MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5668f2f784befed20b52f3d30aa3a9ab374b35a1a853d908ff9ac5c82ddea749. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5668f2f784befed20b52f3d30aa3a9ab374b35a1a853d908ff9ac5c82ddea749
SHA3-384 hash: 1249ffef32ad8e4ea38ae8d1ffd06ea97ee316a85a2a4477897ec1b22b384333c4b2526401f12714ad0623810df4e547
SHA1 hash: 3c93cd0ef4c38e4055b88c22bb398dd45a66fb4f
MD5 hash: 992e9518d69039c3ebae4191e1f8b8b6
humanhash: crazy-spring-seven-lake
File name:flokibot_0.0.0.14.vir
Download: download sample
File size:364'898 bytes
First seen:2020-07-19 17:21:24 UTC
Last seen:2020-07-19 19:15:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6b68e3e47a44ce9797fabf7eb0125aee
ssdeep 6144:Fw7HVJnyNnTu9g8m8MJub7rucVCs4/cbVjWX/mHFrYG3:Fw7VJn+uG8mobMs4UbxWX/I7
Threatray 113 similar samples on MalwareBazaar
TLSH B274CE23BFD718D2D8FE81758E999EFA5E6F7EF77261202B8FE0045C88941902CD9521
Reporter tildedennis
Tags:flokibot


Avatar
tildedennis
flokibot version 0.0.0.14

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27967/
Detection(s):
SecuriteInfo.com.Generic_r.PLO.13517.9758.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389922
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 247136 Sample: flokibot_0.0.0.14.vir Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 51 web.netsworkupdates.com 2->51 63 Multi AV Scanner detection for domain / URL 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 4 other signatures 2->69 9 flokibot_0.0.0.14.exe 2->9         started        13 kihyuvso.exe 2->13         started        15 wscript.exe 1 2->15         started        signatures3 process4 dnsIp5 53 0.0.0.14 unknown unknown 9->53 79 Detected unpacking (changes PE section rights) 9->79 81 Detected unpacking (overwrites its own PE header) 9->81 83 Tries to detect sandboxes / dynamic malware analysis system (file name check) 9->83 91 4 other signatures 9->91 17 flokibot_0.0.0.14.exe 9->17         started        20 cmd.exe 2 9->20         started        85 Antivirus detection for dropped file 13->85 87 Multi AV Scanner detection for dropped file 13->87 89 Machine Learning detection for dropped file 13->89 23 kihyuvso.exe 13->23         started        25 cmd.exe 13->25         started        signatures6 process7 file8 57 Maps a DLL or memory area into another process 17->57 27 explorer.exe 2 17 17->27         started        47 C:\Users\user\AppData\Roaming\...\x.vbs, ASCII 20->47 dropped 59 Command shell drops VBS files 20->59 61 Drops VBS files to the startup folder 20->61 32 conhost.exe 20->32         started        34 explorer.exe 23->34         started        36 conhost.exe 25->36         started        signatures9 process10 dnsIp11 55 web.netsworkupdates.com 27->55 49 C:\ProgramData\xyofh\kihyuvso.exe, PE32 27->49 dropped 93 Contains functionality to capture and log keystrokes 27->93 95 Deletes itself after installation 27->95 97 Maps a DLL or memory area into another process 27->97 99 Creates a thread in another existing process (thread injection) 27->99 38 lYiKwiBgbCOsUXsKTWLMzzYpyQsUg.exe 1 27->38 injected 41 lYiKwiBgbCOsUXsKTWLMzzYpyQsUg.exe 27->41 injected 43 lYiKwiBgbCOsUXsKTWLMzzYpyQsUg.exe 27->43 injected 45 9 other processes 27->45 file12 signatures13 process14 signatures15 71 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 38->71 73 Disables Internet Explorer cookie cleaning (a user can no longer delete cookies) 38->73 75 Overwrites code with function prologues 38->75 77 Modifies Internet Explorer zone settings 38->77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5668f2f784befed20b52f3d30aa3a9ab374b35a1a853d908ff9ac5c82ddea749/
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2016-11-17 15:59:09 UTC
AV detection:
40 of 48 (83.33%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
24a1e4d82d8a6b9594aa9bc4d26df0f212c6b2cf48964fdd46cdad6c03782a1f
2fa19780fb5e238d3ac3491b18e2c795d0a4cc31d5c03c9b4a727613397c23e5
5028124ce748b23e709f1540a7c58310f8481e179aff7986d5cfd693c9af94da
73acff9ea3647f699cd645b09e652ca498eea7c5cee9f3cb573afda67a0ceeb2
88303bec606c271a2db6fe1bb0945c7e79835203ff2d9ee629c1d9e3987ccaac
c0dfbb822dea47692a8ed0d266c518495f1a3efd3a4208fb5251bcdf08f18d42
c3f8265bfcc61ef328a8f776318d74e588873047f51e0dc8e445c1f6d4334f30
e43ee2ab62f9dbeb6c3c43c91778308b450f5192c0abb0242bfddb8a65ab883a
e4cd3a3bbf851aea2645ff32eeb8fbe177b79bf8149737c52acb413b2ff13eb6
f06047b09abc77529969c5949deda36ff154539d1b9ed8942c22fbb307d8aac9
+ 103 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/200719-aesnrc966j/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Program crash
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Program crash
Drops startup file
Deletes itself
Drops startup file
UPX packed file
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5668f2f784befed20b52f3d30aa3a9ab374b35a1a853d908ff9ac5c82ddea749

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://zeusmuseum.com/flokibot/
Cape
Cape
https://www.capesandbox.com/analysis/27967/

Comments