$ analyze-threat Trojan:Win32/Amadey.Z
Trojan:Win32/Amadey.Z - Windows Defender threat signature analysis
$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Amadey.Z
Classification:
 - Type: Trojan
 - Platform: Win32
 - Family: Amadey
 - Detection Type: Concrete (known malware family with identified signatures)
 - Variant: Z (specific signature variant within the malware family)
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family Amadey.

Summary:

Trojan:Win32/Amadey.Z is a botnet trojan that steals information, such as user credentials, and can download and execute other malware onto the compromised system. It uses various techniques for execution and persistence, including PowerShell, Scheduled Tasks, and API hooking, making it a severe threat to system integrity and data confidentiality.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
YARA Rule:
rule Trojan_Win32_Amadey_Z_2147941857_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win32/Amadey.Z!MTB"
        threat_id = "2147941857"
        type = "Trojan"
        platform = "Win32: Windows 32-bit platform"
        family = "Amadey"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_CMDHSTR_EXT"
        threshold = "7"
        strings_accuracy = "High"
    strings:
        $x_1_1 = ".EntryPoint.Invoke($" wide //weight: 1
        $x_1_2 = "[Char](" wide //weight: 1
        $x_1_3 = ".GetValue(" wide //weight: 1
        $x_1_4 = "[Reflection.Assembly]::Load" wide //weight: 1
        $x_1_5 = "Runtime.InteropServices.Marshal]" wide //weight: 1
        $x_1_6 = "split" wide //weight: 1
        $x_1_7 = ".GetMethod(" wide //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware associated with this threat:
 - Filename: 09932B0C0A29627C764A41C599DD325F.exe
   Hash: 4154a81334fa6da1113851f6e4d167de1fbf4ceaa49a8c87df5ebd9d707574c2
   Date: 21/11/2025
 - Filename: 2025-11-12cc851d214467277e4622d21ab303becaama.exe
   Hash: 60298bf861607375b48e7eb097a3a0721ed24e540e8823e06a3c539bb3667124
   Date: 13/11/2025
Remediation Steps:
Immediately isolate the affected machine from the network. Run a full antivirus scan to remove all malicious components. Since this is an information-stealing trojan, all passwords and credentials used on the system should be considered compromised and reset immediately. For full remediation, re-imaging the system from a known-good backup is strongly recommended.
=== END REPORT ===
This analysis was last updated on 13/11/2025.