Skip to content

Latest commit

 

History

History
100 lines (83 loc) · 7.65 KB

redhip.md

File metadata and controls

100 lines (83 loc) · 7.65 KB
Raw
ID X0015
Aliases None
Platforms Windows
Year 2011
Associated ATT&CK Software None

Redhip

Redhip is an information stealer.

ATT&CK Techniques

Name Use
Credential Access::Credentials from Password Stores::Windows Credential Manager (T1555.004) Redhip acquires credentials from Windows Credential Manager. [2]
Defense Evasion::File and Directory Permissions Modification (T1222) Redhip sets file attributes. [2]
Defense Evasion::Virtualization/Sandbox Evasion::System Checks (T1497.001) Redhip references anti-VM strings targeting VirtualBox. [2]
Discovery::Account Discovery (T1087) Redhip gets a user security identifier. [2]
Discovery::System Owner/User Discovery (T1033) Redhip gets a session user name. [2]
Execution::Shared Modules (T1129) Redhip accesses PEB ldr_data. [2]

Enhanced ATT&CK Techniques

Name Use
Anti-Static Analysis::Software Packing (F0001) Redhip samples are packed with different custom packers. [1]
Collection::Keylogging::Application Hook (F0002.001) Redhip logs keystrokes via application hook. [2]
Collection::Keylogging::Polling (F0002.002) Redhip logs keystrokes via polling. [2]
Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) Redhip encodes data using XOR. [2]
Discovery::File and Directory Discovery (E1083) Redhip gets a file size. [2]
Persistence::Registry Run Keys / Startup Folder (F0012) Redhip persists via a Run registry key. [2]
Discovery::System Information Discovery (E1082) Redhip checks the OS version. [2]
Execution::Command and Scripting Interpreter (E1059) Redhip accepts command line arguments. [2]
Defense Evasion::Process Injection::Thread Execution Hijacking (E1055.003) Redhip injects threads. [2]

MBC Behaviors

Name Use
Anti-Behavioral Analysis::Sandbox Detection::Product Key/ID Testing (B0007.005) Redhip detects all publicly available automated malware analysis workbenches (ThreatExpert, JoeBox, etc.) by considering OS product keys and special DLLs and checks for sandboxes and AV modules. [1] [2]
Anti-Behavioral Analysis::Virtual Machine Detection (B0009) Redhip detects VMWare, Virtual PC, and Virtual Box. It also detects VM environments in general by considering time lapses. [1]
Anti-Behavioral Analysis::Debugger Detection (B0001) Redhip uses general approaches to detecting user level debuggers (e.g., Process Environment Block 'Being Debugged' field), as well as specific checks for kernel level debuggers like SOFTICE. [1]
Anti-Behavioral Analysis::Debugger Evasion (B0002) Redhip uses general approaches to detecting user level debuggers (e.g., Process Environment Block 'Being Debugged' field), as well as specific checks for kernel level debuggers like SOFTICE. [1]
Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged (B0001.035) Redhip checks for PEB BeingDebugged flag. [2]
Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount (B0001.032) Redhip checks for time delay via GetTickCount. [2]
Cryptography::Cryptographic Hash (C0029) Redhip hashes data via WinCrypt. [2]
Cryptography::Cryptographic Hash::SHA1 (C0029.002) Redhip hashes data using SHA1. [2]
Cryptography::Encrypt Data (C0027) Redhip encrypts data using DPAPI. [2]
Data::Encode Data::XOR (C0026.002) Redhip encodes data using XOR. [2]
Discovery::Code Discovery::Inspect Section Memory Permissions (B0046.002) Redhip inspects section memory permissions. [2]
Discovery::Taskbar Discovery (B0043) Redhip finds taskbars. [2]
Execution::Install Additional Program (B0023) Redhip contains an embedded PE file. [2]
File System::Copy File (C0045) Redhip copies files. [2]
File System::Create Directory (C0046) Redhip creates directories. [2]
File System::Delete File (C0047) Redhip deletes files. [2]
File System::Get File Attributes (C0049) Redhip gets file attributes. [2]
File System::Read File (C0051) Redhip reads files on Windows. [2]
File System::Set File Attributes (C0050) Redhip sets file attributes. [2]
File System::Write File (C0052) Redhip writes files on Windows. [2]
Memory::Allocate Memory (C0007) Redhip spawns threads to RWX shellcode. [2]
Operating System::Registry::Delete Registry Key (C0036.002) Redhip deletes registry keys. [2]
Operating System::Registry::Query Registry Value (C0036.006) Redhip queries or enumerates registry values. [2]
Operating System::Registry::Set Registry Key (C0036.001) Redhip sets registry values. [2]
Process::Create Mutex (C0042) Redhip creates a mutex. [2]
Process::Create Process (C0017) Redhip creates a process on Windows. [2]
Process::Create Process::Create Suspended Process (C0017.003) Redhip creates a suspended process. [2]
Process::Set Thread Local Storage Value (C0041) Redhip sets thread local storage values. [2]

Indicators of Compromise

SHA256 Hashes

  • 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365
  • 65853e6a70b50166b2e2bd1e163d420d1184ff865183c5f68d8e8bb83eff3e6d

References

[1] https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html

[2] capa v4.0, analyzed at MITRE on 10/12/2022