win.raccoon (Back to overview)


aka: Mohazo, RaccoonStealer, Racealer, Racoon

Raccoon Stealer is a malware reportedly sold for $75 a week or $200 a month. It gathers personal information including passwords, browser cookies and autofill data, as well as cryptowallet details. Additionally, Raccoon Stealer records system information such as IP addresses and geo-location data.

2024-02-28EchoCTIBilal BAKARTEPE, bixploit
Raccoon Stealer V2.0 Technical Analysis
2024-02-08Cybercrime DiariesOleg
Russian Language Cybercriminal Forums – Analyzing The Most Active And Renowned Communities.
Raccoon RecordBreaker
2023-11-24Medium g0njxag0njxa
Approaching stealers devs : a brief interview with Recordbreaker
Raccoon RecordBreaker
Scattered Spider
Ave Maria BlackCat Raccoon Vidar
Scattered Spider
BlackCat Ave Maria Raccoon Vidar
2023-08-15CyberIntNoel Anthony Llimos
Raccoon Stealer Announce Return After Hiatus
2023-05-16SecureworksCounter Threat Unit ResearchTeam
The Growing Threat from Infostealers
Graphiron GraphSteel Raccoon RedLine Stealer Rhadamanthys Taurus Stealer Vidar
2023-04-08Team CymruScott Fisher
Deriving Insight from Threat Actor Infrastructure
2023-03-26Luca Mella
Updates from the MaaS: new threats delivered through NullMixer
Fabookie Nullmixer PseudoManuscrypt Raccoon RedLine Stealer
2023-02-27PRODAFT Threat IntelligencePRODAFT
RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader
2022-12-18ZAYOTEMAbdül Samed DOĞAN, Emirhan KESKİN
Raccoon Stealer Technical Analysis Report
2022-11-03Team CymruS2 Research Team
Inside the V1 Raccoon Stealer’s Den
2022-10-25U.S. Department of Justice
Newly Unsealed Indictment Charges Ukrainian National with International Cybercrime Operation
2022-09-29Team CymruS2 Research Team
Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.
Amadey Raccoon RedLine Stealer SmokeLoader STOP
2022-09-18K7 SecurityRahul R
Raccoon back with new claws!
2022-09-16CloudsekAnandeshwar Unnikrishnan
Recordbreaker: The Resurgence of Raccoon
Raccoon RecordBreaker
2022-09-16Group-IBTwitter (@GroupIB_GIB)
Tweet on Uber Employees potentially infected with Raccoon and Vidar stealer
Raccoon Vidar
2022-09-15SekoiaThreat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-09-12d01aMohamed Adel
Raccoon Stealer V2 in depth Analysis
Raccoon RecordBreaker
2022-09-12Infosec WriteupsAaron Stratton
Raccoon Stealer v2 Malware Analysis
Raccoon RecordBreaker
Raccoon Stealer 2.0 Malware analysis
Raccoon RecordBreaker
2022-08-29SekoiaThreat & Detection Research Team
Traffers: a deep dive into the information stealer ecosystem
MetaStealer PrivateLoader Raccoon RedLine Stealer Vidar
2022-08-18Soc InvestigationBalaGanesh
Raccoon Infostealer Malware Returns with New TTPS – Detection & Response
Raccoon RecordBreaker
2022-08-10Avast DecodedThreat Research Team
Avast Q2/2022 Threat Report: Farewell to Conti, Zloader, and Maldocs; Hello Resurrection of Raccoon Stealer, and more Ransomware Attacks
Conti Raccoon RecordBreaker Zloader Caramel Tsunami
2022-08-02Recorded FutureInsikt Group
Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar
2022-07-29ZscalerSarthak Misraa
Raccoon Stealer v2: The Latest Generation of the Raccoon Family
Raccoon RecordBreaker
2022-07-13KELAKELA Cyber Intelligence Center
The Next Generation of Info Stealers
Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar
2022-06-30ZeroFoxStephan Simon
BRIEF: Raccoon Stealer Version 2.0
2022-06-29SekoiaThreat & Detection Research Team
Raccoon Stealer v2 – Part 2: In-depth analysis
2022-06-28SekoiaThreat & Detection Research Team
Raccoon Stealer v2 – Part 1: The return of the dead
New Info-stealer Disguised as Crack Being Distributed
ClipBanker CryptBot Raccoon RedLine Stealer
2022-06-16Medium s2wlabS2W TALON
Raccoon Stealer is Back with a New Version
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
Info-stealer Campaign targets German Car Dealerships and Manufacturers
Azorult BitRAT Raccoon
2022-04-14Avast DecodedVladimir Martyanov
Zloader 2: The Silent Night
ISFB Raccoon Zloader
2022-04-10Bleeping ComputerBill Toulas
New Meta information stealer distributed in malspam campaign
BlackGuard Mars Stealer Raccoon
2022-03-25Bleeping ComputerLawrence Abrams
Raccoon Stealer malware suspends operations due to war in Ukraine
2022-03-23Team CymruAndy Kraus, Brian Eckman, Josh Hopkins, Paul Welte
Raccoon Stealer – An Insight into Victim “Gates”
2022-03-09AvastVladimir Martyanov
Raccoon Stealer: “Trash panda” abuses Telegram
2021-10-21Bleeping ComputerLawrence Abrams
Massive campaign uses YouTube to push password-stealing malware
Raccoon RedLine Stealer
​​Raccoon Stealer Under the Lens: A Deep-dive Analysis
2021-09-23ZeroFoxStephan Simon
Raccoon Stealer Pivots Towards Self-Protection
2021-09-09BlackberryThe BlackBerry Research & Intelligence Team
Threat Thursday: Get Your Paws Off My Data, Raccoon Infostealer
2021-09-01SophosAnand Ajjan, Andrew Brandt, Sean Gallagher, Yusuf Polat
Fake pirated software sites serve up malware droppers as a service
2021-08-12Cisco TalosVanja Svajcer
Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Amadey Raccoon ServHelper
S/W Download Camouflage, Spreading Various Kinds of Malware
Raccoon RedLine Stealer Remcos Vidar
2021-08-03SophosSean Gallagher, Yusuf Arslan Polat
Trash Panda as a Service: Raccoon Stealer steals cookies, cryptocoins, and more
2021-05-24Medium s2wlabSeunghoe Kim
Deep Analysis of Raccoon Stealer
2021-05-05The RecordCatalin Cimpanu
Malware group leaks millions of stolen authentication cookies
2021-04-22SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2021
Emotet Ficker Stealer Raccoon
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-02-03Medium s2wlabHyunmin Suh, Minjei Cho
W1 Feb| EN | Story of the week: Stealers on the Darkweb
Azorult Raccoon Vidar
2021-01-18Medium csis-techblogBenoît Ancel
GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2021-01-14RiskIQTeam RiskIQ
New Analysis Puts Magecart Interconnectivity into Focus
grelos magecart Raccoon
2020-12-07Group-IBNikita Rostovcev
The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer
2020-10-18Youtube (L!NK)LinkCabin
Malware Analysis: Stealer - XOR, CyberChef, x64Dbg Scripting (Part 2)
2020-10-03Youtube (L!NK)LinkCabin
Malware Analysis: Stealer - Mutex Check, Stackstrings, IDA (Part 1)
2020-09-09MalwarebytesThreat Intelligence Team
Malvertising campaigns come back in full swing
Raccoon SmokeLoader
2020-07-30SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-02-24CyberArkBen Cohen
Analyzing the Raccoon Stealer
In depth analysis of an infostealer: Raccoon
A close look at Fallout Exploit Kit and Raccoon Stealer
2019-10-24CybereasonAssaf Dahan, Cybereason Nocturnus, Lior Rochberger
Hunting Raccoon: The new Masked Bandit on the Block
Raccoon Stealer – onion panel
Yara Rules
[TLP:WHITE] win_raccoon_auto (20230808 | Detects win.raccoon.)
rule win_raccoon_auto {

        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.raccoon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = ""
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.

        $sequence_0 = { 8bf0 8975f0 85f6 7422 8d45ec c706???????? }
            // n = 6, score = 2400
            //   8bf0                 | mov                 esi, eax
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   85f6                 | test                esi, esi
            //   7422                 | je                  0x24
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   c706????????         |                     

        $sequence_1 = { e8???????? 68???????? eb31 51 }
            // n = 4, score = 2400
            //   e8????????           |                     
            //   68????????           |                     
            //   eb31                 | jmp                 0x33
            //   51                   | push                ecx

        $sequence_2 = { 8b45e8 3bc6 7c31 7f04 3bde 762b }
            // n = 6, score = 2400
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   3bc6                 | cmp                 eax, esi
            //   7c31                 | jl                  0x33
            //   7f04                 | jg                  6
            //   3bde                 | cmp                 ebx, esi
            //   762b                 | jbe                 0x2d

        $sequence_3 = { 53 50 8d45e0 895dd0 }
            // n = 4, score = 2400
            //   53                   | push                ebx
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   895dd0               | mov                 dword ptr [ebp - 0x30], ebx

        $sequence_4 = { ff15???????? 8945f4 40 03c7 50 8945f0 }
            // n = 6, score = 2400
            //   ff15????????         |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   40                   | inc                 eax
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_5 = { ff15???????? 8bf0 83feff 7437 837b1410 7202 8b1b }
            // n = 7, score = 2400
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7437                 | je                  0x39
            //   837b1410             | cmp                 dword ptr [ebx + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b1b                 | mov                 ebx, dword ptr [ebx]

        $sequence_6 = { 8d45ec c706???????? 50 53 ff75e4 895dec ff15???????? }
            // n = 7, score = 2400
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   c706????????         |                     
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   ff15????????         |                     

        $sequence_7 = { 57 33db 8bf9 53 6aff 53 }
            // n = 6, score = 2400
            //   57                   | push                edi
            //   33db                 | xor                 ebx, ebx
            //   8bf9                 | mov                 edi, ecx
            //   53                   | push                ebx
            //   6aff                 | push                -1
            //   53                   | push                ebx

        $sequence_8 = { 6a01 52 52 52 52 }
            // n = 5, score = 2400
            //   6a01                 | push                1
            //   52                   | push                edx
            //   52                   | push                edx
            //   52                   | push                edx
            //   52                   | push                edx

        $sequence_9 = { 0f85dd000000 57 57 57 57 8d45fc }
            // n = 6, score = 2400
            //   0f85dd000000         | jne                 0xe3
            //   57                   | push                edi
            //   57                   | push                edi
            //   57                   | push                edi
            //   57                   | push                edi
            //   8d45fc               | lea                 eax, [ebp - 4]

        7 of them and filesize < 1212416
Download all Yara Rules