{
	"id": "619a76d6-6bcb-46e2-9939-fb7dba52bfe3",
	"created_at": "2026-04-06T00:15:47.07555Z",
	"updated_at": "2026-04-10T13:12:33.851764Z",
	"deleted_at": null,
	"sha1_hash": "e2b17cfeeb9adeb5574944225fa318f8ac03e98e",
	"title": "RevDiaries | Analysis of the Roblox Executor Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1774843,
	"plain_text": "RevDiaries | Analysis of the Roblox Executor Malware\r\nBy heapsoverflow\r\nArchived: 2026-04-05 16:44:49 UTC\r\nRecently, somebody in a Discord server got hacked and started spamming about a \"Roblox Executor\" called Solara. (Apparently, it is not the official cheat.) You know it is never a good idea to download online cheats, especially when they are free. Well, I am assuming a person with a little knowledge of computers wouldn't fall for something like this... unless they are a kid who is playing Roblox on their parents' computer. Unfortunately, that is common and people fall for it. And the malware evolves over time, gaining new features. This malware has been identified as the Rhadamanthys stealer, but now with a crypto miner as an extra.\r\nThis is the Discord message that was sent from a compromised account:\r\nChecking the Discord server, there are detailed instructions on how to run the executor. It says \"Solara is blocked in Russia\". I wonder why. XD\r\nhttps://revdiaries.com/post/solara-malware-analysis\r\nPage 1 of 19\r\nAnd the website looks like this:\r\nAfter downloading and extracting the files, we see an executable file and a dynamic library. This DLL seems to be one of the legit DirectX libraries.\r\nThe main dropper was written in Go, for several reasons. Due to Golang's compiler, it makes the reversing process harder and mitigates detection. It succeeds in evading VirusTotal scans. A small but important detail is that the timestamp was also spoofed so as not to disclose the compile time. And apparently the binary is signed with a fake self-signed FRAPS certificate.\r\nOpening the binary in IDA, somehow we can only see a part of the main function in the decompiler. So I mostly followed the disassembler. The malware initially sends HTTP GET requests to \"facebook.com\" and \"x.com\". I am assuming this is done to make the binary look legit.\r\nThen it iterates through the files in the current directory to check for \"graphmodule32.dll\". If it is not found, it exits with the message \"All files haven't found\".\r\nApparently, the malware is using a Go library called Medusa. It's a framework that provides features like Anti-VM, Anti-Debug and Anti-Memory. Anti-VM searches for certain strings that common virtual machine emulators use in the Disk Device ID list and also checks for the common MAC addresses. Since we are doing a static analysis, it doesn't really bother us.\r\nThere are 3 check mechanisms shown in the image below. After checking whether the current environment is a Virtual Machine, the malware proceeds to make another check.\r\nIf the executable is run twice, the malware must avoid potential collisions. To achieve that, a common method is to create a Mutex object. By checking the return value of CreateMutexA, the program knows if the Mutex has been assigned before and terminates the process. In this case, it is Global\\3575652c-b847-4n8e-u604-22aa515741boc\r\nAfter that, our last check is CheckPhysicalDrive. The program tries to open a handle to the symbolic link \\\\.\\PHYSICALDRIVE0, which requires Admin Privileges in normal circumstances. So the program will re-execute itself with administrative rights if the existing privileges are inadequate. The user will be prompted depending on the User Account Control settings.\r\nFinishing the checks, now the malware begins to operate. It uses a PowerShell command to exclude the %PROGRAMDATA% path from Windows Defender so that the malware doesn't get scanned. While executing commands, it hides the window pop-up as well.\r\nAfter excluding the execution path, the program drops an executable file from GitHub. This function was launched as a thread of the process, so the main function continues without waiting for this function to finish. The URL string data is split into 4 bytes for each character, probably because of how Go handles strings. Extracting the URL, we get hxxps[://]github[.]com/guiy7iytuiuyiuyi/refactored-fortnight/releases/download/34f47bf0/hlilhkuy[.]rar\r\nThe program downloads the archive and names it %PROGRAMDATA%\\driver1.rar. Then it extracts it using the rardecode library in Go with the password 34f47bf0. The executable inside the archive was actually named intera.exe and is renamed to driver1.exe after the extraction.\r\nWhen the executable is ready, the program does not proceed but sleeps for 2000000000 nanoseconds before executing. That is a 2 second duration. Sleep obfuscation is a method to evade shorter sandbox analysis, so that is probably why it was used here.\r\nAccording to the unpac.me results, it is the same sample that was used back in 2023. So I am not going into details on this. The executable was named CFF Explorer.exe, a tool to gather information about Windows portable executables. And ClamAV identified this as a variant of the Rhadamanthys stealer.\r\nIt seems to allocate 0x40000 bytes in the heap, then copies the code bytes there and executes them. It's an in-memory loader.\r\nThis binary is also getting a file from the C2 server hxxps[://]154[.]216[.]19[.]63:7290/0a85ce95cf9a3c9867b03217/bkpne2v4[.]hi47v\r\nBack to the main function, the program continues to launch more threads. And this is the second binary that has been dropped. Initially, it checks if the executable file exists in the said path, and if so, returns from the function. It is done to avoid extra work if the file is already placed; otherwise it increases the chances of getting detected.\r\nAnd afterwards, it is parsing another URL. This time, the password of the archive is highmood.\r\nAfter downloading and extracting the archive, the program schedules a start-up task, so when the computer boots up, the executable will run.\r\nThis binary was originally named hellyeah.exe and seems to be obfuscated with VMProtect. Apparently, it drops a kernel driver to %TEMP%. And it is most likely a cryptominer. I am going to analyze this kernel driver maybe in another post.\r\nBesides the dropped binaries, there is also a telemetry function that sends computer-specific data to the C2 server. It uses WMIC (Windows Management Instrumentation Command-line utility) to get the UUID of the computer. After getting the UUID, the program concatenates it with the string iloveit and base64 encodes the result. Another URL is being parsed afterwards.\r\nFinally, the base64 encoded string is added to the \"reason\" variable and sent to the C2 server via an HTTP GET request. As you can see, values in the \"reason\" variable are separated with a colon (\":\"). So the final URL looks like hxxp[://]147[.]45[.]44[.]42:2001?reason=base64('worker599chmel'):base64(UUID + 'iloveit'). (I have to defang it to avoid mis-clicking)\r\nThat is all for the Go dropper binary. Along with it, we tracked down C2 servers and these companies were associated with this malware:\r\nUPDATE Jan 5: Apparently, the developers changed their GitHub links and stripped the debug data of the Go binary. Here is the updated intera GitHub link hxxps[://]github[.]com/k76kj76j6t5j65tl67/fuzzy-octo-couscous/releases/download/gyjktit7/intera[.]rar and the password hdtedjtrirtjhtrfhtrh. They also changed \"graphmodule32.dll\" to \"roblox.dll\" for no particular reason. Two other malware samples are associated with the same GitHub account that the threat actors use. One is Smart Mod Manager and the other one is RH 0.8.0. We also managed to extract their mail (probably temporary) reherherh3@gmail.com from GitHub.\r\nhttps://web.archive.org/web/20250104211611/https://github.com/k76kj76j6t5j65tl67/\r\nhttps://web.archive.org/web/20250104211611/https://github.com/k76kj76j6t5j65tl67/curly-meme/releases/tag/liuliu\r\nhttps://web.archive.org/web/20250104211718/https://github.com/k76kj76j6t5j65tl67/vigilant-barnacle/releases/tag/sfdgdhrthj\r\nhttps://web.archive.org/web/20250104211718/https://github.com/k76kj76j6t5j65tl67/potential-tribble/releases/tag/sdgsdg\r\nhttps://web.archive.org/web/20250104211426/https://github.com/k76kj76j6t5j65tl67/fuzzy-octo-couscous/releases/tag/gyjktit7\r\nIndicators of Compromise (IoC)\r\nBinaries\r\nSHA-1 | Filename | Detection | Description\r\ne54213c8888bb5c43604c0b49c0016f21af6202d | Bootstrapper.exe | - | Go Dropper.\r\n0d54f33de921292b69cfa7206a41baac96468be1 | intera.exe | Win.Malware.Rhadamanthys | The first binary from GitHub.\r\n4084bd5dc99ec2f242ef9fda7f2338cceaed56fe | CFF Explorer.exe | Win.Malware.Rhadamanthys | Unpacked intera binary.\r\n3b47c17310ab356a8a1ef366257ebb192f6749cc | hellyeah.exe | Trojan.Win64.SilentCryptoMiner | The second binary from C2 server.\r\nStrings\r\nGlobal\\3575652c-b847-4n8e-u604-22aa515741boc\r\nworker599chmel\r\nhighmood\r\n34f47bf0\r\nhdtedjtrirtjhtrfhtrh\r\nIPs \u0026 URLs\r\nhxxps[://]devsolara[.]com/download/Solara[.]zip\r\nhxxps[://]discord[.]gg/SSysqfRE\r\nhxxps[://]github[.]com/guiy7iytuiuyiuyi/refactored-fortnight/releases/download/34f47bf0/hlilhkuy[.]rar\r\nhxxps[://]github[.]com/k76kj76j6t5j65tl67/fuzzy-octo-couscous/releases/download/gyjktit7/intera[.]rar\r\nhxxp[://]147[.]45[.]44[.]42:1488/moa/Tricky[.]rar\r\nhxxp[://]147[.]45[.]44[.]42:2001?reason=d29ya2VyNTk5Y2htZWw=:MUQxRkIwQkItMjFCOS00RkMwLUIwMTctQTREQURBMjMxRTE3aWxvdmVpdA\r\nhxxps[://]154[.]216[.]19[.]63:7290/0a85ce95cf9a3c9867b03217/bkpne2v4[.]hi47v\r\nSource: https://revdiaries.com/post/solara-malware-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://revdiaries.com/post/solara-malware-analysis"
	],
	"report_names": [
		"solara-malware-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434547,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2b17cfeeb9adeb5574944225fa318f8ac03e98e.pdf",
		"text": "https://archive.orkl.eu/e2b17cfeeb9adeb5574944225fa318f8ac03e98e.txt",
		"img": "https://archive.orkl.eu/e2b17cfeeb9adeb5574944225fa318f8ac03e98e.jpg"
	}
}