Analysis Date: 2018-05-01 11:36:23
MD5: 001ee50adbae8edbadd283d565c2f44c
SHA1: 330f0be3e5dd9cdbda02d9f1d501a8066e51181d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: c612dca62b7bce083baa51c78022eb5f sha1: fdfff739040a402929a62650787fe076b267fd5e size: 185344
Section .rsrc: md5: cd664f3c1488b6d589248ff2a87d240f sha1: 546c53dc9af75567e0d1487b0914f645a9bd7e72 size: 53248
Section .reloc: md5: 1a7fc1c09c7e051b9287ad6677376058 sha1: 09984a809b73d14660291f3fdd0a0997b1aa138c size: 512
Section 5ShnQPfH: md5: b5a48e3d9145c6eb7704fa6a43c7f89b sha1: 826be4155b66e41cd737209ad37922621f466e08 size: 39424
Timestamp: 2014-08-22 14:12:22
Version info:
LegalCopyright: Copyright (C) 2014 Valve Corporation
Assembly Version: 3.0.0.1
InternalName: steamwebhelper.exe
FileVersion: 3.0.0.01
CompanyName: Valve Corporation
Comments: Steam Client WebHelper
ProductName: Steam Client WebHelper
ProductVersion: 3.0.0.01
FileDescription: Steam Client WebHelper
OriginalFilename: steamwebhelper.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 0a986864ab93eed07f347211fe585103ede6cb7e
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV 360 Safe: Trojan.GenericKD.1819514
AV Ad-Aware: Trojan.GenericKD.1819514
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.CULN-0345
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Trojan.GenericKD.1819514
AV CA (E-Trust Ino): Win32/Tnega.JHRaYFC
AV CAT (quickheal): no_virus
AV ClamAV: Win.Trojan.Agent-811653
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.1819514
AV Eset (nod32): MSIL/PSW.Steam.DL
AV Fortinet: W32/Diss.DT!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.1819514
AV Grisoft (avg): Luhe.Fiha.A
AV Ikarus: Trojan.MSIL.PSW
AV K7: Password-Stealer ( 004a05bc1 )
AV Kaspersky: Trojan.Win32.Diss.dt
AV MalwareBytes: Spyware.OnlineGames
AV Mcafee: RDN/Generic PWS.y!bbs
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.GenericKD.1819514
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Zbot
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Agent.ahroc

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\330f0be3e5dd9cdbda02d9f1d501a8066e51181d.exe

Creates Mutex
Creates File: C:\Users\Phil\AppData\Local\Temp\330f0be3e5dd9cdbda02d9f1d501a8066e51181d.exe.config
Creates File: C:\Users\Phil\AppData\Local\Temp\330f0be3e5dd9cdbda02d9f1d501a8066e51181d.exe
Creates File: C:\Users\Phil\AppData\Local\Temp\330f0be3e5dd9cdbda02d9f1d501a8066e51181d.exe

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .


Strings

000004b0
3.0.0.01
3.0.0.1
Assembly Version
Broken file
Comments
CompanyName
Copyright (C) 2014 Valve Corporation
COR_ENABLE_PROFILING
COR_PROFILER
Debugger detected (Managed)
FileDescription
FileVersion
InternalName
LegalCopyright
Loop broken
Module error
OriginalFilename
ProductName
ProductVersion
Profiler detected
Steam Client WebHelper
steamwebhelper.exe
StringFileInfo
Translation
<Unknown>
Valve Corporation
VarFileInfo
VS_VERSION_INFO
3.0.0.01
AddRange
add_ResourceResolve
Amount
<Amount>k__BackingField
AppDomain
<Appid>k__BackingField
ArgumentNullException
</assembly>
Assembly
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
Attribute
B5ShnQPfH
BinaryReader
BitConverter
BlockCopy
Boolean
Buffer
Callvirt
Capture
Castclass
.cctor
Classid
<Classid>k__BackingField
CloseHandle
Combine
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
Component
CompressionMode
ComputeHash
ComVisibleAttribute
Concat
ConfusedByAttribute
Confuser v1.9.0.0
Console
ConstructorInfo
Contains
Convert
Cookie
CookieCollection
CookieContainer
$Copyright (C) 2014 Valve Corporation
_CorExeMain
Create
CreateDecryptor
CreateDelegate
CreateDirectory
CreateEncryptor
CreateSubKey
CryptoStream
CryptoStreamMode
CurrentUser
Debugger
DecompressionMethods
DeflateStream
Delegate
DeriveBytes
Deserialize
Dictionary`2
Directory
DirectoryInfo
Dispose
DownloadString
dwSize
DynamicMethod
Encoding
EndsWith
Enumerable
Enumerator
Environment
EscapeDataString
Exception
Exists
FailFast
FieldInfo
FileAccess
flNewProtect
Format
FrameworkDisplayName
FromBase64String
Func`2
get_Amount
get_Appid
get_ASCII
get_Assembly
GetBytes
get_Chars
get_Classid
get_Cookies
get_Count
get_Current
GetCurrent
get_CurrentDomain
GetCurrentMethod
GetCurrentProcess
get_CurrentThread
get_DeclaringType
GetDirectoryName
GetEnumerator
GetEnvironmentVariable
GetExecutingAssembly
GetFieldFromHandle
get_FieldType
get_FileName
GetFiles
get_FullyQualifiedName
get_Headers
GetHINSTANCE
get_Id
get_ID
GetILGenerator
get_Instanceid
get_Is64BitOperatingSystem
get_IsAlive
get_IsArray
get_IsAttached
get_IsInterface
get_IsStatic
get_Item
get_IV
get_Key
get_KeySize
get_Length
get_MainModule
GetManifestResourceNames
GetManifestResourceStream
get_Market_Name
get_Message
get_MetadataToken
get_Module
get_Modules
get_Name
GetParameters
get_ParameterType
get_Pos
get_Position
GetProcessesByName
GetRandomFileName
GetRequestStream
get_Response
GetResponse
GetResponseStream
get_ReturnType
get_RgDescriptions
get_RgInventory
get_StatusCode
GetString
get_Success
GetSystemInfo
get_Tradable
get_Type
GetTypeFromHandle
get_UTF8
get_Value
GroupBy
HashAlgorithm
hObject
HttpStatusCode
HttpWebRequest
HttpWebResponse
ICryptoTransform
IDisposable
<ID>k__BackingField
IEnumerable`1
IEnumerator
IGrouping`2
ILGenerator
IndexOf
Instanceid
<Instanceid>k__BackingField
IntPtr
Inventory
Invoke
IsDebuggerPresent
IsInRole
IsLogging
IsNullOrEmpty
ItemInfo
JavaScriptSerializer
kernel32.dll
KeyValuePair`2
Ldarg_S
List`1
LocalMachine
lpAddress
lpflOldProtect
Market_Name
<Market_Name>k__BackingField
Marshal
MatchCollection
Matches
MemberInfo
MEMORY_BASIC_INFORMATION
MemoryStream
MethodBase
MethodInfo
Microsoft.Win32
Module
<Module>
MoveNext
mscoree.dll
mscorlib
MulticastDelegate
NameValueCollection
.NET Framework 4
.NETFramework,Version=v4.0
Newobj
ntdll.dll
NtQueryInformationProcess
NtSetInformationProcess
Object
OpCode
OpCodes
OpenProcess
op_Equality
op_Explicit
op_Inequality
OutputDebugString
ParameterInfo
ParameterizedThreadStart
<Pos>k__BackingField
Process
ProcessHandle
ProcessInformation
ProcessInformationClass
ProcessInformationLength
ProcessModule
ProcessModuleCollection
Random
ReadByte
ReadBytes
ReadInt32
ReadLine
ReadOnlyCollectionBase
ReadProcessMemory
ReadToEnd
ReadUInt16
ReadUInt32
ReadUInt64
RegexOptions
Registry
RegistryKey
ReleaseMutex
@.reloc
Remove
Replace
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
ResolveEventArgs
ResolveEventHandler
ResolveMethod
ResolveSignature
ReturnLength
Rfc2898DeriveBytes
RgDescriptions
<RgDescriptions>k__BackingField
RgInventory
<RgInventory>k__BackingField
RijndaelManaged
`.rsrc
RuntimeCompatibilityAttribute
RuntimeFieldHandle
RuntimeTypeHandle
    </security>
    <security>
SeekOrigin
Select
sender
set_Accept
set_Amount
set_Appid
set_AutomaticDecompression
set_Classid
set_ContentType
set_CookieContainer
set_Domain
set_ID
set_Instanceid
set_IsBackground
set_Item
set_IV
set_Key
set_Market_Name
set_Method
set_Pos
set_Position
set_Referer
set_RgDescriptions
set_RgInventory
set_Success
set_Tradable
set_Type
set_UserAgent
SetValue
sfavid
SHA256
SHA512
SizeOf
-START-EAAAAPZUUmtZdxp+kzkDbZUTMhUSae29mWxjdjHwDj+LNMEjxlN57n2OsgHejBvekfuoLoZw0miLgfJKgMFAUHIetb8MR0sG+ID54BA9ydm7KPKyie5XDASXQFnRYkE47SdEhxfduKKoxpQSigMOanst2d+NJjl2CwHdDqeL6FoVuYRbACjr8KCdDkS2JvkzVmqa10fxa2Z8Q+dnG5rMFE5z3loE1sIiVqXNQ/qYM6AXC7RXU2Svh10jFSt2bSUTvWTO07Sbi5yhZ6Nr1XJYzYwPO7xc2XJ0/FWo8Vb471+i8kblnwoDa4FLv7Yeav+8lGIfilpDueLp6zQVSmzoEGPzhLfdx60istmv3bfvrIiMFn0BuAuNwof/sgZ++b2CGjADQoReuYQNcpy51LpZ1k75UYJgWrdePgCbdZJOi7XCzZQW8tC09JKM6klm1/dIU3Od5g==-END-
Steam Client WebHelper
steamwebhelper
steamwebhelper.exe
Stream
StreamReader
StreamWriter
String
StringReader
#Strings
Substring
Success
<Success>k__BackingField
SuppressIldasmAttribute
SymmetricAlgorithm
System
System.Collections
System.Collections.Generic
System.Collections.Specialized
System.ComponentModel
System.Core
System.Diagnostics
SystemException
System.IO
System.IO.Compression
System.Linq
System.Net
System.Reflection
System.Reflection.Emit
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Runtime.Versioning
System.Security.Cryptography
System.Security.Principal
System.Text
System.Text.RegularExpressions
System.Threading
System.Web.Extensions
System.Web.Script.Serialization
TargetFrameworkAttribute
TextReader
TextWriter
!This program cannot be run in DOS mode.
thread
Thread
ThreadStart
TimeSpan
ToArray
ToBase64String
ToInt32
ToList
ToLower
ToPointer
ToString
ToUInt32
ToUInt64
Tradable
<Tradable>k__BackingField
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
TryGetValue
<Type>k__BackingField
UInt32
UInt64
UnauthorizedAccessException
UnmanagedMemoryStream
UploadFile
v4.0.30319
ValueType
Valve Corporation
vidsfa
VirtualProtect
VirtualQueryEx
WaitForExit
WaitHandle
WaitOne
WebClient
WebException
WebHeaderCollection
WebRequest
WebResponse
WindowsBuiltInRole
WindowsIdentity
WindowsPrincipal
WrapNonExceptionThrows
WriteAllBytes
WriteLine
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>