HackTool.Win64.NimPlant.A
Platform: Windows
Threat Type: Hacking Tool
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet, Dropped by other malware
This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It does not have any propagation routine.
It does not have any information-stealing capability.
TECHNICAL DETAILS
File Size: 650,752 bytes
File Type: DLL
Memory Resident: No
Initial Samples Received Date: 19 Sep 2024
Arrival Details
This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Propagation
This Hacking Tool does not have any propagation routine.
Rootkit Capabilities
This Hacking Tool does not have rootkit capabilities.
Information Theft
This Hacking Tool does not have any information-stealing capability.
NOTES:
This Hacking Tool accepts the following parameters:
- Command arguments shown as [required] {optional}.
- Commands with (GUI) can be run without parameters through the web interface.
- cancel → Cancel all pending tasks.
- cat → [filename] Print a file's contents to the screen.
- cd → [directory] Change the working directory.
- clear → Clear the screen.
- cp → [source] [destination] Copy a file or directory.
- curl → [url] Get a webpage remotely and return the results.
- download → [remotefilepath] {localfilepath} Download a file from NimPlant's disk to the NimPlant server.
- env → Get environment variables.
- execute-assembly (GUI) → {BYPASSAMSI=0} {BLOCKETW=0} [localfilepath] {arguments} Execute .NET assembly from memory. AMSI/ETW patched by default. Loads the CLR.
- exit → Exit the server, killing all NimPlants.
- getAv → List Antivirus / EDR products on target using WMI.
- getDom → Get the domain the target is joined to.
- getLocalAdm → List local administrators on the target using WMI.
- getpid → Show process ID of the currently selected NimPlant.
- getprocname → Show process name of the currently selected NimPlant.
- help → {command} Show this help menu or command-specific help.
- hostname → Show hostname of the currently selected NimPlant.
- inline-execute (GUI) → [localfilepath] [entrypoint] {arg1 type1 arg2 type2..} Execute Beacon Object Files (BOF) from memory.
- ipconfig → List IP address information of the currently selected NimPlant.
- kill → Kill the currently selected NimPlant.
- list → Show list of active NimPlants.
- listall → Show list of all NimPlants.
- ls → {path} List files and folders in a certain directory. Lists current directory by default.
- mkdir → [directory] Create a directory (and its parent directories if required).
- mv → [source] [destination] Move a file or directory.
- nimplant → Show info about the currently selected NimPlant.
- osbuild → Show operating system build information for the currently selected NimPlant.
- powershell → {BYPASSAMSI=0} {BLOCKETW=0} [command] Execute a PowerShell command in an unmanaged runspace. Loads the CLR.
- ps → List running processes on the target. Indicates current process.
- pwd → Get the current working directory.
- reg → [query|add] [path] {key} {value} Query or modify the registry. New values will be added as REG_SZ.
- rm → [file] Remove a file or directory.
- run → [binary] {arguments} Run a binary from disk. Returns output but blocks NimPlant while running.
- screenshot → Take a screenshot of the user's screen.
- select → [id] Select another NimPlant.
- shell → [command] Execute a shell command.
- shinject (GUI) → [targetpid] [localfilepath] Load raw shellcode from a file and inject it into the specified process's memory space using dynamic invocation.
- sleep → [sleeptime] {jitter%} Change the sleep time of the current NimPlant.
- upload (GUI) → [localfilepath] {remotefilepath} Upload a file from the NimPlant server to the victim machine.
- wget → [url] {remotefilepath} Download a file to disk remotely.
- whoami → Get the user ID that NimPlant is running as.
It does not exploit any vulnerability.
SOLUTION
Minimum Scan Engine: 9.800
First VSAPI Pattern File: 2.765.00
First VSAPI Pattern Release Date: 26 Sep 2024
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product to delete files detected as HackTool.Win64.NimPlant.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information: