Signature match: Trojan (appears legitimate but performs malicious actions), platform Win32 (32-bit Windows), family Amadey
Trojan:Win32/Amadey.MA is a potent Win32 Trojan that functions as a botnet loader, information stealer, and dropper for other malware. This variant is specifically identified as having 'clipper' capabilities, designed to hijack the clipboard to replace cryptocurrency wallet addresses and potentially other sensitive data. The detection leverages machine learning behavioral analysis combined with specific string heuristics to confirm its malicious nature.
Relevant strings associated with this threat:
- CLIPPERDLL.dll (PEHSTR_EXT)
- 4CClipperDLL@@QAEAAV0@ABV0@@Z (PEHSTR_EXT)
- ??4CClipperDLL@@QAEAAV0@$$QAV0@@Z (PEHSTR_EXT)
- D:\Mktmp\Amadey\Release\Amadey.pdb (PEHSTR_EXT)
rule Trojan_Win32_Amadey_MA_2147836228_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/Amadey.MA!MTB"
        threat_id = "2147836228"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "Amadey"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "10"
        strings_accuracy = "High"
    strings:
        $x_5_1 = "CLIPPERDLL.dll" ascii //weight: 5
        $x_2_2 = "4CClipperDLL@@QAEAAV0@ABV0@@Z" ascii //weight: 2
        $x_2_3 = "??4CClipperDLL@@QAEAAV0@$$QAV0@@Z" ascii //weight: 2
        $x_1_4 = "GetClipboardData" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the infected system from the network. Perform a full system scan with updated antivirus software (e.g., Windows Defender) to quarantine and remove all identified malicious files. Investigate for persistence mechanisms (e.g., registry entries, scheduled tasks) and remove them. Reset any compromised user credentials, especially if crypto theft is suspected, and monitor network activity for command and control (C2) communications.