Anyhow, the first thing I noticed is the account changed its name from Rainstone to [unassigned], and the message is a bit different this time:
Same well done Steam profiles as before:
And the same vector to steal credentials via the Add Friend which requires you to "Sign In":
Before we jump to the malware -- let's check out this domain (steamcommununilty.com) real quick. If you remember from the last blog, this domain was in the list of domains registered with the email@example.com e-mail address. I checked to see if he has added any more domains, but it is still the same list of 21 domains from the last time we checked:
3. steamcommunlirty.com <-- This was used in the last blog post
8. steamcommununilty.com <-- This is the new one
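Both of the domains above are near-miss spellings of steamcommunity.com, which is the kind of thing a defender can flag automatically in DNS or proxy logs. The following is an added example (not code from the original post) that scores candidate domains by edit distance against the legitimate name and flags anything within a small threshold; the log lines at the bottom are constructed for the demonstration.

```python
from typing import List, Tuple

LEGIT_DOMAIN = "steamcommunity.com"
# Edit distance at or below this flags a lookalike (chosen for this example).
LOOKALIKE_THRESHOLD = 3


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # delete from a
                           cur[j - 1] + 1,     # insert into a
                           prev[j - 1] + cost))  # substitute
        prev = cur
    return prev[-1]


def registrable_name(host: str) -> str:
    """Strip subdomains so 'login.steamcommunity.com' compares as the base name."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(host: str, legit: str = LEGIT_DOMAIN,
                 threshold: int = LOOKALIKE_THRESHOLD) -> Tuple[bool, int]:
    """Return (flagged, distance). The real domain itself is never flagged."""
    base = registrable_name(host)
    if base == legit:
        return False, 0
    dist = levenshtein(base, legit)
    return dist <= threshold, dist


def scan_hosts(hosts: List[str]) -> List[Tuple[str, int]]:
    """Return the hosts that look like the legitimate domain, with their distance."""
    hits = []
    for h in hosts:
        flagged, dist = is_lookalike(h)
        if flagged:
            hits.append((h, dist))
    return hits


# Constructed sample of hostnames as they might appear in a proxy log.
SAMPLE_HOSTS = [
    "steamcommunity.com",          # the real site, must not be flagged
    "steamcommunlirty.com",        # from the previous post
    "steamcommununilty.com",       # the new one
    "store.steampowered.com",      # unrelated legitimate Valve domain
    "example.org",
]

if __name__ == "__main__":
    for host, dist in scan_hosts(SAMPLE_HOSTS):
        print(f"LOOKALIKE {host} (edit distance {dist} from {LEGIT_DOMAIN})")
```

Edit distance alone is a coarse signal (it will not catch homoglyphs in IDN labels, and long unrelated names can still score low), so in practice the flagged list feeds a review queue or a DNS block list rather than an automatic action.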
'Ol Ivan is keeping plenty busy! Now let's get back to the malware which is the reason for this new post.
The first thing I noticed was they used a new icon in the download prompt:
So they went from the really good looking logo to one that looks more like ass. Oh well.
Here are the file details:
Compiled: Sat, Dec 6 2014, 10:10:22 - 32 Bit .NET EXE
PEiD: Microsoft Visual C# / Basic .NET
DNiD: SmartAssembly v6.X -> RedGate
Redgate's SmartAssembly is a .NET obfuscator: http://www.red-gate.com/products/dotnet-development/smartassembly/
Lastly, let's check the compiled date:
TimeDateStamp: 0x5482D60E (Sat Dec 06 05:10:22 2014)
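The two renderings of the compile time above (10:10:22 in the file details, 05:10:22 next to the raw TimeDateStamp) are the same 32-bit value shown in UTC and in a UTC-5 local zone, which is worth keeping in mind when comparing timestamps across tools. The following is an added example, not code from the post or from any of the tools named in it: it reads the COFF header of a PE image by hand (no third-party library) and renders the timestamp in a chosen zone. The minimal PE bytes are constructed for the demonstration and are not the sample discussed here.

```python
import struct
from datetime import datetime, timezone, timedelta

# Values from the PE/COFF specification.
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # x64


def read_coff_header(data: bytes) -> dict:
    """Parse the DOS header pointer and the 20-byte COFF header of a PE image."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        raise ValueError("not a DOS/PE image (missing MZ header)")
    # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    # Characteristics(2), all little-endian.
    machine, nsections, timestamp, _, _, _, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": machine,
        "is_32bit": machine == IMAGE_FILE_MACHINE_I386,
        "number_of_sections": nsections,
        "timestamp": timestamp,
        "characteristics": chars,
    }


def format_compile_time(timestamp: int, utc_offset_hours: int = 0) -> str:
    """Render TimeDateStamp (seconds since the Unix epoch) in the given zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).astimezone(tz).isoformat()


def build_minimal_pe(timestamp: int, machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed sample: DOS header plus a bare COFF header, not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    # 3 sections, no symbols, 0xE0-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", machine, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    sample = build_minimal_pe(0x5482D60E)   # the TimeDateStamp quoted above
    hdr = read_coff_header(sample)
    print(f"machine=0x{hdr['machine']:04X} 32bit={hdr['is_32bit']} "
          f"ts=0x{hdr['timestamp']:08X}")
    print("UTC  :", format_compile_time(hdr["timestamp"]))
    print("UTC-5:", format_compile_time(hdr["timestamp"], -5))
```

Running it against a real file is a matter of `read_coff_header(open(path, "rb").read())`. Note that the timestamp is attacker-controlled metadata: it is a useful pivot for clustering samples, not proof of when the binary was actually built.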
They are still hosting this malware using their Google Docs account. You can download a copy yourself at (defanged):
If time passes and it disappears and you would like a copy, please tweet at me @JC_SoCal and I will get you a copy.
Nothing on VirusTotal for that hash as I write this (I'll upload it once I'm done).
Using Marc Ochsenmeier's tool PEStudio, I checked the exe file. The version info is COMPLETELY different than the previous malware they were hosting:
Since it's .NET and obfuscated, I used de4dot to de-obfuscate the SmartAssembly. Now I can read the .NET code in ILSpy easily, and with that... I am out of time. The rest of the analysis will have to continue later.