HackTool.Win64.NimPlant.A

 Analysis by: Raymart Christian Yambot

 PLATFORM:

Windows


  • Threat Type: Hacking Tool

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any information-stealing capability.

  TECHNICAL DETAILS

File Size:

650,752 bytes

File Type:

DLL

Memory Resident:

No

Initial Samples Received Date:

19 Sep 2024

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Propagation

This Hacking Tool does not have any propagation routine.

Rootkit Capabilities

This Hacking Tool does not have rootkit capabilities.

Information Theft

This Hacking Tool does not have any information-stealing capability.

NOTES:

This Hacking Tool accepts the following parameters. Command arguments are shown as [required] {optional}; commands marked (GUI) can be run without parameters through the web interface:

  • cancel → Cancel all pending tasks.
  • cat → [filename] Print a file's contents to the screen.
  • cd → [directory] Change the working directory.
  • clear → Clear the screen.
  • cp → [source] [destination] Copy a file or directory.
  • curl → [url] Get a webpage remotely and return the results.
  • download → [remotefilepath] {localfilepath} Download a file from NimPlant's disk to the NimPlant server.
  • env → Get environment variables.
  • execute-assembly (GUI) → {BYPASSAMSI=0} {BLOCKETW=0} [localfilepath] {arguments} Execute .NET assembly from memory. AMSI/ETW patched by default. Loads the CLR.
  • exit → Exit the server, killing all NimPlants.
  • getAv → List Antivirus / EDR products on target using WMI.
  • getDom → Get the domain the target is joined to.
  • getLocalAdm → List local administrators on the target using WMI.
  • getpid → Show process ID of the currently selected NimPlant.
  • getprocname → Show process name of the currently selected NimPlant.
  • help → {command} Show this help menu or command-specific help.
  • hostname → Show hostname of the currently selected NimPlant.
  • inline-execute (GUI) → [localfilepath] [entrypoint] {arg1 type1 arg2 type2..} Execute Beacon Object Files (BOF) from memory.
  • ipconfig → List IP address information of the currently selected NimPlant.
  • kill → Kill the currently selected NimPlant.
  • list → Show list of active NimPlants.
  • listall → Show list of all NimPlants.
  • ls → {path} List files and folders in a certain directory. Lists current directory by default.
  • mkdir → [directory] Create a directory (and its parent directories if required).
  • mv → [source] [destination] Move a file or directory.
  • nimplant → Show info about the currently selected NimPlant.
  • osbuild → Show operating system build information for the currently selected NimPlant.
  • powershell → {BYPASSAMSI=0} {BLOCKETW=0} [command] Execute a PowerShell command in an unmanaged runspace. Loads the CLR.
  • ps → List running processes on the target. Indicates current process.
  • pwd → Get the current working directory.
  • reg → [query|add] [path] {key} {value} Query or modify the registry. New values will be added as REG_SZ.
  • rm → [file] Remove a file or directory.
  • run → [binary] {arguments} Run a binary from disk. Returns output but blocks NimPlant while running.
  • screenshot → Take a screenshot of the user's screen.
  • select → [id] Select another NimPlant.
  • shell → [command] Execute a shell command.
  • shinject (GUI) → [targetpid] [localfilepath] Load raw shellcode from a file and inject it into the specified process's memory space using dynamic invocation.
  • sleep → [sleeptime] {jitter%} Change the sleep time of the current NimPlant.
  • upload (GUI) → [localfilepath] {remotefilepath} Upload a file from the NimPlant server to the victim machine.
  • wget → [url] {remotefilepath} Download a file to disk remotely.
  • whoami → Get the user ID that NimPlant is running as.

It does not exploit any vulnerability.

  SOLUTION

Minimum Scan Engine:

9.800

SSAPI PATTERN File:

2.765.00

SSAPI PATTERN Date:

26 Sep 2024

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product to delete files detected as HackTool.Win64.NimPlant.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
