win.raccoon

Raccoon

aka: RaccoonStealer, Racoon

Raccoon is an information stealer that collects "passwords, cookies and autofill from all popular browsers (including FireFox x64), CC data, system information, almost all existing desktop wallets of cryptocurrencies".

References
2020-02-24 CyberArk CyberArk
@techreport{cyberark:20200224:analyzing:57cc981, author = {CyberArk}, title = {{Analyzing the Raccoon Stealer}}, date = {2020-02-24}, institution = {CyberArk}, url = {https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf}, language = {English}, urldate = {2020-04-15} } Analyzing the Raccoon Stealer
Raccoon
2019-12-03 SecFreaks SecFreaks
@online{secfreaks:20191203:in:f3d3fd0, author = {SecFreaks}, title = {{In depth analysis of an infostealer: Raccoon}}, date = {2019-12-03}, organization = {SecFreaks}, url = {https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html}, language = {English}, urldate = {2020-01-13} } In depth analysis of an infostealer: Raccoon
Raccoon
2019-10-29 Bitdefender Bitdefender
@techreport{bitdefender:20191029:close:30321a7, author = {Bitdefender}, title = {{A close look at Fallout Exploit Kit and Raccoon Stealer}}, date = {2019-10-29}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf}, language = {English}, urldate = {2020-01-09} } A close look at Fallout Exploit Kit and Raccoon Stealer
Raccoon
2019-10-24 Cybereason Cybereason Nocturnus, Assaf Dahan, Lior Rochberger
@online{nocturnus:20191024:hunting:79a2141, author = {Cybereason Nocturnus and Assaf Dahan and Lior Rochberger}, title = {{Hunting Raccoon: The new Masked Bandit on the Block}}, date = {2019-10-24}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block}, language = {English}, urldate = {2019-12-03} } Hunting Raccoon: The new Masked Bandit on the Block
Raccoon
2019 UltraHacks UltraHacks
@online{ultrahacks:2019:raccoon:f94537a, author = {UltraHacks}, title = {{Raccoon Stealer – onion panel}}, date = {2019}, organization = {UltraHacks}, url = {https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d}, language = {English}, urldate = {2020-01-13} } Raccoon Stealer – onion panel
Raccoon
Yara Rules
[TLP:WHITE] win_raccoon_auto (20200529 | autogenerated rule brought to you by yara-signator)
// Detection rule for the Raccoon stealer (Malpedia family win.raccoon).
// Each $sequence_N below is a short run of 32-bit x86 instruction bytes that
// yara-signator selected from unpacked files / memory dumps of the family.
// "??" is a YARA wildcard byte: per tool_config ("callsandjumps;datarefs"),
// call/jump targets and absolute data references are masked so the pattern
// survives relinking or rebasing. The disassembly shown in the comments next
// to each sequence is informational only and is not part of the match.
rule win_raccoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // In the "n = ..., score = ..." lines: n is the number of instructions
        // in the sequence; score appears to be yara-signator's selection score
        // for the sequence (identical for all ten sequences here).
        // 0x80000001 pushed before the masked indirect call is the value of the
        // predefined registry key handle HKEY_CURRENT_USER, so this looks like a
        // registry API call under HKCU - confirm against the sample.
        $sequence_0 = { 33f6 56 ff7508 6801000080 ff15???????? 85c0 0f8597000000 }
            // n = 7, score = 1800
            //   33f6                 | xor                 esi, esi
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6801000080           | push                0x80000001
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8597000000         | jne                 0x9d

        $sequence_1 = { 6a01 ba???????? 8bcf e8???????? 8b75fc }
            // n = 5, score = 1800
            //   6a01                 | push                1
            //   ba????????           |                     
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]

        $sequence_2 = { 8b3f 56 33c0 50 50 }
            // n = 5, score = 1800
            //   8b3f                 | mov                 edi, dword ptr [edi]
            //   56                   | push                esi
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax
            //   50                   | push                eax

        $sequence_3 = { 7e11 56 8d45f8 50 ff33 }
            // n = 5, score = 1800
            //   7e11                 | jle                 0x13
            //   56                   | push                esi
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   ff33                 | push                dword ptr [ebx]

        // Stores the same register into five consecutive stack slots - looks
        // like initialisation of a local structure.
        $sequence_4 = { 6689759e 895da0 895da4 895da8 895dac }
            // n = 5, score = 1800
            //   6689759e             | mov                 word ptr [ebp - 0x62], si
            //   895da0               | mov                 dword ptr [ebp - 0x60], ebx
            //   895da4               | mov                 dword ptr [ebp - 0x5c], ebx
            //   895da8               | mov                 dword ptr [ebp - 0x58], ebx
            //   895dac               | mov                 dword ptr [ebp - 0x54], ebx

        $sequence_5 = { 6a04 68???????? 8bce e8???????? eb19 }
            // n = 5, score = 1800
            //   6a04                 | push                4
            //   68????????           |                     
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   eb19                 | jmp                 0x1b

        $sequence_6 = { 8bf8 85db 7409 53 ff15???????? eb02 }
            // n = 6, score = 1800
            //   8bf8                 | mov                 edi, eax
            //   85db                 | test                ebx, ebx
            //   7409                 | je                  0xb
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   eb02                 | jmp                 4

        $sequence_7 = { e8???????? 59 ff750c ffd3 8b550c 8bcf 50 }
            // n = 7, score = 1800
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ffd3                 | call                ebx
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8bcf                 | mov                 ecx, edi
            //   50                   | push                eax

        // Reserves 0x98 bytes of locals and saves ebx/esi/edi - a function
        // prologue, which tends to be less build-specific than call sites.
        $sequence_8 = { e8???????? 81ec98000000 53 56 57 894ddc 33db }
            // n = 7, score = 1800
            //   e8????????           |                     
            //   81ec98000000         | sub                 esp, 0x98
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   894ddc               | mov                 dword ptr [ebp - 0x24], ecx
            //   33db                 | xor                 ebx, ebx

        // Compares the call's result with -1, then "cmp [ebx+0x14], 0x10; jb;
        // mov ebx, [ebx]" is consistent with an MSVC std::string small-buffer
        // check (capacity field vs. inline buffer size) - unverified here.
        $sequence_9 = { ff15???????? 8bf0 83feff 7437 837b1410 7202 8b1b }
            // n = 7, score = 1800
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7437                 | je                  0x39
            //   837b1410             | cmp                 dword ptr [ebx + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b1b                 | mov                 ebx, dword ptr [ebx]

    condition:
        // At least 7 of the 10 sequences must be present, so a few sequences
        // may be altered by recompilation without losing the match. The size
        // bound (1155072 bytes = 1128 KiB) limits scanning to files around the
        // size of the generating sample; both values derive from the
        // single-sample generation described in the disclaimer, so expect to
        // retune them on new samples. NOTE(review): filesize refers to the
        // scanned file - confirm how it evaluates in process-memory scans
        // before relying on this rule there.
        7 of them and filesize < 1155072
}