036128ca60c543609bf2c6c362e2f909c85f1760d4a8d6b07c55b73d36d9df0b | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

SteamtoolsSetup.exe

windows10-2004-x64

8

SteamtoolsSetup.exe

windows11-21h2-x64

8

Resubmissions

14/08/2024, 12:35

240814-pshrpssdpb 8

14/08/2024, 12:23

240814-pkklbssamh 8

Sharing

General

Target

SteamtoolsSetup.exe
Size

1.7MB
Sample

240814-pshrpssdpb
MD5

dd410c316152077eb8a683ed981fc787
SHA1

360b90cd99dd9ead20b21e50c73a3d0fe10123c1
SHA256

036128ca60c543609bf2c6c362e2f909c85f1760d4a8d6b07c55b73d36d9df0b
SHA512

81f4dceebe93a89b239076937df31bf28542b23ed8e383ca9b30cbdcd89b3d8683fc8fff9c78d74c1ced281e766cb852b54b6c5b5640b6cb0224b66c747d8657
SSDEEP

24576:nkcCSfG0yWS7woCNAi1GoCaLI4/gPGHOV1VVW4Qn652aPOrjB9:kcCSe0yT7wooAi1GhWI4oPGHOVVWvcC

Score

8^/10

steam defense_evasion discovery execution persistence phishing

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

SteamtoolsSetup.exe

Resource

win10v2004-20240802-en

steam defense_evasion discovery execution persistence phishing

windows10-2004-x64

34 signatures

1800 seconds

Behavioral task

behavioral2

Sample

SteamtoolsSetup.exe

Resource

win11-20240802-en

steam defense_evasion discovery persistence phishing

windows11-21h2-x64

19 signatures

1800 seconds

Malware Config

Targets

- Target
  
  SteamtoolsSetup.exe
- Size
  
  1.7MB
- MD5
  
  dd410c316152077eb8a683ed981fc787
- SHA1
  
  360b90cd99dd9ead20b21e50c73a3d0fe10123c1
- SHA256
  
  036128ca60c543609bf2c6c362e2f909c85f1760d4a8d6b07c55b73d36d9df0b
- SHA512
  
  81f4dceebe93a89b239076937df31bf28542b23ed8e383ca9b30cbdcd89b3d8683fc8fff9c78d74c1ced281e766cb852b54b6c5b5640b6cb0224b66c747d8657
- SSDEEP
  
  24576:nkcCSfG0yWS7woCNAi1GoCaLI4/gPGHOV1VVW4Qn652aPOrjB9:kcCSe0yT7wooAi1GhWI4oPGHOVVWvcC
Score

8^/10

steam defense_evasion discovery execution persistence phishing
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Detected potential entity reuse from brand steam.
  phishing steam
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

steamdefense_evasiondiscoveryexecutionpersistencephishing

behavioral2

steamdefense_evasiondiscoverypersistencephishing

© 2018-2025

Terms | Privacy