$ analyze-threat Trojan:Win32/Amadey!pz
Trojan:Win32/Amadey!pz - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Amadey!pz
Classification:
Type: Trojan
Platform: Win32
Family: Amadey
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !pz (packed or compressed to evade detection)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: a Trojan (appears legitimate but performs malicious actions) for the 32-bit Windows platform, family Amadey.

Summary:

Trojan:Win32/Amadey!pz is a multi-functional information stealer designed to exfiltrate sensitive data. It targets credentials stored in web browsers (Chrome, Firefox, Opera), FTP clients (FileZilla, WinSCP), and cryptocurrency wallets (Exodus, Electrum), and may also hijack clipboard data to redirect transactions.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - scr=up (PEHSTR_EXT)
 - x%.2x%.2x%.2x%.2x%.2x%.2x (PEHSTR_EXT)
 - Content-Type: application/octet-stream (PEHSTR_EXT)
 - Content-Type: multipart/form-data (PEHSTR_EXT)
 - \FileZilla\sitemanager.xml (PEHSTR_EXT)
 - \.purple\accounts.xml (PEHSTR_EXT)
 - \Wcx_ftp.ini (PEHSTR_EXT)
 - \winscp.ini (PEHSTR_EXT)
 - D:\Mktmp\NL1\Release\NL1.pdb (PEHSTR_EXT)
 - GetComputerNameW (PEHSTR_EXT)
 - rundll32.exe (PEHSTR_EXT)
 - Amadey\Release\Amadey.pdb (PEHSTR_EXT)
 - CLIPPERDLL.dll (PEHSTR_EXT)
 - 4CClipperDLL@@QAEAAV0@ABV0@@Z (PEHSTR_EXT)
 - ??4CClipperDLL@@QAEAAV0@$$QAV0@@Z (PEHSTR_EXT)
 - D:\Mktmp\Amadey\Release\Amadey.pdb (PEHSTR_EXT)
 - jmXjsf (PEHSTR_EXT)
 - \Google\Chrome\User Data\Default\Login Data (PEHSTR_EXT)
 - \Opera Software\Opera Stable\Login Data (PEHSTR_EXT)
 - \Mozilla\Firefox\Profiles\ (PEHSTR_EXT)
 - \logins.json (PEHSTR_EXT)
 - Exodus\exodus.wallet\ (PEHSTR_EXT)
 - electrum_data\wallets (PEHSTR_EXT)
 - Taskkill /IM ArmoryQt.exe /F (PEHSTR_EXT)
 - Dogecoin\ (PEHSTR_EXT)
 - STEALERDLL.dll (PEHSTR_EXT)
 - Amadey.pdb (PEHSTR_EXT)
 - nbveek.exe (PEHSTR_EXT)
 - :\TEMP\ (PEHSTR_EXT)
 - %\ghaaer.exe (PEHSTR_EXT)
 - D:\Mktmp\Amadey\StealerDLL (PEHSTR_EXT)
 - \Microsoft\Edge\User Data\Default\Login Data (PEHSTR_EXT)
 - \Chedot\User Data\Default\Login Data (PEHSTR_EXT)
 - \CentBrowser\User Data\Default\Login Data (PEHSTR_EXT)
 - Monero\wallets\ (PEHSTR_EXT)
 - logins.json (PEHSTR_EXT)
 - TEMP\pixelsee-installer-tmp (PEHSTR_EXT)
 - MediaGet\mediaget.exe (PEHSTR_EXT)
 - \Amadey\Release\Amadey.pdb (PEHSTR_EXT)
 - xmscoree.dll (PEHSTR_EXT)
 - Geometri_Odev.Properties (PEHSTR_EXT)
 - aj|/w3aUIX (PEHSTR_EXT)
 - .vmp0 (PEHSTR_EXT)
 - .vmp1 (PEHSTR_EXT)
 - .vmp2 (PEHSTR_EXT)
 - softbonesomfings.pdb (PEHSTR_EXT)
 - \TorBrowser\Data\Browser\profile.default (PEHSTR_EXT)
 - JjsrPl== (PEHSTR_EXT)
 - %userappdata%\RestartApp.exe (PEHSTR_EXT)
 - Venomous.Properties.Resources (PEHSTR_EXT)
 - .rsrc (PEHSTR_EXT)
 - NzAzMTAyMzU5NTlaMDIxEjAQBgNVBAMMCU9SX0syRDlLTzEcMBoGA1UECgwTT3Jl (PEHSTR_EXT)
 - Oi8vcGtpLWNybC5zeW1hdXRoLmNvbS9vZmZsaW5lY2EvVGhlSW5zdGl0dXRlb2ZF (PEHSTR_EXT)
 - program files\mozilla firefox (PEHSTR_EXT)
 - program files\mozilla thunderbird (PEHSTR_EXT)
 - purple\accounts.xml (PEHSTR_EXT)
 - CentBrowser\User Data\Default\Login Data (PEHSTR_EXT)
 - Sputnik\User Data\Default\Login Data (PEHSTR_EXT)
 - powershell -Command Compress-Archive -Path (PEHSTR_EXT)
 - FileZilla\sitemanager.xml (PEHSTR_EXT)
 - ovrflw.exe (PEHSTR_EXT)
 - .idata   (PEHSTR_EXT)
 - .taggant (PEHSTR_EXT)
 - \\.\Global\oreansx64 (PEHSTR_EXT)
 - DownloaderApp.am2.bin (PEHSTR_EXT)
 - DownloaderApp.exe (PEHSTR_EXT)
 - DownloaderApp. (PEHSTR_EXT)
 - 2z1690.exe (PEHSTR_EXT)
 - 1d55e9.exe (PEHSTR_EXT)
 - hater/nircmd.exe (PEHSTR_EXT)
 - /c schtasks /create /tn " (PEHSTR_EXT)
 - <Hidden>true</Hidden> (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
Filename: 913458F663A7184ACB6A84FF94321E77.exe
Hash: 5ca1927268e6b858428cb9c68c30699c377ea95f2879d4de6428f6fb03793ba9
Date: 16/11/2025
Remediation Steps:
Immediately isolate the infected machine from the network. Run a full, updated antivirus scan to remove all malicious components; consider re-imaging the device for full certainty. From a separate, clean device, change all passwords for accounts accessed from the infected machine and monitor financial accounts for unauthorized activity.
=== END REPORT ===
Analysis last updated: 16/11/2025