  #1  
Old 05-10-2025, 06:39 AM

rachelmaple rachelmaple is offline
Join Date: Jan 2022
Posts: 0
Default


Floki Bot
Dropper
Injects payload in zombie process without decrypting it inside dropper. Payload does not go through NtWriteVirtualMemory/NtMapViewOfSection calls but instead a PE loader is injected that uses NtReadVirtualMemory then decompresses, decrypts and executes it. Decompression and decryption of payload only happens in zombie process (explorer.exe or svchost.exe).
After launch of payload in zombie process, payload injects itself in all running 32-bit processes.
EOF is not used.
Execution rate - 70%+.
Payload
Based on Zeus 2.0.8.9 source-code. Payload uses a different communication protocol that cannot be detected by Deep-Packet-Inspection unlike Zeus (Packets don't look like Zeus). Config is transferred to bot directly through gate.php encrypted.
All reports are written to HDD and then transferred in a single request to command and control center. This system reduces stress on server allowing you to hold more bots than it would send requests one by one (zeus) and ensures you don't lose a single report in case of downtime. Configuration file and dropper is automatically updated from webpanel using MD5 checks done by bot itself. Configuration supports unlimited URL.
Feature List:
Track 2 Grabber + Keylogger for CVV
Using memory hooks, it grabs all Track 2 with very low CPU usage (~0%).
Standard scanner/grabber (Dexter, Alina, all other) misses some Track 2 because it can be removed from memory before scan but with memory hooks this case cannot happen.
Track 2 data is analyzed and reported as what possible credit-card it is (Visa, MasterCard, etc).
Formgrabber and Webinjects for Internet Explorer and Mozilla Firefox.
Bypass Trusteer Rapport
https://www.sendspace.com/file/mjlo6l (Video, need Adobe Flash)
FTP/POP3 Grabber
Cookies grabber for Internet Explorer
Ring-3 Rootkit unhooker
Bot will attempt to remove all inline hooks by reading and mapping original file and comparing bytes.
Hook Protection
Bot intercepts NtProtectVirtualMemory calls to protect its own hooks against unhookers.
Backconnect SOCKS/VNC currently is not available as it is being recoded. Chrome webinjects and Webfakes will be available in future.
Price: 1000$, Bitcoin is only accepted payment method.
Escrow/garant is accepted.
Jabber: mailto:[email protected]
Testing is available when money is deposited in escrow/garant!
  #2  
Old 05-10-2025, 07:16 AM

rc.if rc.if is offline
Join Date: Dec 2023
Posts: 0
Default


Damn, I want this malware... but I'm not confident in my own abilities yet... and with Floki, who the hell knows how long it will live...
Added after 2 minutes 33 seconds
Man, I'm itching for it... I need to pitch it to my partner, but damn, he's such a conservative, how do I explain it to him when he doesn't get this stuff.



  #3  
Old 05-10-2025, 07:29 AM

August August is offline
Join Date: Jul 2023
Posts: 0
Default


Vouch ++
  #4  
Old 05-10-2025, 07:38 AM

rachelmaple rachelmaple is offline
Join Date: Jan 2022
Posts: 0
Default


I am still selling.
Test only with escrow (garant).
Jabber: mailto:[email protected]




  #5  
Old 05-10-2025, 07:51 AM

rachelmaple rachelmaple is offline
Join Date: Jan 2022
Posts: 0
Default


SOCKS and RDP will be released at same time
no review copy will be given out, you can test bot when working with escrow before releasing funds
Demo/test is possible only after the full amount has been deposited with this forum's escrow (garant)
Price is still $1000.
Jabber: mailto:[email protected]






  #6  
Old 05-10-2025, 07:57 AM

libin123 libin123 is offline
Banned
Join Date: Jan 2023
Posts: 1
Default


Are there any reviews of the bot? Maybe on other forums?
  #7  
Old 05-10-2025, 08:03 AM

rachelmaple rachelmaple is offline
Join Date: Jan 2022
Posts: 0
Default


There are some on exploit.in: htt___ps://forum.exploit.in/index.php?showtopic=108781
  #8  
Old 05-10-2025, 08:13 AM

Xmarket Xmarket is offline
Banned
Join Date: Aug 2023
Posts: 19
Default


is it with original source code ?
  #9  
Old 05-10-2025, 08:20 AM

rachelmaple rachelmaple is offline
Join Date: Jan 2022
Posts: 0
Default


Quote:
Originally Posted by Minkenry
is it with original source code ?
Based on Zeus 2.0.8.9 source-code
Selling without source code
  #10  
Old 05-10-2025, 08:26 AM

rachelmaple rachelmaple is offline
Join Date: Jan 2022
Posts: 0
Default


https://blog.malwarebytes.com/threat...althy-dropper/
We are online and selling
Jabber: mailto:[email protected]