ID | X0015 |
Aliases | None |
Platforms | Windows |
Year | 2011 |
Associated ATT&CK Software | None |
An information stealer.

Name | Use |
---|---|
Credential Access::Credentials from Password Stores::Windows Credential Manager (T1555.004) | Acquire credentials from Windows Credential Manager (This capa rule had 3 matches) [2] |
Defense Evasion::File and Directory Permissions Modification (T1222) | Set file attributes (This capa rule had 1 match) [2] |
Defense Evasion::Virtualization/Sandbox Evasion::System Checks (T1497.001) | Reference anti-VM strings targeting VirtualBox (This capa rule had 1 match) [2] |
Discovery::Account Discovery (T1087) | Get user security identifier (This capa rule had 1 match) [2] |
Discovery::System Owner/User Discovery (T1033) | Get session user name (This capa rule had 3 matches) [2] |
Execution::Shared Modules (T1129) | Access PEB ldr_data (This capa rule had 1 match) [2] |

Name | Use |
---|---|
Anti-Behavioral Analysis::Sandbox Detection::Product Key/ID Testing (B0007.005) | Redhip detects all publicly available automated malware analysis workbenches (ThreatExpert, JoeBox, etc.) by considering OS product keys and special DLLs. [1] Check for sandbox and AV modules (This capa rule had 2 matches) [2] |
Anti-Behavioral Analysis::Virtual Machine Detection (B0009) | Redhip detects VMware, Virtual PC and VirtualBox. It also detects VM environments in general by considering timing lapses. [1] |
Anti-Behavioral Analysis::Debugger Detection (B0001) | Redhip uses general approaches to detecting user-level debuggers (e.g., the Process Environment Block 'BeingDebugged' field), as well as specific checks for kernel-level debuggers like SoftICE. [1] |
Anti-Behavioral Analysis::Debugger Evasion (B0002) | Redhip uses general approaches to detecting user-level debuggers (e.g., the Process Environment Block 'BeingDebugged' field), as well as specific checks for kernel-level debuggers like SoftICE. [1] |
Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged (B0001.035) | Check for PEB BeingDebugged flag (This capa rule had 6 matches) [2] |
Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount (B0001.032) | Check for time delay via GetTickCount (This capa rule had 1 match) [2] |
Cryptography::Cryptographic Hash (C0029) | Hash data via WinCrypt (This capa rule had 1 match) [2] |
Cryptography::Cryptographic Hash::SHA1 (C0029.002) | Hash data using SHA1 (This capa rule had 1 match) [2] |
Cryptography::Encrypt Data (C0027) | Encrypt data using DPAPI (This capa rule had 6 matches) [2] |
Data::Encode Data::XOR (C0026.002) | Encode data using XOR (This capa rule had 1 match) [2] |
Discovery::Code Discovery::Inspect Section Memory Permissions (B0046.002) | Inspect section memory permissions (This capa rule had 1 match) [2] |
Discovery::Taskbar Discovery (B0043) | Find taskbar (This capa rule had 1 match) [2] |
Execution::Install Additional Program (B0023) | Contain an embedded PE file (This capa rule had 1 match) [2] |
File System::Copy File (C0045) | Copy file (This capa rule had 2 matches) [2] |
File System::Create Directory (C0046) | Create directory (This capa rule had 1 match) [2] |
File System::Delete File (C0047) | Delete file (This capa rule had 2 matches) [2] |
File System::Get File Attributes (C0049) | Get file attributes (This capa rule had 2 matches) [2] |
File System::Read File (C0051) | Read file on Windows (This capa rule had 3 matches) [2] |
File System::Set File Attributes (C0050) | Set file attributes (This capa rule had 1 match) [2] |
File System::Write File (C0052) | Write file on Windows (This capa rule had 1 match) [2] |
Memory::Allocate Memory (C0007) | Spawn thread to RWX shellcode (This capa rule had 1 match) [2] |
Operating System::Registry::Delete Registry Key (C0036.002) | Delete registry key (This capa rule had 2 matches) [2] |
Operating System::Registry::Query Registry Value (C0036.006) | Query or enumerate registry value (This capa rule had 9 matches) [2] |
Operating System::Registry::Set Registry Key (C0036.001) | Set registry value (This capa rule had 4 matches) [2] |
Process::Create Mutex (C0042) | Create mutex (This capa rule had 1 match) [2] |
Process::Create Process (C0017) | Create process on Windows (This capa rule had 10 matches) [2] |
Process::Create Process::Create Suspended Process (C0017.003) | Create process suspended (This capa rule had 10 matches) [2] |
Process::Set Thread Local Storage Value (C0041) | Set thread local storage value (This capa rule had 1 match) [2] |

SHA256 Hashes
- 07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365
- 65853e6a70b50166b2e2bd1e163d420d1184ff865183c5f68d8e8bb83eff3e6d

[1] https://web.archive.org/web/20161025013916/https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html
[2] capa v4.0, analyzed at MITRE on 10/12/2022