https://github.com/cisco-talos/flokibot

rc4

Last synced: 14 days ago
JSON representation

Host: GitHub
URL: https://github.com/cisco-talos/flokibot
Owner: Cisco-Talos
License: gpl-2.0
Created: 2016-12-02T15:16:37.000Z (over 8 years ago)
Default Branch: master
Last Pushed: 2016-12-07T20:41:24.000Z (over 8 years ago)
Last Synced: 2025-03-24T09:03:38.272Z (30 days ago)
Topics: rc4
Language: Python
Homepage: https://talosintelligence.com/flokibot
Size: 12.7 KB
Stars: 29
Watchers: 13
Forks: 10
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# Flokibot Tools

## PayloadDump.py

PayloadDump takes a Flokibot sample like 7bd22e3147122eb4438f02356e8927f36866efa0cc07cc604f1bff03d76222a6, and extracts payload binaries from the compressed/encrypted PE resources. It outputs a file named BOT32 or BOT64 in the current working directory.

```
python PayloadDump.py samples\7bd22e3147122eb4438f02356e8927f36866efa0cc07cc604f1bff03d76222a6 BOT32
Successfully Dumped payload BOT32
```

## ConfigDump.py

ConfigDump takes a 32 bit Flokibot payload extracted using PayloadDump, and extracts the obfuscated config block containing a C2 URL and an RC4 network key. It outputs a file named config.bin, and prints out the URL contained in the deobfuscated config block.

```
python ConfigDump.py BOT32
Successfully dumped config.bin.
URL: https://adultgirlmail[.]com/mail/gate[.]php
```

## Required Python Libraries
* pefile
* rc4

```
pip install pefile rc4
```

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Awesome

https://github.com/cisco-talos/flokibot

Awesome Lists containing this project

README