Hi all,
A Discord server called “free robux hacks” is hosting RCE malware under the guise of “hacks” for the game Roblox. Below is the Discord invite URL and the Disboard URL where the server is advertised.
Invite URL: Discord
Disboard URL: https://disboard.org/server/846331215254257674
The owner of the server goes under the name @M4TR1X. I called him out via DM and got myself outed from the server; however, the owner admitted to what he/she was doing. See below.
A partner of mine ran the 2 executables hosted on the server through VirusTotal and came up with the following results:
VirusTotal
VirusTotal
Let's take this sucker out.
The RAT they use is Quasar. Once the stub is executed it drops “C:\Users\admin\AppData\Local\Temp\robuxcrackerfixed.exe” and adds it to startup. Analysis: robuxcrackerfixed.exe (MD5: 238848B2229A48F7B6DE0931F58259EA) - Suspicious activity - Interactive analysis on ANY.RUN
The IP address they are using in the RAT is 83.128.57.248 with the port 4782, and it is not a VPN. What an idiot.
Looks related, but searching his Spotify name on usersearch.org gave me:
https://ask.fm/timrimbim
https://www.reddit.com/user/timrimbim
TikTok - Make Your Day
https://imgur.com/user/timrimbim/about
https://drewscommunity.com/members/timrimbim.3560/about
Some may not be related, but I think the ask.fm one is, looking at the language.
Also Twitch came up with a simple Google search (Twitch), but it could not be him.
And also his potential Hypixel account: https://hypixel.net/members/timrimbim.4632564/about
Considering he’s targeting Roblox hackers and plays GMod (https://www.youtube.com/watch?v=sHfbc6j1EN8), this might be him hacking in CSGO.
He has deleted the Discord server now.
Before he took down the server I was able to get a DM to him, and all he said was “cause it’s funny”.
ISP to the IP is https://www.caiway.nl/
It seems to be a legit connection, but who knows these days. He could’ve rented a VPS, but the company it comes back to doesn’t seem to be that at all.
Looks legit.
Changes the autorun value in the registry
- robuxcrackerfixed.exe (PID: 3016)
- syst42.exe (PID: 2900)
Starts itself from another location
- robuxcrackerfixed.exe (PID: 3016)
Executable content was dropped or overwritten
- robuxcrackerfixed.exe (PID: 3016)
Creates files in the user directory
- robuxcrackerfixed.exe (PID: 3016)
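As an added defender-side example (not code from this thread or from ANY.RUN), here is a small Python detector that applies the indicators reported above, a Run-key value pointing into %TEMP% and the 83.128.57.248:4782 C2 endpoint, to constructed Sysmon-style records; the key=value log format, the field names and the robux_hack.exe dropper name are assumptions.

```python
import re

# Indicators quoted in the thread: the Quasar C2 endpoint and the dropper
# written under %TEMP% and registered for autorun.
C2_IP = "83.128.57.248"
C2_PORT = "4782"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# key=value pairs; values may contain spaces, so stop only before the next key.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed, simplified Sysmon-style records (EventID 13 = registry value
# set, EventID 3 = network connection). Not a real capture from the thread.
SAMPLE_LOG = r"""
EventID=13 Image=C:\Users\admin\Downloads\robux_hack.exe TargetObject=HKU\S-1-5-21\Software\Microsoft\Windows\CurrentVersion\Run\syst42 Details=C:\Users\admin\AppData\Local\Temp\robuxcrackerfixed.exe
EventID=3 Image=C:\Users\admin\AppData\Local\Temp\robuxcrackerfixed.exe DestinationIp=83.128.57.248 DestinationPort=4782
EventID=13 Image=C:\Program Files\Vendor\updater.exe TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater Details=C:\Program Files\Vendor\updater.exe
EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationIp=93.184.216.34 DestinationPort=443
"""


def parse_event(line):
    """Turn one record into a dict of its fields (empty for blank lines)."""
    return dict(FIELD_RE.findall(line))


def detect(log_text):
    """Return (rule, evidence) pairs for every record matching an indicator."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        if (ev.get("EventID") == "13"
                and RUN_KEY_RE.search(ev.get("TargetObject", ""))
                and TEMP_PATH_RE.search(ev.get("Details", ""))):
            # A Run-key value pointing into %TEMP% is the persistence
            # behaviour listed in the ANY.RUN report above.
            findings.append(("run_key_temp_exe", ev["Details"]))
        if ev.get("EventID") == "3" and (
                ev.get("DestinationIp") == C2_IP
                or ev.get("DestinationPort") == C2_PORT):
            findings.append(("c2_connection",
                             f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_LOG):
        print(f"{rule}: {evidence}")
```

The vendor updater in the sample shows why the Run-key rule also requires a %TEMP% path: a Run entry alone is normal, one launched from a temp directory is not.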
Fun fact is, I just used dorks in order to find him.
I found a whole thread on how to make his RAT undetectable:
https://www.fearlessrp.net/showthread?tid=65041
His age is: Feb 21, 2005 (Age: 16)