badrabbit | hxxps://github[.]com/FoRuxGaming/RobloxCheats/blob/main/%5BFoRux%20Gaming%5DLucidity%20Cheats[.]txt | Triage

Submit
Reports

Overview

overview

Static

static

1

URLScan

urlscan

https://github.com/F...

windows11-21h2-x64

Sharing

General

Target

https://github.com/FoRuxGaming/RobloxCheats/blob/main/%5BFoRux%20Gaming%5DLucidity%20Cheats.txt
Sample

250212-ftvm8azkar

Score

10^/10

badrabbit google microsoft defense_evasion discovery execution motw phishing ransomware themida trojan

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

https://github.com/FoRuxGaming/RobloxCheats/blob/main/%5BFoRux%20Gaming%5DLucidity%20Cheats.txt

Resource

win11-20250211-en

badrabbit google microsoft defense_evasion discovery execution motw phishing ransomware themida trojan

windows11-21h2-x64

35 signatures

900 seconds

Malware Config

Targets

- Target
  
  https://github.com/FoRuxGaming/RobloxCheats/blob/main/%5BFoRux%20Gaming%5DLucidity%20Cheats.txt
Score

10^/10

badrabbit google microsoft defense_evasion discovery execution motw phishing ransomware themida trojan
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Badrabbit family
  badrabbit
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  defense_evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
- Detected potential entity reuse from brand GOOGLE.
  phishing google
- Detected potential entity reuse from brand MICROSOFT.
  phishing microsoft
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Subvert Trust Controls

SIP and Trust Provider Hijacking

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

urlscan1

behavioral1

badrabbitgooglemicrosoftdefense_evasiondiscoveryexecutionmotwphishingransomwarethemidatrojan

© 2018-2025

Terms | Privacy