win.flawedgrace

FlawedGrace

aka: GraceWire

Actor(s): TA505

According to Proofpoint, FlawedGrace is written in C++ and can be categorized as a Remote Access Trojan (RAT). It appears to have been developed mainly in the second half of 2017.

FlawedGrace uses the following commands, listed here for reference:
* desktop_stat
* destroy_os
* target_download
* target_module_load
* target_module_load_external
* target_module_unload
* target_passwords
* target_rdp
* target_reboot
* target_remove
* target_script
* target_servers
* target_update
* target_upload

References

Each entry gives date | source | author(s), then the title, then the families and actors the reference is tagged with.

2023-12-30 | Rewterz Information Security | Rewterz Information Security
  Rewterz Threat Alert – Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs
  Tags: EugenLoader, POWERTRASH, BATLOADER, DarkGate, FlawedGrace, NetSupportManager RAT, SectopRAT, Storm-0506

2023-06-12 | The DFIR Report | Maxime Thiebaut
  A Truly Graceful Wipe Out
  Tags: FlawedGrace, Silence

2022-12-08 | Cisco Talos | Tiago Pereira
  Breaking the silence - Recent Truebot activity
  Tags: Clop, Cobalt Strike, FlawedGrace, Raspberry Robin, Silence, Teleport

2022-11-11 | Codesec | Hugo Caron
  GraceWire / FlawedGrace malware adventure
  Tags: FlawedGrace

2021-12-01 | NCC Group | Michael Sandee, Nikolaos Pantazopoulos
  Tracking a P2P network related to TA505
  Tags: FlawedGrace, Necurs

2021-10-21 | CrowdStrike | Alex Clinton, Tasha Robinson
  Stopping GRACEFUL SPIDER: Falcon Complete's Fast Response to Recent SolarWinds Serv-U Exploit Campaign
  Tags: Cobalt Strike, FlawedGrace, TinyMet

2021-10-19 | Proofpoint | Axel F, Brandon Murphy, Crista Giering, Georgi Mladenov, Matthew Mesa, Zydeca Cass
  Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant
  Tags: FlawedGrace, MirrorBlast

2021-03-02 | Möbius Strip Reverse Engineering | Rolf Rolles
  An Exhaustively-Analyzed IDB for FlawedGrace
  Tags: FlawedGrace

2020-08-20 | CERT-FR | CERT-FR
  Development of the Activity of the TA505 Cybercriminal Group
  Tags: AndroMut, Bart, Clop, Dridex, FlawedAmmyy, FlawedGrace, Get2, Locky, Marap, QuantLoader, SDBbot, ServHelper, tRat, TrickBot

2020-06-22 | CERT-FR | CERT-FR
  Évolution de l'activité du groupe cybercriminel TA505
  Tags: Amadey, AndroMut, Bart, Clop, Dridex, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Locky, Marap, Philadelphia Ransom, QuantLoader, Scarab Ransomware, SDBbot, ServHelper, Silence, tRat, TrickBot

2020-06-17 | Twitter (@MsftSecIntel) | Microsoft Security Intelligence
  A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace
  Tags: FlawedGrace

2020-05-21 | Intel 471 | Intel 471
  A brief history of TA505
  Tags: AndroMut, Bart, Dridex, FlawedAmmyy, FlawedGrace, Gandcrab, Get2, GlobeImposter, Jaff, Kegotip, Locky, Necurs, Philadelphia Ransom, Pony, QuantLoader, Rockloader, SDBbot, ServHelper, Shifu, Snatch, TrickBot

2020-03-26 | Telekom | Thomas Barabosch
  TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
  Tags: Amadey, Azorult, Clop, FlawedGrace, Get2, SDBbot, Silence, TinyMet, TA505

2020-03-03 | PWC UK | PWC UK
  Cyber Threats 2019: A Year in Retrospect
  Tags: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA, Sea Turtle

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
  APT Report 2019
  Tags: Chrysaor, Exodus, Dacls, VPNFilter, DNSRat, Griffon, KopiLuwak, More_eggs, SQLRat, AppleJeus, BONDUPDATER, Agent.BTZ, Anchor, AndroMut, AppleJeus, BOOSTWRITE, Brambul, Carbanak, Cobalt Strike, Dacls, DistTrack, DNSpionage, Dtrack, ELECTRICFISH, FlawedAmmyy, FlawedGrace, Get2, Grateful POS, HOPLIGHT, Imminent Monitor RAT, jason, Joanap, KerrDown, KEYMARBLE, Lambert, LightNeuron, LoJax, MiniDuke, PolyglotDuke, PowerRatankba, Rising Sun, SDBbot, ServHelper, Snatch, Stuxnet, TinyMet, tRat, TrickBot, Volgmer, X-Agent, Zebrocy

2020-01-01 | Secureworks | SecureWorks
  GOLD TAHOE
  Tags: Clop, FlawedAmmyy, FlawedGrace, Get2, SDBbot, ServHelper, TA505

2019-01-14 | Möbius Strip Reverse Engineering | Rolf Rolles
  A Quick Solution to an Ugly Reverse Engineering Problem
  Tags: FlawedGrace

2019-01-09 | Proofpoint | Dennis Schwarz, Proofpoint Staff
  ServHelper and FlawedGrace - New malware introduced by TA505
  Tags: FlawedGrace, ServHelper

Yara Rules
[TLP:WHITE] win_flawedgrace_auto (20260504 | Detects win.flawedgrace.)
rule win_flawedgrace_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.flawedgrace."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83c414 8d4df8 e8???????? 8b4df8 3b4f24 7591 57 }
            // n = 7, score = 200
            //   83c414               | add                 esp, 0x14
            //   8d4df8               | lea                 ecx, [ebp - 8]
            //   e8????????           |                     
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   3b4f24               | cmp                 ecx, dword ptr [edi + 0x24]
            //   7591                 | jne                 0xffffff93
            //   57                   | push                edi

        $sequence_1 = { c68503e4ffff00 c68504e4ffff19 c68505e4ffffa0 c68506e4ffff3e c68507e4ffffa0 c68508e4ffff66 c68509e4ffffa0 }
            // n = 7, score = 200
            //   c68503e4ffff00       | mov                 byte ptr [ebp - 0x1bfd], 0
            //   c68504e4ffff19       | mov                 byte ptr [ebp - 0x1bfc], 0x19
            //   c68505e4ffffa0       | mov                 byte ptr [ebp - 0x1bfb], 0xa0
            //   c68506e4ffff3e       | mov                 byte ptr [ebp - 0x1bfa], 0x3e
            //   c68507e4ffffa0       | mov                 byte ptr [ebp - 0x1bf9], 0xa0
            //   c68508e4ffff66       | mov                 byte ptr [ebp - 0x1bf8], 0x66
            //   c68509e4ffffa0       | mov                 byte ptr [ebp - 0x1bf7], 0xa0

        $sequence_2 = { 0fb6c0 85c0 741f 8b8de4c0ffff 8b5108 8995ccc0ffff 8b95e4c0ffff }
            // n = 7, score = 200
            //   0fb6c0               | movzx               eax, al
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21
            //   8b8de4c0ffff         | mov                 ecx, dword ptr [ebp - 0x3f1c]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   8995ccc0ffff         | mov                 dword ptr [ebp - 0x3f34], edx
            //   8b95e4c0ffff         | mov                 edx, dword ptr [ebp - 0x3f1c]

        $sequence_3 = { c6853ec3ffff00 c6853fc3ffff00 c68540c3ffff10 c68541c3ffff00 c68542c3ffff00 c68543c3ffff00 c68544c3ffff00 }
            // n = 7, score = 200
            //   c6853ec3ffff00       | mov                 byte ptr [ebp - 0x3cc2], 0
            //   c6853fc3ffff00       | mov                 byte ptr [ebp - 0x3cc1], 0
            //   c68540c3ffff10       | mov                 byte ptr [ebp - 0x3cc0], 0x10
            //   c68541c3ffff00       | mov                 byte ptr [ebp - 0x3cbf], 0
            //   c68542c3ffff00       | mov                 byte ptr [ebp - 0x3cbe], 0
            //   c68543c3ffff00       | mov                 byte ptr [ebp - 0x3cbd], 0
            //   c68544c3ffff00       | mov                 byte ptr [ebp - 0x3cbc], 0

        $sequence_4 = { c685f9c9ffffe8 c685fac9ffffda c685fbc9ffff0a c685fcc9ffff00 c685fdc9ffff00 c685fec9ffff48 c685ffc9ffff83 }
            // n = 7, score = 200
            //   c685f9c9ffffe8       | mov                 byte ptr [ebp - 0x3607], 0xe8
            //   c685fac9ffffda       | mov                 byte ptr [ebp - 0x3606], 0xda
            //   c685fbc9ffff0a       | mov                 byte ptr [ebp - 0x3605], 0xa
            //   c685fcc9ffff00       | mov                 byte ptr [ebp - 0x3604], 0
            //   c685fdc9ffff00       | mov                 byte ptr [ebp - 0x3603], 0
            //   c685fec9ffff48       | mov                 byte ptr [ebp - 0x3602], 0x48
            //   c685ffc9ffff83       | mov                 byte ptr [ebp - 0x3601], 0x83

        $sequence_5 = { 0fb6c3 330c85e0934500 334f48 894de4 c1eb18 8b45ec c1e810 }
            // n = 7, score = 200
            //   0fb6c3               | movzx               eax, bl
            //   330c85e0934500       | xor                 ecx, dword ptr [eax*4 + 0x4593e0]
            //   334f48               | xor                 ecx, dword ptr [edi + 0x48]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   c1eb18               | shr                 ebx, 0x18
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   c1e810               | shr                 eax, 0x10

        $sequence_6 = { c6857de1ffff00 c6857ee1ffff00 c6857fe1ffff00 c68580e1ffff00 c68581e1ffff00 c68582e1ffff00 c68583e1ffff00 }
            // n = 7, score = 200
            //   c6857de1ffff00       | mov                 byte ptr [ebp - 0x1e83], 0
            //   c6857ee1ffff00       | mov                 byte ptr [ebp - 0x1e82], 0
            //   c6857fe1ffff00       | mov                 byte ptr [ebp - 0x1e81], 0
            //   c68580e1ffff00       | mov                 byte ptr [ebp - 0x1e80], 0
            //   c68581e1ffff00       | mov                 byte ptr [ebp - 0x1e7f], 0
            //   c68582e1ffff00       | mov                 byte ptr [ebp - 0x1e7e], 0
            //   c68583e1ffff00       | mov                 byte ptr [ebp - 0x1e7d], 0

        $sequence_7 = { c68580e4ffff00 c68581e4ffff00 c68582e4ffff00 c68583e4ffff00 c68584e4ffff00 }
            // n = 5, score = 200
            //   c68580e4ffff00       | mov                 byte ptr [ebp - 0x1b80], 0
            //   c68581e4ffff00       | mov                 byte ptr [ebp - 0x1b7f], 0
            //   c68582e4ffff00       | mov                 byte ptr [ebp - 0x1b7e], 0
            //   c68583e4ffff00       | mov                 byte ptr [ebp - 0x1b7d], 0
            //   c68584e4ffff00       | mov                 byte ptr [ebp - 0x1b7c], 0

        $sequence_8 = { 8b4e04 8b45e8 8d0441 eb06 8b4604 0345e8 8945d8 }
            // n = 7, score = 200
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8d0441               | lea                 eax, [ecx + eax*2]
            //   eb06                 | jmp                 8
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   0345e8               | add                 eax, dword ptr [ebp - 0x18]
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax

        $sequence_9 = { 0fb6c0 330c85e0d74500 0fb6c2 330c85e0d34500 338f90000000 8b879c000000 33d9 }
            // n = 7, score = 200
            //   0fb6c0               | movzx               eax, al
            //   330c85e0d74500       | xor                 ecx, dword ptr [eax*4 + 0x45d7e0]
            //   0fb6c2               | movzx               eax, dl
            //   330c85e0d34500       | xor                 ecx, dword ptr [eax*4 + 0x45d3e0]
            //   338f90000000         | xor                 ecx, dword ptr [edi + 0x90]
            //   8b879c000000         | mov                 eax, dword ptr [edi + 0x9c]
            //   33d9                 | xor                 ebx, ecx

    condition:
        7 of them and filesize < 966656
}