MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e
SHA3-384 hash: ea048b80bdbacf5b704ae948a1120c30b04dd1419707ab2604dfdf83ee23612b525baa7b4e4183e36a3952b8de01dded
SHA1 hash: b057d20122048001850afeca671fd31dbcdd1c76
MD5 hash: 5649e7a200df2fb85ad1fb5a723bef22
humanhash: high-sierra-wolfram-papa
File name: flokibot_0.0.0.12.vir
Signature: n/a
File size: 238,080 bytes
First seen: 2020-07-19 16:44:54 UTC
Last seen: 2020-07-19 19:10:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 43e464016faeb4bab85676f508decd6e
ssdeep: 6144:3Kk3o2044/KBDyoEUkJlZth4hbNcfCz4j2DNHaFC1C+R:ak3+S9vkv74bYeDRaFwC+
TLSH: 9E34120FF583E8B1CB9D393155161425C2BD2959358EFC83F71A9ABDA023DD0B1CA3A2
Reporter: @tildedennis
Tags: flokibot


Twitter
@tildedennis
flokibot version 0.0.0.12

Intelligence


File Origin
Number of uploads: 3
Number of downloads: 18
Origin country: FR

Mail intelligence
No data

Vendor Threat Intelligence
Detection(s):

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: Unknown
Detection: malicious
Classification: phis.spyw.evad
Score: 100 / 100

Behaviour
Behavior Graph ID: 247139
Sample: flokibot_0.0.0.12.vir
Start date: 19/07/2020
Architecture: WINDOWS
Score: 100

Submitted sample (node 2):
DNS: extensivee.bid
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Binary is likely a compiled AutoIt script file
2 other signatures
Started: flokibot_0.0.0.12.exe (node 8), ebrau.exe (node 12)

flokibot_0.0.0.12.exe (node 8):
IP: 0.0.0.12 (unknown)
Maps a DLL or memory area into another process
Started: explorer.exe (node 14)

ebrau.exe (node 12):
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Machine Learning detection for dropped file
Started: explorer.exe (node 19)

explorer.exe (node 14):
DNS: extensivee.bid
Dropped: C:\ProgramData\ezun\ebrau.exe (MS-DOS)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Deletes itself after installation
2 other signatures
Injected: vrwLJeUBYbtGRkBlNzbAHtxoZh.exe (nodes 21, 24, 26)
10 other processes

vrwLJeUBYbtGRkBlNzbAHtxoZh.exe (node 21):
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Disables Internet Explorer cookie cleaning (a user can no longer delete cookies)
Overwrites code with function prologues
Modifies Internet Explorer zone settings
Result
Threat name: Win32.Trojan.Zeus
Status: Malicious
First seen: 2016-10-07 22:06:17 UTC
AV detection: 29 of 31 (93.55%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a

Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Loads dropped DLL
Drops startup file
Deletes itself
Deletes itself
Drops startup file

Result
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.
