user@threatcheck.sh ~ threat-analysis
bash
$ analyze-threat Trojan:Win64/Amadey.AMD!MTB
Trojan:Win64/Amadey.AMD!MTB - Windows Defender threat signature analysis

Trojan:Win64/Amadey.AMD!MTB - Windows Defender Threat Analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Amadey.AMD!MTB
Classification:
Type:Trojan
Platform:Win64
Family:Amadey
Detection Type:Concrete
Known malware family with identified signatures
Variant:AMD
Specific signature variant within the malware family
Suffix:!MTB
Detected via machine learning and behavioral analysis
Detection Method:Behavioral
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 64-bit Windows platform, family Amadey

Summary:

Trojan:Win64/Amadey.AMD!MTB is a concrete detection of the Amadey botnet loader, a sophisticated Trojan. It employs various techniques including process injection/hooking, scheduled tasks, BITS jobs, and the use of legitimate Windows utilities (mshta, regsvr32, rundll32, PowerShell) to establish persistence and facilitate command-and-control communication, often to deliver further malicious payloads.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
YARA Rule:
rule Trojan_Win64_Amadey_AMD_2147954412_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:Win64/Amadey.AMD!MTB"
        threat_id = "2147954412"
        type = "Trojan"
        platform = "Win64: Windows 64-bit platform"
        family = "Amadey"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "3"
        strings_accuracy = "High"
    strings:
        $x_2_1 = {48 f7 e9 48 01 ca 48 d1 fa 48 89 cb 48 c1 f9 3f 48 29 ca 48 85 d2 0f 8e a4 00 00 00 48 8b 44 24 68 48 89 d1 48 89 c6 48}  //weight: 2, accuracy: High
        $x_1_2 = {48 89 44 24 18 48 8b 10 48 8d 59 ff 48 89 1c 24 48 8b 1a ff d3 48 8b 44 24 08 48 89 44 24 10 48 8b 4c 24 18 48 8b 11 48 8b 4c 24 30 48 83 c1 fe}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware which is associated with this threat:
c08dcea8a617c425eae853beffe21c8b073365e1cd1139a33f5581712775a539
28/01/2026
VirusTotalDownload Sample
Remediation Steps:
Immediately isolate the infected system to prevent further compromise. Conduct a full, deep scan using updated security software to remove all malicious components. Review and remove any suspicious scheduled tasks, services, or persistence mechanisms created by the malware. For critical systems or persistent threats, consider re-imaging the affected endpoint.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 27/01/2026. Do you want to analyze it again?
$ ls available-commands/
→ cd /home
user@threatcheck.sh:~$