HackTool:Win32/NirCmd!AMTB

user@threatcheck.sh ~ threat-analysis

bash

$ analyze-threat HackTool:Win32/NirCmd!AMTB

HackTool:Win32/NirCmd!AMTB - Windows Defender threat signature analysis

$ cat analysis.txt

=== THREAT ANALYSIS REPORT ===

Threat Name: HackTool:Win32/NirCmd!AMTB

Classification:

Type:HackTool

Platform:Win32

Family:NirCmd

Detection Type:Concrete

Known malware family with identified signatures

Suffix:!AMTB

Confidence:Very High

False-Positive Risk:Low

Concrete signature match: Hack Tool - Tool used to exploit vulnerabilities for 32-bit Windows platform, family NirCmd

Summary:

This threat, HackTool:Win32/NirCmd!AMTB, is a concrete detection of a hack tool package. It bundles utilities like NirCmd, NSudoLG (a privilege escalation tool), and 7z.exe, often used for system manipulation, UAC bypass, or other unauthorized activities by attackers.

Severity:

High

VDM Static Detection:

No specific strings found for this threat

YARA Rule:

rule HackTool_Win32_NirCmd_AMTB_2147957491_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "HackTool:Win32/NirCmd!AMTB"
        threat_id = "2147957491"
        type = "HackTool"
        platform = "Win32: Windows 32-bit platform"
        family = "NirCmd"
        severity = "High"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "5"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "saked/NSudoLG.exe" ascii //weight: 1
        $x_1_2 = "saked/nircmd.exe" ascii //weight: 1
        $x_1_3 = "saked/cecho.exe" ascii //weight: 1
        $x_1_4 = "saked/same.zip" ascii //weight: 1
        $x_1_5 = "saked/7z.exe" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Known malware which is associated with this threat:

Filename: random.exe

c6d9ebd578344bca28d911d746064cb017f4e08e9866680746c226412dbad765

09/12/2025

→VirusTotal ↓Download Sample

Filename: c7d1ce183982c56a39a4232ccbb4673ed2ba98e3c50974b3cd3df110f4d7b961

c7d1ce183982c56a39a4232ccbb4673ed2ba98e3c50974b3cd3df110f4d7b961

08/12/2025

→VirusTotal ↓Download Sample

Filename: b1c25c431760f57bb921940305e8278c1d719fe6593545b8c8ccfa45b0c8b133

b1c25c431760f57bb921940305e8278c1d719fe6593545b8c8ccfa45b0c8b133

08/12/2025

→VirusTotal ↓Download Sample

Filename: 955a111cb65378a89c9f745a750ff74839a1431fe9f9225070cb51a9f43474c0

955a111cb65378a89c9f745a750ff74839a1431fe9f9225070cb51a9f43474c0

08/12/2025

→VirusTotal ↓Download Sample

Filename: 7498941c15516027cd24c4dc69d7b07501af41970a6c32a7544a9d648d30b71e

7498941c15516027cd24c4dc69d7b07501af41970a6c32a7544a9d648d30b71e

08/12/2025

→VirusTotal ↓Download Sample

Remediation Steps:

Immediately isolate the affected system, perform a full system scan with updated antivirus software to remove the detected files, and investigate for any signs of compromise, privilege escalation, or further malicious activity using EDR/SIEM tools. Review system logs and user accounts for unauthorized changes.

=== END REPORT ===

$ reanalyze-threat

This analysis was last updated on 16/11/2025. Do you want to analyze it again?

$ ls available-commands/

→ cd /home

user@threatcheck.sh:~$ ▊

HackTool:Win32/NirCmd!AMTB - Windows Defender Threat Analysis