| | |
|---|---|
| ID | X0015 |
| Type | Information Stealer |
| Aliases | None |
| Platforms | Windows |
| Year | 2011 |
| Associated ATT&CK Software | None |

Redhip

Redhip is an information stealer.

ATT&CK Techniques

| Name | Use |
|---|---|
| Credential Access::Credentials from Password Stores::Windows Credential Manager (T1555.004) | Redhip acquires credentials from Windows Credential Manager. [2] |
| Defense Evasion::File and Directory Permissions Modification (T1222) | Redhip sets file attributes. [2] |
| Defense Evasion::Virtualization/Sandbox Evasion::System Checks (T1497.001) | Redhip references anti-VM strings targeting VirtualBox. [2] |
| Discovery::Account Discovery (T1087) | Redhip gets a user security identifier. [2] |
| Discovery::System Owner/User Discovery (T1033) | Redhip gets a session user name. [2] |
| Execution::Shared Modules (T1129) | Redhip accesses PEB ldr_data. [2] |

Enhanced ATT&CK Techniques

| Name | Use |
|---|---|
| Anti-Static Analysis::Software Packing (F0001) | Redhip samples are packed with different custom packers. [1] |
| Collection::Keylogging::Application Hook (F0002.001) | Redhip logs keystrokes via application hook. [2] |
| Collection::Keylogging::Polling (F0002.002) | Redhip logs keystrokes via polling. [2] |
| Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | Redhip encodes data using XOR. [2] |
| Discovery::File and Directory Discovery (E1083) | Redhip gets a file size. [2] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | Redhip persists via a Run registry key. [2] |
| Discovery::System Information Discovery (E1082) | Redhip checks the OS version. [2] |
| Execution::Command and Scripting Interpreter (E1059) | Redhip accepts command line arguments. [2] |
| Defense Evasion::Process Injection::Thread Execution Hijacking (E1055.003) | Redhip injects threads. [2] |

MBC Behaviors

| Name | Use |
|---|---|
| Anti-Behavioral Analysis::Sandbox Detection::Product Key/ID Testing (B0007.005) | Redhip detects all publicly available automated malware analysis workbenches (ThreatExpert, JoeBox, etc.) by considering OS product keys and special DLLs, and checks for sandboxes and AV modules. [1] [2] |
| Anti-Behavioral Analysis::Virtual Machine Detection (B0009) | Redhip detects VMware, Virtual PC, and VirtualBox. It also detects VM environments in general by considering time lapses. [1] |
| Anti-Behavioral Analysis::Debugger Detection (B0001) | Redhip uses general approaches to detecting user-level debuggers (e.g., Process Environment Block 'Being Debugged' field), as well as specific checks for kernel-level debuggers like SoftICE. [1] |
| Anti-Behavioral Analysis::Debugger Evasion (B0002) | Redhip uses general approaches to detecting user-level debuggers (e.g., Process Environment Block 'Being Debugged' field), as well as specific checks for kernel-level debuggers like SoftICE. [1] |
| Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged (B0001.035) | Redhip checks for PEB BeingDebugged flag. [2] |
| Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount (B0001.032) | Redhip checks for time delay via GetTickCount. [2] |
| Cryptography::Cryptographic Hash (C0029) | Redhip hashes data via WinCrypt. [2] |
| Cryptography::Cryptographic Hash::SHA1 (C0029.002) | Redhip hashes data using SHA1. [2] |
| Cryptography::Encrypt Data (C0027) | Redhip encrypts data using DPAPI. [2] |
| Data::Encode Data::XOR (C0026.002) | Redhip encodes data using XOR. [2] |
| Discovery::Code Discovery::Inspect Section Memory Permissions (B0046.002) | Redhip inspects section memory permissions. [2] |
| Discovery::Taskbar Discovery (B0043) | Redhip finds taskbars. [2] |
| Execution::Install Additional Program (B0023) | Redhip contains an embedded PE file. [2] |
| File System::Copy File (C0045) | Redhip copies files. [2] |
| File System::Create Directory (C0046) | Redhip creates directories. [2] |
| File System::Delete File (C0047) | Redhip deletes files. [2] |
| File System::Get File Attributes (C0049) | Redhip gets file attributes. [2] |
| File System::Read File (C0051) | Redhip reads files on Windows. [2] |
| File System::Set File Attributes (C0050) | Redhip sets file attributes. [2] |
| File System::Write File (C0052) | Redhip writes files on Windows. [2] |
| Memory::Allocate Memory (C0007) | Redhip spawns threads to RWX shellcode. [2] |
| Operating System::Registry::Delete Registry Key (C0036.002) | Redhip deletes registry keys. [2] |
| Operating System::Registry::Query Registry Value (C0036.006) | Redhip queries or enumerates registry values. [2] |
| Operating System::Registry::Set Registry Key (C0036.001) | Redhip sets registry values. [2] |
| Process::Create Mutex (C0042) | Redhip creates a mutex. [2] |
| Process::Create Process (C0017) | Redhip creates a process on Windows. [2] |
| Process::Create Process::Create Suspended Process (C0017.003) | Redhip creates a suspended process. [2] |
| Process::Set Thread Local Storage Value (C0041) | Redhip sets thread local storage values. [2] |

Indicators of Compromise

SHA256 Hashes

  • 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365
  • 65853e6a70b50166b2e2bd1e163d420d1184ff865183c5f68d8e8bb83eff3e6d

References

[1] https://web.archive.org/web/20200815134441/https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html

[2] capa v4.0, analyzed at MITRE on 10/12/2022