{"id":27689,"date":"2024-10-17T09:43:49","date_gmt":"2024-10-17T09:43:49","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=27689"},"modified":"2024-11-03T00:22:36","modified_gmt":"2024-11-03T00:22:36","slug":"trojan-win32-stealer-mtb","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/trojan-win32-stealer-mtb\/","title":{"rendered":"Trojan:Win32\/Stealer!MTB Virus"},"content":{"rendered":"<p><strong>Trojan:Win32\/Stealer!MTB<\/strong> is a detection that indicates the presence of an infostealer on your system. Despite being generic, it still carries enough information to draw basic conclusions, though it does not rule out the possibility of a false positive. In this post, I will explain how to understand whether something threatens your system and how to remove the malware.<\/p>\n<h2>Trojan:Win32\/Stealer!MTB Overview<\/h2>\n<p>Trojan:Win32\/Stealer!MTB is a generic Microsoft Defender detection that, as its name says, belongs to <a href=\"https:\/\/gridinsoft.com\/blogs\/infostealer-malware-top\/\">the infostealer malware type<\/a>. In summary, this type of malware specializes in stealing information from the target system. 
Since the detection is generic, it can be applied <strong>to any infostealer<\/strong>, so I will describe them here in general terms and then go into more detail with a specific example.<\/p>\n<figure id=\"attachment_27698\" aria-describedby=\"caption-attachment-27698\" style=\"width: 476px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/Trojan-Win32StealerMTB-detection.webp\" alt=\"Trojan:Win32\/Stealer!MTB Detection screenshot\" width=\"476\" height=\"350\" class=\"size-full wp-image-27698\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/Trojan-Win32StealerMTB-detection.webp 476w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/Trojan-Win32StealerMTB-detection-300x221.webp 300w\" sizes=\"auto, (max-width: 476px) 100vw, 476px\" \/><figcaption id=\"caption-attachment-27698\" class=\"wp-caption-text\">Trojan:Win32\/Stealer!MTB Detection popup<\/figcaption><\/figure>\n<p>As for the data that this malware can steal, <strong>any sensitive info<\/strong> stored on the system is at risk. An infostealer primarily steals login data stored in browsers (encrypted and unencrypted). In addition, it steals user\/profile data of local email clients. Trojan Stealer spreads in a variety of ways. 
But most often it spreads via compromised <a href=\"https:\/\/gridinsoft.com\/crack\">pirated software<\/a> and as malicious email attachments.<\/p>\n<figure id=\"attachment_27706\" aria-describedby=\"caption-attachment-27706\" style=\"width: 961px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/stealer-mtb-reddit.jpg\" alt=\"Trojan:Win32\/Stealer!MTB Reddit\" width=\"961\" height=\"686\" class=\"size-full wp-image-27706\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/stealer-mtb-reddit.jpg 961w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/stealer-mtb-reddit-300x214.jpg 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/stealer-mtb-reddit-768x548.jpg 768w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/stealer-mtb-reddit-860x614.jpg 860w\" sizes=\"auto, (max-width: 961px) 100vw, 961px\" \/><figcaption id=\"caption-attachment-27706\" class=\"wp-caption-text\">Reddit post regarding the Trojan:Win32\/Stealer!MTB<\/figcaption><\/figure>\n<h3>Key Characteristics<\/h3>\n<table>\n<tr>\n<td>Trojan Virus<\/td>\n<td> Disguised as legitimate software to trick users into executing it.<\/td>\n<\/tr>\n<tr>\n<td>Information Stealing<\/td>\n<td> Focuses on extracting personal data such as usernames, passwords, credit card numbers, and other confidential information.<\/td>\n<\/tr>\n<tr>\n<td>Stealth Operations<\/td>\n<td> Operates in the background without the user&#8217;s knowledge.<\/td>\n<\/tr>\n<tr>\n<td>Potential Malware Download<\/td>\n<td> May download additional malicious software onto the infected system.<\/td>\n<\/tr>\n<\/table>\n<h3>Understanding the Name<\/h3>\n<ul>\n<li><strong>Trojan<\/strong>: Refers to malware that tricks users into loading and executing it on their systems.<\/li>\n<li><strong>Win32<\/strong>: Indicates that it targets 32-bit Windows operating 
systems.<\/li>\n<li><strong>Stealer<\/strong>: Specifies that the primary function is to steal data.<\/li>\n<li><strong>!MTB<\/strong>: A specific identifier used by Microsoft to classify and track the threat.<\/li>\n<\/ul>\n<h2>Technical Analysis<\/h2>\n<p>Let&#8217;s now take a look at how Trojan Stealer behaves in an infected system, <a href=\"https:\/\/www.virustotal.com\/gui\/file\/3f7e041e466f779ea61696d2b932da57ce525fefe11972c8a7a489b1a2a9e38e\/behavior\" target=\"_blank\" rel=\"noopener nofollow\">using one of the samples<\/a>. Since this is a generic detection, a short time after detection its name will likely be changed to a more specific threat type. For simplicity, I have divided the entire process into several steps.<\/p>\n<h3>Initialization and Privilege Escalation<\/h3>\n<p>Like most malware, the first thing the stealer does is check whether another instance of the malware is running. To do this, it runs an executable file and executes PowerShell commands:<\/p>\n<p><code style=\"font-size: 14px\"> %SAMPLEPATH%\\3f7e041e466f779ea61696d2b932da57ce525fefe11972c8a7a489b1a2a9e38e.exe<br \/>\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe<\/code><\/p>\n<p>Trojan Stealer then checks for specific mutexes and, if none are found, creates them. A mutex is a named synchronization object that <strong>prevents multiple instances of the program (or malware, in this case) from running<\/strong> on the system. So if the malware has already been launched, the mutex will already exist. 
If not, the current instance creates the following:<\/p>\n<p><code style=\"font-size: 14px\"> \\Sessions\\1\\BaseNamedObjects\\Global\\RasPbFile<br \/>\n\\Sessions\\1\\BaseNamedObjects\\Global\\SyncRootManager<br \/>\n\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesCacheCounterMutex<br \/>\n\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesLockedCacheCounterMutex<\/code><\/p>\n<p>To ensure that it is running on a live system and not in a virtual environment, it then checks the system protection status at the following locations:<\/p>\n<p><code style=\"font-size: 14px\"> HKCU\\Software\\Microsoft\\Internet Explorer\\Security<br \/>\nHKCU\\Software\\Microsoft\\Internet Explorer\\Security\\DisableSecuritySettingsCheck<br \/>\nC:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2102.4-0\\X86\\MsMpLics.dll<\/code><\/p>\n<p>In this way, the malware checks the status of Microsoft Defender and tries to disable it. Next, the malware attempts to gain persistence in the system so that it can run on every system startup. To do this, it uses the legitimate schtasks.exe process and adds itself to autorun:<\/p>\n<p><code style=\"font-size: 14px\"> C:\\Windows\\System32\\Tasks\\Updates<br \/>\nC:\\Windows\\System32\\Tasks\\Updates\\oobbtR<\/code><\/p>\n<h3>Payload and Data Collection<\/h3>\n<p>In the next step, the malware duplicates its files and configs <strong>to the AppData folder<\/strong>. This location is not normally visible to a user, so there\u2019s much less risk of the user raising an alarm or deleting the files. 
Typically for malicious programs, the file names are obscure and unintelligible.<\/p>\n<p><code style=\"font-size: 14px\"> %USERPROFILE%\\AppData\\Local\\Temp\\__PSScriptPolicyTest_dhhkkyeh.5dh.ps1<br \/>\n%USERPROFILE%\\AppData\\Local\\Temp\\__PSScriptPolicyTest_ypq04irl.mrv.psm1<br \/>\n%USERPROFILE%\\AppData\\Local\\Temp\\tmp8901.tmp<br \/>\n%USERPROFILE%\\AppData\\Roaming\\oobbtR.exe<br \/>\n%USERPROFILE%\\AppData\\Local\\Temp\\tmpF5CB.tmp<\/code><\/p>\n<p>Next, the threat performs its main task, which is to collect data. In summary, it checks installed browsers, email clients, and other places on the system that may contain login credentials. To elaborate, these are the following locations:<\/p>\n<p><code style=\"font-size: 14px\"> C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data<br \/>\nC:\\Users\\user\\AppData\\Local\\Microsoft\\Credentials\\<br \/>\nC:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data<br \/>\nC:\\Users\\user\\AppData\\Roaming\\8pecxstudios\\Cyberfox\\profiles.ini<br \/>\nC:\\Users\\user\\AppData\\Roaming\\Comodo\\IceDragon\\profiles.ini<br \/>\nC:\\Users\\user\\AppData\\Roaming\\Flock\\Browser\\profiles.ini<br \/>\nC:\\Users\\user\\AppData\\Roaming\\K-Meleon\\profiles.ini C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Credentials\\<br \/>\nC:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini<br \/>\nC:\\Users\\user\\AppData\\Roaming\\Mozilla\\SeaMonkey\\profiles.ini<br \/>\nC:\\Users\\user\\AppData\\Roaming\\NETGATE Technologies\\BlackHawk\\profiles.ini<br \/>\nC:\\Users\\user\\AppData\\Roaming\\Postbox\\profiles.ini<br \/>\nC:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini<br \/>\nC:\\Users\\user\\AppData\\Roaming\\Waterfox\\profiles.ini<\/code><\/p>\n<p>The malware compresses all collected data into an archive and saves it in a temporary folder. 
This makes the data transfer much harder to detect, as the archive simply blends in with the rest of the network traffic. To avoid security software flagging an abnormal transfer, <strong>the malware also uses encrypted connections<\/strong> for its communications with the command server.<\/p>\n<h3>Data Exfiltration<\/h3>\n<p>The last step in the malware cycle is to send the collected data to the attacker&#8217;s <a href=\"https:\/\/gridinsoft.com\/command-and-control\">command and control (C2) server<\/a>. Before that, the malware checks the external IP address of the system through the api.ipify.org service. This value is probably added to the system fingerprint, the set of data that distinguishes one infected system from another. The malware uses Telegram as a command server, specifically calling the Telegram Bot API sendMessage method via a URL.<\/p>\n<p><code style=\"font-size: 14px\"> https:\/\/api.telegram.org\/bot5693068931:AAGSQSNIWDJM1FzeZVNHS020I9wVBrQdkRM\/sendMessage<\/code><\/p>\n<p>On the hacker\u2019s side, this looks like a conversation with a bot that regularly sends back the logs from victim PCs. Using Telegram as a C2 server is now a rather popular practice, though the exact model of how this works may change after the recent events around the messenger.<\/p>\n<h2>How To Remove Trojan:Win32\/Stealer!MTB?<\/h2>\n<p>To get rid of the Stealer, the best option is to perform an anti-malware scan. Gridinsoft Anti-Malware is an optimal solution for that task: its multi-component detection system will swiftly delete any malicious elements, regardless of their origin. 
Below, you can see the detailed guide on how to perform the scanning and remove the threats afterwards.<\/p>\n<img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main.webp\" alt=\"GridinSoft Anti-Malware main screen\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22665\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-main-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\n<p>Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.<\/p>\n<div style=\"text-align:center\"><a href=\"\/download\/antimalware\" class=\"btn border-black\" rel=\"nofollow\">Download Anti-Malware<\/a><\/div>\n<p>After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click \"Advanced mode\" and see the options in the drop-down menus. 
You can also see extended information about each detection - malware type, effects and potential source of infection.<\/p>\n<img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result.webp\" alt=\"Scan results screen\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22666\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-result-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\n<p>Click \"Clean Now\" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.<\/p>\n<img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean.webp\" alt=\"Removal finished\" width=\"886\" height=\"689\" class=\"aligncenter size-full wp-image-22667\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean.webp 886w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean-300x233.webp 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/antimalware-clean-768x597.webp 768w\" sizes=\"auto, (max-width: 886px) 100vw, 886px\" \/>\n","protected":false},"excerpt":{"rendered":"<p>Trojan:Win32\/Stealer!MTB is a detection that indicates the presence of an infostealer on your system. Despite being generic, it still shows enough information to make basic conclusions, but this does not tell you there&#8217;s a probability of this detection being a false positive. 
In this post, I will explain how to understand whether something threatens your [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":27700,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[17],"tags":[48,1360,24,223],"class_list":{"0":"post-27689","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-labs","8":"tag-spyware","9":"tag-stealer","10":"tag-trojan","11":"tag-windows-defender"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/10\/Trojan-Win32StealerMTB.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/27689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=27689"}],"version-history":[{"count":20,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/27689\/revisions"}],"predecessor-version":[{"id":28061,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/27689\/revisions\/28061"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/27700"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=27689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=27689"},{"taxonomy":"post_tag","embeddable":true,"href":"htt
ps:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=27689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}