{
	"id": "fe7a1920-14ef-4c90-831e-1788c2f997a5",
	"created_at": "2026-04-06T00:21:54.834554Z",
	"updated_at": "2026-04-10T13:11:59.237111Z",
	"deleted_at": null,
	"sha1_hash": "9e2db423f93107663722102b8fb581d25e7c07e0",
	"title": "Floki Bot – A Zeus Wannabe with Delusions of Grandeur?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 278443,
	"plain_text": "Floki Bot – A Zeus Wannabe with Delusions of Grandeur?\r\nBy SC Staff\r\nPublished: 2016-10-31 · Archived: 2026-04-05 21:11:31 UTC\r\nWell, it was a nice summer and, as I waited for the magazine to finish developing the new look on our website I\r\nspent a lot of time crawling around the Dark Web looking for tidbits of interest. That's the good news. The bad\r\nnews is there were more than I could consume over the entire summer. So, on the advice of one of our Lab\r\nApproved vendors I decided to take a deep dive into a bot that has been on the horizon since September - a\r\nrelative newcomer. The story behind this one is, on the surface, innocuous. But, as the infomercials say, \"Wait!\r\nThere's more!\"\r\nFloki Bot is now well-advertised in the underground marketplaces and I pulled information from a variety of\r\nsources, not the least of which was Alphabay. This is a fairly open, but mildly vetted, pay-for-play underground\r\nmarketplace where you can buy anything for bitcoins from malware to drugs to hackers for hire. The actor in this\r\ncase is advertising heavily in several marketplaces including Alphabay. So it is safe to say this bug is likely to hit\r\nthe streets fairly soon if it hasn't - and I suspect that it has based upon the ease with which I found my sample and\r\nother information about it - already.\r\nThis week we'll take a look at the bot, the author's claims and what the likely truth is along with how to prepare\r\nfor it in case it does become active. That is one of the themes for Threat Hunter 2.0: we want to help you become\r\nproactive. I'll be looking for things that are still in their formative stages, but which have a reasonable likelihood\r\nof becoming pesky in the near future.\r\nThe second theme is that I have teamed with our Lab Approved vendors along with a few others to provide the\r\ntools I'll use in each week's analysis. 
At the end of each blog I'll list the tools I used that week so you can consider\r\nhow they might fit in your security/threat hunting stack. Some of those tools, by the way, will be open source or\r\nfree in addition to the commercial tools I'll use. When you're threat hunting everything that can help you be\r\nproactive is on the table.\r\nThere are, really, two kinds of threat hunting: pre and post event. Post event I equate to dead-box forensics. The\r\ndamage has been done and now we are left with the analysis. Pre event is proactive and seeks to predict what\r\npossible threats really will become threats in the future. We will focus on pre but touch on the cleanup aspects\r\nwhere it makes sense. Now on to our bug....\r\nThe actor burst on the scene in underground marketplaces in September with the claim of a new bot that is built\r\nfrom Zeus 2.0.8.9. The bot has appeared in the wild in a limited way so we can expect that this proof of concept\r\nwill blossom into a full-blown bot net when our actor gets a customer.\r\nHe claimed that the bot could not be detected by deep packet inspection. That appears to be at least partially true.\r\nWe ran our sample through our Cuckoo sandbox and it failed to find any network connections. Then we detonated\r\nthe bot in a sacrificial host and monitored with Wireshark. We saw some activity to several IP addresses, most of\r\nwhich host malware, largely Trojans of various flavors. Running our sample through VirusTotal we got hits on 26\r\nhttps://www.scmagazine.com/home/opinions/blogs/the-threat-hunter-blog/floki-bot-a-zeus-wannabe-with-delusions-of-grandeur/\r\nPage 1 of 6\n\nof 56 anti-malware programs and those 26 showed everything from Zbot to various Trojans and droppers. A closer\r\nlook will explain some of that.\r\nWe went back to AlphaBay and found a demo of the bot bypassing IBM's Trusteer Rapport. 
This yielded an IP\r\naddress - 46.165.210.17 - that we started digging on that traces to a German ISP\r\n(germany.privateinternetaccess.com). Running that IP in OpenDNS Investigate did not get us much, but running it\r\nin CyMon and ThreatCrowd did. ThreatCrowd was especially interesting because it provided a web of\r\ninterconnects with other IPs and domains, virtually all of which host malware. The domain in OpenDNS\r\nInvestigate also was more fruitful than the IP alone.\r\nExpanding the domain name out to the IPs and other domains that it hosts gave a bunch of malicious sites, mostly\r\nbranching off of 178.162.199.99. It also gave us the MD5 for a piece of malware hosted on the IP\r\n(10375c3524c5271d487b141aa00a1a18) which turns out to be an iFrame Trojan. The Trojan shows up on the\r\nfollowing:\r\n178.162.199.99\r\n68.232.35.90\r\n173.194.65.95\r\n149.126.72.131\r\n173.194.65.120\r\n108.161.188.209\r\n149.126.72.124\r\n85.25.149.38\r\n69.55.52.73\r\n108.162.197.244\r\n88.212.196.75\r\n74.206.167.145\r\n95.211.221.247\r\n95.211.221.145\r\n95.101.0.88\r\nzxeutaa.myvnc.com\r\nasianalbum.com\r\nads.juicyads.com\r\nmobile.juicyads.com\r\nfonts.googleapis.com\r\ncode.jquery.com\r\nfonts.gstatic.com\r\nalientraf.com\r\nwww.juicyads.com\r\ntwiant.com\r\nThe next treasure trove came when we ran the IP through BotScout. This gave us a good amount of information in\r\nthe form of registrant emails, many of which appeared to be created using DGAs. As well, many email addresses\r\nuse the .xyz top level domain[1].\r\nSo, what do we know so far? First, the IP in the video may or may not be a direct C\u0026C connection with the bot.\r\nLet us assume, for safety, that it is a command and control server. There is some evidence for this assumption at\r\nVirusTotal[2]. 
The site lists over 15 malicious files that communicate with this IP. If we do the same lookup on the\r\n178.162.199.99 IP we get even more, including a hash for a piece of malware that is served by that IP. While not\r\nthe same malware that we found in this IP earlier, it has a similar purpose. We also see a couple of malware hashes\r\nfor files that communicate with this IP. The evidence for the IP - or, at least, the hosting company - being used as a\r\nC\u0026C for the Trusteer test is piling up.\r\nWill that end up being a C\u0026C of the botnet? Probably not. The actor is selling the bot so whoever he sells it to\r\nlikely will set up a botnet for it. Would I block the hosting company? Yep. And I'd block the IPs just for safety\r\nsince they are hosting domains as well.\r\nFigure 1 shows the control panel for the C\u0026C.\r\nFigure 1 - Floki Bot Control Panel\r\nWhat about detecting the bot at your gateway? We cannot depend upon detecting Zeus as a way to detect Floki\r\nbot. Also, I was interested to note in the demo video that the actor referred to the bot as \"loki\" rather than \"floki\".\r\nLoki bot is a password and wallet stealer. So this raises the question as to whether this is a variant of loki rather\r\nthan Zeus, or if the demo used loki to try to scam buyers, or if our actor just got careless with his keyboard.\r\nLet's dig into the floki bot's general functionality as claimed by the actor.\r\nThe bot works on Windows XP, Vista and Win7 with UAC as well as Server 2003/2003 R2 and 2008/2008 R2. It\r\nruns its code in each process the user executes and requires almost no privileges, so it can run in the Guest account\r\n(which should be disabled, of course). The bot runs several special processes that allow such things as bypassing\r\nfirewalls, and it can send the victim configuration to the server so that the server/operator can generate commands\r\nto the victim. 
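Before the indicators listed above go into a blocklist, it is worth separating what is actually hostile from what the ThreatCrowd pivot dragged in. The Python script below is an added example, not code from the article or from the bot's author: it loads the IPs, domains and MD5 quoted above, sweeps a few constructed proxy-log lines for them, and applies the caveats a hunter would want. First, fonts.googleapis.com, fonts.gstatic.com and code.jquery.com are shared public hostnames that sit in the list only because the iframe trojan's page loads them; the script reports them as informational and downgrades any IP seen serving one of them on the same line, rather than putting them on a blocklist that would break ordinary browsing. Second, the demo IP reverse-resolves (per the article) to a privateinternetaccess.com hostname, which is a commercial VPN exit shared by many unrelated users, so a bare match on it is weak evidence on its own. Third, the two /24 ranges used to illustrate a hosting-company block are hypothetical placeholders, not the hoster's real allocations, which the article does not give. The log format and the severity labels are this example's own assumptions.

```python
import ipaddress
from collections import namedtuple

# Indicators quoted from the article: the IP seen in the demo video, the IP most
# of the pivoted infrastructure branches from, the hosts the iframe trojan was
# seen on, and the MD5 of that trojan.
ARTICLE_IPS = {
    '46.165.210.17', '178.162.199.99', '68.232.35.90', '173.194.65.95',
    '149.126.72.131', '173.194.65.120', '108.161.188.209', '149.126.72.124',
    '85.25.149.38', '69.55.52.73', '108.162.197.244', '88.212.196.75',
    '74.206.167.145', '95.211.221.247', '95.211.221.145', '95.101.0.88',
}
ARTICLE_DOMAINS = {
    'zxeutaa.myvnc.com', 'asianalbum.com', 'ads.juicyads.com',
    'mobile.juicyads.com', 'fonts.googleapis.com', 'code.jquery.com',
    'fonts.gstatic.com', 'alientraf.com', 'www.juicyads.com', 'twiant.com',
}
ARTICLE_MD5 = {'10375c3524c5271d487b141aa00a1a18'}

# Shared public hostnames that the pivot pulled in because the trojan's page
# loads them. Matching them is context, not evidence. (Allow-list is this
# example's assumption.)
SHARED_HOSTS = {'fonts.googleapis.com', 'fonts.gstatic.com', 'code.jquery.com'}

# Ranges a hunter might block wholesale, as the article does for the hosting
# company. HYPOTHETICAL /24s: the article does not give the hoster's allocations.
BLOCK_NETWORKS = [ipaddress.ip_network('46.165.210.0/24'),
                  ipaddress.ip_network('178.162.199.0/24')]

Hit = namedtuple('Hit', 'line_no kind value severity')


def classify_ip(token):
    # Exact indicator match is high; a mere neighbour in a blocked range is medium.
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return None
    if str(ip) in ARTICLE_IPS:
        return 'high'
    if any(ip in net for net in BLOCK_NETWORKS):
        return 'medium'
    return None


def classify_domain(token):
    name = token.rstrip('.')
    if name in SHARED_HOSTS:
        return 'info'
    if name in ARTICLE_DOMAINS:
        return 'high'
    return None


def is_md5(token):
    return len(token) == 32 and all(c in '0123456789abcdef' for c in token)


def sweep(lines):
    '''Scan key=value proxy-log lines (constructed format) and return Hit tuples.

    One Hit per distinct indicator per line. If a line also names one of the
    SHARED_HOSTS, any IP hit on that line is downgraded to info, because the IP
    was most likely serving that shared host rather than the bot.'''
    hits = []
    for line_no, line in enumerate(lines, 1):
        found = {}
        shared_context = False
        for raw in line.split():
            token = raw.split('=')[-1].strip(',;').lower()
            if is_md5(token):
                if token in ARTICLE_MD5:
                    found[('md5', token)] = 'high'
                continue
            sev = classify_ip(token)
            if sev:
                found[('ip', token)] = sev
                continue
            sev = classify_domain(token)
            if sev:
                found[('domain', token)] = sev
                shared_context = shared_context or sev == 'info'
        for (kind, value), sev in found.items():
            if kind == 'ip' and shared_context:
                sev = 'info'
            hits.append(Hit(line_no, kind, value, sev))
    return hits


def to_block(hits):
    # Only exact, high-confidence network indicators make the blocklist.
    return sorted({h.value for h in hits if h.kind != 'md5' and h.severity == 'high'})


# Constructed sample log, not real traffic: one line per flow, key=value fields.
SAMPLE_LOG = [
    '2016-10-31T09:14:02Z src=10.20.1.15 dst=46.165.210.17 dport=80 host=46.165.210.17 uri=/',
    '2016-10-31T09:14:05Z src=10.20.1.15 dst=173.194.65.95 dport=443 host=fonts.googleapis.com uri=/css',
    '2016-10-31T09:15:11Z src=10.20.1.42 dst=178.162.199.99 dport=80 host=asianalbum.com uri=/ md5=10375c3524c5271d487b141aa00a1a18',
    '2016-10-31T09:16:30Z src=10.20.1.42 dst=93.184.216.34 dport=443 host=example.com uri=/',
    '2016-10-31T09:17:01Z src=10.20.1.7 dst=46.165.210.200 dport=8080 host=46.165.210.200 uri=/',
]

if __name__ == '__main__':
    for hit in sweep(SAMPLE_LOG):
        print(hit)
    print('block:', to_block(sweep(SAMPLE_LOG)))
```

On the sample log the exact IP, the iframe host and the MD5 come out as high, the neighbour in the hypothetical range as medium, and the Google-fonts line as info only, so the resulting blocklist holds just the two IPs and asianalbum.com. Point the same sweep at real proxy or DNS logs once the field names are adjusted.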
Even though the bot communicates over HTTP, its communication is encrypted with a key unique to\r\neach instance of the bot. There is a back-connect feature (apparently with some problems) that allows a connection\r\nback to the victim for such things as RDP and FTP.\r\nHTTP injects allow modification of loaded pages on the victim, and the bot can scrape the screen for useful\r\ninformation such as bank accounts or credentials. There are a number of blocking functions as well. The bot\r\nincludes a sniffer and a keystroke monitor/grabber. It can import Windows certificates. Scripts can be run from the\r\ncontrol panel. The bot can be removed from the victim via the control panel.\r\nWhen the payload is dropped it is encrypted and stays that way until the dropper creates a process in explorer or\r\nsvchost. At that point the payload is decrypted, decompressed and injected into all running 32-bit processes.\r\nNow the final payload can be decrypted and decompressed to execute. The bot renames itself and copies itself\r\ninto a subdirectory under Application Data. In our sample it renamed to dymasa.exe. Stolen data is encrypted and\r\nstored in a different subdirectory under Application Data. An entry in the Startup folder is added for persistence.\r\nThere are a number of changes/additions to the registry as well. These modify the victim's security settings.\r\nTwo interesting features of the bot are its claimed high execution rate (70%, as opposed to Zeus' supposed 30%)\r\nand its ability to read track 2 of a credit card. This gives it a future as a tool for stealing credit cards. Returning to\r\nthe speculation that there may be pieces of loki code as well as Zeus, we note that some of the functionality of the\r\nloki stealer might be incorporated in the bot. 
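The host artifacts just described (a renamed executable in a subdirectory of Application Data, a Startup-folder entry that launches it) are what a host-side hunt should look for, and the two together are a much stronger signal than either alone. The Python below is an added example, not the article's or the malware author's code. It works on a constructed snapshot of one user's profile instead of a live disk so it runs anywhere; to use it for real, feed it a directory walk of each user's AppData tree and the resolved targets of the .lnk files in the Startup folder. The profile paths, the directory name Dymasa, the second data-store directory and the known-good list are all assumptions; the article names only dymasa.exe.

```python
from collections import namedtuple
from pathlib import PureWindowsPath

Finding = namedtuple('Finding', 'severity rule detail')

# Profile layout for one user. Forward slashes keep the source portable;
# PureWindowsPath normalises them and compares paths case-insensitively.
USER_APPDATA = PureWindowsPath('C:/Users/alice/AppData')
ROAMING = USER_APPDATA / 'Roaming'
EXEC_SUFFIXES = {'.exe', '.dll', '.scr', '.com'}

# Per-user software that legitimately installs under AppData. Hypothetical
# entries; derive the real list from your own software inventory.
KNOWN_GOOD = [
    ROAMING / 'Mozilla',
    USER_APPDATA / 'Local/Microsoft/OneDrive',
]


def is_under(path, root):
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def is_known_good(path):
    return any(is_under(path, good) for good in KNOWN_GOOD)


def hunt(files, startup_entries):
    '''files: path strings for every file under the user's AppData tree.
    startup_entries: (shortcut_name, resolved_target) pairs from the Startup folder.
    Returns Finding tuples; a Startup entry that launches an unexplained
    executable from Roaming is the high-confidence combination.'''
    findings = []
    suspicious = set()
    for raw in files:
        path = PureWindowsPath(raw)
        if path.suffix.lower() not in EXEC_SUFFIXES:
            continue
        if is_under(path, ROAMING) and not is_known_good(path):
            suspicious.add(path)
            findings.append(Finding('medium', 'exe_under_roaming', path.as_posix()))
    for name, target in startup_entries:
        tpath = PureWindowsPath(target)
        detail = f'{name} -> {tpath.as_posix()}'
        if tpath in suspicious:
            findings.append(Finding('high', 'startup_runs_roaming_exe', detail))
        elif is_under(tpath, USER_APPDATA) and not is_known_good(tpath):
            findings.append(Finding('medium', 'startup_target_in_appdata', detail))
    return findings


# Constructed snapshot of a profile: an ordinary browser profile, a per-user
# OneDrive install, and the renamed bot with its data store beside it.
SAMPLE_FILES = [
    'C:/Users/alice/AppData/Roaming/Mozilla/Firefox/profiles.ini',
    'C:/Users/alice/AppData/Roaming/Mozilla/Firefox/Profiles/x1.default/places.sqlite',
    'C:/Users/alice/AppData/Local/Microsoft/OneDrive/OneDrive.exe',
    'C:/Users/alice/AppData/Roaming/Dymasa/dymasa.exe',
    'C:/Users/alice/AppData/Roaming/Ypogi/ybsa.dat',
    'C:/Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/dymasa.lnk',
]
SAMPLE_STARTUP = [
    ('dymasa.lnk', 'C:/Users/alice/AppData/Roaming/Dymasa/dymasa.exe'),
    ('OneDrive.lnk', 'C:/Users/alice/AppData/Local/Microsoft/OneDrive/OneDrive.exe'),
    ('Acme Sync.lnk', 'C:/Program Files/Acme/acme.exe'),
]

if __name__ == '__main__':
    for finding in hunt(SAMPLE_FILES, SAMPLE_STARTUP):
        print(finding)
```

On the snapshot the only findings are the executable under Roaming and the Startup shortcut that launches it; the OneDrive entry is allowed through the known-good list and the Program Files shortcut is never in scope. Because the check keys on where the binary lives and how it is started rather than on the name dymasa.exe, it still fires when the bot picks a different random name on the next host.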
A complete reversing of our sample will, perhaps, shed some light on\r\nthat.\r\nThat brings us to a stopping point for this entry. We are completing the reversing of our Floki Bot sample and we'll\r\ndig into the internals next time and see if the actor's claims are accurate. For that we have partnered with one of\r\nthe top malware reversing engineers in the business.... stay tuned for that one. One of the new features in Threat\r\nHunter 2.0 is partnering with some of the best threat hunters available.\r\nUntil then, here are your new malicious sites for this week along with three new features. First, we have a pie\r\nchart that shows the top five C\u0026C IPs that hit our honeypots as monitored by Packetsled this week. Second,\r\nanother pie chart shows the top five attacking IPs as monitored on our honeypots by Packetsled. Finally, in no\r\nparticular order, we have the top attack types against our honeypots as detected by our Niksun NetDetector. Watch\r\nfor those indicators again as we update them later in the week.\r\n--Dr. 
S\r\nOur tools this week were:\r\n· Niksun NetDetector\r\n· Packetsled\r\n· Cisco OpenDNS Investigate\r\n· Cymon\r\n· AlienVault OTX\r\n· ThreatCrowd\r\n· Intel471\r\n· Silobreaker\r\n· Cuckoo sandbox\r\nFigure 2 - Top Command and Control Servers Against our Honeypots\r\nFigure 3 - Top Attacking IPs Against our Honeypots\r\nFigure 4 - Top Attack Types Against our Honeypots\r\nFigure 5 - This Week's New Malicious Domains from Malware Domain List\r\n[1] https://botscout.com/search.htm?stype=q\u0026sterm=46.165.210.17\u0026cc=\u0026page=1\r\n[2] https://www.virustotal.com/en/ip-address/46.165.210.17/information/\r\nSource: https://www.scmagazine.com/home/opinions/blogs/the-threat-hunter-blog/floki-bot-a-zeus-wannabe-with-delusions-of-grandeur/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.scmagazine.com/home/opinions/blogs/the-threat-hunter-blog/floki-bot-a-zeus-wannabe-with-delusions-of-grandeur/"
	],
	"report_names": [
		"floki-bot-a-zeus-wannabe-with-delusions-of-grandeur"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434914,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e2db423f93107663722102b8fb581d25e7c07e0.pdf",
		"text": "https://archive.orkl.eu/9e2db423f93107663722102b8fb581d25e7c07e0.txt",
		"img": "https://archive.orkl.eu/9e2db423f93107663722102b8fb581d25e7c07e0.jpg"
	}
}