Overview
overview
10Static
static
10RBXIDLE.Se....0.exe
windows7-x64
8RBXIDLE.Se....0.exe
windows10-2004-x64
8$PLUGINSDI...er.dll
windows7-x64
3$PLUGINSDI...er.dll
windows10-2004-x64
3$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3LICENSES.c...m.html
windows7-x64
3LICENSES.c...m.html
windows10-2004-x64
3RBXIDLE.exe
windows7-x64
8RBXIDLE.exe
windows10-2004-x64
8resources/...te.cmd
windows7-x64
1resources/...te.cmd
windows10-2004-x64
1resources/...te.vbs
windows7-x64
1resources/...te.vbs
windows10-2004-x64
1resources/...on.dll
windows7-x64
1resources/...on.dll
windows10-2004-x64
1resources/...do.exe
windows7-x64
1resources/...do.exe
windows10-2004-x64
1resources/...sw.exe
windows7-x64
1resources/...sw.exe
windows10-2004-x64
1resources/...ies.js
windows7-x64
3resources/...ies.js
windows10-2004-x64
3resources/...cmd.js
windows7-x64
3resources/...cmd.js
windows10-2004-x64
3resources/...mon.js
windows7-x64
3resources/...mon.js
windows10-2004-x64
3resources/...log.js
windows7-x64
3resources/...log.js
windows10-2004-x64
3General
-
Target
RBXIDLE.Setup.3.0.0.exe
-
Size
144.1MB
-
Sample
241117-twm8tayjdm
-
MD5
f7cd23293d037af068d7b4552f8bcee3
-
SHA1
32485a4bb72cb1646a3028836378015cbcde2180
-
SHA256
6d567d0959ae8c664714535ee960910c49e5f61971858fa396e9edb19688c1b3
-
SHA512
f31091dd3f6c86e39fd861e35a5213ce9fcec676a8e7f33abb71fb8c48a5ca648127bf07ecfe249aaa9e039281689b789407340f4c7476a6f1bfb721b63978aa
-
SSDEEP
3145728:JPFNsCo0L7fiLGL5n6PT6Lr0UOkyJQweGopgu9CzxxNEQFSvyrzkfC0T6:1FN4SUu0UOkyJQp7pH9krNQvYgfw
Behavioral task
behavioral1
Sample
RBXIDLE.Setup.3.0.0.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
RBXIDLE.Setup.3.0.0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/WinShell.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/WinShell.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
LICENSES.chromium.html
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
LICENSES.chromium.html
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
RBXIDLE.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
RBXIDLE.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
resources/app.asar.unpacked/node_modules/node-windows/bin/elevate/elevate.cmd
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
resources/app.asar.unpacked/node_modules/node-windows/bin/elevate/elevate.cmd
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
resources/app.asar.unpacked/node_modules/node-windows/bin/elevate/elevate.vbs
Resource
win7-20240729-en
Behavioral task
behavioral18
Sample
resources/app.asar.unpacked/node_modules/node-windows/bin/elevate/elevate.vbs
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
resources/app.asar.unpacked/node_modules/node-windows/bin/sudowin/Sudowin.Common.dll
Resource
win7-20241023-en
Behavioral task
behavioral20
Sample
resources/app.asar.unpacked/node_modules/node-windows/bin/sudowin/Sudowin.Common.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
resources/app.asar.unpacked/node_modules/node-windows/bin/sudowin/sudo.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
resources/app.asar.unpacked/node_modules/node-windows/bin/sudowin/sudo.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
resources/app.asar.unpacked/node_modules/node-windows/bin/winsw/winsw.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
resources/app.asar.unpacked/node_modules/node-windows/bin/winsw/winsw.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
resources/app.asar.unpacked/node_modules/node-windows/lib/binaries.js
Resource
win7-20241010-en
Behavioral task
behavioral26
Sample
resources/app.asar.unpacked/node_modules/node-windows/lib/binaries.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
resources/app.asar.unpacked/node_modules/node-windows/lib/cmd.js
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
resources/app.asar.unpacked/node_modules/node-windows/lib/cmd.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
resources/app.asar.unpacked/node_modules/node-windows/lib/daemon.js
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
resources/app.asar.unpacked/node_modules/node-windows/lib/daemon.js
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
resources/app.asar.unpacked/node_modules/node-windows/lib/eventlog.js
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
resources/app.asar.unpacked/node_modules/node-windows/lib/eventlog.js
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
RBXIDLE.Setup.3.0.0.exe
-
Size
144.1MB
-
MD5
f7cd23293d037af068d7b4552f8bcee3
-
SHA1
32485a4bb72cb1646a3028836378015cbcde2180
-
SHA256
6d567d0959ae8c664714535ee960910c49e5f61971858fa396e9edb19688c1b3
-
SHA512
f31091dd3f6c86e39fd861e35a5213ce9fcec676a8e7f33abb71fb8c48a5ca648127bf07ecfe249aaa9e039281689b789407340f4c7476a6f1bfb721b63978aa
-
SSDEEP
3145728:JPFNsCo0L7fiLGL5n6PT6Lr0UOkyJQweGopgu9CzxxNEQFSvyrzkfC0T6:1FN4SUu0UOkyJQp7pH9krNQvYgfw
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Legitimate hosting services abused for malware hosting/C2
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
-
-
Target
$PLUGINSDIR/SpiderBanner.dll
-
Size
9KB
-
MD5
17309e33b596ba3a5693b4d3e85cf8d7
-
SHA1
7d361836cf53df42021c7f2b148aec9458818c01
-
SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
-
SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298
-
SSDEEP
192:5lkE3uqRI1y7/xcfK4PRef6gQzJyY1rpKlVrw:5lkMBI1y7UKcef6XzJrpKY
Score3/10 -
-
-
Target
$PLUGINSDIR/StdUtils.dll
-
Size
100KB
-
MD5
c6a6e03f77c313b267498515488c5740
-
SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15
-
SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
-
SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
-
SSDEEP
3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v
Score3/10 -
-
-
Target
$PLUGINSDIR/System.dll
-
Size
12KB
-
MD5
0d7ad4f45dc6f5aa87f606d0331c6901
-
SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457
-
SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
-
SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
-
SSDEEP
192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Score3/10 -
-
-
Target
$PLUGINSDIR/WinShell.dll
-
Size
3KB
-
MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56
-
SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c
-
SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
-
SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f
Score3/10 -
-
-
Target
LICENSES.chromium.html
-
Size
5.2MB
-
MD5
27206d29e7a2d80ee16f7f02ee89fb0f
-
SHA1
3cf857751158907166f87ed03f74b40621e883ef
-
SHA256
2282bc8fe1798971d5726d2138eda308244fa713f0061534b8d9fbe9453d59ab
-
SHA512
390c490f7ff6337ee701bd7fc866354ef1b821d490c54648459c382ba63c1e8c92229e1b089a3bd0b701042b7fa9c6d2431079fd263e2d6754523fce200840e2
-
SSDEEP
12288:/7etnqnVnMnBnunQ9RBvjYJEi400/Q599b769B9UOE6MwMGucMEbHDuX0YnpWQZO:sFEc5FeWSPZza8yUMmfSHCHWJ4pps
Score3/10 -
-
-
Target
RBXIDLE.exe
-
Size
134.1MB
-
MD5
92d241ee2322192f628a7c0ca5c48f48
-
SHA1
60e19cb221c868c750601ecaf88309dcad32d886
-
SHA256
93d3e9ee4cca55a9287418e12eba8929bc471aa37ec213147f7bd8dc0896f98f
-
SHA512
8ff9dd69f699d7d538b12e03564a04d1f31aaabc00cf2895a33bd8edf6e7864f888dd065c74ea6de9376da96a44c566b1b59d328c6e7c9dbc91ff03cfee3e75c
-
SSDEEP
1572864:UUIbvHBgU0Tj91hRhmsMj9ZcZW0SUqDQ:UcUw+AGE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Loads dropped DLL
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
-
-
Target
resources/app.asar.unpacked/node_modules/node-windows/bin/elevate/elevate.cmd
-
Size
80B
-
MD5
6bf15504007e72e8fd4d069962bb6bb1
-
SHA1
2962bc672541698e23d97b2c9b4d67726662d2df
-
SHA256
d3d046aa4e54c8e1aafdb95b0d65aa73731a7fa76df3bd582c26244dcebb97eb
-
SHA512
8905d00be73d651bc3537f7fb441d84874aac8497da3da474bb1f3d71c688372aafbc1ce078024832369907494fd9990d362fcd7e58717278d13be5f2a67f142
Score1/10 -
-
-
Target
resources/app.asar.unpacked/node_modules/node-windows/bin/elevate/elevate.vbs
-
Size
334B
-
MD5
e5103df4ae6351428735d9c7e8f1a8cd
-
SHA1
0fdd4a6bd924c0fff1c0f9b95c6120f3271b4026
-
SHA256
f7ab6e0f5ce0b0da4169083f6d8832dbe4ead414ae1f450fc75f873490c00b7f
-
SHA512
e876664e37b90662c017f3092e96a832004e73a7773cab97f61e531f69b96a2848720223e29307c56eb688804327f05fe93cbf38d0d0cc803af6a06952cfc9d1
Score1/10 -
-
-
Target
resources/app.asar.unpacked/node_modules/node-windows/bin/sudowin/Sudowin.Common.dll
-
Size
20KB
-
MD5
71a3ccef13df30b88d681714fe0386fa
-
SHA1
e717d0d9890f11f15e5f4ff62d91b43a188760e2
-
SHA256
ab3f0d95abc0041c4413a52f42447d4a49f2f09b746b78c297449880206cb844
-
SHA512
60f65d428dbc560dcfff5218dcc938a8a3f5a723c6017277f2dbf5ca0fc9c1ccd551ead227831a5dc4c251d8da30737149d49d86b8fede3b933e4da69328d450
-
SSDEEP
96:hDFBwPfHy3S2xncBrtx9WQN8m2sam8vnC8DKnDvaqYqiVaVYZ3lkb1qqAKiVu4Jh:K/QWtzWfmhKC8ODvaXdVaV4+pz4/y
Score1/10 -
-
-
Target
resources/app.asar.unpacked/node_modules/node-windows/bin/sudowin/sudo.exe
-
Size
20KB
-
MD5
98cfa945795d9185d64518a8b7ab38bf
-
SHA1
64de54cd41ab3be000406785ec9f1ff9bac8f57f
-
SHA256
922754cfe2c6cfe1dceeaedb74fc00367e9613afd0ad8c9e42ec80a81d04d49b
-
SHA512
12a0d9af0c4c43804f6c244ca3b212a5ff3c694d990b9336a922975bba1a0f31b9e06fb1934bc9a4164c7d090f796ae9c62cc670e9fc4021d7e7eeaaa0641932
-
SSDEEP
96:74RH/g8jFSw6euTpHAvybfxFa/zn+UwuVA8rTskEn1W1WuZB5MYYd2J1ltgQbFgB:74RTFv69UyLa6UXTizY0Qbu
Score1/10 -
-
-
Target
resources/app.asar.unpacked/node_modules/node-windows/bin/winsw/winsw.exe
-
Size
58KB
-
MD5
e0eef2861571b63a45ee59d802ccfa8c
-
SHA1
f6fd98de7e17971be2a8eec4aa89e70bb26d1b7e
-
SHA256
5859b114d96800a2b98ef9d19eaa573a786a422dad324547ef25be181389df01
-
SHA512
10164a85ac67e7b481be5f0abe7734dd27252fdd7ecb7855423cae230cc1c54ce8652e85f2571050ccfd50975a2c53db74185031b551ef2c46ceba8b4cef0553
-
SSDEEP
768:dbLoXR9wSKYrHLHYrvL7yUUeUdfKTwEsWQFNMDmtUG0pb4Pe:dAXR9wSK6b8j2UUNCTSWQFsGwb4Pe
Score1/10 -
-
-
Target
resources/app.asar.unpacked/node_modules/node-windows/lib/binaries.js
-
Size
2KB
-
MD5
ac96898f4bd4aea3e3715a772c2c544e
-
SHA1
d5f63220b5bf777028441e50dbc09811ca08c71d
-
SHA256
a5b358388413c68f8a4c649fdb8e50c52c443bec19a792678011da72c323c1db
-
SHA512
23299ab747fd15ad86986d96bd2dd4ae0111d1db8c98460bb28c4085d6b8701de83368f8d5142c1d988e8eb1d2b0ae30965799f63ea8e198ddac130a32d7d3ec
Score3/10 -
-
-
Target
resources/app.asar.unpacked/node_modules/node-windows/lib/cmd.js
-
Size
2KB
-
MD5
dcfc8a89f25bdd54fe00476d5c66c669
-
SHA1
696d36e2904176a3ca7d13555762068829651b5e
-
SHA256
3886e90275c107043768d5713dbb522a622a6cbbc6bd7d240bab126c459ec576
-
SHA512
8c588dec102b587a23a338f25dc435f71ce34964af844174414a73836128a3467a86dfef2e7cacf177422099b0750dd94168b48cc39f62244e17c25dc26afb71
Score3/10 -
-
-
Target
resources/app.asar.unpacked/node_modules/node-windows/lib/daemon.js
-
Size
24KB
-
MD5
6149760c1dd670fd1cdd7592326199c9
-
SHA1
be413fdcf6a89985119ac2549034981d7f055af6
-
SHA256
56c2e2d712ed2f692255cd8a15328d32ca3b877b91130cd83ec5f46235513cb1
-
SHA512
c6975004281ff434200377c7c9f9198182c20771cbea4ba2e81a9e8c9bdbc6c03f87a0e64474cb8f04a1682d86086625343ac0b0dd559f57e6685cd413dce8c6
-
SSDEEP
768:0WQLaL6CNTPPT1THTKT7GTneKKTiToVDTeLJ+JGrpTmT0n4CquTqcLs/FLuLGpYp:0WQLaL6CNTPPT1THTKT6T4TiT6TeLJ+0
Score3/10 -
-
-
Target
resources/app.asar.unpacked/node_modules/node-windows/lib/eventlog.js
-
Size
6KB
-
MD5
0fc62adc34dc81a5f9fc3a298aa78eaf
-
SHA1
4b79d9a54bfa5e4d37c251ef70bd3b81cb3e5d81
-
SHA256
ac0eab52e15690398c630200e7000a1d291a863bca9709456f27b92c11cd81de
-
SHA512
02700df4c79c715849b4ee7fcdbc48e1dee7d5b96131af3f627fac55619e094a687d1e50d4efdb55ab471085848e44caf2d3d50da988a5dc5abecbd7c0967eba
-
SSDEEP
192:HeTm/XkXoiMQDtYnLSwyaXW+Y4LImWqYcyWKYuZDWsY6YW/Y/jg:HGsUSQZYnLt7/YSdpYJ3YGDNY3yYLg
Score3/10 -
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
1Hidden Window
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1