"Free Steam Money" scam

Popup - https://www.sendspace.com/file/u2rkpy

Associated YouTube Account - https://www.youtube.com/channel/UCGFmpdJzyi7kzkfaJ4Zvy7A

Program contains a phishing trojan - https://www.virustotal.com/gui/file/00359381a68aff0d4beca671934e1e2c2ba432b4b0cbb6c1c81ef41d92c7c4c1/detection

tldr: Yep, it's malware. Did you report it to sendspace? Their ToS says nothing about malware but does about harmful content in general.

If you unpack the RAR, you get another RAR, and unpacking that gives the actual EXE file (the executable program).
Putting the STEAM\ MONEY.exe file into VirusTotal yields 50/70 systems flagged instead of just 1. File formats like .zip, .rar, and .tar.gz are just archives that contain the actual program, so it's usually a good idea to unpack and analyze the actual program instead of the entire package. Just a useful tip for checking stuff on platforms like VirusTotal.

https://www.virustotal.com/gui/file/767859b49bec2bac15d5470586202f92031296ec4177ec2f3d73daf28e5cc610/detection

<amateur-analysis-from-someone-who-doesnt-know-what-theyre-doing>
Unfortunately, I didn't realize this so I started analyzing it myself, and it is definitely suspicious. There are multiple calls to IsProcessorFeaturePresent (redirects to the Import Address Table at 0x462e73) and IsDebuggerPresent (IAT accessed directly at 0x44bcd1, 0x44d6e8, and 0x45451a). The use at 0x44d6e8 seems legitimate, but there is a reference to an error message about CAtlBaseModule, which implies that this project uses Microsoft's Active Template Library (or ATL). I did a little bit of testing, and found that ATL executables don't normally hook IsDebuggerPresent, except in some weird stuff with Azure (Microsoft's cloud computing division). It's entirely possible that these calls are entirely normal, but these kinds of checks are usually used for malware to determine if it's running inside some kind of a sandbox or analysis environment.
</amateur-analysis-from-someone-who-doesnt-know-what-theyre-doing>

I'm not at all an expert in Windows reverse engineering, so these calls could be completely benign. Then I decided to double-check it on VirusTotal and I guess I didn't need to spend all that time learning about ATL.

Did you report this to sendspace?
It doesn't mention anything about malware there or on their ToS, but it does say in section 5.7 of the ToS that:
"Whether lawful or unlawful, sendspace reserves the right to determine what is harmful to its Users, operations or reputation, including any activities that restrict or inhibit any other user from using and enjoying the Service or the Internet. If you wish to report a violation of our Terms of Use, you can do so via our contact form on this site."

I was going to report it, but I wanted to make sure you hadn't done so already.
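
The tip above about unpacking before scanning, as an added example that is not part of the original post: a Python sketch that walks nested archives in memory and returns the SHA-256 of each inner file, which is the value to look up on a scanning platform. It uses ZIP from the standard library as a stand-in for RAR; the sample archive and payload bytes are constructed, and `leaf_hashes` and `make_zip` are names chosen here.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 5                          # stop on suspiciously deep nesting
MAX_MEMBER_BYTES = 64 * 1024 * 1024    # refuse members declared larger than 64 MiB


def leaf_hashes(data, name="<outer>", depth=0):
    """Return [(path, sha256)] for every non-archive file inside nested ZIPs."""
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting deeper than {MAX_DEPTH} at {name}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Not an archive: this is the file whose hash is worth looking up.
        return [(name, hashlib.sha256(data).hexdigest())]
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                raise ValueError(f"{info.filename} exceeds size limit")
            inner = zf.read(info)  # held in memory only; never written or run
            results += leaf_hashes(inner, f"{name}/{info.filename}", depth + 1)
    return results


def make_zip(members):
    """Build a ZIP in memory from {filename: bytes} (used for the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed sample: an archive inside an archive, mirroring the layout in the post.
PAYLOAD = b"MZ" + b"constructed stand-in bytes, not a real executable"
INNER = make_zip({"STEAM MONEY.exe": PAYLOAD})
OUTER = make_zip({"inner.zip": INNER})

if __name__ == "__main__":
    print("outer archive:", hashlib.sha256(OUTER).hexdigest())
    for path, digest in leaf_hashes(OUTER):
        print(path, digest)
```

The outer archive's hash and the inner file's hash differ, which is why a lookup on the wrapper can miss detections already recorded for the file inside it.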