File name: | RobloxPlayerLauncher.rar |
Full analysis: | https://app.any.run/tasks/15c47392-f814-46fe-814f-a008b619842a |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | December 14, 2018, 11:01:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 72F4F4896B1698AF86F04651B8390197 |
SHA1: | F74CBA99A3B8E69947072FDB4086EEFEE5AA6B7A |
SHA256: | 2BB52418E9EC444EFEFF78234A36836FF2F373033E4ECA860D0ED2BC86547073 |
SSDEEP: | 98304:NVgYSenC1tMyFLKPmliOGlc8/Bkwg7OxgHjqbM1jgFVcRpj4PmIUK:NVgYSeC1tMqWP7O+dBkwgaxgDq2jgFfp |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3568 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RobloxPlayerLauncher.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3860 | "C:\Users\admin\Desktop\RobloxPlayerLauncher\RobloxPlayerLauncher.exe" | C:\Users\admin\Desktop\RobloxPlayerLauncher\RobloxPlayerLauncher.exe | explorer.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
3256 | "C:\Windows\System32\schtasks.exe" /create /tn alg /tr "C:\Users\admin\AppData\Roaming\wpnpinst\CheckNetIsolation.exe" /sc minute /mo 1 /F | C:\Windows\System32\schtasks.exe | — | RobloxPlayerLauncher.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2484 | "C:\Users\admin\AppData\Local\Temp\emp.exe" | C:\Users\admin\AppData\Local\Temp\emp.exe | RobloxPlayerLauncher.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Win32 Cabinet Self-Extractor Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3340 | "C:\Users\admin\AppData\Local\Temp\inm.exe" | C:\Users\admin\AppData\Local\Temp\inm.exe | RobloxPlayerLauncher.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2604 | "C:\Users\admin\AppData\Local\Temp\lim.exe" | C:\Users\admin\AppData\Local\Temp\lim.exe | RobloxPlayerLauncher.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
3744 | "C:\Users\admin\AppData\Local\Temp\nja.exe" | C:\Users\admin\AppData\Local\Temp\nja.exe | RobloxPlayerLauncher.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2728 | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\EMPRESA.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\EMPRESA.exe | emp.exe | |
User: admin Integrity Level: HIGH Description: Version: 0.0.0.0 | ||||
3124 | "C:\Users\admin\AppData\Local\Temp\wou.exe" | C:\Users\admin\AppData\Local\Temp\wou.exe | — | RobloxPlayerLauncher.exe |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
3028 | "C:\Users\admin\AppData\Local\Temp\RobloxPlayerLauncher.exe" | C:\Users\admin\AppData\Local\Temp\RobloxPlayerLauncher.exe | RobloxPlayerLauncher.exe | |
User: admin Company: Roblox Corporation Integrity Level: HIGH Description: Roblox Exit code: 0 Version: 1, 6, 3, 166809 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3568.31054\RobloxPlayerLauncher\Bunifu_UI_v1.5.3.dll | — | |
MD5:— | SHA256:— | |||
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3568.31054\RobloxPlayerLauncher\Depression.exe | — | |
MD5:— | SHA256:— | |||
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3568.31054\RobloxPlayerLauncher\Newtonsoft.Json.dll | — | |
MD5:— | SHA256:— | |||
3568 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3568.31054\RobloxPlayerLauncher\RobloxPlayerLauncher.exe | — | |
MD5:— | SHA256:— | |||
3564 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Temp\XX--XX--XX.txt | binary | |
MD5:80C322B088B28BE37E41AE3DF0B5D330 | SHA256:8A5B122A47A861DB0971E92894DBF0DF5395C4100775437A34A181649181B1D3 | |||
2484 | emp.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\EMPRESA.exe | executable | |
MD5:CB01817E70589CFE4F970455BB6046DF | SHA256:5AD9DD29247485A357A931E1ED63C161E8A399E132AC5A42C82412B4AFCC3FEB | |||
2728 | EMPRESA.exe | C:\Users\admin\AppData\Local\QNENUQBFKGYRQKU\SystemProcess.exe | executable | |
MD5:CB01817E70589CFE4F970455BB6046DF | SHA256:5AD9DD29247485A357A931E1ED63C161E8A399E132AC5A42C82412B4AFCC3FEB | |||
3028 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\WindowsBootstrapperSettings[1] | text | |
MD5:96D4DE88A0EF567A3F30CF131A71D6D9 | SHA256:57FE9734C9C4CF4448C34E1E6F93FFE98949D9D7BE507E79AC2F3B339F2EC5CE | |||
2804 | wou.exe | C:\Users\admin\AppData\Local\Temp\5BB.tmp\5BC.tmp\5BD.vbs | binary | |
MD5:43D7FB8AEEEBFAD3C79DD7A8569901C3 | SHA256:B04B7ACED940CD08CA23EFB939214D7F7463CAA35C5ACC4CF21D332F0D6DAC6B | |||
3860 | RobloxPlayerLauncher.exe | C:\Users\admin\AppData\Local\Temp\wou.exe | executable | |
MD5:EA1DA64E8AC197DC4D4C1F3C39DC9EA6 | SHA256:C28F840F358219502EB3CF6FE66457760BD6780BB6027EEB3DEADDF2DEE8B6D7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3028 | RobloxPlayerLauncher.exe | GET | 200 | 209.206.41.21:80 | http://versioncompatibility.api.roblox.com/GetCurrentClientVersionUpload/?apiKey=76e5a40c-3ae1-4028-9f10-7c62520bd94f&binaryType=WindowsPlayer | US | text | 26 b | whitelisted |
3028 | RobloxPlayerLauncher.exe | POST | 200 | 209.206.41.228:80 | http://www.roblox.com/game/report-stats?name=ClientBootstrapperDetailed_Duration&value=5829 | US | — | — | whitelisted |
3028 | RobloxPlayerLauncher.exe | GET | 200 | 205.234.175.102:80 | http://setup.rbxcdn.com/version-d38201d3e9f24c12-RobloxPlayerLauncher.exe | US | executable | 1.12 Mb | whitelisted |
3028 | RobloxPlayerLauncher.exe | POST | 200 | 209.206.41.152:80 | http://ephemeralcounters.api.roblox.com/v1.0/MultiIncrement/?apiKey=76E5A40C-3AE1-4028-9F10-7C62520BD94F | US | — | — | whitelisted |
3028 | RobloxPlayerLauncher.exe | GET | 200 | 209.206.41.146:80 | http://clientsettings.api.roblox.com/Setting/QuietGet/WindowsBootstrapperSettings/?apiKey=76E5A40C-3AE1-4028-9F10-7C62520BD94F | US | text | 2.10 Kb | malicious |
3696 | RobloxPlayerLauncher.exe | GET | 200 | 209.206.41.146:80 | http://clientsettings.api.roblox.com/Setting/QuietGet/WindowsBootstrapperSettings/?apiKey=76E5A40C-3AE1-4028-9F10-7C62520BD94F | US | text | 2.10 Kb | malicious |
2248 | RBX-0882A6A7.tmp | GET | 200 | 209.206.41.146:80 | http://clientsettings.api.roblox.com/Setting/QuietGet/WindowsBootstrapperSettings/?apiKey=76E5A40C-3AE1-4028-9F10-7C62520BD94F | US | text | 2.10 Kb | malicious |
3028 | RobloxPlayerLauncher.exe | GET | 200 | 209.206.41.228:80 | http://www.roblox.com/Game/JoinRate.ashx?c=ClientBootstrapperDetailed&r=Success&d=5829&platform=Win32 | US | — | — | whitelisted |
3028 | RobloxPlayerLauncher.exe | POST | 200 | 209.206.41.152:80 | http://ephemeralcounters.api.roblox.com/v1.0/MultiIncrement/?apiKey=76E5A40C-3AE1-4028-9F10-7C62520BD94F | US | — | — | whitelisted |
3028 | RobloxPlayerLauncher.exe | POST | 200 | 209.206.41.152:80 | http://ephemeralcounters.api.roblox.com/v1.0/MultiIncrement/?apiKey=76E5A40C-3AE1-4028-9F10-7C62520BD94F | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2248 | RBX-0882A6A7.tmp | 209.206.41.146:80 | clientsettings.api.roblox.com | Roblox | US | unknown |
3028 | RobloxPlayerLauncher.exe | 209.206.41.228:80 | www.roblox.com | Roblox | US | unknown |
2248 | RBX-0882A6A7.tmp | 209.206.41.21:443 | versioncompatibility.api.roblox.com | Roblox | US | suspicious |
3028 | RobloxPlayerLauncher.exe | 209.206.41.21:80 | versioncompatibility.api.roblox.com | Roblox | US | suspicious |
3028 | RobloxPlayerLauncher.exe | 205.234.175.102:80 | setup.rbxcdn.com | CacheNetworks, Inc. | US | suspicious |
2156 | QPGYPHUVT.exe | 80.188.53.27:5555 | xmr.bohemianpool.com | O2 Czech Republic, a.s. | CZ | suspicious |
3748 | RobloxPlayerLauncher.exe | 88.5.62.76:1978 | redloca.hopto.org | Telefonica De Espana | ES | malicious |
3028 | RobloxPlayerLauncher.exe | 209.206.41.152:80 | ephemeralcounters.api.roblox.com | Roblox | US | suspicious |
3028 | RobloxPlayerLauncher.exe | 209.206.41.146:80 | clientsettings.api.roblox.com | Roblox | US | unknown |
3460 | wscript.exe | 88.5.62.76:1000 | redloca.hopto.org | Telefonica De Espana | ES | malicious |
Domain | IP | Reputation |
---|---|---|
clientsettings.api.roblox.com |
| malicious |
ephemeralcounters.api.roblox.com |
| whitelisted |
versioncompatibility.api.roblox.com |
| whitelisted |
xmr.bohemianpool.com |
| suspicious |
setup.roblox.com |
| shared |
www.roblox.com |
| whitelisted |
setup.rbxcdn.com |
| whitelisted |
redloca.hopto.org |
| unknown |
s3.amazonaws.com |
| shared |
pastebin.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2156 | QPGYPHUVT.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
2156 | QPGYPHUVT.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login |
2156 | QPGYPHUVT.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response |
2156 | QPGYPHUVT.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c |
3028 | RobloxPlayerLauncher.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3028 | RobloxPlayerLauncher.exe | Misc activity | ET INFO EXE - Served Inline HTTP |
3696 | RobloxPlayerLauncher.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3696 | RobloxPlayerLauncher.exe | Misc activity | ET INFO EXE - Served Inline HTTP |
2264 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] njRAT.Gen RAT outbound connection |
2264 | RegAsm.exe | A Network Trojan was detected | ET TROJAN Bladabindi/njRAT CnC Command (ll) |