win.floki_bot

FlokiBot


There is no curated description at this point. The reference titles below characterize FlokiBot as a banking trojan and point-of-sale (PoS) malware kit delivered by a stealthy dropper; consult the linked analyses for capabilities and indicators.

References
2017-03-14 | Arnaud Delmas | Arnaud Delmas
@online{delmas:20170314:analyzing:1c055df, author = {Arnaud Delmas}, title = {{Analyzing and Deobfuscating FlokiBot Banking Trojan}}, date = {2017-03-14}, organization = {Arnaud Delmas}, url = {http://adelmas.com/blog/flokibot.php}, language = {English}, urldate = {2020-01-08} } Analyzing and Deobfuscating FlokiBot Banking Trojan
FlokiBot
2017-03-01 | Cylance | Cylance Threat Research Team
@online{team:20170301:threat:5837922, author = {Cylance Threat Research Team}, title = {{Threat Spotlight: Flokibot PoS Malware}}, date = {2017-03-01}, organization = {Cylance}, url = {https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html}, language = {English}, urldate = {2020-01-06} } Threat Spotlight: Flokibot PoS Malware
FlokiBot
2016-12-07 | Cisco Talos | Ben Baker, Edmund Brumaghin, Mariano Graziano, Jonas Zaddach
@online{baker:20161207:floki:69ffd12, author = {Ben Baker and Edmund Brumaghin and Mariano Graziano and Jonas Zaddach}, title = {{Floki Bot Strikes, Talos and Flashpoint Respond}}, date = {2016-12-07}, organization = {Cisco Talos}, url = {http://blog.talosintel.com/2016/12/flokibot-collab.html#more}, language = {English}, urldate = {2020-01-09} } Floki Bot Strikes, Talos and Flashpoint Respond
FlokiBot
2016-11-10 | Malwarebytes | Malwarebytes Labs
@online{labs:20161110:floki:cb97f8d, author = {Malwarebytes Labs}, title = {{Floki Bot and the stealthy dropper}}, date = {2016-11-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/}, language = {English}, urldate = {2019-12-20} } Floki Bot and the stealthy dropper
FlokiBot
2016-10-03 | Flashpoint | Flashpoint
@online{flashpoint:20161003:multipurpose:436518b, author = {Flashpoint}, title = {{Multi-Purpose “Floki Bot” Emerges as New Malware Kit}}, date = {2016-10-03}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/}, language = {English}, urldate = {2020-01-07} } Multi-Purpose “Floki Bot” Emerges as New Malware Kit
FlokiBot
2015-12-07 | Flashpoint | Flashpoint, Talos (date appears to be a typo for 2016-12-07: the joint Flashpoint/Talos analysis matches the Cisco Talos companion post above to the day, and 2015 would otherwise predate Flashpoint's own October 2016 "Emerges as New Malware Kit" entry — verify against the URL)
@online{flashpoint:20151207:flashpoint:3f5aee6, author = {Flashpoint and Talos}, title = {{Flashpoint and Talos Analyze the Curious Case of the flokibot Connector}}, date = {2015-12-07}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/}, language = {English}, urldate = {2019-11-20} } Flashpoint and Talos Analyze the Curious Case of the flokibot Connector
FlokiBot
Yara Rules
[TLP:WHITE] win_floki_bot_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_floki_bot_auto {
    // Autogenerated code-sequence signature for the FlokiBot family (win.floki_bot).
    // Each $sequence_N is a short run of x86 instruction bytes lifted from unpacked
    // samples / memory dumps. The `??` wildcards stand in for call/jump targets and
    // absolute addresses (e8 ????????, ff15 ????????, ff35 ????????), which differ
    // between builds, so the sequences key on the surrounding opcodes only.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): `date` (2020-05-30) and `malpedia_rule_date` (20200529) differ by
        // one day; presumably generation time vs. dataset snapshot — confirm before
        // using either as the rule's version marker.
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): because the sequences were taken from unpacked code, packed or
    // otherwise encrypted on-disk samples are unlikely to match until they have been
    // unpacked or dumped from memory. Treat a miss on a raw download as inconclusive.
    // The "score" in each sequence's comment is the tool's own ranking, not a
    // confidence value for the rule as a whole.

    strings:
        // Resolves a pointer relative to edi (eax = edi + [edi+0x14]) and copies
        // dwords from [esi] into it — looks like a small struct/field copy.
        $sequence_0 = { 8b4714 8b0e 03c7 8908 8b4e04 894804 8b4e08 }
            // n = 7, score = 1100
            //   8b4714               | mov                 eax, dword ptr [edi + 0x14]
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   03c7                 | add                 eax, edi
            //   8908                 | mov                 dword ptr [eax], ecx
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   894804               | mov                 dword ptr [eax + 4], ecx
            //   8b4e08               | mov                 ecx, dword ptr [esi + 8]

        // Four-argument call (out-pointer, 1, edi, esi) whose target is wildcarded;
        // the return value is stored in a local.
        $sequence_1 = { 8d45e4 50 6a01 57 56 e8???????? 8945d8 }
            // n = 7, score = 1100
            //   8d45e4               | lea                 eax, [ebp - 0x1c]
            //   50                   | push                eax
            //   6a01                 | push                1
            //   57                   | push                edi
            //   56                   | push                esi
            //   e8????????           |                     
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax

        $sequence_2 = { 8d7dbc 58 e8???????? 8b4508 8b701c }
            // n = 5, score = 1100
            //   8d7dbc               | lea                 edi, [ebp - 0x44]
            //   58                   | pop                 eax
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b701c               | mov                 esi, dword ptr [eax + 0x1c]

        $sequence_3 = { 89750c e8???????? 8b450c 8b4d10 8901 8bc3 5e }
            // n = 7, score = 1100
            //   89750c               | mov                 dword ptr [ebp + 0xc], esi
            //   e8????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   8bc3                 | mov                 eax, ebx
            //   5e                   | pop                 esi

        // Sets a byte flag at [edi+0xe] to either 2 or 1, then returns al = 1
        // through a standard epilogue (pop/pop/leave).
        $sequence_4 = { c6470e02 eb04 c6470e01 b001 5b 5e c9 }
            // n = 7, score = 1100
            //   c6470e02             | mov                 byte ptr [edi + 0xe], 2
            //   eb04                 | jmp                 6
            //   c6470e01             | mov                 byte ptr [edi + 0xe], 1
            //   b001                 | mov                 al, 1
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   c9                   | leave               

        // Tail call through an import (ff15) with a global (ff35) pushed as an
        // argument; `ret` ends one function and `push edi` begins the next.
        $sequence_5 = { 56 50 ff35???????? ff15???????? c3 57 }
            // n = 6, score = 1100
            //   56                   | push                esi
            //   50                   | push                eax
            //   ff35????????         |                     
            //   ff15????????         |                     
            //   c3                   | ret                 
            //   57                   | push                edi

        // Compares edi against -1 — presumably an INVALID_HANDLE_VALUE-style
        // failure check (the preceding call is outside the sequence; verify).
        $sequence_6 = { 7412 83ffff 750d 8bf8 66897002 e8???????? 8bf8 }
            // n = 7, score = 1100
            //   7412                 | je                  0x14
            //   83ffff               | cmp                 edi, -1
            //   750d                 | jne                 0xf
            //   8bf8                 | mov                 edi, eax
            //   66897002             | mov                 word ptr [eax + 2], si
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_7 = { 57 c644240f00 0f8316010000 6a1e }
            // n = 4, score = 1100
            //   57                   | push                edi
            //   c644240f00           | mov                 byte ptr [esp + 0xf], 0
            //   0f8316010000         | jae                 0x11c
            //   6a1e                 | push                0x1e

        // Calls an import with 0x400 (1024) as an argument — presumably a buffer
        // allocation — and branches if the result equals esi (likely 0; confirm).
        $sequence_8 = { 56 6800040000 ff15???????? 8bf8 3bfe 0f8483000000 8d45e8 }
            // n = 7, score = 1100
            //   56                   | push                esi
            //   6800040000           | push                0x400
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   3bfe                 | cmp                 edi, esi
            //   0f8483000000         | je                  0x89
            //   8d45e8               | lea                 eax, [ebp - 0x18]

        // Two back-to-back wildcarded calls followed by a backward jump (loop body).
        $sequence_9 = { 51 57 e8???????? e8???????? ebc3 55 }
            // n = 6, score = 1100
            //   51                   | push                ecx
            //   57                   | push                edi
            //   e8????????           |                     
            //   e8????????           |                     
            //   ebc3                 | jmp                 0xffffffc5
            //   55                   | push                ebp

    condition:
        // Any 7 of the 10 sequences must be present, and the scanned object must be
        // smaller than 286720 bytes (280 KiB). The size cap keeps the rule off large
        // files but also excludes big memory dumps and embedded/appended payloads.
        // NOTE(review): YARA's `filesize` is undefined when scanning a running
        // process, so this rule is meant for file and dump scans rather than live
        // process memory — confirm for the YARA version in use.
        7 of them and filesize < 286720
}