SYMBOLCOMMON_NAMEaka. SYNONYMS
win.raccoon (Back to overview)

Raccoon

aka: Mohazo, RaccoonStealer, Racealer, Racoon

Raccoon Stealer is a malware reportedly sold for $75 a week or $200 a month. It gathers personal information including passwords, browser cookies and autofill data, as well as cryptowallet details. Additionally, Raccoon Stealer records system information such as IP addresses and geo-location data.

References
2022-12-18ZAYOTEMAbdül Samed DOĞAN, Emirhan KESKİN
@online{doan:20221218:raccoon:f832aeb, author = {Abdül Samed DOĞAN and Emirhan KESKİN}, title = {{Raccoon Stealer Technical Analysis Report}}, date = {2022-12-18}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/13HEi9Px8V583sRkUG4Syawuw5qwU-W9Q/view}, language = {English}, urldate = {2022-12-20} } Raccoon Stealer Technical Analysis Report
Raccoon
2022-10-25U.S. Department of Justice
@online{justice:20221025:newly:498b1f4, author = {U.S. Department of Justice}, title = {{Newly Unsealed Indictment Charges Ukrainian National with International Cybercrime Operation}}, date = {2022-10-25}, url = {https://www.justice.gov/usao-wdtx/pr/newly-unsealed-indictment-charges-ukrainian-national-international-cybercrime-operation}, language = {English}, urldate = {2022-10-31} } Newly Unsealed Indictment Charges Ukrainian National with International Cybercrime Operation
Raccoon
2022-09-29Team CymruS2 Research Team
@online{team:20220929:seychelles:2d1a3c1, author = {S2 Research Team}, title = {{Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.}}, date = {2022-09-29}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore}, language = {English}, urldate = {2022-10-10} } Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.
Amadey Raccoon RedLine Stealer SmokeLoader STOP
2022-09-18K7 SecurityRahul R
@online{r:20220918:raccoon:9a4397c, author = {Rahul R}, title = {{Raccoon back with new claws!}}, date = {2022-09-18}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/raccoon-back-with-new-claws/}, language = {English}, urldate = {2022-09-19} } Raccoon back with new claws!
Raccoon
2022-09-16Group-IBTwitter (@GroupIB_GIB)
@online{groupibgib:20220916:uber:255f13d, author = {Twitter (@GroupIB_GIB)}, title = {{Tweet on Uber Employees potentially infected with Raccoon and Vidar stealer}}, date = {2022-09-16}, organization = {Group-IB}, url = {https://twitter.com/GroupIB_GIB/status/1570821174736850945}, language = {English}, urldate = {2022-09-19} } Tweet on Uber Employees potentially infected with Raccoon and Vidar stealer
Raccoon Vidar
2022-09-16CloudsekAnandeshwar Unnikrishnan
@online{unnikrishnan:20220916:recordbreaker:8c2d4b5, author = {Anandeshwar Unnikrishnan}, title = {{Recordbreaker: The Resurgence of Raccoon}}, date = {2022-09-16}, organization = {Cloudsek}, url = {https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon}, language = {English}, urldate = {2022-10-24} } Recordbreaker: The Resurgence of Raccoon
Raccoon RecordBreaker
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-09-12d01aMohamed Adel
@online{adel:20220912:raccoon:f423625, author = {Mohamed Adel}, title = {{Raccoon Stealer V2 in depth Analysis}}, date = {2022-09-12}, organization = {d01a}, url = {https://d01a.github.io/raccoon-stealer/}, language = {English}, urldate = {2022-09-14} } Raccoon Stealer V2 in depth Analysis
Raccoon RecordBreaker
2022-09-12Infosec WriteupsAaron Stratton
@online{stratton:20220912:raccoon:3a04b24, author = {Aaron Stratton}, title = {{Raccoon Stealer v2 Malware Analysis}}, date = {2022-09-12}, organization = {Infosec Writeups}, url = {https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8}, language = {English}, urldate = {2022-09-26} } Raccoon Stealer v2 Malware Analysis
Raccoon RecordBreaker
2022-08-30ANY.RUNANY.RUN
@online{anyrun:20220830:raccoon:5e2f00f, author = {ANY.RUN}, title = {{Raccoon Stealer 2.0 Malware analysis}}, date = {2022-08-30}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/}, language = {English}, urldate = {2022-08-31} } Raccoon Stealer 2.0 Malware analysis
Raccoon RecordBreaker
2022-08-29SekoiaThreat & Detection Research Team
@online{team:20220829:traffers:8b7930b, author = {Threat & Detection Research Team}, title = {{Traffers: a deep dive into the information stealer ecosystem}}, date = {2022-08-29}, organization = {Sekoia}, url = {https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem}, language = {English}, urldate = {2022-08-31} } Traffers: a deep dive into the information stealer ecosystem
MetaStealer PrivateLoader Raccoon RedLine Stealer Vidar
2022-08-18Soc InvestigationBalaGanesh
@online{balaganesh:20220818:raccoon:3678767, author = {BalaGanesh}, title = {{Raccoon Infostealer Malware Returns with New TTPS – Detection & Response}}, date = {2022-08-18}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/}, language = {English}, urldate = {2022-08-28} } Raccoon Infostealer Malware Returns with New TTPS – Detection & Response
Raccoon RecordBreaker
2022-08-02Recorded FutureInsikt Group
@techreport{group:20220802:initial:5caddb5, author = {Insikt Group}, title = {{Initial Access Brokers Are Key to Rise in Ransomware Attacks}}, date = {2022-08-02}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf}, language = {English}, urldate = {2022-08-05} } Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar
2022-07-29ZscalerSarthak Misraa
@online{misraa:20220729:raccoon:6937d2e, author = {Sarthak Misraa}, title = {{Raccoon Stealer v2: The Latest Generation of the Raccoon Family}}, date = {2022-07-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family}, language = {English}, urldate = {2022-08-02} } Raccoon Stealer v2: The Latest Generation of the Raccoon Family
Raccoon RecordBreaker
2022-07-13KELAKELA Cyber Intelligence Center
@online{center:20220713:next:b2e43e4, author = {KELA Cyber Intelligence Center}, title = {{The Next Generation of Info Stealers}}, date = {2022-07-13}, organization = {KELA}, url = {https://ke-la.com/information-stealers-a-new-landscape/}, language = {English}, urldate = {2022-07-18} } The Next Generation of Info Stealers
Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar
2022-06-30ZeroFoxStephan Simon
@online{simon:20220630:brief:4a98257, author = {Stephan Simon}, title = {{BRIEF: Raccoon Stealer Version 2.0}}, date = {2022-06-30}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/}, language = {English}, urldate = {2022-07-25} } BRIEF: Raccoon Stealer Version 2.0
Raccoon
2022-06-29SekoiaThreat & Detection Research Team
@online{team:20220629:raccoon:a59b65c, author = {Threat & Detection Research Team}, title = {{Raccoon Stealer v2 – Part 2: In-depth analysis}}, date = {2022-06-29}, organization = {Sekoia}, url = {https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/}, language = {English}, urldate = {2022-07-25} } Raccoon Stealer v2 – Part 2: In-depth analysis
Raccoon
2022-06-28SekoiaThreat & Detection Research Team
@online{team:20220628:raccoon:98accde, author = {Threat & Detection Research Team}, title = {{Raccoon Stealer v2 – Part 1: The return of the dead}}, date = {2022-06-28}, organization = {Sekoia}, url = {https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/}, language = {English}, urldate = {2022-06-30} } Raccoon Stealer v2 – Part 1: The return of the dead
Raccoon
2022-06-28AhnLabASEC
@online{asec:20220628:new:df3f9bf, author = {ASEC}, title = {{New Info-stealer Disguised as Crack Being Distributed}}, date = {2022-06-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/35981/}, language = {English}, urldate = {2022-06-30} } New Info-stealer Disguised as Crack Being Distributed
ClipBanker CryptBot Raccoon RedLine Stealer
2022-06-16Medium s2wlabS2W TALON
@online{talon:20220616:raccoon:de7df76, author = {S2W TALON}, title = {{Raccoon Stealer is Back with a New Version}}, date = {2022-06-16}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d}, language = {English}, urldate = {2022-06-17} } Raccoon Stealer is Back with a New Version
Raccoon
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220519:net:ecf311c, author = {The BlackBerry Research & Intelligence Team}, title = {{.NET Stubs: Sowing the Seeds of Discord (PureCrypter)}}, date = {2022-05-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord}, language = {English}, urldate = {2022-06-09} } .NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-05-10CheckpointCheckpoint
@online{checkpoint:20220510:infostealer:33aee4a, author = {Checkpoint}, title = {{Info-stealer Campaign targets German Car Dealerships and Manufacturers}}, date = {2022-05-10}, organization = {Checkpoint}, url = {https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/}, language = {English}, urldate = {2022-05-13} } Info-stealer Campaign targets German Car Dealerships and Manufacturers
Azorult BitRAT Raccoon
2022-04-14Avast DecodedVladimir Martyanov
@online{martyanov:20220414:zloader:23c520a, author = {Vladimir Martyanov}, title = {{Zloader 2: The Silent Night}}, date = {2022-04-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/}, language = {English}, urldate = {2022-04-15} } Zloader 2: The Silent Night
ISFB Raccoon Zloader
2022-04-10Bleeping ComputerBill Toulas
@online{toulas:20220410:new:1241933, author = {Bill Toulas}, title = {{New Meta information stealer distributed in malspam campaign}}, date = {2022-04-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/}, language = {English}, urldate = {2022-05-05} } New Meta information stealer distributed in malspam campaign
BlackGuard Mars Stealer Raccoon
2022-03-25Bleeping ComputerLawrence Abrams
@online{abrams:20220325:raccoon:c99dbc5, author = {Lawrence Abrams}, title = {{Raccoon Stealer malware suspends operations due to war in Ukraine}}, date = {2022-03-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/}, language = {English}, urldate = {2022-04-07} } Raccoon Stealer malware suspends operations due to war in Ukraine
Raccoon
2022-03-23Team CymruJosh Hopkins, Brian Eckman, Andy Kraus, Paul Welte
@online{hopkins:20220323:raccoon:8af8713, author = {Josh Hopkins and Brian Eckman and Andy Kraus and Paul Welte}, title = {{Raccoon Stealer – An Insight into Victim “Gates”}}, date = {2022-03-23}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-victim-gates/}, language = {English}, urldate = {2022-03-25} } Raccoon Stealer – An Insight into Victim “Gates”
Raccoon
2022-03-09AvastVladimir Martyanov
@online{martyanov:20220309:raccoon:b35569a, author = {Vladimir Martyanov}, title = {{Raccoon Stealer: “Trash panda” abuses Telegram}}, date = {2022-03-09}, organization = {Avast}, url = {https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram}, language = {English}, urldate = {2022-03-10} } Raccoon Stealer: “Trash panda” abuses Telegram
Raccoon
2021-10-21Bleeping ComputerLawrence Abrams
@online{abrams:20211021:massive:89295e6, author = {Lawrence Abrams}, title = {{Massive campaign uses YouTube to push password-stealing malware}}, date = {2021-10-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/}, language = {English}, urldate = {2021-11-02} } Massive campaign uses YouTube to push password-stealing malware
Raccoon RedLine Stealer
2021-10-21cybleCyble
@online{cyble:20211021:raccoon:612369d, author = {Cyble}, title = {{​​Raccoon Stealer Under the Lens: A Deep-dive Analysis}}, date = {2021-10-21}, organization = {cyble}, url = {https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/}, language = {English}, urldate = {2021-10-26} } ​​Raccoon Stealer Under the Lens: A Deep-dive Analysis
Raccoon
2021-09-23ZeroFoxStephan Simon
@online{simon:20210923:raccoon:3c654c1, author = {Stephan Simon}, title = {{Raccoon Stealer Pivots Towards Self-Protection}}, date = {2021-09-23}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/}, language = {English}, urldate = {2021-10-11} } Raccoon Stealer Pivots Towards Self-Protection
Raccoon
2021-09-09BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20210909:threat:79cd668, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Get Your Paws Off My Data, Raccoon Infostealer}}, date = {2021-09-09}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer}, language = {English}, urldate = {2021-09-19} } Threat Thursday: Get Your Paws Off My Data, Raccoon Infostealer
Raccoon
2021-09-01SophosSean Gallagher, Yusuf Polat, Anand Ajjan, Andrew Brandt
@online{gallagher:20210901:fake:07752c0, author = {Sean Gallagher and Yusuf Polat and Anand Ajjan and Andrew Brandt}, title = {{Fake pirated software sites serve up malware droppers as a service}}, date = {2021-09-01}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/}, language = {English}, urldate = {2021-09-09} } Fake pirated software sites serve up malware droppers as a service
Raccoon
2021-08-12Cisco TalosVanja Svajcer
@online{svajcer:20210812:signed:728ea8f, author = {Vanja Svajcer}, title = {{Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT}}, date = {2021-08-12}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html}, language = {English}, urldate = {2021-08-20} } Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Amadey Raccoon ServHelper
2021-08-04ASECASEC
@online{asec:20210804:sw:fd538d1, author = {ASEC}, title = {{S/W Download Camouflage, Spreading Various Kinds of Malware}}, date = {2021-08-04}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/25837/}, language = {Korean}, urldate = {2022-03-07} } S/W Download Camouflage, Spreading Various Kinds of Malware
Raccoon RedLine Stealer Remcos Vidar
2021-08-03SophosYusuf Arslan Polat, Sean Gallagher
@online{polat:20210803:trash:6611883, author = {Yusuf Arslan Polat and Sean Gallagher}, title = {{Trash Panda as a Service: Raccoon Stealer steals cookies, cryptocoins, and more}}, date = {2021-08-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/}, language = {English}, urldate = {2021-08-06} } Trash Panda as a Service: Raccoon Stealer steals cookies, cryptocoins, and more
Raccoon
2021-05-24Medium s2wlabSeunghoe Kim
@online{kim:20210524:deep:6cef7f7, author = {Seunghoe Kim}, title = {{Deep Analysis of Raccoon Stealer}}, date = {2021-05-24}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949}, language = {Korean}, urldate = {2021-06-16} } Deep Analysis of Raccoon Stealer
Raccoon
2021-05-05The RecordCatalin Cimpanu
@online{cimpanu:20210505:malware:27b4343, author = {Catalin Cimpanu}, title = {{Malware group leaks millions of stolen authentication cookies}}, date = {2021-05-05}, organization = {The Record}, url = {https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/}, language = {English}, urldate = {2021-05-07} } Malware group leaks millions of stolen authentication cookies
Raccoon
2021-04-22SpamhausSpamhaus Malware Labs
@techreport{labs:20210422:spamhaus:4a32a4d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2021}}, date = {2021-04-22}, institution = {Spamhaus}, url = {https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf}, language = {English}, urldate = {2021-04-28} } Spamhaus Botnet Threat Update Q1 2021
Emotet Ficker Stealer Raccoon
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-02-03Medium s2wlabHyunmin Suh, Minjei Cho
@online{suh:20210203:w1:45a76f4, author = {Hyunmin Suh and Minjei Cho}, title = {{W1 Feb| EN | Story of the week: Stealers on the Darkweb}}, date = {2021-02-03}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d}, language = {English}, urldate = {2021-02-04} } W1 Feb| EN | Story of the week: Stealers on the Darkweb
Azorult Raccoon Vidar
2021-01-18Medium csis-techblogBenoît Ancel
@online{ancel:20210118:gcleaner:f8b9064, author = {Benoît Ancel}, title = {{GCleaner — Garbage Provider Since 2019}}, date = {2021-01-18}, organization = {Medium csis-techblog}, url = {https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a}, language = {English}, urldate = {2021-01-21} } GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2021-01-14RiskIQTeam RiskIQ
@online{riskiq:20210114:new:29f2c96, author = {Team RiskIQ}, title = {{New Analysis Puts Magecart Interconnectivity into Focus}}, date = {2021-01-14}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-medialand/}, language = {English}, urldate = {2021-01-18} } New Analysis Puts Magecart Interconnectivity into Focus
grelos magecart Raccoon
2020-12-07Group-IBNikita Rostovcev
@online{rostovcev:20201207:footprints:c2a90df, author = {Nikita Rostovcev}, title = {{The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer}}, date = {2020-12-07}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/fakesecurity_raccoon}, language = {English}, urldate = {2020-12-08} } The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer
Raccoon
2020-10-18Youtube (L!NK)LinkCabin
@online{linkcabin:20201018:malware:fa0c6a0, author = {LinkCabin}, title = {{Malware Analysis: Stealer - XOR, CyberChef, x64Dbg Scripting (Part 2)}}, date = {2020-10-18}, organization = {Youtube (L!NK)}, url = {https://www.youtube.com/watch?v=1dbepxN2YD8}, language = {English}, urldate = {2020-11-25} } Malware Analysis: Stealer - XOR, CyberChef, x64Dbg Scripting (Part 2)
Raccoon
2020-10-03Youtube (L!NK)LinkCabin
@online{linkcabin:20201003:malware:9ac8043, author = {LinkCabin}, title = {{Malware Analysis: Stealer - Mutex Check, Stackstrings, IDA (Part 1)}}, date = {2020-10-03}, organization = {Youtube (L!NK)}, url = {https://www.youtube.com/watch?v=5KHZSmBeMps}, language = {English}, urldate = {2020-11-25} } Malware Analysis: Stealer - Mutex Check, Stackstrings, IDA (Part 1)
Raccoon
2020-09-09MalwarebytesThreat Intelligence Team
@online{team:20200909:malvertising:ed1c3b8, author = {Threat Intelligence Team}, title = {{Malvertising campaigns come back in full swing}}, date = {2020-09-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/}, language = {English}, urldate = {2020-09-15} } Malvertising campaigns come back in full swing
Raccoon SmokeLoader
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-02-24CyberArkBen Cohen
@techreport{cohen:20200224:analyzing:57cc981, author = {Ben Cohen}, title = {{Analyzing the Raccoon Stealer}}, date = {2020-02-24}, institution = {CyberArk}, url = {https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf}, language = {English}, urldate = {2021-04-29} } Analyzing the Raccoon Stealer
Raccoon
2019-12-03SecFreaksSecFreaks
@online{secfreaks:20191203:in:f3d3fd0, author = {SecFreaks}, title = {{In depth analysis of an infostealer: Raccoon}}, date = {2019-12-03}, organization = {SecFreaks}, url = {https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html}, language = {English}, urldate = {2020-01-13} } In depth analysis of an infostealer: Raccoon
Raccoon
2019-10-29BitdefenderBitdefender
@techreport{bitdefender:20191029:close:30321a7, author = {Bitdefender}, title = {{A close look at Fallout Exploit Kit and Raccoon Stealer}}, date = {2019-10-29}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf}, language = {English}, urldate = {2020-01-09} } A close look at Fallout Exploit Kit and Raccoon Stealer
Raccoon
2019-10-24CybereasonCybereason Nocturnus, Assaf Dahan, Lior Rochberger
@online{nocturnus:20191024:hunting:79a2141, author = {Cybereason Nocturnus and Assaf Dahan and Lior Rochberger}, title = {{Hunting Raccoon: The new Masked Bandit on the Block}}, date = {2019-10-24}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block}, language = {English}, urldate = {2019-12-03} } Hunting Raccoon: The new Masked Bandit on the Block
Raccoon
2019UltraHacksUltraHacks
@online{ultrahacks:2019:raccoon:f94537a, author = {UltraHacks}, title = {{Raccoon Stealer – onion panel}}, date = {2019}, organization = {UltraHacks}, url = {https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d}, language = {English}, urldate = {2020-01-13} } Raccoon Stealer – onion panel
Raccoon
Yara Rules
[TLP:WHITE] win_raccoon_auto (20230125 | Detects win.raccoon.)
rule win_raccoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.raccoon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 8d4d08 e8???????? 8b4df4 8bc3 }
            // n = 5, score = 2400
            //   ff15????????         |                     
            //   8d4d08               | lea                 ecx, [ebp + 8]
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8bc3                 | mov                 eax, ebx

        $sequence_1 = { eb09 56 e8???????? 59 33f6 ff750c ff15???????? }
            // n = 7, score = 2400
            //   eb09                 | jmp                 0xb
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   33f6                 | xor                 esi, esi
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff15????????         |                     

        $sequence_2 = { 50 6819000200 33f6 56 ff7508 }
            // n = 5, score = 2400
            //   50                   | push                eax
            //   6819000200           | push                0x20019
            //   33f6                 | xor                 esi, esi
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_3 = { 53 ff75e4 895dec ff15???????? 894608 8b45ec 894604 }
            // n = 7, score = 2400
            //   53                   | push                ebx
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   ff15????????         |                     
            //   894608               | mov                 dword ptr [esi + 8], eax
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   894604               | mov                 dword ptr [esi + 4], eax

        $sequence_4 = { 8d85f4efffff 50 56 eb64 ff7508 ff15???????? 0345fc }
            // n = 7, score = 2400
            //   8d85f4efffff         | lea                 eax, [ebp - 0x100c]
            //   50                   | push                eax
            //   56                   | push                esi
            //   eb64                 | jmp                 0x66
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   0345fc               | add                 eax, dword ptr [ebp - 4]

        $sequence_5 = { ff36 e8???????? 59 8b45f8 33c9 51 51 }
            // n = 7, score = 2400
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   33c9                 | xor                 ecx, ecx
            //   51                   | push                ecx
            //   51                   | push                ecx

        $sequence_6 = { 85c9 75ee 8d4301 50 e8???????? }
            // n = 5, score = 2400
            //   85c9                 | test                ecx, ecx
            //   75ee                 | jne                 0xfffffff0
            //   8d4301               | lea                 eax, [ebx + 1]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { 0f434dd8 51 56 e8???????? 83c40c }
            // n = 5, score = 2400
            //   0f434dd8             | cmovae              ecx, dword ptr [ebp - 0x28]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_8 = { 7202 8b0f 8b4638 03c1 3945fc 7417 681e0e0000 }
            // n = 7, score = 2400
            //   7202                 | jb                  4
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   8b4638               | mov                 eax, dword ptr [esi + 0x38]
            //   03c1                 | add                 eax, ecx
            //   3945fc               | cmp                 dword ptr [ebp - 4], eax
            //   7417                 | je                  0x19
            //   681e0e0000           | push                0xe1e

        $sequence_9 = { 83e801 7474 83e801 745b 83e801 7449 83e801 }
            // n = 7, score = 2400
            //   83e801               | sub                 eax, 1
            //   7474                 | je                  0x76
            //   83e801               | sub                 eax, 1
            //   745b                 | je                  0x5d
            //   83e801               | sub                 eax, 1
            //   7449                 | je                  0x4b
            //   83e801               | sub                 eax, 1

    condition:
        7 of them and filesize < 1212416
}
Download all Yara Rules