Field | Value |
---|---|
ID | X0015 |
Aliases | |
Platforms | Windows |
Year | 2011 |
Associated ATT&CK Software | None |
An information stealer.
Name | Use |
---|---|
Sandbox Detection | Redhip detects all publicly available automated malware analysis workbenches (ThreatExpert, JoeBox, etc.). [1] |
Virtual Machine Detection | Redhip detects VMware, Virtual PC and VirtualBox. It also detects VM environments in general by checking for timing discrepancies. [1] |
Debugger Detection | Redhip uses general approaches to detecting user-level debuggers (e.g., the Process Environment Block 'BeingDebugged' field), as well as specific checks for kernel-level debuggers like SoftICE. [1] |
Debugger Evasion | Redhip uses general approaches to detecting user-level debuggers (e.g., the Process Environment Block 'BeingDebugged' field), as well as specific checks for kernel-level debuggers like SoftICE. [1] |
Software Packing | Redhip samples are packed with different custom packers. [1] |
[1] https://www.fireeye.com/blog/threat-research/2011/01/the-dead-giveaways-of-vm-aware-malware.html