
Infostealer.Stimaler


First posted on 19 May 2015.
Source: Symantec

Aliases :

There are no other names known for Infostealer.Stimaler.

Explanation :

The Trojan may arrive through a fake mod for the game Grand Theft Auto V.

When the Trojan is executed, it creates the following file:
- %Temp%\Fade.exe

Next, the Trojan creates the following folders:
- %Temp%\Data
- %Temp%\Logs

The Trojan then creates the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "explorer.exe", "[PATH TO MALWARE]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Shell" = "[PATH TO MALWARE]"

Next, the Trojan modifies the following registry subkey:
- HKEY_CURRENT_USER\Software\Microsoft\Fade

The Trojan then connects to the following remote location:
- apcrypt.duckdns.org

Next, the Trojan creates the following mutex:
- Fade0940F8E3DDD94B028B2C2A12BA4AB969

The Trojan then scans the computer to check for the following circumstances:
- If the user profile running the threat is "antonie" and the computer name includes "BRBRB"
- If the computer is a virtual machine
- If the computer is running an antivirus product

The Trojan may then perform the following actions from the user's Steam account:
- Steal Steam items
- Gather information such as the wallet balance amount and friends list
- Accept and deny trade offers
- Add friends

The Trojan may also log keystrokes.
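The following is an added host-check script, not part of the Symantec writeup. It turns the indicators above (dropped file and folders, the two registry values, the Fade subkey, the mutex and the C2 hostname) into a read-only PowerShell triage check for a single Windows host. It only reports; it removes nothing. The indicator values come from the page; the output format, the "Global\" mutex variant and the use of the local DNS client cache (rather than an active lookup, which would itself contact the domain's resolver) are my own choices.

```powershell
# Added example: read-only check for Infostealer.Stimaler indicators on the current host.
# Run as the user whose profile is being examined, since all registry keys are under HKCU.

$findings = @()

# 1. Dropped file and working folders under %Temp%
$temp = $env:TEMP
foreach ($p in @("$temp\Fade.exe", "$temp\Data", "$temp\Logs")) {
    if (Test-Path -LiteralPath $p) { $findings += "Path exists: $p" }
}

# 2. Winlogon Shell value. On a clean profile this value is either absent (inherited
#    from HKLM) or exactly "explorer.exe"; the Trojan appends its own path.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -ne $shell -and $shell.Trim().ToLower() -ne 'explorer.exe') {
    $findings += "Winlogon Shell is non-default: '$shell'"
}

# 3. Run-key value named "Shell". Legitimate software does not normally use this name.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runShell = (Get-ItemProperty -Path $run -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -ne $runShell) { $findings += "Run value 'Shell' present: '$runShell'" }

# 4. Configuration subkey the Trojan modifies
if (Test-Path -LiteralPath 'HKCU:\Software\Microsoft\Fade') {
    $findings += 'Registry subkey HKCU\Software\Microsoft\Fade exists'
}

# 5. Mutex. OpenExisting succeeds only if a process currently holds the name;
#    an access-denied error also means it exists (held by another session).
#    The page does not say which namespace is used, so both are tried (assumption).
$mutexName = 'Fade0940F8E3DDD94B028B2C2A12BA4AB969'
foreach ($name in @($mutexName, "Global\$mutexName")) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings += "Mutex present (process likely running): $name"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present: expected on a clean host
    } catch [System.UnauthorizedAccessException] {
        $findings += "Mutex present but not openable from this session: $name"
    }
}

# 6. C2 hostname. Checking the local DNS client cache is passive; it shows whether
#    something on this host has recently resolved the name.
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
       Where-Object { $_.Entry -like '*apcrypt.duckdns.org*' }
foreach ($e in $dns) { $findings += "DNS cache entry for C2 host: $($e.Entry) -> $($e.Data)" }

if ($findings.Count -eq 0) {
    Write-Output 'No Infostealer.Stimaler indicators found.'
    exit 0
}
Write-Output "Possible Infostealer.Stimaler indicators ($($findings.Count)):"
$findings | ForEach-Object { Write-Output "  [!] $_" }
exit 1
```

The script exits with 1 when any indicator is present so it can be wired into a scheduled job or EDR script runner. A hit on the Winlogon "Shell" value alone is worth escalating even without the other indicators, because per-user Shell overrides are rare in ordinary environments and are a persistence technique shared by many other families.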

Last update 19 May 2015
