Skip to content


VERMIN is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. 1

Item Value
ID S0257
Associated Names
Version 1.1
Created 17 October 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols VERMIN uses HTTP for C2 communications.1
enterprise T1560 Archive Collected Data VERMIN encrypts the collected files using 3-DES.1
enterprise T1123 Audio Capture VERMIN can perform audio capture.1
enterprise T1119 Automated Collection VERMIN saves each collected file with the automatically generated format {0:dd-MM-yyyy}.txt .1
enterprise T1115 Clipboard Data VERMIN collects data stored in the clipboard.1
enterprise T1140 Deobfuscate/Decode Files or Information VERMIN decrypts code, strings, and commands to use once it’s on the victim’s machine.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion VERMIN can delete files on the victim’s machine.1
enterprise T1105 Ingress Tool Transfer VERMIN can download and upload files to the victim’s machine.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging VERMIN collects keystrokes from the victim machine.1
enterprise T1027 Obfuscated Files or Information VERMIN is obfuscated using the obfuscation tool called ConfuserEx.1
enterprise T1027.002 Software Packing VERMIN is initially packed.1
enterprise T1057 Process Discovery VERMIN can get a list of the processes and running tasks on the system.1
enterprise T1113 Screen Capture VERMIN can perform screen captures of the victim’s machine.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery VERMIN uses WMI to check for anti-virus software installed on the system.1
enterprise T1082 System Information Discovery VERMIN collects the OS name, machine name, and architecture information.1
enterprise T1016 System Network Configuration Discovery VERMIN gathers the local IP address.1
enterprise T1033 System Owner/User Discovery VERMIN gathers the username from the victim’s machine.1