code framework: they first call a function to collect credentials and save them in memory, then read the collected data, format it, and save it to a tmp file named in their command line parameter.\r\nFigure 5 shows HawkEye calling the CreateProcess API to start one of the two “vbc.exe” processes, with the parameters shown below in the “Locals” sub-tab. You can see the full path of “vbc.exe”. “/stext \"\"C:\\Users\\*********\\AppData\\Local\\Temp\\tmpBE3D.tmp\"\"\" is the parameter passed to it. The tmp file, which temporarily holds the collected credentials, has a random name that differs between the two “vbc.exe” processes.\r\nFigure 5. 
Break on when calling CreateProcess to start a “vbc.exe”\r\nThe two PE files are neither packer-protected nor written in .Net.\r\nThe first “vbc.exe” collects credentials from the victim’s browsers and from the system credential manager for IE.\r\nIn my analysis, this variant of HawkEye focuses on the following browsers:\r\nMicrosoft Internet Explorer, Google Chrome, Apple Safari, Opera, Mozilla Sunbird, Mozilla Firefox, Mozilla Portable Thunderbird, Mozilla SeaMonkey, YandexBrowser, Vivaldi browser, and more.\r\nFigure 6 shows some strings defined in the ASM code for the browsers that the HawkEye malware wants to collect credentials from.\r\nThe collected credentials are then saved into the tmp file named in its command line parameter. HawkEye_RegAsm keeps checking this tmp file until the credential collection is done. HawkEye_RegAsm then reads the entire contents of the tmp file into its memory and deletes the file immediately.\r\nFigure 6. Browsers’ information defined in the first PE file\r\nThe second PE file in “vbc.exe” collects profile and credential information for the email and IM client software installed on a victim’s machine.\r\nThe clients it targets are:\r\nQualcomm Eudora, Mozilla Thunderbird, MS Office Outlook, IncrediMail, Groupmail, MSNMessenger, Yahoo!Pager/Yahoo!Messenger and Windows Mail.\r\nBelow is an example of the list that HawkEye stole from the Chrome browser on my test machine. As you can see, it includes the login URL, browser name, user name, password, creation time, and the full path of the file where the collected information came from.\r\nFigure 7. 
“vbc.exe” saves collected server address information to tmp file\r\nThe second PE file in “vbc.exe” not only collects the client’s login username and password, but also profile information, such as the recipient server address, recipient server port, protocol type (POP3), SMTP server, SMTP port, etc. Figure 7 shows a screenshot of Ollydbg when “vbc.exe” was about to write the collected recipient server addresses into its tmp file. It writes one line at a time. The same tmp file is finally read by HawkEye_RegAsm and then deleted.\r\nOn my test machine, I only installed MS Outlook with one account. My test account and server profile were collected and put in the structure shown below, which would normally be sent to the attacker’s email box.\r\nSending Collected Data to the Attacker via SMTP\r\nNow let’s go back to the main process of HawkEye_RegAsm, which controls all tasks of HawkEye and sends the victim’s credentials. In its main program, it calls Thread.Sleep(600000) between collection rounds, so it reports the collected data to the attacker once every 10 minutes.\r\nIt first sends an HTTP request to http://bot.whatismyipaddress.com to ask for my machine’s public IP. This is a way to ensure that the victim’s machine is able to access the internet. If no public IP is returned, it does not send the collected data to the email box. In addition, the IP appears in the email subject so the attacker can identify victims.\r\nThe attacker’s email account is on Yandex.Mail, and its account name and password are used by the malware when sending collected data through the Yandex SMTP server. That’s why I was able to get the attacker’s email credentials while tracing the main program. 
You can see the screenshot in figure 8, taken while I was debugging it.\r\nFigure 8. Sending collected data to the attacker’s email box\r\nEvery ten minutes it sends packets like the one shown in Figure 9 to tell the attacker what it has collected from the victim’s machine: keylogger and clipboard data, browser credentials, and IM and email client credentials and profiles.\r\nFigure 9. Sending collected data to the attacker’s Yandex email address over SMTP\r\nFigure 10. Glancing at an attacker’s harvest\r\nVisiting the attacker’s account, we can see what the attacker has harvested, as shown in figure 10.\r\nSolutions\r\nThe original URL in the email has been rated as “Malicious Websites” by the FortiGuard Web Filtering service.\r\nThe decompressed exe file is detected as “AutoIt/Injector.EAH!tr” by the FortiGuard Antivirus service.\r\nSample SHA256\r\n[TICKET%2083992883992AIR8389494VERVED37783PDF.exe]\r\n3E7AD2A554F89B2A5E52E5C4843111342182DA4409A038CF800570B65A13F875\r\n[Ticketmasterconfirmation3883948383948394.7z]\r\nBBB46F812126FAEB543B02D143EF450887A043185AF98210D8F827924B31CF7A\r\n[TKT8839483993993fligh booking ticket confirmationupdate.7z]\r\nF2B921726D728037F9BA0C63FB6C31F77983C3A6E3938B46C411E80C218A2E84\r\nSource: https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html"
	],
	"report_names": [
		"hawkeye-malware-analysis.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434053,
	"ts_updated_at": 1775791219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/395c06068fcb8dda51fcb23aef26859caf369adb.pdf",
		"text": "https://archive.orkl.eu/395c06068fcb8dda51fcb23aef26859caf369adb.txt",
		"img": "https://archive.orkl.eu/395c06068fcb8dda51fcb23aef26859caf369adb.jpg"
	}
}