user@threatcheck.sh ~ threat-analysis
bash
$ analyze-threat Trojan:Win64/Amadey.AMD!MTB
Trojan:Win64/Amadey.AMD!MTB - Windows Defender threat signature analysis

Trojan:Win64/Amadey.AMD!MTB - Windows Defender Threat Analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Amadey.AMD!MTB
Classification:
Type:Trojan
Platform:Win64
Family:Amadey
Detection Type:Concrete
Known malware family with identified signatures
Variant:AMD
Specific signature variant within the malware family
Suffix:!MTB
Detected via machine learning and behavioral analysis
Detection Method:Behavioral
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 64-bit Windows platform, family Amadey

Summary:

Trojan:Win64/Amadey.AMD!MTB is a concrete detection of the Amadey botnet loader, a sophisticated Trojan. It employs various techniques including process injection/hooking, scheduled tasks, BITS jobs, and the use of legitimate Windows utilities (mshta, regsvr32, rundll32, PowerShell) to establish persistence and facilitate command-and-control communication, often to deliver further malicious payloads.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
YARA Rule:
rule Trojan_Win64_Amadey_AMD_2147954412_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Amadey.AMD!MTB"
        threat_id = "2147954412"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Amadey"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "3"
        strings_accuracy = "High"
    strings:
        $x_2_1 = {48 f7 e9 48 01 ca 48 d1 fa 48 89 cb 48 c1 f9 3f 48 29 ca 48 85 d2 0f 8e a4 00 00 00 48 8b 44 24 68 48 89 d1 48 89 c6 48}  //weight: 2, accuracy: High
        $x_1_2 = {48 89 44 24 18 48 8b 10 48 8d 59 ff 48 89 1c 24 48 8b 1a ff d3 48 8b 44 24 08 48 89 44 24 10 48 8b 4c 24 18 48 8b 11 48 8b 4c 24 30 48 83 c1 fe}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware which is associated with this threat:
Filename: cred64.dll
a410c89db9140ed9dff55bff00b0338fbdffcc709490782c7b28e8a10c11eb3b
31/03/2026
VirusTotalDownload Sample
2e40c440729bb43a4c5e8ba6bcc07b406c59ebcd40f4fc8ca4ab405f721c32dc
27/03/2026
VirusTotalDownload Sample
c08dcea8a617c425eae853beffe21c8b073365e1cd1139a33f5581712775a539
28/01/2026
VirusTotalDownload Sample
Remediation Steps:
Immediately isolate the infected system to prevent further compromise. Conduct a full, deep scan using updated security software to remove all malicious components. Review and remove any suspicious scheduled tasks, services, or persistence mechanisms created by the malware. For critical systems or persistent threats, consider re-imaging the affected endpoint.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 27/01/2026. Do you want to analyze it again?
$ ls available-commands/
→ cd /home
user@threatcheck.sh:~$