Question Steamunlocked malware?

[likeastar20]

Hello there. I have not much time this weekend. But just from checking this file vs the original version's entry point, it is clearly patched. The patched code is unreadable because it manipulates the stack pointer. The original NvStTest in contrast is clearly readable. This patch alone is reason enough to declare it as malware because it is a modification that has nothing to do there and the file hasn't been signed by the publisher. @SkeletalDemise is very spot on with observations and analysis.

Spoiler: some images from binary diffing

Entry point of clean NvStTest:

View attachment 278370

Entry point of manipulated NvStTest (cannot be decompiled):

View attachment 278371

BinDiff of both files

View attachment 278368

Diff for both files of PortEx, black byteplot on the left means same code/data. It is mostly the code near the entry point and some resources and the (missing) certificate that have been changed.

View attachment 278369

If this was a legitimate software update, you would expect something different:

1. not only entry point code changes
2. certificate would be there
3. code would be readable
4. many functions with small differences due to recompilation (this file was not recompiled, some of the sections even have the same hash)

This blacksoul rule detects msvcp140.dll. I would not take it seriously.

Do you think it is related to any of the linked articles by @SkeletalDemise? I'm interested in what family this malware belongs to, and do you think this malware is difficult to analyze? Because 3 vendors have said the file is clean previously. Initially, BD said it is clean, but now they deemed it malicious.

 

[struppigel]

Do you think it is related to any of the linked articles by @SkeletalDemise? I'm interested in what family this malware belongs to, and do you think this malware is difficult to analyze? Because 3 vendors have said the file is clean previously. Initially, BD said it is clean, but now they deemed it malicious.

I don't see a relation to these articles and I understood them as just being examples how malware abuses legitimate files.
I do not know what malware family this is because I did not really analyse it yet.

Yes, it is difficult to analyse because of many anti reversing mechanisms used. This might need several days of work which is why I am probably not doing it in my free time. But it is not difficult to see that the file has been malicously patched and it should have been picked up by analysts. The patch is at the entry point which is the very first thing an analyst looks at when opening the file in a disassembler. Finding the original file for comparison is also easy enough to do with VT access, which all major AV companies will hopefully provide to analysts. However, it is indeed likely that no human analyst ever saw the file when it was declared clean.