Breaking Down FF-Rat Malware
TLP: WHITE | AlienVault | 2017-07-19 | Modified: 2017-07-19
FF-RAT is a family of malware used in a number of targeted attacks over at least the last five years. It is by no means a new threat, but it is still actively used and developed, and it is worth breaking down in an effort to defend against it.
Indicators of Compromise (102)