MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f063d8d2b4ed872473a6e686ad1d6dafc23bf7e31604f69be0f9f750fa7004b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12



SHA256 hash: 8f063d8d2b4ed872473a6e686ad1d6dafc23bf7e31604f69be0f9f750fa7004b
SHA3-384 hash: 1b13ec65efa987f338d1874be96da2a90c3e9b0049242c26212e1f7326c3b55697e233ab0e60446babbe49125a5ed1fd
SHA1 hash: 3bf18e373edc4cb2ba769bd2ff7c3472ff45a380
MD5 hash: c69955672f2b80088dd3326307f593bc
humanhash: winner-social-jersey-red
File name: RobloxPlayerInstaller.exe
File size: 90'005'778 bytes
First seen: 2025-06-07 12:49:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash d79dd35f147f0bd91cc18a6615fcfa5d (1 x BumbleBee, 1 x LummaStealer, 1 x CoinMiner)
ssdeep 1572864:Y4iIfVZjEaGxWttkDj7pbCeI+FwF3Kn3sjB70sNwSyiu3gBzfCAS87aPO:3iIfV2attk0eI+FHmB70sMoIC+m
TLSH T16A182321764AC53ADA6A41B15A2CDE9B61797FB10B7254CBB3CC3D6E0BB44C21332E17
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 3cf8e4ccccdee0c0 (2 x njrat, 2 x LummaStealer, 1 x DCRat)
Reporter aachum
Tags: CoinMiner exe


iamaachum
https://www.youtube.com/watch?v=ZKCK3Vzj1U8 => https://roxblox.netlify.app/ => https://rapidgator.net/file/f7c5002eba66604b86ec8dc1cf7d0f30/RobloxPlayerInstaller.rar

Intelligence


File Origin
# of uploads: 1
# of downloads: 998
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: RobloxPlayerInstaller.exe
Verdict: Malicious activity
Analysis date: 2025-06-07 12:52:36 UTC
Tags: advancedinstaller python telegram loader evasion discord stealer miner winring0x64-sys vuln-driver

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: dropper shell sage
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Searching for the window
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Possible injection to a system process
Adding an exclusion to Microsoft Defender
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm base64 fingerprint installer lolbin microsoft_visual_cc msiexec overlay overlay packed packer_detected runonce
Result
Threat name: n/a
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Command shell drops VBS files
Drops executables to the windows directory (C:\Windows) and starts them
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph (ID 1708858, sample RobloxPlayerInstaller.exe, start date 07/06/2025, architecture WINDOWS, score 100), rendered here as a process tree with the dropped files and signatures attached to each node:

RobloxPlayerInstaller.exe (sample)
  Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sigma detected: WScript or CScript Dropper; 4 other signatures
  -> wscript.exe
       Signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
       -> cmd.exe
            Dropped: C:\Users\user\AppData\Local\...\getadmin.vbs (ASCII)
            Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Potential malicious VBS script found (suspicious strings); 2 other signatures
            -> wscript.exe
                 Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                 -> cmd.exe
                      Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Adds a directory exclusion to Windows Defender
                      -> powershell.exe
                           Signatures: Loading BitLocker PowerShell Module
                           -> WmiPrvSE.exe
                      -> conhost.exe
                      -> cacls.exe
            -> conhost.exe
            -> cacls.exe
  -> msiexec.exe
       Dropped: C:\Windows\Installer\MSI8BE2.tmp (PE32); C:\Users\user\...\RobloxPlayerInstaller.exe (PE32); C:\Users\user\AppData\Local\...\Update.vbs (ASCII); 9 other files (2 malicious)
       Signatures: Drops executables to the windows directory (C:\Windows) and starts them
       -> MSI8BE2.tmp
       -> msiexec.exe
       -> msiexec.exe
  -> RobloxPlayerInstaller.exe
       Dropped: C:\Users\user\AppData\Local\...\shi6622.tmp (PE32+); C:\Users\user\AppData\Local\...\MSI67DB.tmp (PE32); C:\Users\user\AppData\Local\...\MSI67AC.tmp (PE32); 2 other files (none is malicious)
       -> msiexec.exe
Threat name: Win32.Malware.Heuristic
Status: Malicious
First seen: 2025-06-07 12:50:53 UTC
File Type: PE (Exe)
Extracted files: 89
AV detection: 14 of 24 (58.33%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Executable exe 8f063d8d2b4ed872473a6e686ad1d6dafc23bf7e31604f69be0f9f750fa7004b (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:highestAvailable) | high
Reviews

ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetConsoleTextAttribute, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleOutputCP, KERNEL32.dll::GetConsoleScreenBufferInfo, KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CopyFileExW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW

Comments