
Trojan:Win32/Amadey.AMD!MTB - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Amadey.AMD!MTB
Classification:
Type: Trojan
Platform: Win32
Family: Amadey
Detection Type: Concrete (known malware family with identified signatures)
Variant: AMD (specific signature variant within the malware family)
Suffix: !MTB (detected via machine learning and behavioral analysis)
Detection Method: Behavioral
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions) on the 32-bit Windows platform, family Amadey.

Summary:

Trojan:Win32/Amadey.AMD!MTB is a concrete detection of Amadey, a sophisticated Win32 trojan and botnet loader. It employs extensive process hooking, leverages system utilities for persistence (scheduled tasks, BITS, regsvr32/rundll32), and is designed to download and execute additional malicious payloads, posing a significant risk for further compromise and data exfiltration.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
YARA Rule:
rule Trojan_Win32_Amadey_AMD_2147893178_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/Amadey.AMD!MTB"
        threat_id = "2147893178"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "Amadey"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {6a 00 8d 4d e8 51 50 56 ff 75 b4 ff d3 8d 45 ec 50 ff 75 ec 56 57}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware associated with this threat:
Remediation Steps:
Immediately isolate the infected system. Perform a full scan with updated security software to remove the threat and any dropped payloads. Thoroughly investigate for persistence mechanisms, C2 communication, and potential data exfiltration or credential compromise, then patch all systems.
=== END REPORT ===
This analysis was last updated on 31/01/2026.