Trojan:Win64/Amadey!rfn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Amadey!rfn
Classification:
Type: Trojan
Platform: Win64
Family: Amadey
Detection Type: Concrete
Known malware family with identified signatures
Suffix: !rfn
Internal Microsoft category suffix applied to some detections (per Microsoft's malware naming convention); it does not indicate a ransomware family, and Amadey itself is a loader and info-stealer, not ransomware
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: a Trojan (a program that appears legitimate but performs malicious actions) built for the 64-bit Windows platform, attributed to the Amadey family.

Summary:

Trojan:Win64/Amadey!rfn is Windows Defender's detection for Amadey, a malware loader with bundled info-stealer and clipper components that compromises Windows systems. The signature strings below show what it goes after: saved credentials from web browsers (Chrome, Edge, Firefox, Opera, CentBrowser, Chedot, Sputnik and the Tor Browser profile), FTP and messaging clients (FileZilla's sitemanager.xml, WinSCP's winscp.ini, Total Commander's wcx_ftp.ini, Pidgin's accounts.xml) and cryptocurrency wallets (Exodus, Electrum, Armory, Monero, Dogecoin), collected by a STEALERDLL.dll module and exfiltrated over HTTP multipart uploads, plus a CLIPPERDLL.dll module that monitors the clipboard to steal cryptocurrency. Because Amadey is a loader, an infected host may also have received additional payloads beyond the stealer and clipper. The result is data exfiltration with significant financial and privacy risk.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - scr=up (PEHSTR_EXT)
 - x%.2x%.2x%.2x%.2x%.2x%.2x (PEHSTR_EXT)
 - Content-Type: application/octet-stream (PEHSTR_EXT)
 - Content-Type: multipart/form-data (PEHSTR_EXT)
 - \FileZilla\sitemanager.xml (PEHSTR_EXT)
 - \.purple\accounts.xml (PEHSTR_EXT)
 - \Wcx_ftp.ini (PEHSTR_EXT)
 - \winscp.ini (PEHSTR_EXT)
 - D:\Mktmp\NL1\Release\NL1.pdb (PEHSTR_EXT)
 - GetComputerNameW (PEHSTR_EXT)
 - rundll32.exe (PEHSTR_EXT)
 - Amadey\Release\Amadey.pdb (PEHSTR_EXT)
 - CLIPPERDLL.dll (PEHSTR_EXT)
 - 4CClipperDLL@@QAEAAV0@ABV0@@Z (PEHSTR_EXT)
 - ??4CClipperDLL@@QAEAAV0@$$QAV0@@Z (PEHSTR_EXT)
 - D:\Mktmp\Amadey\Release\Amadey.pdb (PEHSTR_EXT)
 - jmXjsf (PEHSTR_EXT)
 - \Google\Chrome\User Data\Default\Login Data (PEHSTR_EXT)
 - \Opera Software\Opera Stable\Login Data (PEHSTR_EXT)
 - \Mozilla\Firefox\Profiles\ (PEHSTR_EXT)
 - \logins.json (PEHSTR_EXT)
 - Exodus\exodus.wallet\ (PEHSTR_EXT)
 - electrum_data\wallets (PEHSTR_EXT)
 - Taskkill /IM ArmoryQt.exe /F (PEHSTR_EXT)
 - Dogecoin\ (PEHSTR_EXT)
 - STEALERDLL.dll (PEHSTR_EXT)
 - Amadey.pdb (PEHSTR_EXT)
 - nbveek.exe (PEHSTR_EXT)
 - :\TEMP\ (PEHSTR_EXT)
 - %\ghaaer.exe (PEHSTR_EXT)
 - D:\Mktmp\Amadey\StealerDLL (PEHSTR_EXT)
 - \Microsoft\Edge\User Data\Default\Login Data (PEHSTR_EXT)
 - \Chedot\User Data\Default\Login Data (PEHSTR_EXT)
 - \CentBrowser\User Data\Default\Login Data (PEHSTR_EXT)
 - Monero\wallets\ (PEHSTR_EXT)
 - logins.json (PEHSTR_EXT)
 - TEMP\pixelsee-installer-tmp (PEHSTR_EXT)
 - MediaGet\mediaget.exe (PEHSTR_EXT)
 - \Amadey\Release\Amadey.pdb (PEHSTR_EXT)
 - xmscoree.dll (PEHSTR_EXT)
 - Geometri_Odev.Properties (PEHSTR_EXT)
 - aj|/w3aUIX (PEHSTR_EXT)
 - .vmp0 (PEHSTR_EXT)
 - .vmp1 (PEHSTR_EXT)
 - .vmp2 (PEHSTR_EXT)
 - softbonesomfings.pdb (PEHSTR_EXT)
 - \TorBrowser\Data\Browser\profile.default (PEHSTR_EXT)
 - JjsrPl== (PEHSTR_EXT)
 - %userappdata%\RestartApp.exe (PEHSTR_EXT)
 - Venomous.Properties.Resources (PEHSTR_EXT)
 - .rsrc (PEHSTR_EXT)
 - NzAzMTAyMzU5NTlaMDIxEjAQBgNVBAMMCU9SX0syRDlLTzEcMBoGA1UECgwTT3Jl (PEHSTR_EXT)
 - Oi8vcGtpLWNybC5zeW1hdXRoLmNvbS9vZmZsaW5lY2EvVGhlSW5zdGl0dXRlb2ZF (PEHSTR_EXT)
 - program files\mozilla firefox (PEHSTR_EXT)
 - program files\mozilla thunderbird (PEHSTR_EXT)
 - purple\accounts.xml (PEHSTR_EXT)
 - CentBrowser\User Data\Default\Login Data (PEHSTR_EXT)
 - Sputnik\User Data\Default\Login Data (PEHSTR_EXT)
 - powershell -Command Compress-Archive -Path (PEHSTR_EXT)
 - FileZilla\sitemanager.xml (PEHSTR_EXT)
 - ovrflw.exe (PEHSTR_EXT)
 - .idata   (PEHSTR_EXT)
 - .taggant (PEHSTR_EXT)
 - \\.\Global\oreansx64 (PEHSTR_EXT)
 - DownloaderApp.am2.bin (PEHSTR_EXT)
 - DownloaderApp.exe (PEHSTR_EXT)
 - DownloaderApp. (PEHSTR_EXT)
 - 2z1690.exe (PEHSTR_EXT)
 - 1d55e9.exe (PEHSTR_EXT)
 - hater/nircmd.exe (PEHSTR_EXT)
 - /c schtasks /create /tn " (PEHSTR_EXT)
 - <Hidden>true</Hidden> (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
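The PEHSTR_EXT entries above are plain substrings that Defender's static engine looks for in the file image, weighted and thresholded so that generic strings such as rundll32.exe, logins.json or .rsrc do not trigger a detection on their own. The following Python script is an added example (it is not Microsoft's engine, not the real signature's logic, and not code from this page) that applies the same idea to a subset of the listed strings: it searches a file's bytes for each string in both ASCII and UTF-16LE (Windows binaries frequently store paths as wide strings), assigns each distinct hit an assumed weight, and flags the file when the total reaches an assumed threshold. The weights, the threshold and the two embedded sample blobs are constructed for this example; the report does not expose the weights Defender actually uses.

```python
"""PEHSTR-style substring scanner for the Amadey strings listed in the report.

Added example: the weights, threshold and sample blobs are assumptions made
for illustration, not values taken from Microsoft's signature.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Subset of the report's PEHSTR_EXT strings. Weights are assumed: distinctive
# build artifacts score high, benign-looking strings score zero and are only
# recorded for context.
SIGNATURE: Dict[str, int] = {
    "D:\\Mktmp\\Amadey\\Release\\Amadey.pdb": 5,
    "D:\\Mktmp\\Amadey\\StealerDLL": 5,
    "STEALERDLL.dll": 4,
    "CLIPPERDLL.dll": 4,
    "Taskkill /IM ArmoryQt.exe /F": 3,
    "\\FileZilla\\sitemanager.xml": 2,
    "\\winscp.ini": 2,
    "\\Google\\Chrome\\User Data\\Default\\Login Data": 2,
    "\\Mozilla\\Firefox\\Profiles\\": 2,
    "scr=up": 1,
    "rundll32.exe": 0,
    "logins.json": 0,
}
THRESHOLD = 8  # assumed: score at or above this flags the file

# PE files carry both narrow (ASCII) and wide (UTF-16LE) strings.
ENCODINGS = ("ascii", "utf-16-le")


@dataclass
class Hit:
    needle: str
    encoding: str
    offset: int
    weight: int


def scan(data: bytes) -> List[Hit]:
    """Return every signature string found in data, in either encoding."""
    hits: List[Hit] = []
    for needle, weight in SIGNATURE.items():
        for enc in ENCODINGS:
            off = data.find(needle.encode(enc))
            if off != -1:
                hits.append(Hit(needle, enc, off, weight))
    return hits


def score(hits: List[Hit]) -> int:
    """Count each distinct string once, even if it appears in both encodings."""
    return sum(SIGNATURE[name] for name in {h.needle for h in hits})


def verdict(data: bytes) -> Tuple[bool, int, List[Hit]]:
    """Scan, score and compare against the assumed threshold."""
    hits = scan(data)
    total = score(hits)
    return total >= THRESHOLD, total, hits


def build_sample(fragments: List[Tuple[str, str]]) -> bytes:
    """Construct a fake file image: a 64-byte stub header followed by the
    given (text, encoding) fragments separated by NUL padding."""
    blob = bytearray(b"MZ" + b"\x00" * 62)
    for text, enc in fragments:
        blob += text.encode(enc) + b"\x00" * 16
    return bytes(blob)


# Constructed samples for the example; these are not real files.
SUSPICIOUS = build_sample([
    ("D:\\Mktmp\\Amadey\\Release\\Amadey.pdb", "ascii"),
    ("STEALERDLL.dll", "ascii"),
    ("\\Google\\Chrome\\User Data\\Default\\Login Data", "utf-16-le"),
    ("Taskkill /IM ArmoryQt.exe /F", "utf-16-le"),
    ("rundll32.exe", "ascii"),
])
BENIGN = build_sample([
    ("rundll32.exe", "ascii"),
    ("logins.json", "utf-16-le"),
    (".rsrc", "ascii"),
])

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        flagged, total, hits = verdict(blob)
        print(f"{name}: flagged={flagged} score={total}")
        for h in hits:
            print(f"  +{h.weight:<2} {h.encoding:<9} @0x{h.offset:06x} {h.needle}")
```

To triage a real file, pass `open(path, "rb").read()` to `verdict()`. Treat the output as a hunting lead rather than an equivalent of the Defender verdict: the real signature's weights and thresholds are not shown in the report, and a packed or VMProtect-wrapped sample (note the .vmp0/.vmp1/.vmp2 section names in the list) will not expose most of these strings until it is unpacked or dumped from memory.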
Known malware sample associated with this threat (SHA-256):
d3b926411d12631bda77b5c80f96239585a5c805e20c58f70566d38b0180992b
Last updated: 04/01/2026
Remediation Steps:
Immediately isolate the infected system from the network. Run a full scan with up-to-date antivirus to remove the malware, and treat a clean scan as necessary but not sufficient: Amadey is a loader, so additional payloads may have been fetched and installed, and a full re-image is the only reliable way to ensure eradication. Crucially, from a separate trusted device, change every password for accounts used on the compromised machine (browser-saved logins, FTP and SFTP clients, messaging accounts and cryptocurrency wallets), move any funds out of wallets whose files were on the host, and enable multi-factor authentication. Monitor financial and exchange accounts for suspicious activity.
=== END REPORT ===