Discord server being used to host RATs disguised as Roblox hacks

system · 30 May 2021 23:27

Hi all,

A discord server called “free robux hacks” is hosting RCE malware under the guise of “hacks” for the game roblox. Below is the discord invite url & disboard url where the server is advertised.

invite url>> Discord
disboard url>> https://disboard.org/server/846331215254257674

The owner of the server goes under the name @M4TR1X. I called him out via DM and got myself outed from the server however the owner admitted to what he/she was doing. See below.

A partner of mine ran the 2 executables hosted on the server through virus total and came up with the following results:

VirusTotal

Lets take this sucker out.

thunder · 30 May 2021 23:49

He uses an online alias “TimRimBim”
Seems he enjoys GMod a lot.
https://fudgygaming.com/forums/thread.php?tid=9092
https://www.fearlessrp.net/showthread?tid=65041

His voice is in this video: https://www.youtube.com/watch?v=sHfbc6j1EN8

ReconScammers · 30 May 2021 23:55

The rat they use is Quasar, once the stub is executed it drops “C:\Users\admin\AppData\Local\Temp\robuxcrackerfixed.exe” and adds it to startup. Analysis robuxcrackerfixed.exe (MD5: 238848B2229A48F7B6DE0931F58259EA) Suspicious activity - Interactive analysis ANY.RUN

https://www.hybrid-analysis.com/sample/e62a50eff5140d82e83ce1da8b28fe011a6f89fdbcde96838d4a3896f318b37a

The IP address they are using in the rat is 83.128.57.248 with the port 4782 and is not a VPN, what an idiot.

ReconScammers · 31 May 2021 00:09

Looks related but searching his Spotify name on usersearch.org gave me:
Tim Przygodda (@timrimbim) — 3 answers | ASKfm
https://www.reddit.com/user/timrimbim
https://www.tiktok.com/@timrimbim?lang=en
Imgur: The magic of the Internet
https://drewscommunity.com/members/timrimbim.3560/about
Some may not be related but I think the ask.fm is looking at the language.

Also twitch came up with a simple google search Twitch but could not be him.
And also his potential hypixel account https://hypixel.net/members/timrimbim.4632564/about

Considering he’s targeting Roblox hackers and plays GMod Warzone.gg Case#8 - (1)timrimbim - YouTube this might be him hacking in CSGO.

thunder · 31 May 2021 00:18

He has deleted the Discord server now.

BeetleAtom · 31 May 2021 00:21

Before he took down the server i was able to get a dm to him and all he said was cause its funny

ElJefe · 1 June 2021 06:12

ISP to the IP is https://www.caiway.nl/

It seems to be a legit connection but who knows these days, He could’ve rented a VPS but the company it comes back to doesn’t seem to be that at all.

Looks legit.

Busters · 1 June 2021 12:34

IP	83.128.57.248
Country	Netherlands
City	IJsselstein
State	UT
Internet Provider (ISP)	DELTA Fiber Nederland B.V.

no vpn or proxy detected

Busters · 1 June 2021 12:34

Changes the autorun value in the registry

robuxcrackerfixed.exe (PID: 3016)
syst42.exe (PID: 2900) Starts itself from another location
robuxcrackerfixed.exe (PID: 3016)

Executable content was dropped or overwritten

robuxcrackerfixed.exe (PID: 3016)

Creates files in the user directory

robuxcrackerfixed.exe (PID: 3016

exo · 2 June 2021 12:27

fun fact is, i just used dorks in order to find him

i found a whole thread how to make his rat undetectable:
https://cracked.to/Thread-MAKE-ANY-VIRUS-RAT-UNDETECTED-BY-ANTIVIRUS--119370?page=5

https://www.fearlessrp.net/showthread?tid=65041

his age is: Feb 21, 2005 (Age: 16)