MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5668f2f784befed20b52f3d30aa3a9ab374b35a1a853d908ff9ac5c82ddea749. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 5668f2f784befed20b52f3d30aa3a9ab374b35a1a853d908ff9ac5c82ddea749
SHA3-384 hash: 1249ffef32ad8e4ea38ae8d1ffd06ea97ee316a85a2a4477897ec1b22b384333c4b2526401f12714ad0623810df4e547
SHA1 hash: 3c93cd0ef4c38e4055b88c22bb398dd45a66fb4f
MD5 hash: 992e9518d69039c3ebae4191e1f8b8b6
humanhash: crazy-spring-seven-lake
File name: flokibot_0.0.0.14.vir
Signature: n/a
File size: 364'898 bytes
First seen: 2020-07-19 17:21:24 UTC
Last seen: 2020-07-19 19:15:35 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6b68e3e47a44ce9797fabf7eb0125aee
ssdeep: 6144:Fw7HVJnyNnTu9g8m8MJub7rucVCs4/cbVjWX/mHFrYG3:Fw7VJn+uG8mobMs4UbxWX/I7
TLSH: B274CE23BFD718D2D8FE81758E999EFA5E6F7EF77261202B8FE0045C88941902CD9521
Reporter: @tildedennis
Tags: flokibot


Twitter
@tildedennis
flokibot version 0.0.0.14

Intelligence


File Origin
# of uploads: 2
# of downloads: 19
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: Unknown
Detection: malicious
Classification: phis.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph ID: 247136
Sample: flokibot_0.0.0.14.vir
Start date: 19/07/2020
Architecture: WINDOWS
Score: 100
Contacted domain: web.netsworkupdates.com
Contacted IP: 0.0.0.14 (unknown / unknown)
Sample-level signatures: Multi AV Scanner detection for domain / URL; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures
Processes started: flokibot_0.0.0.14.exe, kihyuvso.exe, wscript.exe
flokibot_0.0.0.14.exe: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to detect sandboxes / dynamic malware analysis system (file name check); 4 other signatures; starts a second flokibot_0.0.0.14.exe and cmd.exe
kihyuvso.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; starts a second kihyuvso.exe and cmd.exe
Second flokibot_0.0.0.14.exe: Maps a DLL or memory area into another process; starts explorer.exe
cmd.exe: drops C:\Users\user\AppData\Roaming\...\x.vbs (ASCII); Command shell drops VBS files; Drops VBS files to the startup folder; starts conhost.exe
explorer.exe: contacts web.netsworkupdates.com; drops C:\ProgramData\xyofh\kihyuvso.exe (PE32); Contains functionality to capture and log keystrokes; Deletes itself after installation; Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection); injects into three instances of lYiKwiBgbCOsUXsKTWLMzzYpyQsUg.exe and 9 other processes
lYiKwiBgbCOsUXsKTWLMzzYpyQsUg.exe (injected): Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Disables Internet Explorer cookie cleaning (a user can no longer delete cookies); Overwrites code with function prologues; Modifies Internet Explorer zone settings
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2016-11-17 15:59:09 UTC
AV detection: 37 of 42 (88.10%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Program crash
Suspicious use of SetThreadContext
Drops startup file
Deletes itself
UPX packed file
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments