A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24668  by master131
 Fri Dec 19, 2014 1:58 pm
If you're an active user/gamer on Steam, you've probably encountered at least one person who has run one of these SteamStealer trojans, spamming around chat and groups with supposed "image" URLs which redirect to files. Here are a few samples I've collected, along with their deobfuscated counterparts where applicable. I've renamed the files to DLL so I don't accidentally run them somehow; they're originally executables. :)
Attachments
password: infected
(899.46 KiB) Downloaded 88 times
password: infected
(447.5 KiB) Downloaded 80 times
password: infected
(200.11 KiB) Downloaded 76 times
 #24689  by master131
 Sun Dec 21, 2014 3:49 pm
Another sample, obfuscated with Confuser; deobfuscated version included.
Attachments
password: infected
(229.99 KiB) Downloaded 80 times
 #24690  by master131
 Sun Dec 21, 2014 3:54 pm
Also, just realised that the first attachment (Simple ESP) is not a SteamStealer trojan, whoops. :? Nevertheless, it still affects/targets Steam.
 #24701  by master131
 Mon Dec 22, 2014 9:49 am
Alrighties, more samples. :D They're either obfuscated with Confuser or ConfuserEx; once again, deobfuscated counterparts are included for reference.
Attachments
password: infected
(484 KiB) Downloaded 78 times
 #24740  by master131
 Thu Dec 25, 2014 10:02 am
Merry Christmas to everyone. More samples I collected yesterday; ones that do not come with a deobfuscated version are using a custom crypter which uses a library containing a RunPE function to load the SteamStealer into the same process.
Attachments
password: infected
(1.06 MiB) Downloaded 78 times