win.raccoon

Raccoon

aka: RaccoonStealer, Racoon

Raccoon is a stealer and collects "passwords, cookies and autofill from all popular browsers (including FireFox x64), CC data, system information, almost all existing desktop wallets of cryptocurrencies".

References
2020-09-09 | Malwarebytes | Threat Intelligence Team
Malvertising campaigns come back in full swing
https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/ (accessed 2020-09-15)
Families: Raccoon, SmokeLoader

2020-07-30 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf (accessed 2020-07-30)
Families: AdWind, Agent Tesla, Arkei Stealer, AsyncRAT, Ave Maria, Azorult, DanaBot, Emotet, IcedID, ISFB, KPOT Stealer, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, Pony, Raccoon, RedLine Stealer, Remcos, Zloader

2020-02-24 | CyberArk | CyberArk
Analyzing the Raccoon Stealer
https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf (accessed 2020-04-15)
Families: Raccoon

2019-12-03 | SecFreaks | SecFreaks
In depth analysis of an infostealer: Raccoon
https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html (accessed 2020-01-13)
Families: Raccoon

2019-10-29 | Bitdefender | Bitdefender
A close look at Fallout Exploit Kit and Raccoon Stealer
https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf (accessed 2020-01-09)
Families: Raccoon

2019-10-24 | Cybereason | Cybereason Nocturnus, Assaf Dahan, Lior Rochberger
Hunting Raccoon: The new Masked Bandit on the Block
https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block (accessed 2019-12-03)
Families: Raccoon

2019 | UltraHacks | UltraHacks
Raccoon Stealer – onion panel
https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d (accessed 2020-01-13)
Families: Raccoon
Yara Rules
[TLP:WHITE] win_raccoon_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_raccoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3bd3 0f84ec000000 3bf8 7d29 8b5df0 0fb7849ef60e0000 8bce }
            // n = 7, score = 1100
            //   3bd3                 | cmp                 edx, ebx
            //   0f84ec000000         | je                  0xf2
            //   3bf8                 | cmp                 edi, eax
            //   7d29                 | jge                 0x2b
            //   8b5df0               | mov                 ebx, dword ptr [ebp - 0x10]
            //   0fb7849ef60e0000     | movzx               eax, word ptr [esi + ebx*4 + 0xef6]
            //   8bce                 | mov                 ecx, esi

        $sequence_1 = { 837f0875 7417 68280a0000 68???????? 68???????? e8???????? 83c40c }
            // n = 7, score = 1100
            //   837f0875             | cmp                 dword ptr [edi + 8], 0x75
            //   7417                 | je                  0x19
            //   68280a0000           | push                0xa28
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc

        $sequence_2 = { 57 e8???????? 59 ff7508 8bc8 c645fc01 e8???????? }
            // n = 7, score = 1100
            //   57                   | push                edi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8bc8                 | mov                 ecx, eax
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   e8????????           |                     

        $sequence_3 = { 83e801 0f8493000000 83e801 7473 83e801 7459 83e801 }
            // n = 7, score = 1100
            //   83e801               | sub                 eax, 1
            //   0f8493000000         | je                  0x99
            //   83e801               | sub                 eax, 1
            //   7473                 | je                  0x75
            //   83e801               | sub                 eax, 1
            //   7459                 | je                  0x5b
            //   83e801               | sub                 eax, 1

        $sequence_4 = { 57 894ddc 33db 33c0 895dfc }
            // n = 5, score = 1100
            //   57                   | push                edi
            //   894ddc               | mov                 dword ptr [ebp - 0x24], ecx
            //   33db                 | xor                 ebx, ebx
            //   33c0                 | xor                 eax, eax
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx

        $sequence_5 = { 50 e8???????? eb0a ff75ec }
            // n = 4, score = 1100
            //   50                   | push                eax
            //   e8????????           |                     
            //   eb0a                 | jmp                 0xc
            //   ff75ec               | push                dword ptr [ebp - 0x14]

        $sequence_6 = { 8d458c 894d98 33c9 50 41 }
            // n = 5, score = 1100
            //   8d458c               | lea                 eax, [ebp - 0x74]
            //   894d98               | mov                 dword ptr [ebp - 0x68], ecx
            //   33c9                 | xor                 ecx, ecx
            //   50                   | push                eax
            //   41                   | inc                 ecx

        $sequence_7 = { 83f805 773b 8d42a9 8b4dfc 83c304 }
            // n = 5, score = 1100
            //   83f805               | cmp                 eax, 5
            //   773b                 | ja                  0x3d
            //   8d42a9               | lea                 eax, [edx - 0x57]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   83c304               | add                 ebx, 4

        $sequence_8 = { eb20 83f802 0f85be000000 8b45fc b900010000 0fb6d0 }
            // n = 6, score = 1100
            //   eb20                 | jmp                 0x22
            //   83f802               | cmp                 eax, 2
            //   0f85be000000         | jne                 0xc4
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   b900010000           | mov                 ecx, 0x100
            //   0fb6d0               | movzx               edx, al

        $sequence_9 = { 7538 8b450c 894f7c 898784000000 888f80000000 }
            // n = 5, score = 1100
            //   7538                 | jne                 0x3a
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   894f7c               | mov                 dword ptr [edi + 0x7c], ecx
            //   898784000000         | mov                 dword ptr [edi + 0x84], eax
            //   888f80000000         | mov                 byte ptr [edi + 0x80], cl

    condition:
        7 of them and filesize < 1155072
}