{
	"id": "1721efa0-3603-4c19-b6f1-9a90b4cd5f51",
	"created_at": "2026-04-06T00:07:12.494102Z",
	"updated_at": "2026-04-10T13:11:52.353315Z",
	"deleted_at": null,
	"sha1_hash": "973ba6ab30bc98ea37c0cf1afb004f9a992726db",
	"title": "Floki Bot Strikes, Talos and Flashpoint Respond",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 549482,
	"plain_text": "Floki Bot Strikes, Talos and Flashpoint Respond\r\nBy Edmund Brumaghin\r\nPublished: 2016-12-07 · Archived: 2026-04-05 18:29:46 UTC\r\nWednesday, December 7, 2016 11:02\r\nThis blog post was authored by Ben Baker, Edmund Brumaghin, Mariano Graziano, and Jonas Zaddach\r\nExecutive Summary\r\nFloki Bot is a new malware variant that has recently been offered for sale on various darknet markets. It is based\r\non the same codebase that was used by the infamous Zeus trojan, the source code of which was leaked in 2011.\r\nRather than simply copying the features that were present within the Zeus trojan \"as-is\", Floki Bot claims to\r\nfeature several new capabilities making it an attractive tool for criminals. As Talos is constantly monitoring\r\nchanges across the threat landscape to ensure that our customers remain protected as threats continue to evolve,\r\nwe took a deep dive into this malware variant to determine the technical capabilities and characteristics of Floki\r\nBot.\r\nDuring our analysis of Floki Bot, Talos identified modifications that had been made to the dropper mechanism\r\npresent in the leaked Zeus source code in an attempt to make Floki Bot more difficult to detect. Talos also\r\nobserved the introduction of new code that allows Floki Bot to make use of the Tor network. However, this\r\nfunctionality does not appear to be active for the time being. Finally, through the use of the FIRST framework\r\nduring the analysis process, Talos was able to quickly identify code/function reuse between Zeus and Floki Bot.\r\nThis made sample analysis more efficient and decreased the amount of time spent documenting various functions\r\npresent within the Floki Bot samples we analyzed.\r\nhttp://blog.talosintel.com/2016/12/flokibot-collab.html#more\r\nPage 1 of 11\n\nTalos worked in collaboration with Flashpoint during the analysis of Floki Bot. 
This collaborative effort allowed\r\nTalos and Flashpoint to quickly communicate intelligence data related to active campaigns distributing Floki Bot\r\nas well as data regarding the technical functionality present within the malware. Additionally, Talos is making\r\nscripts available to the open source community that will help malware analysts automate portions of the Floki Bot\r\nanalysis process and make the process of analyzing Floki Bot easier to perform.\r\nFloki Bot Details\r\nThe infection process used by Floki Bot consists of several steps. At a high level, this process is illustrated in\r\nthe following diagram (Figure 1):\r\nWe started our analysis of Floki Bot using the following binary:\r\n5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e (SHA256)\r\nOnce the malware is executed, it attempts to inject malicious code into 'explorer.exe' - the Microsoft Windows file\r\nmanager. If it is unable to open 'explorer.exe', it will then inject into 'svchost.exe'. The first injection is simply a\r\ntrampoline (step one in Figure 1). This trampoline performs two different calls. The first call is a 'Sleep()' for 100\r\nmilliseconds. The second call passes control to another payload function. The argument to that function is a\r\nstructure with the initial sample's process ID, the decryption key for further binary payloads, and the pointer and\r\nsize of the payload resource in the initial sample's address space. Curiously enough, though the initial sample has\r\nresources labeled 'bot32' and 'bot64', the sample we analyzed is hardcoded to only pass the address of the 'bot32'\r\nresource to the injected payload. 
The reversed code responsible for mapping the 'bot32', 'bot64' and 'key' resources\r\nis shown in Figure 2.\r\nFigure 2: Mapping of 'bot32', 'bot64' and 'key' Resources\r\nAs you can see from the following screenshots, Figure 3 shows the code responsible for preparing the shellcode\r\nfor the injection. This operation is performed in the initial binary. Figure 4 shows the result of the injection into\r\nthe 'explorer.exe' process. We can clearly observe that the disassembly is based on the previous shellcode and\r\ncontains the two calls described above. Specifically, the call at 0xA001F invokes the payload, which is step\r\ntwo in Figure 1.\r\nFigure 3: Shellcode Preparation\r\nFigure 4: Disassembly of the Injected Shellcode\r\nThe next logical step is another injection which also happens within the 'explorer.exe' address space. This time the\r\npayload - the one executed after the trampoline - resolves the required APIs via the use of a CRC lookup and then\r\nmaps the 'bot32' resource section from the initial binary.\r\nThe resource is encrypted with RC4, and can be decrypted with the 16-byte key data from the 'key' resource,\r\nwhich is passed as an argument to the injected code. Moreover, the resource is compressed with the LZNT1\r\nalgorithm, and is extracted by invoking RtlDecompressBuffer. Talos has created and is releasing a script called\r\n'PayloadDump', which will extract these bot payloads. This bot is the final component and is the one containing the\r\nbanking trojan functionality. It is flagged by many AV engines as a classic Zeus bot. The bot is loaded and injected\r\ninto 'explorer.exe'. These steps are labeled 3 and 4 in Figure 1.\r\nAt every stage, the malware uses hashing to obfuscate module and function names used in dynamic library\r\nresolution. 
Interestingly, the initial sample and the bot (bot32) executable use the same CRC32 implementation\r\nand XOR the result with a static key, in our case this was 0x5E58, while the payload uses the same CRC32\r\nimplementation but a different XOR key, in our case 0x3086. The names of the modules are converted to\r\nlowercase before the computation (Windows file names are traditionally case insensitive).\r\nCurrently, the 'bot32' resource is immediately recognized by more than 30 AV engines on VirusTotal, with most of\r\nthe detections identifying it as Zbot, while the 'bot64' resource is detected as malicious by only 10 AV engines.\r\nDuring our analysis, we extracted the sample from both a physical memory dump of the explorer.exe process (see\r\nthe Memory Analysis section), as well as from the resource section of the initial binary. At first glance, this sample\r\nlooks like a normal Zeus bot. The main difference is support for the Tor network that should be activated when the\r\nC2 domain specified in the malware configuration ends with '.onion', the pseudo-TLD for Tor-related\r\ndomains. When this is the case, a standard Tor proxy server is configured to listen on localhost:9050, as you can\r\nsee in the screenshot below:\r\nFigure 5: Floki Bot Tor Functionality\r\nThis feature appears to be under development and could not be activated in the samples Talos analyzed.\r\nFloki Bot's Dropper/Loader\r\nThe loader used by Floki Bot is not encrypted. It also does not utilize any anti-debugging techniques. The loader\r\ndoes hide the system calls used to inject the malicious payload into other processes. The injection technique used\r\nby the Floki Bot loader has already been thoroughly documented here so we will not go into significant detail on\r\nhow that process works.\r\nNetwork Analysis\r\nFloki Bot communicates with C2 over an HTTPS connection. 
Interestingly, the malware author advertises an anti-deep-packet-inspection\r\nfeature. To achieve this, the bytes in network packets are packaged in BinStorage\r\nstructures that are sent over HTTPS. Each byte in the BinStorage structure is XORed with the previous byte and then\r\nadditionally encrypted with RC4. This functionality was also present in the leaked Zeus source code and is not\r\nnew to Floki Bot. By breaking the HTTPS connection and decrypting the packet payloads, we noticed that the\r\nmalware sends back information about the infected machine such as the computer name and the screen resolution.\r\nFloki Bot claimed it \"cannot be detected by Deep-Packet-Inspection unlike Zeus\", but the only major change to\r\nthe leaked source code is Tor support, which was not found to be used by any samples found in the wild. Talos\r\nwas able to decrypt Floki Bot network packets after intercepting them using mitmproxy as the malware does not\r\nuse certificate pinning for its communications.\r\nMemory Analysis\r\nDuring our analysis we also performed a memory-based forensic analysis after infecting a VM with Floki Bot. In\r\nthis way we took the opposite approach, starting our analysis from the end and then trying to rebuild the different\r\nsteps of the infection process. First, we took a physical memory dump with win32dd and analyzed it with\r\nVolatility - a well-known open source memory forensics framework. We first used the 'pslist' Volatility plugin. This\r\nplugin lists all processes by walking the doubly linked list connecting all of the _EPROCESS objects. Nothing\r\nsuspicious was found in its output. We then used the 'netscan' plugin and it showed network activity from the\r\n'explorer.exe' process, which is something that needed more investigation as it is definitely not normal to have\r\nnetwork traffic from the file manager. 
Based on this finding, we ran 'malfind' on the 'explorer.exe' process and\r\nidentified interesting traces and the PE file injected into the process. We dumped these artifacts and they matched\r\nthe partial results of the reversing process. We could observe the trampoline, the payload and the PE file. In\r\nrelation to the persistence mechanisms employed by Floki Bot, we identified some artifacts using 'filescan' and\r\nobserved that the binary (with a random name) was also copied into the Startup folder.\r\nCollaboration with Flashpoint\r\nDuring our investigation into the Floki Bot malware, we leveraged a collaborative relationship with Flashpoint,\r\nwho we worked with to gather intelligence information and share technical details regarding the malware samples,\r\nthe campaigns that are currently using Floki Bot, and the darknet markets on which Floki Bot is being bought and\r\nsold. Flashpoint has been tracking several Floki Bot actors and campaigns. Flashpoint has also released a blog\r\npost that contains relevant intelligence information related to currently active Floki Bot campaigns operating\r\nglobally. The Flashpoint post can be found here.\r\nUsing FIRST to Analyze Floki Bot\r\nDuring the analysis process, Talos leveraged the Function Identification and Recovery Signature Tool (FIRST)\r\nand associated IDA Python plugin to collect and document functionality present within the Floki Bot samples that\r\nwere analyzed. FIRST is an open source framework recently released by Talos that allows malware analysts and\r\nresearchers to collaborate and share analysis data related to the malicious functions present in malware samples.\r\nUsing FIRST enables quick and efficient analysis of malware as it minimizes the amount of time spent analyzing\r\nmalicious code that has already been analyzed and documented. 
FIRST currently contains information for over\r\n170,000 functions, including common libraries like zlib and OpenSSL, leaked malware source code, and\r\nmalicious Windows and Linux files analyzed by the community. It is particularly helpful when analyzing statically\r\nlinked executables with thousands of library functions. Tools like BinDiff can be very useful, but they only let you\r\ncompare a handful of files, and you have to find and obtain these files before you can do these comparisons. The\r\nFIRST plugin automatically looks for function similarities in each of the thousands of files submitted by the\r\ncommunity.\r\nIDA Pro uses FLIRT signatures to attempt to identify commonly used library functions, but it was unable to\r\nidentify any functions in this sample of Floki Bot. IDA Pro's default response to unidentified functions is to name\r\nthe functions according to the starting address. In this case we get 516 functions with generic names like\r\n\"sub_402F34\".\r\nFigure 6: IDA Pro Function List before running FIRST\r\nWe queried FIRST, and within seconds had 128 functions labelled with meaningful names, prototypes, and\r\ncomments. We can now instantly see what these functions do, and what arguments they take, even when those\r\narguments are custom structures.\r\nFigure 7: IDA Pro Function List after running FIRST\r\nMany functions are difficult to classify without first analyzing their child functions. 
Analysts often use a depth-first approach to label functions with obvious behaviors, then backtrack to the parent once they have a better\r\nunderstanding of the nested functions.\r\nFigure 8: IDA Pro Showing Calls to Unknown Functions without FIRST\r\nFIRST identified all of the functions in this example, and labeled them with their argument names and types.\r\nFunctions now have comments showing these functions were from leaked Zeus source code, which gives us a\r\nsubstantial lead on where to find more information about the unidentified functions. Some functions not identified by\r\nFIRST are similar to functions in the Zeus source, but have been changed by modifications in the source code or\r\ncompiler options.\r\nFigure 9: The Same Function Labeled by FIRST\r\nIf you compared this Floki Bot executable with Zeus, you would see the sizes of the BASECONFIG structures are\r\ndifferent, and the offsets for global variables have changed as well. One of FIRST's engines identified these\r\nfunctions despite modifications to these parameters. Thanks to FIRST, we are able to quickly find the chunk of\r\nleaked source code responsible for this function.\r\nFigure 10: Leaked Function Source Code\r\nAll of the analysis data and function documentation that was created by Talos while analyzing Floki Bot samples\r\nhave been made available via the public Talos FIRST server (beta). More information about the FIRST framework\r\nand how it can be used can be found here.\r\nDuring the analysis process, Talos also created scripts to help automate portions of the analysis of Floki Bot,\r\nwhich are now being released to the open source community. 
These scripts enable analysts to dump the\r\nconfiguration parameters used by Floki Bot samples, as well as the Floki Bot payload itself.\r\nPayloadDump - Extracts the final payload in PE32 format from the initial Floki Bot sample.\r\nConfigDump - Enables the extraction of the Floki Bot configuration parameters used by the sample.\r\nThese scripts can be downloaded from GitHub here.\r\nConclusion\r\nFloki Bot is another example of what happens when the source code of successful malware kits gets leaked online.\r\nAs we have seen several times since the Zeus source code became available, new malware variants based on this\r\ncodebase continue to emerge. Floki Bot is unique in that the authors of this malware have put effort into\r\nexpanding upon the functionality that was present in Zeus and have implemented new functionality making Floki\r\nBot very attractive to criminals.\r\nAs Floki Bot is currently being actively bought and sold on several darknet markets, it will likely continue to be\r\nseen in the wild as cybercriminals continue to attempt to leverage it to attack systems in an effort to monetize their\r\nactivities. 
As the leak of the Zeus source code continues to have ripple effects across the threat landscape, Talos will\r\ncontinue to monitor this and other threats that are actively being used in the wild to ensure that customers remain\r\nprotected as new threats emerge or as existing threats change over time.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nThe Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network\r\nactivity by threat actors.\r\nIndicators of Compromise (IOCs)\r\nMalware Binaries:\r\n08e132f3889ee73357b6bb38e752a749f40dd7e9fb168c6f66be3575dbbbc63d (SHA256)\r\n5028124ce748b23e709f1540a7c58310f8481e179aff7986d5cfd693c9af94da (SHA256)\r\n0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03 (SHA256)\r\n5e1967db286d886b87d1ec655559b9af694fc6e002fea3a6c7fd3c6b0b49ea6e (SHA256)\r\nd1d851326a00c1c14fc8ae77480a2150c398e4ef058c316ea32b191fd0e603c0 (SHA256)\r\ne0b599f73d0c46a5130396f81daf5ba9f31639589035b49686bf3ef5f164f009 (SHA256)\r\ne43ee2ab62f9dbeb6c3c43c91778308b450f5192c0abb0242bfddb8a65ab883a (SHA256)\r\n2b832ef36978f7852be42e6585e761c3e288cfbb53aef595c7289a3aef0d3c95 (SHA256)\r\n4bdd8bbdab3021d1d8cc23c388db83f1673bdab44288fccae932660eb11aec2a (SHA256)\r\n3c2c753dbb62920cc00e37a7cab64fe0e16952ff731d39db26573819eb715b67 (SHA256)\r\n7bd22e3147122eb4438f02356e8927f36866efa0cc07cc604f1bff03d76222a6 (SHA256)\r\n9d9c0ada6891309c2e43f6bad7ffe55c724bb79a0983ea6a51bc1d5dc7dccf83 (SHA256)\r\ne205a0f5688810599b1af8f65e8fd111e0e8fa2dc61fe979df76a0e4401c2784 (SHA256)\r\nac5ae89af8d2ffdda465a4038f0f24fcbcb650140741c2b48adadc252a140e54 (SHA256)\r\nCommand 
and Control URLs:\r\nhttps[:]//193.201.225[.]30/sweetdream/gxve8xj4a7t8t8sug8s57.php\r\nhttps[:]//shhtunnel[.]at/class/gate.php\r\nhttps[:]//extensivee[.]bid/000L7bo11Nq36ou9cfjfb0rDZ17E7ULo_4agents/gate.php\r\nhttps[:]//5.154.190[.]248/gate.php\r\nhttps[:]//vtraffic[.]su/gate.php\r\nhttps[:]//springlovee[.]at/adm/config.bin\r\nhttps[:]//feed.networksupdates[.]com/feed/webfeed.xml\r\nhttps[:]//wowsupplier[.]ga/cpflkabwbebeu/gtlejbsbu.php\r\nhttps[:]//adultgirlmail[.]com/mail/gate.php\r\nhttps[:]//uspal[.]cf/3faf5c96-9c2b-11e6-95d4-00163c75bf83/gate.php\r\nSource: http://blog.talosintel.com/2016/12/flokibot-collab.html#more",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.talosintel.com/2016/12/flokibot-collab.html#more"
	],
	"report_names": [
		"flokibot-collab.html#more"
	],
	"threat_actors": [],
	"ts_created_at": 1775434032,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/973ba6ab30bc98ea37c0cf1afb004f9a992726db.pdf",
		"text": "https://archive.orkl.eu/973ba6ab30bc98ea37c0cf1afb004f9a992726db.txt",
		"img": "https://archive.orkl.eu/973ba6ab30bc98ea37c0cf1afb004f9a992726db.jpg"
	}
}