SafeMode - Analysis: www.roblox.com.ml

Captura Visual

Informações de Detecção

https://www.roblox.com.ml/users/7685240777/profile

Detected Brand

Roblox

Country

International

Confiança

100%

HTTP Status

200

Report ID

26ecd1f3-31f…

Analyzed

2026-02-06 00:11

Hashes de Conteúdo (Similaridade HTML)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1C973857292502437617B79DAF065771AA2D3D70FCA8246E1A2F8939A0FD6CE1FC1740E
CONTENT ssdeep	1536:nLWXWn9rjZY+PC8cCZpYuOTeeVZ57Hb7HD7H/7Hy7Hv7H37HE7H37Hn7HF7H37H3:LWXWBZYRX+yuOj777j7f7S7P7X7k7X7t

Hashes Visuais (Similaridade de Captura)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	b8471371c398e5bc
VISUAL aHash	0000d3ffc3c3dfff
VISUAL dHash	e8c8a63016063032
VISUAL wHash	0000c3dfc3c3cfdf
VISUAL colorHash	072010080c0
VISUAL cropResistant	e8c8a63016063032

Análise de Código

Risk Score 100/100

Nível de Ameaça ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Card Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Ameaça: Falsificação
• Alvo: Usuários do Roblox
• Método: Falsificação de domínio e mímica visual
• Exfil: Potencialmente credenciais ou informações da conta
• Indicadores: Domínio incompatível, semelhança visual.
• Risco: ALTO

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

atob
eval
fromCharCode
unescape
hex_escape
unicode_escape
base64_strings

🎯 Kit Endpoints

https://www.roblox.com/catalog/2510233257/null
/catalog
https://www.roblox.com/catalog/10647852134/null
https://www.roblox.com/catalog/607785314/null
https://www.roblox.com/catalog/10638267973/null
https://www.roblox.com/catalog/12995014400/null
https://www.roblox.com/catalog/12995018829/null
/catalog/110032943081438
https://www.roblox.com/catalog/2510230574/null
https://www.roblox.com/catalog/12995017412/null
/catalog/9245862280
/catalog/86499666
https://www.roblox.com/catalog/2510238627/null
https://www.roblox.com/catalog/2510235063/null
/catalog/86499698
https://www.roblox.com/catalog/12995020128/null
https://www.roblox.com/catalog/607702162/null
https://www.roblox.com.ml/catalog?CatalogContext=1&Keyword=
/catalog/11240754151
https://www.roblox.com.ml/info/blog?locale=en_us
https://www.roblox.com/catalog/2510242378/null
https://www.roblox.com.ml/api/exfiltrate
/catalog/86499716
https://www.roblox.com/catalog/301811432/null
https://www.roblox.com/catalog/2510240941/null
/login?returnUrl=4802815018602778
https://www.roblox.com/catalog/2510236649/null
https://www.roblox.com/catalog/12995015868/null
/catalog/15563391961

📡 API Calls Detected

GET
babylonjs
https://ro.blox.com/Ebh5?
https://help.roblox.com/hc/articles/30428367965460
POST
https://apis.
get

📤 Form Action Targets

/search

📊 Detalhamento da Pontuação de Risco

Total Risk Score

90/100

Contributing Factors

Suspicious Domain

Uses a .ml domain instead of the legitimate .com.

Domain Age

Unknown domain age raises suspicion

Visual Similarity

Mimics the appearance of the Roblox user profile page.

🔬 Análise Integral de Ameaças

Tipo de Ameaça

Banking Credential Harvester

Alvo

Roblox users (International)

Método de Ataque

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Canal de Exfiltração

HTTP POST to backend

Avaliação de Risco

CRITICAL - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
275 obfuscation techniques

🏢 Análise de Falsificação de Marca

Impersonated Brand

Roblox

Official Website

roblox.com

Fake Service

User profile

⚔️ Metodologia de Ataque

Primary Method: Credential Harvesting

The site is designed to trick users into entering their Roblox login credentials. This is achieved through a convincing visual impersonation of the Roblox website.

🌐 Indicadores de Compromisso de Infraestrutura

🦠 Malicious Files

Main File

https://www.roblox.com.ml/js/EnvironmentUrls.js

File Size

Functions: sendData()

📊 Diagrama de Fluxo de Ataque

User fills <input name='username'> → sendData() → fetch('https://www.roblox.com.ml/api/exfiltrate') → credentials sent

🔬 JavaScript Deep Analysis

Operator Language

English (1%)

Total Code Size

3,6 MB

🔗 API Endpoints Detected

Other

95

🔐 Obfuscation Detected

: None
: Light
: Heavy
: None
: None
: Light
: None
: None
: None
: None
: Light
: Light
: None
: Light
: None
: Heavy
: None
: Heavy
: Heavy
: Light

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

User fills <input name='username'> → sendData() → fetch('https://www.roblox.com.ml/api/exfiltrate') → credentials sent

🎯 Malicious Files Identified

Main Drainer

https://www.roblox.com.ml/js/EnvironmentUrls.js

File Size

45KB

Malicious Functions

sendData()

Similar Websites

Pages with identical visual appearance (based on perceptual hash)

Roblox

https://rblx.foo/s/www_roblox_user_41594980

Abr 17, 2026

Roblox

https://www.roblox.com.ni/users/4159498056/profile

Abr 17, 2026

Scan History for www.roblox.com.ml

Found 10 other scans for this domain

http://www.roblox.com.ml/ ? Mai 22, 2026 10:09

https://www.roblox.com.ml/users/123719461542/profi... ? Mai 21, 2026 22:20

http://www.roblox.com.ml/users/323223411351/profil... ? Mai 21, 2026 22:16

https://www.roblox.com.ml/users/263822628765/profi... ? Mai 21, 2026 22:09

https://www.roblox.com.ml/users/265428692761/profi... ? Mai 20, 2026 22:15

https://www.roblox.com.ml/users/152133768449/profi... ? Mai 20, 2026 22:15

https://www.roblox.com.ml/users/244379621728/profi... ? Mai 20, 2026 22:13

https://www.roblox.com.ml/users/262662861612/profi... ? Mai 20, 2026 10:13

http://www.roblox.com.ml/users/121255723347/profil... ? Mai 19, 2026 22:23

https://www.roblox.com.ml/users/413899391385/profi... ? Mai 18, 2026 22:19