SYMBOLCOMMON_NAMEaka. SYNONYMS
win.floki_bot (Back to overview)

FlokiBot

There is no description at this point.

References
2017-03-14Arnaud DelmasArnaud Delmas
@online{delmas:20170314:analyzing:1c055df, author = {Arnaud Delmas}, title = {{Analyzing and Deobfuscating FlokiBot Banking Trojan}}, date = {2017-03-14}, organization = {Arnaud Delmas}, url = {http://adelmas.com/blog/flokibot.php}, language = {English}, urldate = {2020-01-08} } Analyzing and Deobfuscating FlokiBot Banking Trojan
FlokiBot
2017-03-01CylanceCylance Threat Research Team
@online{team:20170301:threat:5837922, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: Flokibot PoS Malware}}, date = {2017-03-01}, organization = {Cylance}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html}, language = {English}, urldate = {2020-01-06} } Threat Spotlight: Flokibot PoS Malware
FlokiBot
2016-12-07Cisco TalosBen Baker, Edmund Brumaghin, Mariano Graziano, Jonas Zaddach
@online{baker:20161207:floki:69ffd12, author = {Ben Baker and Edmund Brumaghin and Mariano Graziano and Jonas Zaddach}, title = {{Floki Bot Strikes, Talos and Flashpoint Respond}}, date = {2016-12-07}, organization = {Cisco Talos}, url = {http://blog.talosintel.com/2016/12/flokibot-collab.html#more}, language = {English}, urldate = {2020-01-09} } Floki Bot Strikes, Talos and Flashpoint Respond
FlokiBot
2016-11-10MalwarebytesMalwarebytes Labs
@online{labs:20161110:floki:cb97f8d, author = {Malwarebytes Labs}, title = {{Floki Bot and the stealthy dropper}}, date = {2016-11-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/}, language = {English}, urldate = {2019-12-20} } Floki Bot and the stealthy dropper
FlokiBot
2016-10-03FlashpointFlashpoint
@online{flashpoint:20161003:multipurpose:436518b, author = {Flashpoint}, title = {{Multi-Purpose “Floki Bot” Emerges as New Malware Kit}}, date = {2016-10-03}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/}, language = {English}, urldate = {2020-01-07} } Multi-Purpose “Floki Bot” Emerges as New Malware Kit
FlokiBot
2015-12-07FlashpointFlashpoint, Talos
@online{flashpoint:20151207:flashpoint:3f5aee6, author = {Flashpoint and Talos}, title = {{Flashpoint and Talos Analyze the Curious Case of the flokibot Connector}}, date = {2015-12-07}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/}, language = {English}, urldate = {2019-11-20} } Flashpoint and Talos Analyze the Curious Case of the flokibot Connector
FlokiBot
Yara Rules
[TLP:WHITE] win_floki_bot_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_floki_bot_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 85f6 7416 57 8bfe 6bff1c 037c240c }
            // n = 6, score = 1100
            //   85f6                 | test                esi, esi
            //   7416                 | je                  0x18
            //   57                   | push                edi
            //   8bfe                 | mov                 edi, esi
            //   6bff1c               | imul                edi, edi, 0x1c
            //   037c240c             | add                 edi, dword ptr [esp + 0xc]

        $sequence_1 = { 8b450c 8b4d08 e8???????? 8b450c 8b4d08 d1e8 e8???????? }
            // n = 7, score = 1100
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   d1e8                 | shr                 eax, 1
            //   e8????????           |                     

        $sequence_2 = { 896f50 896f54 896f58 896f5c e8???????? bb00000400 }
            // n = 6, score = 1100
            //   896f50               | mov                 dword ptr [edi + 0x50], ebp
            //   896f54               | mov                 dword ptr [edi + 0x54], ebp
            //   896f58               | mov                 dword ptr [edi + 0x58], ebp
            //   896f5c               | mov                 dword ptr [edi + 0x5c], ebp
            //   e8????????           |                     
            //   bb00000400           | mov                 ebx, 0x40000

        $sequence_3 = { c3 56 6a30 5e e8???????? 85c0 7403 }
            // n = 7, score = 1100
            //   c3                   | ret                 
            //   56                   | push                esi
            //   6a30                 | push                0x30
            //   5e                   | pop                 esi
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5

        $sequence_4 = { 0f845a010000 84c0 0f8452010000 0fb6c0 0fb6cb 6603c1 0fb6ca }
            // n = 7, score = 1100
            //   0f845a010000         | je                  0x160
            //   84c0                 | test                al, al
            //   0f8452010000         | je                  0x158
            //   0fb6c0               | movzx               eax, al
            //   0fb6cb               | movzx               ecx, bl
            //   6603c1               | add                 ax, cx
            //   0fb6ca               | movzx               ecx, dl

        $sequence_5 = { 40 83c710 3bc1 72f4 eb0a c1e004 03c2 }
            // n = 7, score = 1100
            //   40                   | inc                 eax
            //   83c710               | add                 edi, 0x10
            //   3bc1                 | cmp                 eax, ecx
            //   72f4                 | jb                  0xfffffff6
            //   eb0a                 | jmp                 0xc
            //   c1e004               | shl                 eax, 4
            //   03c2                 | add                 eax, edx

        $sequence_6 = { 8bf9 7611 2b44240c 50 e8???????? 2b5c240c 43 }
            // n = 7, score = 1100
            //   8bf9                 | mov                 edi, ecx
            //   7611                 | jbe                 0x13
            //   2b44240c             | sub                 eax, dword ptr [esp + 0xc]
            //   50                   | push                eax
            //   e8????????           |                     
            //   2b5c240c             | sub                 ebx, dword ptr [esp + 0xc]
            //   43                   | inc                 ebx

        $sequence_7 = { 8b4310 e8???????? 84c0 0f84dd000000 8b4318 2b44243c 8b7c2414 }
            // n = 7, score = 1100
            //   8b4310               | mov                 eax, dword ptr [ebx + 0x10]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f84dd000000         | je                  0xe3
            //   8b4318               | mov                 eax, dword ptr [ebx + 0x18]
            //   2b44243c             | sub                 eax, dword ptr [esp + 0x3c]
            //   8b7c2414             | mov                 edi, dword ptr [esp + 0x14]

        $sequence_8 = { 6a16 8bc6 eb20 6a6a 8d75f4 58 e8???????? }
            // n = 7, score = 1100
            //   6a16                 | push                0x16
            //   8bc6                 | mov                 eax, esi
            //   eb20                 | jmp                 0x22
            //   6a6a                 | push                0x6a
            //   8d75f4               | lea                 esi, [ebp - 0xc]
            //   58                   | pop                 eax
            //   e8????????           |                     

        $sequence_9 = { 5f 68???????? ff15???????? 8b45f8 5e 5b }
            // n = 6, score = 1100
            //   5f                   | pop                 edi
            //   68????????           |                     
            //   ff15????????         |                     
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

    condition:
        7 of them and filesize < 286720
}
Download all Yara Rules