{
	"id": "1ddb11f6-8387-4c01-b0a7-14a706d525c7",
	"created_at": "2026-04-06T00:11:25.863948Z",
	"updated_at": "2026-04-10T03:20:30.613971Z",
	"deleted_at": null,
	"sha1_hash": "17915a2bed6a4a91d5eff411f7fc948225202b40",
	"title": "An Exhaustively-Analyzed IDB for FlawedGrace — Möbius Strip Reverse Engineering",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45824,
	"plain_text": "An Exhaustively-Analyzed IDB for FlawedGrace — Möbius Strip Reverse Engineering\r\nBy Rolf Rolles\r\nPublished: 2021-03-02 · Archived: 2026-04-05 14:19:37 UTC\r\nThis blog entry announces the release of an exhaustive analysis of FlawedGrace. You can find the IDB for the main executable, and for the 64-bit password stealer module, here. The sha1sum for the main executable is 9bb72ae1dc6c49806064992e0850dc8cb02571ed, and the md5sum is bc91e2c139369a1ae219a11cbd9a243b.\r\nLike the previous entry in this series on ComRAT v4, I did this analysis as part of my preparation for an upcoming class on C++ reverse engineering. The analysis took about a month, and made me enamored with FlawedGrace's architecture. I have personally never analyzed (nor read the source for) a program with such a sophisticated networking component. Were I ever to need a high-performance, robust, and flexible networking infrastructure, I'd probably find myself cribbing from FlawedGrace. This family is also notable for its custom, complex virtual filesystem used for configuration management and C2 communications. I would like to eventually write a treatise about all of the C++ malware family analyses that I performed during my research for the class, but that endeavor was distracting me from work on my course, and hence will have to wait.\r\n(Note that if you are interested in the forthcoming C++ training class, it probably will be available in Q3/Q4 2021. More generally, remote public classes (where individual students can sign up) are temporarily suspended; remote private classes (multiple students on behalf of the same organization) are currently available. If you would like to be notified when public classes become available, or when the C++ course is ready, please sign up on our no-spam, very low-volume, course notification mailing list. (Click the button that says \"Provide your email to be notified of public course availability\".))\r\n(Note that I am looking for a fifth and final family (beyond ComRAT, FlawedGrace, XAgent, and Kelihos) to round out my analysis of C++ malware families. If you have suggestions -- and samples, or hashes I can download through Hybrid-Analysis -- please send me an email at rolf@ my domain.)\r\nAbout the IDB\r\nHere are some screenshots. First, a comparison of the unanalyzed executable versus the analyzed one:\r\nAbout the Analysis\r\nLike the previous analysis of ComRAT v4, this analysis was conducted purely statically. Like the previous, I have reverse engineered every function in the binary that is not part of the C++ standard library, and some of those that are. Like the previous, all analysis was conducted in Hex-Rays, so you will not find anything particularly interesting in the plain disassembly listing. Unlike the previous, this binary had RTTI, meaning that I was given the names and inheritance relationships of classes with virtual functions.\r\nhttps://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace\r\nPage 1 of 3\r\nEach C++ program that I devote significant time to analyzing seems to present me with unique challenges. With ComRAT, those were scale and usage of modern additions to the STL that had been previously unfamiliar to me. With XAgent, it was forcing myself to muddle through the subtleties of how MSVC implements multiple inheritance. For FlawedGrace, those challenges were:\r\nExtensive use of virtual functions and inheritance, beyond anything I've analyzed previously. Tracing the flow of data from point A to point B often involved around a dozen different object types and virtual function calls, sometimes more. You can see an example of this in the database notepad, where I describe the RDP tunneling implementation.\r\nA type reconstruction burden that seemed to never end. FlawedGrace has one of the highest ratios of custom types to program size of anything I've analyzed. In total, I manually reconstructed 178 custom data types across 454 programmer-written functions, which you will find in the Local Types window.\r\nHaving to reverse engineer a complex virtual file system statically, with no sample data. You can find the relevant code in the functions window, under the folder path Modalities\\Standalone\\Virtual File System. I suspect this was written by a different team than the networking component, given the difference in coding styles: i.e., the VFS was written in plain C, with some features that mimic VTables.\r\nHaving to confront, as a user, the challenges that reverse engineering tools have with x86/Windows programs (in contrast to x64) with regards to stack pointer analysis and 64-bit integers.\r\nHaving to brush up on my network programming skills. For example, I had forgotten what the “Nagle algorithm” was. It’s clear that the server-side component is derived from the same codebase. However, the server portion of the code was not present in the binary, so I could not analyze it.\r\nFlawedGrace makes proficient use of C++ features and the STL, and its authors are experts in concurrent programming and networking. However, it is mostly written in an older style than ComRAT was; for example, it does not use \u003cmemory\u003e. Here is a list of the STL data types used, in descending frequency of usage:\r\n\u003catomic\u003e\r\nthread\r\nlist\u003cT\u003e\r\nmap\u003cK,V\u003e\r\ndeque\u003cT\u003e\r\nset\u003cT\u003e\r\nvector\u003cT\u003e\r\nI hope you enjoy the IDB.\r\nSource: https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace"
	],
	"report_names": [
		"an-exhaustively-analyzed-idb-for-flawedgrace"
	],
	"threat_actors": [],
	"ts_created_at": 1775434285,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17915a2bed6a4a91d5eff411f7fc948225202b40.pdf",
		"text": "https://archive.orkl.eu/17915a2bed6a4a91d5eff411f7fc948225202b40.txt",
		"img": "https://archive.orkl.eu/17915a2bed6a4a91d5eff411f7fc948225202b40.jpg"
	}
}