Discord server being used to host RATs disguised as Roblox hacks

Hi all,

A Discord server called “free robux hacks” is hosting RCE malware under the guise of “hacks” for the game Roblox. Below is the Discord invite URL and the Disboard URL where the server is advertised.

Invite URL: Discord
Disboard URL: https://disboard.org/server/846331215254257674

The owner of the server goes under the name @M4TR1X. I called him out via DM and got myself outed from the server; however, the owner admitted to what he/she was doing. See below.

A partner of mine ran the two executables hosted on the server through VirusTotal and came up with the following results:

VirusTotal

VirusTotal

Let's take this sucker out.

He uses an online alias “TimRimBim”
Seems he enjoys GMod a lot.
https://fudgygaming.com/forums/thread.php?tid=9092
https://www.fearlessrp.net/showthread?tid=65041

His voice is in this video: https://www.youtube.com/watch?v=sHfbc6j1EN8

The RAT they use is Quasar; once the stub is executed it drops “C:\Users\admin\AppData\Local\Temp\robuxcrackerfixed.exe” and adds it to startup. robuxcrackerfixed.exe (MD5: 238848B2229A48F7B6DE0931F58259EA) - Interactive analysis - ANY.RUN

https://www.hybrid-analysis.com/sample/e62a50eff5140d82e83ce1da8b28fe011a6f89fdbcde96838d4a3896f318b37a

The IP address they are using in the RAT is 83.128.57.248 with the port 4782, and it is not a VPN, what an idiot.


Looks related but searching his Spotify name on usersearch.org gave me:
Tim Przygodda (@timrimbim) — 3 answers | ASKfm
https://www.reddit.com/user/timrimbim
TikTok
Imgur: The magic of the Internet
timrimbim | Drew's Community
Some may not be related, but I think the ask.fm one is, looking at the language.

Also, a Twitch account came up with a simple Google search (Twitch), but it could not be him.
And also his potential Hypixel account: https://hypixel.net/members/timrimbim.4632564/about

Considering he’s targeting Roblox hackers and plays GMod (https://www.youtube.com/watch?v=sHfbc6j1EN8), this might be him hacking in CSGO.

He has deleted the Discord server now.


Before he took down the server I was able to get a DM to him, and all he said was “cause it's funny”.

ISP to the IP is https://www.caiway.nl/

It seems to be a legit connection, but who knows these days. He could’ve rented a VPS, but the company it comes back to doesn’t seem to be that at all.

Looks legit.

IP 83.128.57.248
Country Netherlands
City IJsselstein
State UT
Internet Provider (ISP) DELTA Fiber Nederland B.V.

no vpn or proxy detected

Changes the autorun value in the registry

  • robuxcrackerfixed.exe (PID: 3016)

  • syst42.exe (PID: 2900)

Starts itself from another location

  • robuxcrackerfixed.exe (PID: 3016)

Executable content was dropped or overwritten

  • robuxcrackerfixed.exe (PID: 3016)

Creates files in the user directory

  • robuxcrackerfixed.exe (PID: 3016)
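The Quasar post earlier in the thread (stub dropped into the user's Temp folder, added to startup, beaconing to 83.128.57.248:4782) and the ANY.RUN excerpt above ("Changes the autorun value in the registry") describe the two things a defender can check for on a host quickly. The script below is an added example written for this thread, not code from any poster or from ANY.RUN: it parses text in the shape of `reg query HKCU\...\Run` and `netstat -ano` output and flags Run-key entries that launch from `AppData\Local\Temp` (or the dropped file name quoted in the thread) and TCP connections to the C2 address. The registry and netstat lines embedded in it are constructed sample input, with a benign OneDrive entry and an unrelated HTTPS connection that the scan has to ignore; the C2 IP and port, the dropped file name and the PID 3016 are the values quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators quoted in the thread (dropped file name, C2 address and port).
DROPPED_NAME = "robuxcrackerfixed.exe"
C2_IP = "83.128.57.248"
C2_PORT = 4782

# A Run-key entry that launches anything out of the user's Temp folder is
# suspicious on its own, whatever the file happens to be called.
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# `reg query HKCU\...\Run` value lines look like:  <name>  REG_SZ  <data>
REG_VALUE_RE = re.compile(r"^\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")
# `netstat -ano` TCP lines look like:  TCP  <local>  <remote>  <state>  <pid>
NETSTAT_TCP_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

# Constructed sample output (not captured from a real host). The OneDrive
# entry and the 203.0.113.5:443 connection are benign noise to be ignored.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive        REG_SZ    "C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    robuxcracker    REG_SZ    "C:\Users\admin\AppData\Local\Temp\robuxcrackerfixed.exe"
"""
SAMPLE_NETSTAT = """
  TCP    192.168.1.10:49812     83.128.57.248:4782     ESTABLISHED     3016
  TCP    192.168.1.10:49813     203.0.113.5:443        ESTABLISHED     4120
"""


@dataclass
class Finding:
    kind: str                  # run_key_known_dropper | run_key_temp_exe | c2_connection
    detail: str                # executable path or remote endpoint
    pid: Optional[int] = None  # only known for network findings


def _exe_from_run_value(data: str) -> str:
    """Return the executable path from a Run-key data string, dropping arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0]


def scan_run_keys(reg_output: str) -> List[Finding]:
    """Flag Run-key values pointing at the known dropper or at any Temp-folder exe."""
    findings: List[Finding] = []
    for line in reg_output.splitlines():
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        exe = _exe_from_run_value(m.group(2))
        if exe.lower().endswith("\\" + DROPPED_NAME):
            findings.append(Finding("run_key_known_dropper", exe))
        elif TEMP_PATH_RE.search(exe):
            findings.append(Finding("run_key_temp_exe", exe))
    return findings


def scan_connections(netstat_output: str) -> List[Finding]:
    """Flag established TCP connections to the C2 address quoted in the thread."""
    findings: List[Finding] = []
    for line in netstat_output.splitlines():
        m = NETSTAT_TCP_RE.match(line)
        if not m:
            continue
        remote, pid = m.group(2), int(m.group(4))
        ip, _, port = remote.rpartition(":")
        if ip == C2_IP and port.isdigit() and int(port) == C2_PORT:
            findings.append(Finding("c2_connection", remote, pid))
    return findings


def triage(reg_output: str, netstat_output: str) -> List[Finding]:
    """Combine both checks; an empty list means neither indicator was seen."""
    return scan_run_keys(reg_output) + scan_connections(netstat_output)


if __name__ == "__main__":
    for f in triage(SAMPLE_REG, SAMPLE_NETSTAT):
        print(f"[{f.kind}] {f.detail}" + (f" (PID {f.pid})" if f.pid else ""))
```

On a live machine the two inputs would be the real output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` and `netstat -ano`; the PID on a `c2_connection` finding is what you then look up in the process list to confirm it is the dropped executable rather than something else reusing the port.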

Fun fact is, I just used dorks in order to find him.

I found a whole thread on how to make his RAT undetectable:

https://www.fearlessrp.net/showthread?tid=65041

His age is: Feb 21, 2005 (Age: 16)