FlawedGrace
FlawedGrace is a remote access trojan (RAT) malware family associated with TA505 and CL0P-linked activity, and is also referenced alongside FIN11 in the provided reporting. It has been used by TA505 since at least November 2017. Reported delivery and deployment methods in the provided content include phishing campaigns using a macro-enabled document and the Get2 malware dropper to download SDBot and FlawedGrace, as well as post-exploitation persistence following SolarWinds Serv-U CVE-2021-35211 exploitation, where attackers hijacked the legitimate RegIdleBackup scheduled task and abused its COM handler/CLSID registry objects to load a FlawedGrace RAT loader stored as Base64-encoded registry data. The content also notes Truebot has been used by TA505 to download FlawedGrace or Cobalt Strike beacons. High-confidence behavioral details from the supplied reverse-engineering summary describe FlawedGrace as having a sophisticated, high-performance, robust, and flexible networking component and a custom, complex virtual filesystem used for configuration management and command-and-control communications. ATT&CK-related content in the provided material associates FlawedGrace with obfuscated or encrypted/encoded files or information. Additional artifacts directly mentioned include a YARA rule named "Windows.Trojan.FlawedGrace," malware-analysis IDA databases for the main executable and a 64-bit password stealer module, and sample hashes for the main executable: SHA-1 9bb72ae1dc6c49806064992e0850dc8cb02571ed and MD5 bc91e2c139369a1ae219a11cbd9a243b.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
...abusing the COM handler associated with it to execute malicious code, leading to FlawedGrace RAT.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
For persistence, the actors hijack a legitimate scheduled task that is used for regularly backing up registry hives and abuse the associated COM handler to load 'FlawedGrace RAT.'
rule Windows_Trojan_FlawedGrace_8c5eb04b { ... threat_name = "Windows.Trojan.FlawedGrace" ... }
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 techniqueCL0P actors send a large volume of spear-phishing emails to employees of an organization to gain initial access.
Stealth
2 techniquesThe content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
Credential Access
1 techniqueYou can find the IDB for the main executable, and for the 64-bit password stealer module, here.
Command and Control
2 techniquesFlawedAmmyy / FlawedGrace remote access trojan (RAT) collects information and attempts to communicate with the Command and Control (C2) server to enable the download of additional malware components [T1071], [T1105].
FlawedAmmyy / FlawedGrace remote access trojan (RAT) collects information and attempts to communicate with the Command and Control (C2) server to enable the download of additional malware components [T1071], [T1105].
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Like the previous two entries in this series on ComRAT v4 and FlawedGrace, I did this analysis as part of my preparation for an upcoming class on C++ reverse engineering.
Remote access trojan used by TA505 for persistence after exploitation, loaded via a hijacked scheduled task COM handler.
Remote Access Trojan; in these incidents its loader was stored as Base64-encoded strings in registry CLSID objects and executed via hijacking the RegIdleBackup scheduled task COM handler for persistence.
Remote access trojan; in these incidents it is delivered via scheduled task (RegIdleBackup) COM handler hijacking, with a loader stored as Base64-encoded strings in the registry.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.