---------[ Analysis of the Roblox Executor Malware - Solara Executor ]

> 04 Jan 2025
> Author: heap

Recently, somebody in a Discord server got hacked and started spamming about a "Roblox Executor" called Solara. You know it is never a good idea to download online cheats, especially when they are free. Well, I am assuming a person with a little knowledge of computers wouldn't fall for something like this... unless they are a kid playing Roblox on their parents' computer. Unfortunately, that is common and people fall for it. And the malware evolves over time, gaining new features. This malware has been identified as the Rhadamanthys stealer, but this version comes with a crypto miner added.

This is the Discord message that was sent from a compromised account:

Checking the Discord server, there are detailed instructions on how to run the executor. It says "Solara is blocked in Russia". I wonder why. XD

And the website looks like this:

After downloading and extracting the files, we see an executable file and a dynamic library. This DLL seems to be one of the legit DirectX libraries.

The main dropper was written in Go, probably for several reasons: the way the Go compiler produces binaries makes the reversing process harder and hinders detection, and the sample succeeds in evading VirusTotal scans. A small but important detail is that the timestamp was also spoofed so that the compile time is not disclosed. And apparently the binary is signed with a fake self-signed FRAPS certificate.

Opening the binary in IDA, somehow we can only see a part of the main function in the decompiler, so I mostly followed the disassembler. The malware initially sends HTTP GET requests to "facebook.com" and "x.com". I am assuming this is done to make the binary look legitimate.

Then it iterates through the files in the current directory to check for "graphmodule32.dll".

If it is not found, the program exits with the message "All files haven't found".

Apparently, the malware is using a Go library called Medusa. It's a framework that provides features like Anti-VM, Anti-Debug and Anti-Memory. Anti-VM searches the Disk Device ID list for certain strings that common virtual machine emulators use and also checks for the common MAC addresses. Since we are doing a static analysis, it doesn't really bother us.

There are three check mechanisms shown in the image below. After checking whether the current environment is a virtual machine, the malware proceeds to the next check.

If the executable is run twice, the malware must avoid potential collisions. A common way to achieve that is to create a mutex object. By checking the return value of CreateMutexA, the program knows whether the mutex has already been assigned and, if so, terminates the process. In this case, the mutex name is Global\3575652c-b847-4n8e-u604-22aa515741boc.

After that, our last check is CheckPhysicalDrive. The program tries to open a handle to the symbolic link \\.\PHYSICALDRIVE0, which requires administrator privileges under normal circumstances. So the program re-executes itself with administrative rights if the existing privileges are inadequate. The user will be prompted depending on the User Account Control settings.

With the checks finished, the malware begins to operate. It uses a PowerShell command to exclude the %PROGRAMDATA% path from Windows Defender so that the malware doesn't get scanned. While executing commands, it also hides the console window pop-up.
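As an added example (my own detection sketch, not code from the post or from the sample), here is a small Python routine for spotting the kind of command line described above in process-creation or PowerShell logs: it decodes a -EncodedCommand payload if one is present, flags Add-MpPreference / Set-MpPreference exclusions (rating exclusions of writable locations such as %PROGRAMDATA% as high), and notes a hidden window style. The sample command lines are constructed for the example; the exact command the dropper runs is not reproduced on this page.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Defender exclusion cmdlets: Add-MpPreference / Set-MpPreference with -ExclusionPath etc.
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^|;]*?-Exclusion(Path|Process|Extension)\s+"
    r"(['\"]?)([^'\"\s;]+)\2",
    re.IGNORECASE,
)
# powershell.exe -WindowStyle Hidden (and its abbreviations -w / -win / -window)
HIDDEN_RE = re.compile(r"-(?:w|win|window|windowstyle)\s+hidden\b", re.IGNORECASE)
# powershell.exe -EncodedCommand <base64 of a UTF-16LE script> (and -e / -ec / -enc)
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Locations a dropper typically writes to; an exclusion there is a strong signal
RISKY_TARGET_RE = re.compile(r"programdata|\\temp\\|appdata|users\\public|^[a-z]:\\?$", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str) -> Dict[str, object]:
    """Inspect one process command line and return structured findings."""
    decoded = decode_encoded_command(cmdline)
    # The exclusion cmdlet may sit in the clear or inside the encoded script
    script = decoded if decoded is not None else cmdline
    findings: List[Dict[str, str]] = []
    for m in EXCLUSION_RE.finditer(script):
        kind, target = m.group(1), m.group(3)
        severity = "high" if RISKY_TARGET_RE.search(target) else "medium"
        findings.append({"type": "defender_exclusion", "kind": kind, "target": target, "severity": severity})
    if HIDDEN_RE.search(cmdline):
        findings.append({"type": "hidden_window", "kind": "-", "target": "-", "severity": "low"})
    return {"command_line": cmdline, "decoded": decoded, "findings": findings}


def scan(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Return the analyses of only those command lines that produced findings."""
    return [r for r in (analyze_command_line(c) for c in cmdlines) if r["findings"]]


# Constructed sample command lines (not captured from the sample discussed in the post)
_ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath C:\\ProgramData".encode("utf-16-le")
).decode("ascii")
SAMPLE_CMDLINES = [
    'powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath \'C:\\ProgramData\'"',
    f"powershell.exe -NoP -w hidden -enc {_ENCODED}",
    'powershell.exe -Command "Get-MpPreference | Select-Object ExclusionPath"',
]

if __name__ == "__main__":
    for result in scan(SAMPLE_CMDLINES):
        for f in result["findings"]:
            print(f'{f["severity"]:<6} {f["type"]:<19} {f["target"]}')
```

The third sample line is a benign audit query and produces no finding, which is the kind of negative case worth keeping in a detection test set: reading exclusions is normal administration, adding one to %PROGRAMDATA% from a hidden window is not.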

After excluding the execution path, the program downloads an executable file from GitHub. This function is launched as a thread of the process, so the main function continues without waiting for it to finish. The URL string data is stored as 4 bytes per character, probably because of how Go handles strings. Extracting the URL, we get hxxps[://]github[.]com/guiy7iytuiuyiuyi/refactored-fortnight/releases/download/34f47bf0/hlilhkuy[.]rar
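Recovering such a URL by hand is tedious, so here is an added Python helper (my own, not from the post) that scans a byte blob for strings laid out one character per 4-byte little-endian word, the layout described above, trying every alignment so the array does not have to sit on a 4-byte boundary. The sample blob and its placeholder URL are constructed for the example; the real URL is the one quoted in the post.

```python
import struct
from typing import List


def encode_runes(text: str) -> bytes:
    """Lay a string out as one little-endian uint32 per character (used to build the sample)."""
    return b"".join(struct.pack("<I", ord(ch)) for ch in text)


def recover_rune_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Find strings stored one code point per 4-byte little-endian word.

    Ordinary ASCII bytes read as a uint32 are far above 0x7E, so plain byte
    strings are not reported; only runs of at least `min_len` printable words
    are returned. Every alignment (0..3) is tried because the array need not be
    4-byte aligned relative to the start of the blob."""
    found: List[str] = []
    for align in range(4):
        run: List[str] = []
        for off in range(align, len(blob) - 3, 4):
            cp = struct.unpack_from("<I", blob, off)[0]
            if 0x20 <= cp <= 0x7E:           # printable ASCII code point
                run.append(chr(cp))
                continue
            if len(run) >= min_len:
                found.append("".join(run))
            run = []
        if len(run) >= min_len:              # run that reaches the end of the blob
            found.append("".join(run))
    return found


def defang(url: str) -> str:
    """Make a recovered URL safe to paste into a report (hxxps[://]host[.]tld)."""
    return url.replace("https://", "hxxps[://]").replace("http://", "hxxp[://]").replace(".", "[.]")


# Constructed sample: a placeholder URL as a rune array, surrounded by unrelated bytes.
PLACEHOLDER_URL = "https://example.invalid/releases/download/tag/payload.rar"
SAMPLE_BLOB = (
    b"\x00" * 5                      # pushes the array off 4-byte alignment
    + encode_runes(PLACEHOLDER_URL)
    + b"\xff\xee\xdd"
    + b"plain ASCII string, not a rune array"
)

if __name__ == "__main__":
    for s in recover_rune_strings(SAMPLE_BLOB):
        print(defang(s))
```

The same scan works on a memory dump or on the .rdata section of the binary; raising min_len cuts down on false positives from small integer tables whose values happen to fall in the printable range.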

The program downloads the archive and names it %PROGRAMDATA%\driver1.rar. Then it extracts the archive with the Go rardecode library, using the password 34f47bf0. The executable inside the archive was actually named intera.exe and is renamed to driver1.exe after extraction.

When the executable is ready, the program does not proceed immediately; it sleeps for 2000000000 nanoseconds, that is, 2 seconds, before executing it. Sleeping before execution is a method to evade shorter sandbox analysis runs, so that is probably why it was used here.

According to the unpac.me results, it is the same sample that was used back in 2023, so I am not going into details on this. The executable was named CFF Explorer.exe, the name of a tool used to gather information about Windows portable executables. And ClamAV identified this as a variant of the Rhadamanthys stealer.

It seems to allocate 0x40000 bytes on the heap, copy the code bytes there and execute them. It's an in-memory loader.

This binary also fetches a file from the C2 server hxxps[://]154[.]216[.]19[.]63:7290/0a85ce95cf9a3c9867b03217/bkpne2v4[.]hi47v

Back in the main function, the program continues to launch more threads. This is the second binary that is dropped. Initially, it checks if the executable file already exists in the said path and, if so, returns from the function. This is done to avoid extra work if the file is already in place; re-downloading it would only increase the chances of getting detected.

Afterwards, it parses another URL.

This time, the password of the archive is highmood.

After downloading and extracting the archive, the program schedules a start-up task so that the executable runs whenever the computer boots up.

This binary was originally named hellyeah.exe and seems to be obfuscated with VMProtect.

Apparently, it drops a kernel driver into %TEMP%, and it is most likely a cryptominer. I may analyze this kernel driver in another post.

Besides the dropped binaries, there is also a telemetry function that sends computer-specific data to the C2 server. It uses WMIC (the Windows Management Instrumentation Command-line utility) to get the UUID of the computer.

After getting the UUID, the program concatenates it with the string iloveit and base64-encodes the result.

Another URL is parsed afterwards.

Finally, the base64-encoded string is added to the "reason" variable and sent to the C2 server via an HTTP GET request. As you can see, the values in the "reason" variable are separated with a colon (":"). So the final URL looks like hxxp[://]147[.]45[.]44[.]42:2001?reason=base64('worker599chmel'):base64(UUID + 'iloveit'). (I had to defang it to avoid mis-clicking.)
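For anyone who captures this beacon in proxy or DNS logs, here is an added Python decoder (my own, not from the post) that parses the "reason" parameter described above, base64-decodes both colon-separated fields, and recovers the worker tag and the machine UUID by stripping the iloveit suffix. The build_beacon helper reproduces the layout only to generate test input; the host and the UUID in the sample are placeholders, and the real C2 address is the defanged one quoted in the post.

```python
import base64
import binascii
from typing import Dict, Optional
from urllib.parse import unquote, urlsplit

# Values taken from the post
WORKER_TAG = "worker599chmel"
UUID_SUFFIX = "iloveit"
# Placeholder host; the real C2 address is listed (defanged) in the post
PLACEHOLDER_C2 = "http://c2.example.invalid:2001"


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def build_beacon(machine_uuid: str, worker: str = WORKER_TAG, c2: str = PLACEHOLDER_C2) -> str:
    """Reproduce the beacon layout base64(worker):base64(uuid + 'iloveit'), to generate test input."""
    reason = f"{_b64(worker)}:{_b64(machine_uuid + UUID_SUFFIX)}"
    return f"{c2}?reason={reason}"


def query_param(url: str, name: str) -> Optional[str]:
    """Fetch one query parameter without the '+' -> ' ' conversion that would corrupt base64."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None


def decode_beacon(url: str) -> Optional[Dict[str, str]]:
    """Recover the worker tag and machine UUID from a captured beacon URL.

    Returns None when the URL does not follow the layout (missing parameter,
    wrong number of fields, invalid base64, or no 'iloveit' suffix)."""
    reason = query_param(url, "reason")
    if reason is None:
        return None
    parts = []
    for chunk in reason.split(":"):
        try:
            padded = chunk + "=" * (-len(chunk) % 4)   # tolerate stripped padding
            parts.append(base64.b64decode(padded, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            return None
    if len(parts) != 2 or not parts[1].endswith(UUID_SUFFIX):
        return None
    return {"worker": parts[0], "machine_uuid": parts[1][: -len(UUID_SUFFIX)]}


# Constructed placeholder UUID, not one collected from a real machine
SAMPLE_UUID = "00000000-1111-2222-3333-444444444444"
SAMPLE_BEACON = build_beacon(SAMPLE_UUID)

if __name__ == "__main__":
    print(SAMPLE_BEACON)
    print(decode_beacon(SAMPLE_BEACON))
```

Because the worker tag is a constant, its base64 form is a stable string to search for in web logs, and the decoded UUID tells you which host in the fleet sent the beacon.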

That is all for the Go dropper binary. Along with it, we tracked down the C2 servers, and these companies were associated with this malware:

UPDATE Jan 5: Apparently, the developers changed their GitHub links and stripped the debug data from the Go binary. Here is the updated intera GitHub link hxxps[://]github[.]com/k76kj76j6t5j65tl67/fuzzy-octo-couscous/releases/download/gyjktit7/intera[.]rar and the password hdtedjtrirtjhtrfhtrh. They also changed "graphmodule32.dll" to "roblox.dll" for no particular reason. Two other malware samples are associated with the same GitHub account that the threat actors use: one is Smart Mod Manager and the other is RH 0.8.0. We also managed to extract their (probably temporary) e-mail address [email protected] from GitHub.

Indicators of Compromise (IoC)

Binaries

SHA-1                                     Filename          Detection                        Description
e54213c8888bb5c43604c0b49c0016f21af6202d  Bootstrapper.exe  -                                Go dropper.
0d54f33de921292b69cfa7206a41baac96468be1  intera.exe        Win.Malware.Rhadamanthys         The first binary from GitHub.
4084bd5dc99ec2f242ef9fda7f2338cceaed56fe  CFF Explorer.exe  Win.Malware.Rhadamanthys         Unpacked intera binary.
3b47c17310ab356a8a1ef366257ebb192f6749cc  hellyeah.exe      Trojan.Win64.SilentCryptoMiner   The second binary from the C2 server.

Strings

IPs & URLs



==[EOF]==


revdiaries.com © 2025