PWS:MSIL/RedLine.GG!MTB — RedLine Removal Guide

by Robert Bailey
September 5, 2023

The PWS:MSIL/RedLine.GG!MTB detection, is a sign that your computer has a problem. Giving it a go may end up with really bad consequences. This malware aims at stealing different types of data from your computer.

RedLine practices a lot of tricks to dodge anti-malware software detection, and uses secured connections to exfiltrate data. The activity of this malware usually results in losing access to your social media accounts, and exposing your identity. Moreover, some samples can also deliver other malicious programs to the system.

PWS:MSIL/RedLine.GG!MTB Detection Overview

The PWS:MSIL/RedLine.GG!MTB detection you can see in the lower right side is shown to you by Microsoft Defender. That anti-malware software is pretty good at scanning, however, prone to be generally unreliable. It is prone to malware invasions, it has a glitchy user interface and problematic malware clearing capabilities. Therefore, the pop-up which states concerning the RedLine is rather just an alert that Defender has actually recognized it. To remove it, you will likely need to make use of a separate anti-malware program.

PWS:MSIL/RedLine.GG!MTB found

Microsoft Defender: “PWS:MSIL/RedLine.GG!MTB”

Having PWS:MSIL/RedLine.GG!MTB malware in your system is a bad thing from any point of view. The most troublesome issue is that you will not find anything wrong. Key quality of any spyware is being as secretive as possible. Some RedLine samples are also able to perform self-removal after grabbing all the valuable data present on the PC. Then, it will be almost impossible to recover the flow of events and understand how your accounts were hacked. Variants of spyware that aim at long-term action can aim at the specific folder in the system or file type. Then, files grabbed in such a way will be put for sale on the Darknet – at one of its numerous forums with leaked data.

Spyware Summary:

Name RedLine Spyware
Detection PWS:MSIL/RedLine.GG!MTB
Damage Steal personal data contained in the attacked system.
Fix Tool See If Your System Has Been Affected by RedLine Spyware

Redline.GG!MTB Behaviour

Click to expand
  • Executable code extraction. Cybercriminals often use binary packers to hinder the malicious code from reverse-engineered by malware analysts. A packer is a tool that compresses, encrypts, and modifies a malicious file’s format. Sometimes packers can be used for legitimate ends, for example, to protect a program against cracking or copying.
  • Creates RWX memory. There is a security trick with memory regions that allows an attacker to fill a buffer with a shellcode and then execute it. Filling a buffer with shellcode isn’t a big deal, it’s just data. The problem arises when the attacker is able to control the instruction pointer (EIP), usually by corrupting a function’s stack frame using a stack-based buffer overflow, and then changing the flow of execution by assigning this pointer to the address of the shellcode.
  • Unconventionial language used in binary resources: Maori;
  • The binary likely contains encrypted or compressed data. In this case, encryption is a way of hiding virus’ code from antiviruses and virus’ analysts.
  • The executable is compressed using UPX;
  • Network activity detected but not expressed in API logs. Microsoft built an API solution right into its Windows operating system it reveals network activity for all apps and programs that ran on the computer in the past 30-days. This malware hides network activity.
  • Anomalous binary characteristics. This is a way of hiding virus’ code from antiviruses and virus’ analysts.

File Info

Click to expand
crc32: C5FC10B3md5: 07fd76a48f5ccd8e98ffc64936fdaf9bname: 07FD76A48F5CCD8E98FFC64936FDAF9B.mlwsha1: a67e4de87cfd50ab72263f19b07d2f8dddcd2d3bsha256: b2150830c4f7af2133d1ce2c9279ae3021b49b610011ef546662ff18a7a15770sha512: d10cdfc6b8900bf36c7a5d88cde36ac8d0ff677c6e3f7ee33b63c0747e5c54305df3c5764e52c2e4f0f1284dfc750b124f7237bdcbf16c6f601e33ace54615b7ssdeep: 6144:2o/kTmtMB9YfOvVCbcAgmXJ1ii+sa85YgJjk3CuWOTaCDmM8ceFQwzBcDd5y4jU:2oiB9Y2vVCym5wi75BJjeJxaCDX8N/Otype: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

Version Info:

InternalSurname: vebuk.ekcProd: 1.2.4FileVersions: 1.0.5.9LegalCo: Copyri (C) 2019, pirmudationco

Alternative Detection Names

Click to expand
GridinSoft Trojan.Ransom.Gen
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.45472634
FireEye Generic.mg.07fd76a48f5ccd8e
ALYac Trojan.GenericKD.45472634
Cylance Unsafe
AegisLab Trojan.Multi.Generic.4!c
Sangfor Malware
K7AntiVirus Trojan ( 005762a71 )
BitDefender Trojan.GenericKD.45472634
K7GW Trojan ( 005762a71 )
CrowdStrike win/malicious_confidence_100% (D)
Cyren W32/Trojan.EHSM-5348
Symantec ML.Attribute.HighConfidence
APEX Malicious
Kaspersky Backdoor.Win32.Agent.mytylt
ViRobot Trojan.Win32.Z.Zenpack.372736
Rising Trojan.Kryptik!8.8 (TFE:5:aECDp9gAllR)
Ad-Aware Trojan.GenericKD.45472634
Emsisoft Trojan.Crypt (A)
Comodo Malware@#1ejczz3exkppq
F-Secure Trojan.TR/Crypt.Agent.jznij
DrWeb Trojan.DownLoader36.35173
TrendMicro TROJ_FRS.0NA104AF21
McAfee-GW-Edition BehavesLike.Win32.RansomGandCrab.fc
Sophos Mal/Generic-S
SentinelOne Static AI – Malicious PE
Avira TR/Crypt.Agent.jznij
MAX malware (ai score=86)
Kingsoft Win32.Hack.Agent.(kcloud)
Microsoft PWS:MSIL/RedLine.GG!MTB
Gridinsoft Trojan.Win32.Packed.oa
Arcabit Trojan.Generic.D2B5DB7A
ZoneAlarm Backdoor.Win32.Agent.mytylt
GData Trojan.GenericKD.45472634
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Agent.R363063
Acronis suspicious
McAfee GenericRXNI-UK!07FD76A48F5C
VBA32 Trojan.Azorult
Malwarebytes Trojan.MalPack.GS
Panda Trj/GdSda.A
ESET-NOD32 a variant of Win32/Kryptik.HIUS
TrendMicro-HouseCall TROJ_FRS.0NA104AF21
Tencent Win32.Backdoor.Agent.Ijd
Ikarus Trojan.Win32.Krypt
Fortinet W32/Kryptik.GWXD!tr
BitDefenderTheta Gen:NN.ZexaF.34760.wmGfa0HeLwhG
Paloalto generic.ml
Qihoo-360 Generic/HEUR/QVM11.1.9F9B.Malware.Gen

Is PWS:MSIL/RedLine.GG!MTB dangerous?

As I have pointed out earlier, any malware is harmful. And PWS:MSIL/RedLine.GG!MTB is not even close to distracting you rather than harming. The most deceptive characteristic of RedLine is the fact you cannot see its activity by any means, other than with the use of anti-malware software scanning. And while you are in the dark, fraudsters who delivered their malware to your system are starting to count the money. Darknet offers a lot of opportunities to sell spyware logs for a hefty sum – especially when these logs are new. And you’d better not imagine what will happen to your accounts when other rascals will put their hands on your credentials.

However, things may have much faster flow. In some cases, crooks are deploying their virus precisely to the user they are trying to steal from. Spyware is invaluable when it comes to collecting login credentials, and some samples aim precisely at banking accounts or crypto wallets. One may say, giving spyware a run equals to sending all your money to fraudsters.

How did I get this virus?

It is hard to trace the origins of malware on your computer. Nowadays, things are mixed up, and spreading ways chosen by adware 5 years ago may be utilized by spyware these days. But if we abstract from the exact distribution way and will think of why it has success, the reply will be pretty uncomplicated – low level of cybersecurity awareness. Individuals press on ads on strange sites, open the pop-ups they get in their browsers, call the “Microsoft tech support” believing that the scary banner that says about malware is true. It is very important to know what is legit – to prevent misunderstandings when attempting to figure out a virus.

Microsoft tech support scam

The example of Microsoft Tech support scam banner

Nowadays, there are two of the most common methods of malware spreading – bait e-mails and also injection into a hacked program. While the first one is not so easy to stay away from – you must know a lot to recognize a counterfeit – the second one is easy to address: just don’t utilize hacked applications. Torrent-trackers and other providers of “totally free” applications (which are, actually, paid, but with a disabled license checking) are really a giveaway point of malware. And PWS:MSIL/RedLine.GG!MTB is simply one of them.

About the author

Robert Bailey

Security engineer focused on malware behavior, removal workflows, and Windows hardening. Robert reviews threat articles for practical accuracy, checking detection names, symptoms, and cleanup steps before publication.

View all posts

Leave a Comment