
Accepted 76561198025405042

Discussion in 'Archived Reports' started by [+TE+] So many numbers!?, Jul 16, 2013.

Thread Status:
Not open for further replies.
  1. [+TE+] So many numbers!?

    [+TE+] So many numbers!? New User

    Messages:
    4
    Steam:
    STEAM_0:1:61649090
    Scammer: | steamname: Potato™
    | steamID32: STEAM_0:0:32569657
    | steamID64: http://steamcommunity.com/profiles/76561198025405042
    | customURL:
    | steamrep: http://steamrep.com/profiles/76561198025405042

    Victim: | steamname: [+TE+] Numbers!?
    | steamID32: STEAM_0:1:61649090
    | steamID64: http://steamcommunity.com/profiles/76561198083563909
    | customURL:
    | steamrep: http://steamrep.com/profiles/76561198083563909

    This person was acting very suspicious from the beginning.... I knew something wasn't right and then it all clicked and I hate him! This user started off by asking to offer IRL money for my Unusual Scorching Coppers Hard top. He then continues to explain about how his Steam was "glitchy" and "slow" so he then asked for my Skype details. As I am not this foolish I denied him access to this private information. He then told me he had been scammed by someone off Outpost (not giving a name to me). He said Steam would give him all the items back in 3 days. He then sent me a link to a Dropbox file of what he said was a picture of his inventory before he was scammed. Obviously I am aware of these phishing idiots these days. I then continued to inspect the file using Google Chrome. Meanwhile I told my friend of this suspicious behaviour. My friend then inspected the link and said the file on it (which I didn't download) was actually a RATS file that can hijack a computer. He says it makes you become infected, essentially making you part of someone's botnet and they can do anything whilst you are part of it. I found it very strange how he then couldn't log on to Outpost.
    I think this is an obvious attempt at scamming or hacking me out of my items.
    Here are pictures of the chat logs. Clearly he is acting very strangely and the link is containing this weird software. He went offline after this.

    Might be more proof of the infected link below!


  2. [+TE+] So many numbers!?

    [+TE+] So many numbers!? New User

    Messages:
    4
    Steam:
    STEAM_0:1:61649090
    A .scr file is a screensaver file; however, it works the exact same way as an EXE (.exe files) and a COM (.com files), so people can change their file from .exe to .scr or .com and their file will still have the exact same functions.

    A windows print screen is taken in PNG (.png files).

    When I first uploaded these 2 files to VirusTotal (a popular file scanner which distributes the files to AV companies) they had already been scanned before!
    This would not be the first time that this user has sent out these files.
    At the moment they are only detected by 2/46 AV companies because he has used a "Crypter" sold on the black market (e.g. Hackforums.net, Leakforums.org, Trojanforge.com etc).
    Within about 1-2 weeks most of these AV companies will have detected the files, and when that user realises that they have been detected, he will click the update button for his "Crypter" and then re-crypt those files so that they will be undetected again.

    I have run these in a sandboxed VM, and when these files are executed (double click them) they load into memory. They use a Ring3 rootkit or some seriously heavy persistence because no matter what you cannot kill them in memory, and they even run in safe mode.

    Virustotal links:
    https://www.virustotal.com/en/file/...f9443173daf41110e05414d8/analysis/1374001036/

    https://www.virustotal.com/en/file/...f9443173daf41110e05414d8/analysis/1374000990/
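The second post above explains why a ".scr" attachment is dangerous: Windows runs it as native code exactly like an .exe, while a real screenshot would be a PNG. The check below is an added example, not code from the original thread or from SteamRep; it decides from the first bytes of a file whether the content matches the name (PNG signature versus the "MZ"/"PE\0\0" headers of a Windows executable), flags the "inventory.png.scr" double-extension trick that Explorer's hidden-extensions default makes look like "inventory.png", and hashes the blob so it can be looked up on a scanner without uploading it. The extension lists and the sample byte strings are constructed for the example.

```python
"""Flag files whose name claims an image but whose bytes are a Windows executable."""
import hashlib
import struct
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # fixed 8-byte signature that opens every PNG file
MZ_MAGIC = b"MZ"                   # DOS header that opens every PE executable

# Constructed policy lists for this example. .scr is a screensaver but is a PE like .exe;
# .com is run as raw code, so it has no MZ header and only the name-based check catches it.
RUNNABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll"}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # If e_lfanew points past the bytes we were given, the slice is empty and this is False.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_png(data: bytes) -> bool:
    return data.startswith(PNG_MAGIC)


def classify(name: str, data: bytes) -> str:
    """Compare what the file name claims with what the leading bytes actually are.

    Returns one of:
      'double-extension' - e.g. inventory.png.scr: image name with a runnable suffix
                           (Explorer hides known extensions, so it shows as inventory.png)
      'masquerade'       - image extension but PE bytes inside
      'executable'       - runnable extension and PE bytes, honestly named
      'image'            - .png with a genuine PNG signature
      'unverified'       - nothing here checks this combination
    """
    suffixes = [s.lower() for s in Path(name).suffixes]
    final = suffixes[-1] if suffixes else ""
    if final in RUNNABLE_EXTENSIONS:
        if any(s in IMAGE_EXTENSIONS for s in suffixes[:-1]):
            return "double-extension"
        return "executable" if is_pe_image(data) else "unverified"
    if final in IMAGE_EXTENSIONS and is_pe_image(data):
        return "masquerade"
    if final == ".png" and is_png(data):
        return "image"
    return "unverified"


def sha256_hex(data: bytes) -> str:
    """Hash to look up on a scanner such as VirusTotal without uploading the file."""
    return hashlib.sha256(data).hexdigest()


def classify_file(path: str) -> str:
    """Read only the head of the file; the signatures checked all sit in the first 4 KiB."""
    with open(path, "rb") as fh:
        return classify(Path(path).name, fh.read(4096))


def _fake_pe() -> bytes:
    """Constructed: a DOS header pointing at a PE signature. Not a program; nothing runs."""
    hdr = bytearray(0x48)
    hdr[:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


SAMPLE_PE = _fake_pe()
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR"   # constructed: signature + start of IHDR chunk

if __name__ == "__main__":
    for fname, blob in [("screenshot.png", SAMPLE_PNG),
                        ("inventory.png.scr", SAMPLE_PE),
                        ("inventory.png", SAMPLE_PE),
                        ("setup.scr", SAMPLE_PE)]:
        print(f"{fname:20} {classify(fname, blob):17} sha256={sha256_hex(blob)[:16]}...")
```

The hash is what to search for first: the post notes the files had "already been scanned before", which is exactly what a hash lookup reveals without handing the sample to anyone. The content check is deliberately independent of the name check, so a renamed payload is caught whether the sender relied on a hidden extension or on a misleading one.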
  3. HelenAngel

    HelenAngel Retired Staff

    Messages:
    4,577
    Steam:
    STEAM_0:1:8627755
    Just letting you know this guy was marked. Thanks for the report. :)