
Infostealer.Hawket


First posted on 18 November 2015.
Source: Symantec

Aliases :

There are no other names known for Infostealer.Hawket.

Explanation :

The Trojan may arrive on the compromised computer through spam or phishing attacks.

When the Trojan is executed, it may create the following files:
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\system.pif
%Temp%\[RANDOM FILE NAME]\
%Temp%\[RANDOM FILE NAME]\[RANDOM FILE NAME].exe
%Temp%\Default Folder\
%Temp%\Default Folder\Microsoft Update.exe
%SystemDrive%\Default Folder\
%SystemDrive%\Default Folder\Microsoft Update.exe
%UserProfile%\Application Data\Imminent\
%UserProfile%\Application Data\Imminent\Path.dat
%UserProfile%\Application Data\Imminent\Logs\
%UserProfile%\Application Data\Imminent\Logs\[CURRENT DATE]
The Trojan may modify the following file:
%System%\drivers\etc\hosts
The Trojan may create the following registry entry so that it executes whenever Windows starts:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"Default Key" = "%Temp%\Default Folder\Microsoft Update.exe"
The Trojan may steal the following information from the compromised computer:
Keystrokes
Clipboard contents
Screenshots
The Trojan may steal passwords from the following browsers and applications:
Google Chrome
Mozilla Firefox
Safari
Internet Explorer
Opera
AOL Instant Messenger
Minecraft
Nimbuzz
Outlook
FileZilla
Steam
SmartFTP
Pidgin
Bitcoin wallet
PalTalk
Internet Download Manager
JDownloader
The Trojan may send the stolen information to a remote location or email address selected by the attacker.

The Trojan may perform the following actions on the compromised computer:
Spread through USB devices
Spread through peer-to-peer applications
Disable PC administration tools
Clear browsing history
Clear chat history
Block websites
Download potentially malicious files
Clear web browser cookies
Clear Steam session files
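The file paths, the hosts file and the HKCU Run value above are what a responder would sweep a suspect Windows host for. The script below is an added example for this page, not Symantec's tooling: it expands the listed %VAR% paths against an explicit environment map and reports which exist, parses the hosts file and flags every non-stock entry (the kind of change the "Block websites" action would leave behind), and, on Windows only, compares the "Default Key" Run value with the path in the write-up. The environment map, the sample hosts text and the heuristic that any non-local hosts entry deserves review are assumptions; the randomly named %Temp% files are left out because a wildcard for them would match too much.

```python
"""Host triage for the Infostealer.Hawket indicators on this page.
Added example, not part of the Symantec write-up: paths, hosts-file location
and Run key come from the indicators above; the environment map, the sample
hosts text and the 'non-stock entry' heuristic are constructed assumptions."""
import glob
import os
import re
import sys

# Fixed-name file indicators, Symantec's %VAR% placeholders kept. The
# %Temp%\[RANDOM FILE NAME] entries are omitted: as wildcards they would
# match too much of an ordinary Temp directory to be useful.
HAWKET_FILES = [
    r"%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\system.pif",
    r"%Temp%\Default Folder\Microsoft Update.exe",
    r"%SystemDrive%\Default Folder\Microsoft Update.exe",
    r"%UserProfile%\Application Data\Imminent\Path.dat",
    r"%UserProfile%\Application Data\Imminent\Logs\*",
]
HOSTS_PATH = r"%System%\drivers\etc\hosts"
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # under HKCU
RUN_VALUE = "Default Key"
RUN_DATA = r"%Temp%\Default Folder\Microsoft Update.exe"

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample of a hosts file after the Trojan's "Block websites"
# action; the write-up does not say which sites it blocks.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1       localhost
127.0.0.1 localhost
0.0.0.0 security-vendor.example        # constructed sinkhole
0.0.0.0 updates.example                # constructed sinkhole
198.51.100.7 bank.example              # constructed redirect (TEST-NET-2)
"""

def expand(path, env):
    """Expand %VAR% placeholders case-insensitively from an explicit map.
    os.path.expandvars only handles %VAR% on Windows, and an explicit map
    lets you plug in values recovered from a suspect image offline."""
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)

def check_indicators(env, finder=glob.glob):
    """Return expanded indicator paths that exist. `finder` is injectable so
    the check can run against a mounted image or a test double."""
    hits = set()
    for pattern in HAWKET_FILES:
        hits.update(finder(expand(pattern, env)))
    return sorted(hits)

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            pairs.extend((ip, n.lower()) for n in names)
    return pairs

def suspicious_hosts(text):
    """Flag each non-stock hosts entry as (ip, name, 'sinkhole'|'redirect').
    Heuristic (assumption): a stock Windows hosts file maps only the local
    names, so anything else deserves review on a suspected host."""
    flagged = []
    for ip, name in parse_hosts(text):
        if name not in STOCK_NAMES:
            flagged.append((ip, name, "sinkhole" if ip in SINKHOLE_IPS else "redirect"))
    return flagged

def run_key_matches(env):
    """Windows only: True if HKCU\\...\\Run\\"Default Key" holds the Hawket
    path, False if absent or different, None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_SUBKEY) as key:
            data, _ = winreg.QueryValueEx(key, RUN_VALUE)
    except OSError:
        return False
    found = str(data).strip('"').lower()   # accept raw or already-expanded data
    return found in {RUN_DATA.lower(), expand(RUN_DATA, env).lower()}

if __name__ == "__main__":
    env = dict(os.environ)
    print("files:", check_indicators(env), "run key:", run_key_matches(env))
    try:
        with open(expand(HOSTS_PATH, env), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS  # fall back to the constructed sample off Windows
    for ip, name, kind in suspicious_hosts(text):
        print(f"hosts {kind}: {name} -> {ip}")
```

Run it as-is on the live host, or pass `check_indicators` an environment map and a `finder` that prefixes a mounted image's root so the same sweep works on a disk image from an analysis machine. Off Windows the registry check returns None and the hosts check falls back to the constructed sample, so the script is safe to exercise before it is needed.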

Last update 18 November 2015
