A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #31269  by kd77
 Fri Feb 16, 2018 11:46 am
Distributed via Steam chat, hxxp://screenjpeg.tech/pictures291.jpg.

Looks like the malware swaps Steam trade links to the crook's account to steal Steam items. The original file name was "pictures291.scr".

Interesting strings.
0x380ea95 (118): D:\asd\php\steam_complex\New_steal\new_steal_no_proxy\14ver -original(pubg+??????????)\SteamStealer\obj\Release\vv.pdb
0x2880274 (120): rare,mythical,legendary,immortal,arcana,ancient,tool,unusual
0x2880308 (120): rare,mythical,legendary,immortal,arcana,ancient,tool,unusual
Drops into directory C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe and injects into RegAsm.exe
Attachments: infected (602.24 KiB)
 #31278  by Fedor22
 Mon Feb 19, 2018 1:16 pm
Another SteamStealer sample with Dota 2 items icon (Trojan.MSIL.Steamilik)
Created in: "AppData/Local/Temp". Changes the autorun value in the registry ("HKEY_CURRENT_USER") and drops the "RegAsm.exe" file ("C:/Windows\Microsoft.NET\Framework\v2.0.50727").
After all this, it shows a fake error:
[screenshot of the fake error dialog]
VT: https://www.virustotal.com/en/file/dce1 ... /analysis/
Attachments: (591.46 KiB)
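Both posts above triage the sample by what its strings give away: a PDB path naming the project, the item-rarity keyword list, the drop location and the RegAsm.exe injection/drop path. The script below is an added example (not code from either poster) that does the same kind of static triage in Python: it pulls printable ASCII strings out of a byte blob and matches them against indicator patterns taken from the thread. The sample bytes are constructed here to mimic those strings (the PDB path is shortened and the garbled part omitted), and the Steam trade-offer URL pattern is included on the assumption that a stealer swapping trade links carries such a URL in its strings.

```python
import re
from typing import Dict, List, Tuple

# Indicator patterns derived from the two posts in this thread.
# "trade_offer_url" is Steam's public trade-offer URL format, added on the
# assumption that a trade-link swapper embeds the attacker's own link.
INDICATORS = {
    "pdb_path": re.compile(r"^[A-Za-z]:\\.*\\[^\\]+\.pdb$"),
    "rarity_list": re.compile(r"\brare,mythical,legendary,immortal,arcana\b"),
    "dropper_name": re.compile(r"steamerrorreporter\.exe", re.IGNORECASE),
    "injection_target": re.compile(r"\\RegAsm\.exe", re.IGNORECASE),
    "trade_offer_url": re.compile(
        r"steamcommunity\.com/tradeoffer/new/\?partner=\d+&token=[A-Za-z0-9_-]+"
    ),
}

# Constructed stand-in for a sample: a fake header, some binary noise and
# null-terminated strings modelled on the ones reported in the thread.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"D:\\asd\\php\\steam_complex\\SteamStealer\\obj\\Release\\vv.pdb\x00"
    + b"\x01\x02\x03"
    + b"rare,mythical,legendary,immortal,arcana,ancient,tool,unusual\x00"
    + b"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\steamerrorreporter.exe\x00"
    + b"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe\x00"
    + b"https://steamcommunity.com/tradeoffer/new/?partner=123456&token=AbCdEfGh\x00"
    + b"\xff\xfe" * 8
)


def extract_strings(data: bytes, min_len: int = 8) -> List[Tuple[int, str]]:
    """Return (offset, string) for every run of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def match_indicators(strings: List[Tuple[int, str]]) -> Dict[str, List[Tuple[int, str]]]:
    """Group the extracted strings by the indicator pattern they match."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for offset, text in strings:
        for name, rx in INDICATORS.items():
            if rx.search(text):
                hits.setdefault(name, []).append((offset, text))
    return hits


def triage(data: bytes, min_len: int = 8) -> Dict[str, List[Tuple[int, str]]]:
    """Strings pass plus indicator matching, the way the posters read the sample."""
    return match_indicators(extract_strings(data, min_len))


if __name__ == "__main__":
    # Print hits in the "0xoffset (length): string" layout used in the first post.
    for name, entries in triage(SAMPLE).items():
        for offset, text in entries:
            print(f"{name:17s} 0x{offset:x} ({len(text)}): {text}")
```

On a real file, replace SAMPLE with the bytes read from disk; the offsets printed are file offsets, which is enough to jump to the string in a hex editor or disassembler and see what references it.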