The Floki Dropper looks simple and it has been found in wild without any outer protection layer. It has 3 resources with descriptive names bot32, bot64, and key. When we try to observe its activity, we can see it making an injection into explorer. However, when we trace the API calls, we cannot find any reference to a function that will write the code into the explorer process. Instead of leaving artifacts for easy detection, the author was trying not to leave any artifacts that could allow easy detection.”]
Source: https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/

