{
	"id": "ab844f2d-9ef8-451e-a262-a525ba1c81e7",
	"created_at": "2026-04-06T00:16:37.473517Z",
	"updated_at": "2026-04-10T13:12:38.107762Z",
	"deleted_at": null,
	"sha1_hash": "58bdcc2c950ed66827214f2654c11162a42409af",
	"title": "HawkEye Malware Changes Keylogging Technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67181,
	"plain_text": "HawkEye Malware Changes Keylogging Technique\r\nBy sharon\r\nPublished: 2019-08-13 · Archived: 2026-04-05 18:35:17 UTC\r\nCyberbit Labs have observed that HawkEye malware variants have changed their keylogging technique. Until now, the most pervasive keylogger malware technique was to register a procedure into the message hook chain of a window using the SetWindowsHookExA API. The new variants use the RegisterRawInputDevices API to register for input from the keyboard. This technique is not new; it has been used in Metasploit, but this is the first time it has been observed in use in a HawkEye malware sample.\r\nHawkEye malware is sold as malware-as-a-service. Over the years, HawkEye malware has been updated and improved. New capabilities and techniques are added to it from time to time.\r\nIts top targeted industries include software and tech, banking, energy, chemical and automotive.\r\nIn this blog post, I will explain and compare the old and the new keylogging techniques used by HawkEye malware. The device keylogging technique is less common among malware – and was likely adopted by malware authors as an effective way to evade detection by security products that do not intercept all kinds of keylogging techniques.\r\nI will also demonstrate how the Cyberbit EDR solution is able to successfully detect all keylogging techniques.\r\nTwo HawkEye Malware Keylogging Techniques\r\nSample 1 – Using SetWindowsHookExA\r\nSHA256: dff7820b2b0b877c46a0cbc6be22b45b11511af7d50e36c7d83fa27f3db277b0\r\nThis HawkEye malware sample is written in C# and obfuscated. As with most HawkEye samples, it performs process hollowing into its child process – RegAsm.exe – a legitimate Microsoft program used for .NET assembly registration.\r\nThe keylogging is done from the hollowed RegAsm.exe.\r\nFigure 1 – The entry point of the sample is the Main() of groanwarriorer. Names vary between meaningful words and non-meaningful ones.\r\nFigure 2 – HawkEye spawns a child process and injects its code into it.\r\nWe put a breakpoint on user32.dll!SetWindowsHookExA in the RegAsm.exe process just after user32.dll was loaded. This DLL exports the function SetWindowsHookExA.\r\nhttps://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/\r\nPage 1 of 4\n\nThis function is used to register a procedure into the message hook chain of a window. After registration, this procedure processes window messages and looks for keyboard messages (using one of two hook types – WH_KEYBOARD or WH_KEYBOARD_LL) – and retrieves from them the key pressed by the user.\r\nWe got a breakpoint hit and can see with which parameters SetWindowsHookExA was called:\r\nSetWindowsHookExA(0xD, 0x7D18EA, 0, 0)\r\nidHook = 0xD = WH_KEYBOARD_LL – type of hook to install\r\nlpfn = 0x7D17EA – address of the procedure that processes the window messages\r\nhmod = 0 – NULL, since the procedure is within the code of the current process and all the threads running in the same desktop are monitored (see the last parameter)\r\ndwThreadId = 0 – install the hook on all currently existing threads in the same desktop as the calling thread\r\nFigure 3 – Breakpoint hit and the stack on SetWindowsHookExA\r\nThe logged keystrokes are later sent to the attacker over the chosen protocol. Keystrokes can be sent via SMTP (mail), FTP or HTTP, depending on how the sample was configured.\r\nCyberbit EDR detects this keylogging technique executed from RegAsm.exe:\r\nFigure 4 – SetWindowsHookExA keylogger method used by RegAsm.exe\r\nSample 2 – Using RegisterRawInputDevices\r\nSHA256: a5b2f2fc5b08b09d95302786304f6e4b05b0d326fae8a7fbad6da72ef6e61f25\r\nAs in the previous sample, this is an obfuscated C# sample that creates a suspended RegAsm.exe and injects into it. However, this time the breakpoint on user32.dll!SetWindowsHookExA didn’t hit.\r\nThere are many ways to log user input; one of them is registering for a raw input device – such as a keyboard, mouse, joystick, etc.\r\nThe Windows API RegisterRawInputDevices is the one used for registering for raw input device messages. After registration, the WM_INPUT message must be processed in order to retrieve the key pressed. For an example of how this can be done, read Windows Keylogger Part 1.\r\nWe put a breakpoint on user32.dll!RegisterRawInputDevices in the injected RegAsm.exe and got a hit.\r\nFigure 5 – 1. The breakpoint hit on RegisterRawInputDevices. 2. The stack at the time the breakpoint hits. 3. The structure at 0x54FF70 contains a RAWINPUTDEVICE structure. 4. The last member of the structure at 0x000C0366 is a handle to a window.\r\nThis function receives 3 parameters:\r\nPCRAWINPUTDEVICE pRawInputDevices\r\nUINT uiNumDevices\r\nUINT cbSize\r\npRawInputDevices is an array of RAWINPUTDEVICE structures that represent the devices that supply the raw input.\r\nuiNumDevices is the number of RAWINPUTDEVICE structures pointed to by pRawInputDevices.\r\ncbSize is the size, in bytes, of a RAWINPUTDEVICE structure.\r\nThe struct RAWINPUTDEVICE looks like this:\r\ntypedef struct tagRAWINPUTDEVICE {\r\n    USHORT usUsagePage;\r\n    USHORT usUsage;\r\n    DWORD dwFlags;\r\n    HWND hwndTarget;\r\n} RAWINPUTDEVICE, *PRAWINPUTDEVICE, *LPRAWINPUTDEVICE;\r\nusUsagePage specifies the type of device.\r\nusUsage specifies the device within the group of usUsagePage.\r\ndwFlags is a mode flag that specifies how to interpret the information provided by usUsagePage and usUsage.\r\nhwndTarget is a handle to the target window.\r\nLet’s look at the parameters passed by the keylogging malware (figure 5):\r\nRegisterRawInputDevices(0x54FF70, 1, 0xC)\r\npRawInputDevices = 0x54ff70\r\nAt address 0x54FF70 we can see one RAWINPUTDEVICE structure with the following values:\r\nusUsagePage = 0x0001 – Generic desktop controls\r\nusUsage = 0x0006 – Keyboard\r\ndwFlags = 0x00000100 – RIDEV_INPUTSINK – if set, this enables the caller to receive the input even when the caller is not in the foreground. Note that hwndTarget must be specified.\r\nhwndTarget = 0xc0366\r\nuiNumDevices = 1 – only one structure\r\ncbSize = 0xC – the sum of two USHORT variables, one DWORD and an HWND, which in this 32-bit process is also DWORD in size: 2 + 2 + 4 + 4 = 0xC\r\nIt is clear now that the malware registered for WM_INPUT messages from the keyboard in order to monitor which keys are pressed.\r\nThis keylogging technique is also used by the well-known attack simulation platform Metasploit.\r\nCyberbit EDR also detects this technique, executed from RegAsm.exe:\r\nFigure 6 – RegisterRawInputDevices keylogger method used by RegAsm.exe\r\nSource: https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/"
	],
	"report_names": [
		"hawkeye-malware-keylogging-technique"
	],
	"threat_actors": [],
	"ts_created_at": 1775434597,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58bdcc2c950ed66827214f2654c11162a42409af.pdf",
		"text": "https://archive.orkl.eu/58bdcc2c950ed66827214f2654c11162a42409af.txt",
		"img": "https://archive.orkl.eu/58bdcc2c950ed66827214f2654c11162a42409af.jpg"
	}
}