user@threatcheck.sh ~ threat-analysis
bash
$ analyze-threat PWS:MSIL/Polazert.GA!MTB
PWS:MSIL/Polazert.GA!MTB - Windows Defender threat signature analysis

PWS:MSIL/Polazert.GA!MTB - Windows Defender Threat Analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: PWS:MSIL/Polazert.GA!MTB
Classification:
Type:PWS
Platform:MSIL
Family:Polazert
Detection Type:Concrete
Known malware family with identified signatures
Variant:GA
Specific signature variant within the malware family
Suffix:!MTB
Detected via machine learning and behavioral analysis
Detection Method:Behavioral
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Password Stealer - Steals credentials and sensitive information for .NET (Microsoft Intermediate Language) platform, family Polazert

Summary:

This is a highly malicious .NET (MSIL) password stealer from the Polazert family. It uses machine learning behavioral analysis to detect and target a wide range of sensitive user data, including cryptocurrency wallet files, web browser credentials (form history, login data from Chrome/Firefox), and Remote Desktop Protocol (RDP) login information for exfiltration.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - http:// (PEHSTR_EXT)
 - *.rdp (PEHSTR_EXT)
 - \default.rdp (PEHSTR_EXT)
 - formhistory.sqlite (PEHSTR_EXT)
 - logins.json (PEHSTR_EXT)
YARA Rule:
rule PWS_MSIL_Polazert_GA_2147793890_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "PWS:MSIL/Polazert.GA!MTB"
        threat_id = "2147793890"
        type = "PWS"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Polazert"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "9"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "http://" ascii //weight: 1
        $x_1_2 = "Wallet" ascii //weight: 1
        $x_1_3 = "Electrum" ascii //weight: 1
        $x_1_4 = "Ethereum" ascii //weight: 1
        $x_1_5 = "Exodus" ascii //weight: 1
        $x_1_6 = "OpenVPN" ascii //weight: 1
        $x_1_7 = "*.rdp" ascii //weight: 1
        $x_1_8 = "\\default.rdp" ascii //weight: 1
        $x_1_9 = "os_crypt" ascii //weight: 1
        $x_1_10 = "encrypted_key" ascii //weight: 1
        $x_1_11 = "formhistory.sqlite" ascii //weight: 1
        $x_1_12 = "logins.json" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (9 of ($x*))
}
Known malware which is associated with this threat:
Filename: fb2653749d3afd1a4fa1aa8f3dfe04ce158856291f0295a5c6a25b89f8de266e
fb2653749d3afd1a4fa1aa8f3dfe04ce158856291f0295a5c6a25b89f8de266e
24/01/2026
VirusTotalDownload Sample
f9378f177fa7b0a58f0568e9d2696750069ad6e901445d873ec732109f5c00c1
16/01/2026
VirusTotalDownload Sample
bf62e839259c19fe22cf36689126e60d5d29865d886fc2dd219c14a9ec7268fd
08/01/2026
VirusTotalDownload Sample
Filename: SecuriteInfo.com.Trojan.PWS.Discord.614.14478.281
3c6f13e4de2ce49f07dd814cdb46048ba326574cc738fb7b592ad77db29c595e
07/01/2026
VirusTotalDownload Sample
f78238db552a2bcab1a68fcf3df9fbae50bba3c44d3bda6b7dddcfc007eee046
06/01/2026
VirusTotalDownload Sample
Remediation Steps:
Immediately isolate the affected system, perform a full antivirus scan, and change all potentially compromised credentials (browser-saved, RDP, cryptocurrency wallets). Enable multi-factor authentication (MFA) on all critical accounts and consider a system re-image to ensure complete removal and prevent further compromise.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 23/12/2025. Do you want to analyze it again?
$ ls available-commands/
→ cd /home
user@threatcheck.sh:~$