{
	"id": "6a6af161-b2cb-44b3-87f7-f788578e6534",
	"created_at": "2026-04-10T03:22:05.874296Z",
	"updated_at": "2026-04-10T03:22:19.671434Z",
	"deleted_at": null,
	"sha1_hash": "74524fae078f764eb8a53d4418fbcf724aad6313",
	"title": "IoCs/Broadbased/frat.md at master · jeFF0Falltrades/IoCs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60206,
	"plain_text": "IoCs/Broadbased/frat.md at master · jeFF0Falltrades/IoCs\r\nBy jeFF0Falltrades\r\nArchived: 2026-04-10 03:07:55 UTC\r\nNote: I have not seen much coverage of this malware family.\r\nThe name 'FRat' was derived from research by @James_inthe_box, seen in the linked Tweet thread below.\r\nIf you have more information on this threat, please contact me on Twitter\r\nA RAT employing Node.js, Sails, and Socket.IO to collect information on a target.\r\nReporting\r\nhttps://twitter.com/jeFF0Falltrades/status/1270709679375646720 (H/T @James_inthe_box)\r\nhttps://twitter.com/_re_fox/status/1210623985832153088 (H/T @_re_fox)\r\nSnort/Suricata\r\nhttps://twitter.com/James_inthe_box/status/1270804510957428736 (H/T @James_inthe_box)\r\nYARA\r\nrule frat_loader {\r\n meta:\r\n author = \"jeFF0Falltrades\"\r\n ref = \"https://twitter.com/jeFF0Falltrades/status/1270709679375646720\"\r\n strings:\r\n $str_report_0 = \"$ReportDone = Get-BDE\" wide ascii\r\n $str_report_1 = \"$Report = Get-BDE\" wide ascii\r\n $str_img_0= \"$ImgURL = Get-BDE\" wide ascii\r\n $str_img_1 = \"Write-Host 'No Image'\" wide ascii\r\n $str_img_2 = \"$goinf + \\\"getimageerror\\\"\" wide ascii\r\n $str_link = \"$eLink = Get-BDE\" wide ascii\r\n $str_tmp_0 = \"$Shortcut.WorkingDirectory = $TemplatesFolder\" wide ascii\r\n $str_tmp_1 = \"TemplatesFolder = [Environment]::GetFolderPath\" wide ascii\r\n $str_tmp_2 = \"$vbout = $($TemplatesFolder)\" wide ascii\r\n $str_shurtcut = \"Get-Shurtcut\" wide ascii\r\n $str_info_0 = \"info=LoadFirstError\" wide ascii\r\n $str_info_1 = \"info=LoadSecondError\" wide ascii\r\n $str_info_2 = \"getimagedone?msg\" wide ascii\r\n $str_info_3 = \"donemanuel?id\" wide ascii\r\nhttps://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md\r\nPage 1 of 3\n\n$str_info_4 = \"getDone?msg\" wide ascii\r\n $str_info_5 = \"getManualDone?msg\" wide ascii\r\n condition:\r\n 3 of them\r\n}\r\nrule frat_executable {\r\n meta:\r\n author = \"jeFF0Falltrades\"\r\n ref = \"https://twitter.com/jeFF0Falltrades/status/1270709679375646720\"\r\n strings:\r\n $str_path_0 = \"FRat\\\\\\\\Short-Port\" wide ascii\r\n $str_path_1 = \"FRatv8\\\\\\\\Door\\\\\\\\Stub\" wide ascii\r\n $str_path_2 = \"snapshot\\\\\\\\Stub\\\\\\\\V1.js\" wide ascii\r\n $str_sails = \"sails.io\" wide ascii\r\n $str_crypto = \"CRYPTOGAMS by \u003cappro@openssl.org\u003e\" wide ascii\r\n $str_socketio = \"socket.io-client\" wide ascii\r\n condition:\r\n 3 of them\r\n}\r\nSample Hashes\r\nFRat Loader Scripts\r\ndc948f4aacc765b1fbdd58372bb847750fcf08544841ef4a44454da8e3b46bae\r\n1fa16740010c3608870f4b14ccc33cd58417648d0e26a417b0e125bc4671e70a\r\ne1a982ab68b5fd14c6723eab266d371184d395ad8e22a9d3cd93ba1c9c228458\r\nFRat Executables\r\nb330cd9151ebb66615ef6c16ab60b41dd312356505ee10a02f85bccfedda3948\r\n0aa12e18ff73617f4c12a82dc35980ec1edbb9e0fdadfaa8dcf964c70ccfbe7e\r\ndd011c1e7417131018d25543880d96c0c1ff44a6c4454b9020a183b69da80b9f\r\na9552d16e9c6c1a2ceb9d8ae52725cbcdac331908c37f253299d399e12c63018\r\n804f30400752e1bfaf21b2f37fffb99c34876372b95181aca98dbb04efe19368\r\n0f25d3cf1a783e4e0d70fba2fa0b87e2ed74bff26a4da6890dac36ba99a72726\r\n1345900b66f803046730cd9c3a4465777a28e004f8de6b19f9e8ce948397f57a\r\nSample C2\r\nhttps://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md\r\nPage 2 of 3\n\ngo[.]ehades[.]best\r\ngo[.]ehades[.]best:8443/socket.io/?__sails_io_sdk_version=1.2.1\u0026__sails_io_sdk_platform=node\u0026__sails_io_sdk_lang\r\ne[.]hemera[.]best\r\nv[.]hemera[.]best\r\nparavan[.]duckdns[.]org\r\ndownload[.]xn--screensht-nsd[.]net\r\ntravma.duckdns[.]org\r\nSource: https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md\r\nhttps://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md"
	],
	"report_names": [
		"frat.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775791325,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/74524fae078f764eb8a53d4418fbcf724aad6313.pdf",
		"text": "https://archive.orkl.eu/74524fae078f764eb8a53d4418fbcf724aad6313.txt",
		"img": "https://archive.orkl.eu/74524fae078f764eb8a53d4418fbcf724aad6313.jpg"
	}
}