7115a0adc6ee5d127e9ede11b89d253bb6350342bca69eb1845a05ec977a1629 | Triage

Submit
Reports

Overview

overview

8

Static

static

3

ROBLOX_MULTI_x64.exe

windows10-2004-x64

8

Sharing

Copy URL Twitter E-mail

General

Target

ROBLOX_MULTI_x64.exe
Size

11KB
Sample

231104-a1lq1abd6t
MD5

4261af7c34b48c77817f52033fb0539f
SHA1

e1e79a7e69cdb35e758591ea98d63c583b2eea26
SHA256

7115a0adc6ee5d127e9ede11b89d253bb6350342bca69eb1845a05ec977a1629
SHA512

876c30f9ccf654aabd70d947b75e80e120ffc5460aafb3d4ebc0bc52253f3ae9f6551d89db42ef0ee37d026ec764328212c280d649c14c90630e78c68817bfa4
SSDEEP

192:AvAdKg7Z5wAe6vpKpyVMmE8lZuuPe3Q5tmUKSJ:0CKg7Delpygvu23DS

Score

8^/10

adware discovery evasion persistence stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ROBLOX_MULTI_x64.exe

Resource

win10v2004-20231025-en

adware discovery evasion persistence stealer trojan

windows10-2004-x64

29 signatures

1800 seconds

Malware Config

Targets

- Target
  
  ROBLOX_MULTI_x64.exe
- Size
  
  11KB
- MD5
  
  4261af7c34b48c77817f52033fb0539f
- SHA1
  
  e1e79a7e69cdb35e758591ea98d63c583b2eea26
- SHA256
  
  7115a0adc6ee5d127e9ede11b89d253bb6350342bca69eb1845a05ec977a1629
- SHA512
  
  876c30f9ccf654aabd70d947b75e80e120ffc5460aafb3d4ebc0bc52253f3ae9f6551d89db42ef0ee37d026ec764328212c280d649c14c90630e78c68817bfa4
- SSDEEP
  
  192:AvAdKg7Z5wAe6vpKpyVMmE8lZuuPe3Q5tmUKSJ:0CKg7Delpygvu23DS
Score

8^/10

adware discovery evasion persistence stealer trojan
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

adwarediscoveryevasionpersistencestealertrojan

© 2018-2025

Terms | Privacy