win.raccoon

Raccoon

aka: RaccoonStealer, Racoon

Raccoon is a stealer and collects "passwords, cookies and autofill from all popular browsers (including FireFox x64), CC data, system information, almost all existing desktop wallets of cryptocurrencies".

References
2020-10-18 | Youtube (L!NK) | LinkCabin
@online{linkcabin:20201018:malware:fa0c6a0, author = {LinkCabin}, title = {{Malware Analysis: Stealer - XOR, CyberChef, x64Dbg Scripting (Part 2)}}, date = {2020-10-18}, organization = {Youtube (L!NK)}, url = {https://www.youtube.com/watch?v=1dbepxN2YD8}, language = {English}, urldate = {2020-11-25} } Malware Analysis: Stealer - XOR, CyberChef, x64Dbg Scripting (Part 2)
Raccoon
2020-10-03 | Youtube (L!NK) | LinkCabin
@online{linkcabin:20201003:malware:9ac8043, author = {LinkCabin}, title = {{Malware Analysis: Stealer - Mutex Check, Stackstrings, IDA (Part 1)}}, date = {2020-10-03}, organization = {Youtube (L!NK)}, url = {https://www.youtube.com/watch?v=5KHZSmBeMps}, language = {English}, urldate = {2020-11-25} } Malware Analysis: Stealer - Mutex Check, Stackstrings, IDA (Part 1)
Raccoon
2020-09-09 | Malwarebytes | Threat Intelligence Team
@online{team:20200909:malvertising:ed1c3b8, author = {Threat Intelligence Team}, title = {{Malvertising campaigns come back in full swing}}, date = {2020-09-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/}, language = {English}, urldate = {2020-09-15} } Malvertising campaigns come back in full swing
Raccoon SmokeLoader
2020-07-30 | Spamhaus | Spamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-02-24 | CyberArk | CyberArk
@techreport{cyberark:20200224:analyzing:57cc981, author = {CyberArk}, title = {{Analyzing the Raccoon Stealer}}, date = {2020-02-24}, institution = {CyberArk}, url = {https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf}, language = {English}, urldate = {2020-04-15} } Analyzing the Raccoon Stealer
Raccoon
2019-12-03 | SecFreaks | SecFreaks
@online{secfreaks:20191203:in:f3d3fd0, author = {SecFreaks}, title = {{In depth analysis of an infostealer: Raccoon}}, date = {2019-12-03}, organization = {SecFreaks}, url = {https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html}, language = {English}, urldate = {2020-01-13} } In depth analysis of an infostealer: Raccoon
Raccoon
2019-10-29 | Bitdefender | Bitdefender
@techreport{bitdefender:20191029:close:30321a7, author = {Bitdefender}, title = {{A close look at Fallout Exploit Kit and Raccoon Stealer}}, date = {2019-10-29}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf}, language = {English}, urldate = {2020-01-09} } A close look at Fallout Exploit Kit and Raccoon Stealer
Raccoon
2019-10-24 | Cybereason | Cybereason Nocturnus, Assaf Dahan, Lior Rochberger
@online{nocturnus:20191024:hunting:79a2141, author = {Cybereason Nocturnus and Assaf Dahan and Lior Rochberger}, title = {{Hunting Raccoon: The new Masked Bandit on the Block}}, date = {2019-10-24}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block}, language = {English}, urldate = {2019-12-03} } Hunting Raccoon: The new Masked Bandit on the Block
Raccoon
2019 | UltraHacks | UltraHacks
@online{ultrahacks:2019:raccoon:f94537a, author = {UltraHacks}, title = {{Raccoon Stealer – onion panel}}, date = {2019}, organization = {UltraHacks}, url = {https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d}, language = {English}, urldate = {2020-01-13} } Raccoon Stealer – onion panel
Raccoon
Yara Rules
[TLP:WHITE] win_raccoon_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_raccoon_auto {
    // Purpose: flag 32-bit x86 code fragments of the Raccoon stealer
    // (Malpedia family win.raccoon, see malpedia_reference below).
    // The ten $sequence_N strings are instruction-byte patterns that
    // yara-signator selected from the disassembly of unpacked samples and
    // memory dumps (see the DISCLAIMER below), so the rule targets unpacked
    // code; a packed on-disk dropper is not expected to match -- confirm
    // against your own sample set before relying on a non-match.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each string is a run of raw opcode bytes. In the per-sequence
        // comments, "n" is the number of instructions in the run and "score"
        // is yara-signator's ranking value for it (all ten share 1300; its
        // exact meaning is defined by the tool, not by this rule).
        // "????????" are YARA wildcard nibbles standing in for four variable
        // bytes; they appear only in the operand of call/jmp encodings
        // (e8, e9, ff15), presumably because those targets differ between
        // samples, and the disassembly column is blank for them.
        $sequence_0 = { 897de4 47 8955f0 0fb71b 895dfc 3bf9 7d08 }
            // n = 7, score = 1300
            //   897de4               | mov                 dword ptr [ebp - 0x1c], edi
            //   47                   | inc                 edi
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   0fb71b               | movzx               ebx, word ptr [ebx]
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   3bf9                 | cmp                 edi, ecx
            //   7d08                 | jge                 0xa

        $sequence_1 = { 85c0 7530 8d85ecfdffff 50 }
            // n = 4, score = 1300
            //   85c0                 | test                eax, eax
            //   7530                 | jne                 0x32
            //   8d85ecfdffff         | lea                 eax, [ebp - 0x214]
            //   50                   | push                eax

        $sequence_2 = { 782c 8b45fc ff7004 ff15???????? 40 50 e8???????? }
            // n = 7, score = 1300
            //   782c                 | js                  0x2e
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff15????????         |                     
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_3 = { 8d4dfc 51 8d4df8 c745ec02000000 }
            // n = 4, score = 1300
            //   8d4dfc               | lea                 ecx, [ebp - 4]
            //   51                   | push                ecx
            //   8d4df8               | lea                 ecx, [ebp - 8]
            //   c745ec02000000       | mov                 dword ptr [ebp - 0x14], 2

        $sequence_4 = { 894de4 8945e8 8955f0 85c0 0f8497000000 8d45ec }
            // n = 6, score = 1300
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   85c0                 | test                eax, eax
            //   0f8497000000         | je                  0x9d
            //   8d45ec               | lea                 eax, [ebp - 0x14]

        $sequence_5 = { 895dfc 3bf9 7d08 3bd3 }
            // n = 4, score = 1300
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   3bf9                 | cmp                 edi, ecx
            //   7d08                 | jge                 0xa
            //   3bd3                 | cmp                 edx, ebx

        $sequence_6 = { 6a03 8d57fd eb1a 0fb7863e0f0000 }
            // n = 4, score = 1300
            //   6a03                 | push                3
            //   8d57fd               | lea                 edx, [edi - 3]
            //   eb1a                 | jmp                 0x1c
            //   0fb7863e0f0000       | movzx               eax, word ptr [esi + 0xf3e]

        $sequence_7 = { 56 ff15???????? 8bf8 8b45c4 }
            // n = 4, score = 1300
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax
            //   8b45c4               | mov                 eax, dword ptr [ebp - 0x3c]

        $sequence_8 = { 7515 e8???????? c70016000000 e8???????? e9???????? 8b4de8 }
            // n = 6, score = 1300
            //   7515                 | jne                 0x17
            //   e8????????           |                     
            //   c70016000000         | mov                 dword ptr [eax], 0x16
            //   e8????????           |                     
            //   e9????????           |                     
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]

        $sequence_9 = { 8bf0 8d45bc 50 56 ff15???????? 56 }
            // n = 6, score = 1300
            //   8bf0                 | mov                 esi, eax
            //   8d45bc               | lea                 eax, [ebp - 0x44]
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff15????????         |                     
            //   56                   | push                esi

    condition:
        // At least 7 of the 10 $sequence_N strings must be present, and the
        // scanned object must be smaller than 1212416 bytes (1184 KiB).
        // The 7-of-10 threshold tolerates a few sequences changing between
        // builds; NOTE(review): since the strings come from single documented
        // samples (see DISCLAIMER), newer builds may still drop below it --
        // treat a miss as inconclusive rather than as a clean result.
        7 of them and filesize < 1212416
}