user@threatcheck.sh ~ threat-analysis
bash
$ analyze-threat HackTool:Win32/NirCmd!AMTB
HackTool:Win32/NirCmd!AMTB - Windows Defender threat signature analysis

HackTool:Win32/NirCmd!AMTB - Windows Defender Threat Analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: HackTool:Win32/NirCmd!AMTB
Classification:
Type:HackTool
Platform:Win32
Family:NirCmd
Detection Type:Concrete
Known malware family with identified signatures
Suffix:!AMTB
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Hack Tool - Tool used to exploit vulnerabilities for 32-bit Windows platform, family NirCmd

Summary:

This threat, HackTool:Win32/NirCmd!AMTB, is a concrete detection of a hack tool package. It bundles utilities like NirCmd, NSudoLG (a privilege escalation tool), and 7z.exe, often used for system manipulation, UAC bypass, or other unauthorized activities by attackers.

Severity:
High
VDM Static Detection:
No specific strings found for this threat
YARA Rule:
rule HackTool_Win32_NirCmd_AMTB_2147957491_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "HackTool:Win32/NirCmd!AMTB"
        threat_id = "2147957491"
        type = "HackTool"
        platform = "Win32: Windows 32-bit platform"
        family = "NirCmd"
        severity = "High"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "5"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "saked/NSudoLG.exe" ascii //weight: 1
        $x_1_2 = "saked/nircmd.exe" ascii //weight: 1
        $x_1_3 = "saked/cecho.exe" ascii //weight: 1
        $x_1_4 = "saked/same.zip" ascii //weight: 1
        $x_1_5 = "saked/7z.exe" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware which is associated with this threat:
Filename: c3c16ece51c57b9c192e950ab83ad9ab
77ea8a229e540af84e423dc8f10e2da1776601899383746973a48035e2d0c233
03/01/2026
VirusTotalDownload Sample
Filename: c3e208878e1e3e9238b72a3c6b2b744f
e1ea71880e21f80747050acb9c632ac75c1ef48ead0441555e3d0f3a5d00ef98
03/01/2026
VirusTotalDownload Sample
Filename: c3f77554c8b216a610ac7525d6e20fb1
9c56898b035cdc2aaf781fb28688acfe64cf1d9738d3d57eb4547b75c5f99985
03/01/2026
VirusTotalDownload Sample
Filename: c55b53142db0a49d0dd00c3ee4ff5cff
1f76d34ec64f5d5ef08b9c2422e7b2d80aad6e86b89aa5b4c7e53d2e7e024598
03/01/2026
VirusTotalDownload Sample
Filename: c5e50a87785270ef016cbd8556e0f3a5
d4f10aa18edd016468938f3673cf54797ebdaa1915a9d003158f8be140c5a863
03/01/2026
VirusTotalDownload Sample
Remediation Steps:
Immediately isolate the affected system, perform a full system scan with updated antivirus software to remove the detected files, and investigate for any signs of compromise, privilege escalation, or further malicious activity using EDR/SIEM tools. Review system logs and user accounts for unauthorized changes.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 16/11/2025. Do you want to analyze it again?
$ ls available-commands/
→ cd /home
user@threatcheck.sh:~$