Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family Stimilina
Trojan:Win32/Stimilina is a password-stealing trojan that specifically targets credentials for the Steam gaming platform. The malware establishes persistence via the registry's 'Run' key, captures screenshots, and exfiltrates stolen data to hardcoded IP addresses and email accounts. Its primary goal is to compromise user gaming accounts for financial gain or resale.
Relevant strings associated with this threat:
Associated sample hash: 12464f68bb7e04a257ba9577929a5f1e9020e9b9a895dbec88bce4a4a247a675

Recommended remediation steps:
1. Isolate the affected machine from the network.
2. Perform a full system scan with an updated antivirus tool to remove the threat.
3. Immediately change the password for your Steam account and any other critical online accounts.
4. Enable two-factor authentication (2FA) on all important services, especially Steam.