Bilal
Cybersecurity Enthusiast
Evaluating Binary Atlas Against Real-World Malware (XWorm RAT)
Why This Test Was Performed
The main goals were to optimize Binary Atlas using real-world malware instead of synthetic or simplified samples. Rather than building detections only from documentation or known signatures, the aims were to:
-
Test actual malware samples
-
Observe what Binary Atlas misses
-
Improve heuristics
-
Refine static-analysis logic
-
Gradually close the gap with production-grade malware analysis platforms
-
VirusTotal Reference: 44285aa905260b91338398c20807f4fbc0d0cd191d23553fa7f060f15ff4718c
-
Full report generated by Binary Atlas: infected_analysis_20260520_024717.html
Sample Information
| Field | Value |
|---|---|
| SHA256 | 44285aa905260b91338398c20807f4fbc0d0cd191d23553fa7f060f15ff4718c |
| File Type | Windows PE |
| Runtime | .NET Framework / VB.NET |
| Suspected Family | XWorm RAT |
| Analysis Type | Static-only |
External Validation & Threat Intelligence
Before analyzing the sample with Binary Atlas, the file was checked using industry malware intelligence platforms and public threat reports.
The sample was flagged as malicious and associated with:
- Anti-debugging behavior
- Obfuscation
- WMI usage
- RAT behavior
Community reports and threat-analysis platforms identified the malware family and characteristics as:
- XWorm
- RAT / Backdoor behavior
- Windows PE executable
- VB.NET / .NET Framework based malware
These external signals provided a baseline to compare Binary Atlas findings against real-world detection systems.
Binary Atlas Analysis Results
Privilege & Execution Context
Binary Atlas identified:
| Property | Value |
|---|---|
| Privilege Context | USER |
| Execution Level | AS_INVOKER |
| Subsystem | WINDOWS_GUI |
This indicates the executable runs with the same privileges as the current user and does not request elevated administrator privileges by default.
PE Structure & Import Analysis
The engine successfully extracted PE headers, section information, and import data.
One of the most interesting findings: the binary imports only mscoree.dll -> _CorExeMain.
Why this matters:
- Confirms the executable is a managed .NET application
- Demonstrates how .NET malware can hide functionality behind the CLR runtime
Limitations of traditional import analysis in this case:
- Malicious functionality may not appear in native imports
- APIs can be resolved dynamically
- The malware can rely heavily on managed code, reflection, or runtime loading
At the moment, the engine still relies heavily on PE-level inspection and needs deeper .NET-specific analysis capabilities.
Security Mitigations
Binary Atlas detected:
| Feature | Status |
|---|---|
| ASLR | Enabled |
| DEP / NX | Enabled |
| CFG | Disabled |
| TLS Callbacks | None |
The binary enables common mitigations (ASLR, DEP) while Control Flow Guard (CFG) is not enabled.
Static Indicators & C2 Detection
Static analysis makes detecting real C2 infrastructure difficult compared to dynamic systems, but Binary Atlas identified suspicious hardcoded indicators including:
Potential C2 / Indicators:
- https://api.telegram.org/bot
- http://ip-api.com/line/?fields=hosting
These suggest remote communication capability, possible Telegram-based C2 usage, and system/network profiling behavior.
Other detected artifacts:
- Registry keys
- User-agent strings
- PowerShell references
- Socket-related keywords
- Command execution indicators
Domain Extraction Problems
Binary Atlas currently produces many false-positive domains. For example, internal .NET namespaces such as System.Core and System.Net were incorrectly treated as hardcoded domains.
Needed improvements:
- Better filtering
- Improved context awareness
- More intelligent parsing
Suspicious Keyword Detection
Detected suspicious keywords (examples):
- download
- cmd.exe
- connect
- powershell
- remote
- c2
- socket
- telegram
- exec
- /c
Weakness: the engine mostly detects words individually rather than reconstructing full commands or execution chains. For example, detecting powershell alone is weaker than detecting a full PowerShell execution chain.
Future improvements should focus on:
- Full command reconstruction
- Context-aware string extraction
- Better behavioral correlation
Signature & Runtime Information
Binary Atlas identified the runtime as .NET Framework and reported an unsigned or invalid digital signature.
Currently the engine still performs full analysis even if a binary contains a valid signature because signature-validation logic is under development.
Import Anomaly Weakness
Import anomaly scoring performed poorly for this managed .NET sample. The engine reported:
Import anomaly score: 0/100
This is misleading because managed .NET malware often minimizes native imports and resolves APIs dynamically.
This sample highlighted the need for:
- .NET metadata analysis
- Reflection detection
- P/Invoke analysis
- Managed-code inspection
DLL Hijacking Detection
Binary Atlas detected several DLL-related references (examples):
- kernel32.dll
- SbieDll.dll
- NTDll.dll
- SHCore.dll
- user32.dll
- avicap32.dll
- mscoree.dll
It also identified registry paths related to autoruns, Explorer settings, and class registrations.
The engine classified DLL hijacking severity as HIGH, which may be an overestimate since some DLL references are normal for Windows applications.
Anti-Analysis Detection
The engine detected anti-analysis indicators related to virtualization:
- VMware indicators
- VirtualBox indicators
This suggests the malware attempts to detect virtualized or sandboxed environments, matching external threat intelligence.
Persistence Mechanism Detection
Detected persistence-related artifacts and techniques:
- Scheduled Task detection (schtasks)
- Startup folder references (get_StartupPath)
- WMI persistence indicators (Win32_Process, WMI)
The engine classified the sample as persistent malware due to multiple persistence techniques being present.
Overall Threat Classification
| Category | Result |
|---|---|
| Threat Level | CRITICAL |
| Detection Confidence | 75% |
| Total Findings | 8 |
| Malware Complexity | ADVANCED |
Binary Atlas Findings
| Detection | Severity |
|---|---|
| Ransomware_Generic | CRITICAL |
| Rootkit_Indicators | HIGH |
| Anti-Analysis Evasion | HIGH |
| Command Execution | MEDIUM |
| Persistence Mechanisms | MEDIUM |
| Polymorphic Signature | MEDIUM |
| Hooks and Detours | MEDIUM |
| String Encryption | MEDIUM |
Current Problems & Limitations
This test revealed several important weaknesses in Binary Atlas including:
- False positives in ransomware detection
- Overly broad rootkit indicators
- Weak .NET import analysis
- Noisy domain extraction
- Incomplete command reconstruction
- Overly aggressive DLL hijacking detection
What the engine needs:
- More rules
- Better heuristics
- Improved context analysis
- Deeper .NET inspection
- Smarter correlation logic
Final Thoughts
Binary Atlas is making progress in static malware triage and behavioral inference. The engine successfully identified anti-analysis behavior, persistence indicators, suspicious communication patterns, command execution references, and several malware-related heuristics from a real-world sample using static analysis alone.
At the same time, this report documents important gaps and shows the project is not production-ready. The goal is to:
- Document real-world testing
- Openly show weaknesses and detection gaps
- Encourage contributions from malware researchers, reverse engineers, and detection engineers