Trojan:Win32/Amadey!rfn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Amadey!rfn
Classification:
 - Type: Trojan
 - Platform: Win32
 - Family: Amadey
 - Detection Type: Concrete (known malware family with identified signatures)
 - Suffix: !rfn (specific ransomware family name)
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: a Trojan (appears legitimate but performs malicious actions) targeting the 32-bit Windows platform, family Amadey.

Summary:

Trojan:Win32/Amadey!rfn is a sophisticated information stealer known to target a wide array of sensitive user data. It actively exfiltrates browser credentials (Chrome, Firefox, Opera), FTP client login details, and cryptocurrency wallet information, alongside performing clipboard monitoring for crypto addresses.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - scr=up (PEHSTR_EXT)
 - x%.2x%.2x%.2x%.2x%.2x%.2x (PEHSTR_EXT)
 - Content-Type: application/octet-stream (PEHSTR_EXT)
 - Content-Type: multipart/form-data (PEHSTR_EXT)
 - \FileZilla\sitemanager.xml (PEHSTR_EXT)
 - \.purple\accounts.xml (PEHSTR_EXT)
 - \Wcx_ftp.ini (PEHSTR_EXT)
 - \winscp.ini (PEHSTR_EXT)
 - D:\Mktmp\NL1\Release\NL1.pdb (PEHSTR_EXT)
 - GetComputerNameW (PEHSTR_EXT)
 - rundll32.exe (PEHSTR_EXT)
 - Amadey\Release\Amadey.pdb (PEHSTR_EXT)
 - CLIPPERDLL.dll (PEHSTR_EXT)
 - 4CClipperDLL@@QAEAAV0@ABV0@@Z (PEHSTR_EXT)
 - ??4CClipperDLL@@QAEAAV0@$$QAV0@@Z (PEHSTR_EXT)
 - D:\Mktmp\Amadey\Release\Amadey.pdb (PEHSTR_EXT)
 - jmXjsf (PEHSTR_EXT)
 - \Google\Chrome\User Data\Default\Login Data (PEHSTR_EXT)
 - \Opera Software\Opera Stable\Login Data (PEHSTR_EXT)
 - \Mozilla\Firefox\Profiles\ (PEHSTR_EXT)
 - \logins.json (PEHSTR_EXT)
 - Exodus\exodus.wallet\ (PEHSTR_EXT)
 - electrum_data\wallets (PEHSTR_EXT)
 - Taskkill /IM ArmoryQt.exe /F (PEHSTR_EXT)
 - Dogecoin\ (PEHSTR_EXT)
 - STEALERDLL.dll (PEHSTR_EXT)
 - Amadey.pdb (PEHSTR_EXT)
 - nbveek.exe (PEHSTR_EXT)
 - :\TEMP\ (PEHSTR_EXT)
 - %\ghaaer.exe (PEHSTR_EXT)
 - D:\Mktmp\Amadey\StealerDLL (PEHSTR_EXT)
 - \Microsoft\Edge\User Data\Default\Login Data (PEHSTR_EXT)
 - \Chedot\User Data\Default\Login Data (PEHSTR_EXT)
 - \CentBrowser\User Data\Default\Login Data (PEHSTR_EXT)
 - Monero\wallets\ (PEHSTR_EXT)
 - logins.json (PEHSTR_EXT)
 - TEMP\pixelsee-installer-tmp (PEHSTR_EXT)
 - MediaGet\mediaget.exe (PEHSTR_EXT)
 - \Amadey\Release\Amadey.pdb (PEHSTR_EXT)
 - xmscoree.dll (PEHSTR_EXT)
 - Geometri_Odev.Properties (PEHSTR_EXT)
 - aj|/w3aUIX (PEHSTR_EXT)
 - .vmp0 (PEHSTR_EXT)
 - .vmp1 (PEHSTR_EXT)
 - .vmp2 (PEHSTR_EXT)
 - softbonesomfings.pdb (PEHSTR_EXT)
 - \TorBrowser\Data\Browser\profile.default (PEHSTR_EXT)
 - JjsrPl== (PEHSTR_EXT)
 - %userappdata%\RestartApp.exe (PEHSTR_EXT)
 - Venomous.Properties.Resources (PEHSTR_EXT)
 - .rsrc (PEHSTR_EXT)
 - NzAzMTAyMzU5NTlaMDIxEjAQBgNVBAMMCU9SX0syRDlLTzEcMBoGA1UECgwTT3Jl (PEHSTR_EXT)
 - Oi8vcGtpLWNybC5zeW1hdXRoLmNvbS9vZmZsaW5lY2EvVGhlSW5zdGl0dXRlb2ZF (PEHSTR_EXT)
 - program files\mozilla firefox (PEHSTR_EXT)
 - program files\mozilla thunderbird (PEHSTR_EXT)
 - purple\accounts.xml (PEHSTR_EXT)
 - CentBrowser\User Data\Default\Login Data (PEHSTR_EXT)
 - Sputnik\User Data\Default\Login Data (PEHSTR_EXT)
 - powershell -Command Compress-Archive -Path (PEHSTR_EXT)
 - FileZilla\sitemanager.xml (PEHSTR_EXT)
 - ovrflw.exe (PEHSTR_EXT)
 - .idata   (PEHSTR_EXT)
 - .taggant (PEHSTR_EXT)
 - \\.\Global\oreansx64 (PEHSTR_EXT)
 - DownloaderApp.am2.bin (PEHSTR_EXT)
 - DownloaderApp.exe (PEHSTR_EXT)
 - DownloaderApp. (PEHSTR_EXT)
 - 2z1690.exe (PEHSTR_EXT)
 - 1d55e9.exe (PEHSTR_EXT)
 - hater/nircmd.exe (PEHSTR_EXT)
 - /c schtasks /create /tn " (PEHSTR_EXT)
 - <Hidden>true</Hidden> (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
 - Filename: 9ff0ed219c56fb95f58e739e9eece082606da8556a9fccf344409daeae2a4eb7
 - SHA-256: 9ff0ed219c56fb95f58e739e9eece082606da8556a9fccf344409daeae2a4eb7
 - Date: 08/12/2025
Remediation Steps:
Immediately isolate the infected device to prevent further data exfiltration. Perform a full system scan with updated antivirus software to ensure complete removal. Promptly change all compromised credentials (browser, FTP, cryptocurrency accounts) from a trusted, clean system and enable multi-factor authentication where available.
=== END REPORT ===
This analysis was last updated on 08/12/2025.