SYMBOLCOMMON_NAMEaka. SYNONYMS
win.raccoon (Back to overview)

Raccoon

aka: Mohazo, RaccoonStealer, Racealer, Racoon

Raccoon is a stealer and collects "passwords, cookies and autofill from all popular browsers (including FireFox x64), CC data, system information, almost all existing desktop wallets of cryptocurrencies".

References
2021-05-24Medium s2wlabSeunghoe Kim
@online{kim:20210524:deep:6cef7f7, author = {Seunghoe Kim}, title = {{Deep Analysis of Raccoon Stealer}}, date = {2021-05-24}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949}, language = {Korean}, urldate = {2021-06-16} } Deep Analysis of Raccoon Stealer
Raccoon
2021-05-05The RecordCatalin Cimpanu
@online{cimpanu:20210505:malware:27b4343, author = {Catalin Cimpanu}, title = {{Malware group leaks millions of stolen authentication cookies}}, date = {2021-05-05}, organization = {The Record}, url = {https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/}, language = {English}, urldate = {2021-05-07} } Malware group leaks millions of stolen authentication cookies
Raccoon
2021-04-22SpamhausSpamhaus Malware Labs
@techreport{labs:20210422:spamhaus:4a32a4d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2021}}, date = {2021-04-22}, institution = {Spamhaus}, url = {https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf}, language = {English}, urldate = {2021-04-28} } Spamhaus Botnet Threat Update Q1 2021
Emotet Ficker Stealer Raccoon
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zeppelin Ransomware Zloader
2021-02-03Medium s2wlabHyunmin Suh, Minjei Cho
@online{suh:20210203:w1:45a76f4, author = {Hyunmin Suh and Minjei Cho}, title = {{W1 Feb| EN | Story of the week: Stealers on the Darkweb}}, date = {2021-02-03}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d}, language = {English}, urldate = {2021-02-04} } W1 Feb| EN | Story of the week: Stealers on the Darkweb
Azorult Raccoon vidar
2021-01-18Medium csis-techblogBenoît Ancel
@online{ancel:20210118:gcleaner:f8b9064, author = {Benoît Ancel}, title = {{GCleaner — Garbage Provider Since 2019}}, date = {2021-01-18}, organization = {Medium csis-techblog}, url = {https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a}, language = {English}, urldate = {2021-01-21} } GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2021-01-14RiskIQTeam RiskIQ
@online{riskiq:20210114:new:29f2c96, author = {Team RiskIQ}, title = {{New Analysis Puts Magecart Interconnectivity into Focus}}, date = {2021-01-14}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-medialand/}, language = {English}, urldate = {2021-01-18} } New Analysis Puts Magecart Interconnectivity into Focus
grelos magecart Raccoon
2020-12-07Group-IBNikita Rostovcev
@online{rostovcev:20201207:footprints:c2a90df, author = {Nikita Rostovcev}, title = {{The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer}}, date = {2020-12-07}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/fakesecurity_raccoon}, language = {English}, urldate = {2020-12-08} } The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer
Raccoon
2020-10-18Youtube (L!NK)LinkCabin
@online{linkcabin:20201018:malware:fa0c6a0, author = {LinkCabin}, title = {{Malware Analysis: Stealer - XOR, CyberChef, x64Dbg Scripting (Part 2)}}, date = {2020-10-18}, organization = {Youtube (L!NK)}, url = {https://www.youtube.com/watch?v=1dbepxN2YD8}, language = {English}, urldate = {2020-11-25} } Malware Analysis: Stealer - XOR, CyberChef, x64Dbg Scripting (Part 2)
Raccoon
2020-10-03Youtube (L!NK)LinkCabin
@online{linkcabin:20201003:malware:9ac8043, author = {LinkCabin}, title = {{Malware Analysis: Stealer - Mutex Check, Stackstrings, IDA (Part 1)}}, date = {2020-10-03}, organization = {Youtube (L!NK)}, url = {https://www.youtube.com/watch?v=5KHZSmBeMps}, language = {English}, urldate = {2020-11-25} } Malware Analysis: Stealer - Mutex Check, Stackstrings, IDA (Part 1)
Raccoon
2020-09-09MalwarebytesThreat Intelligence Team
@online{team:20200909:malvertising:ed1c3b8, author = {Threat Intelligence Team}, title = {{Malvertising campaigns come back in full swing}}, date = {2020-09-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/}, language = {English}, urldate = {2020-09-15} } Malvertising campaigns come back in full swing
Raccoon SmokeLoader
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-02-24CyberArkBen Cohen
@techreport{cohen:20200224:analyzing:57cc981, author = {Ben Cohen}, title = {{Analyzing the Raccoon Stealer}}, date = {2020-02-24}, institution = {CyberArk}, url = {https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf}, language = {English}, urldate = {2021-04-29} } Analyzing the Raccoon Stealer
Raccoon
2019-12-03SecFreaksSecFreaks
@online{secfreaks:20191203:in:f3d3fd0, author = {SecFreaks}, title = {{In depth analysis of an infostealer: Raccoon}}, date = {2019-12-03}, organization = {SecFreaks}, url = {https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html}, language = {English}, urldate = {2020-01-13} } In depth analysis of an infostealer: Raccoon
Raccoon
2019-10-29BitdefenderBitdefender
@techreport{bitdefender:20191029:close:30321a7, author = {Bitdefender}, title = {{A close look at Fallout Exploit Kit and Raccoon Stealer}}, date = {2019-10-29}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf}, language = {English}, urldate = {2020-01-09} } A close look at Fallout Exploit Kit and Raccoon Stealer
Raccoon
2019-10-24CybereasonCybereason Nocturnus, Assaf Dahan, Lior Rochberger
@online{nocturnus:20191024:hunting:79a2141, author = {Cybereason Nocturnus and Assaf Dahan and Lior Rochberger}, title = {{Hunting Raccoon: The new Masked Bandit on the Block}}, date = {2019-10-24}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block}, language = {English}, urldate = {2019-12-03} } Hunting Raccoon: The new Masked Bandit on the Block
Raccoon
2019UltraHacksUltraHacks
@online{ultrahacks:2019:raccoon:f94537a, author = {UltraHacks}, title = {{Raccoon Stealer – onion panel}}, date = {2019}, organization = {UltraHacks}, url = {https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d}, language = {English}, urldate = {2020-01-13} } Raccoon Stealer – onion panel
Raccoon
Yara Rules
[TLP:WHITE] win_raccoon_auto (20210616 | Detects win.raccoon.)
rule win_raccoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.raccoon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 56 8d45f8 894df4 50 6819000200 33f6 }
            // n = 7, score = 2000
            //   e8????????           |                     
            //   56                   | push                esi
            //   8d45f8               | lea                 eax, dword ptr [ebp - 8]
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   50                   | push                eax
            //   6819000200           | push                0x20019
            //   33f6                 | xor                 esi, esi

        $sequence_1 = { 0f84d5000000 8b4df8 83f901 0f86c9000000 8a03 3c01 }
            // n = 6, score = 2000
            //   0f84d5000000         | je                  0xdb
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   83f901               | cmp                 ecx, 1
            //   0f86c9000000         | jbe                 0xcf
            //   8a03                 | mov                 al, byte ptr [ebx]
            //   3c01                 | cmp                 al, 1

        $sequence_2 = { 8b5d14 33f6 83fb01 7507 b800020000 }
            // n = 5, score = 2000
            //   8b5d14               | mov                 ebx, dword ptr [ebp + 0x14]
            //   33f6                 | xor                 esi, esi
            //   83fb01               | cmp                 ebx, 1
            //   7507                 | jne                 9
            //   b800020000           | mov                 eax, 0x200

        $sequence_3 = { 57 33ff 8965f0 8975e8 8b06 897dec }
            // n = 6, score = 2000
            //   57                   | push                edi
            //   33ff                 | xor                 edi, edi
            //   8965f0               | mov                 dword ptr [ebp - 0x10], esp
            //   8975e8               | mov                 dword ptr [ebp - 0x18], esi
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi

        $sequence_4 = { 0f434dd8 51 56 e8???????? }
            // n = 4, score = 2000
            //   0f434dd8             | cmovae              ecx, dword ptr [ebp - 0x28]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_5 = { 57 51 51 6aff 8d7d08 0f437d08 }
            // n = 6, score = 2000
            //   57                   | push                edi
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   6aff                 | push                -1
            //   8d7d08               | lea                 edi, dword ptr [ebp + 8]
            //   0f437d08             | cmovae              edi, dword ptr [ebp + 8]

        $sequence_6 = { 885def e8???????? 8d55e8 8bc8 e8???????? }
            // n = 5, score = 2000
            //   885def               | mov                 byte ptr [ebp - 0x11], bl
            //   e8????????           |                     
            //   8d55e8               | lea                 edx, dword ptr [ebp - 0x18]
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     

        $sequence_7 = { 0f84d5000000 8b4df8 83f901 0f86c9000000 8a03 }
            // n = 5, score = 2000
            //   0f84d5000000         | je                  0xdb
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   83f901               | cmp                 ecx, 1
            //   0f86c9000000         | jbe                 0xcf
            //   8a03                 | mov                 al, byte ptr [ebx]

        $sequence_8 = { 8d45fc 33f6 50 68???????? 6a01 56 68???????? }
            // n = 7, score = 2000
            //   8d45fc               | lea                 eax, dword ptr [ebp - 4]
            //   33f6                 | xor                 esi, esi
            //   50                   | push                eax
            //   68????????           |                     
            //   6a01                 | push                1
            //   56                   | push                esi
            //   68????????           |                     

        $sequence_9 = { 83c108 894df0 7828 8bf9 8bcf 8bc3 }
            // n = 6, score = 2000
            //   83c108               | add                 ecx, 8
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   7828                 | js                  0x2a
            //   8bf9                 | mov                 edi, ecx
            //   8bcf                 | mov                 ecx, edi
            //   8bc3                 | mov                 eax, ebx

    condition:
        7 of them and filesize < 1212416
}
Download all Yara Rules