SYMBOLCOMMON_NAMEaka. SYNONYMS
win.raccoon (Back to overview)

Raccoon

aka: Mohazo, RaccoonStealer, Racealer, Racoon

Raccoon Stealer is a malware reportedly sold for $75 a week or $200 a month. It gathers personal information including passwords, browser cookies and autofill data, as well as cryptowallet details. Additionally, Raccoon Stealer records system information such as IP addresses and geo-location data.

References
2023-11-16CISACISA
@techreport{cisa:20231116:scattered:5864b37, author = {CISA}, title = {{Scattered Spider}}, date = {2023-11-16}, institution = {CISA}, url = {https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf}, language = {English}, urldate = {2023-11-17} } Scattered Spider
BlackCat Ave Maria Raccoon Vidar
2023-11-16CISACISA
@online{cisa:20231116:scattered:ec1932d, author = {CISA}, title = {{Scattered Spider}}, date = {2023-11-16}, organization = {CISA}, url = {https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a}, language = {English}, urldate = {2023-11-22} } Scattered Spider
Ave Maria BlackCat Raccoon Vidar
2023-08-15CyberIntNoel Anthony Llimos
@online{llimos:20230815:raccoon:4aeeaa5, author = {Noel Anthony Llimos}, title = {{Raccoon Stealer Announce Return After Hiatus}}, date = {2023-08-15}, organization = {CyberInt}, url = {https://cyberint.com/blog/financial-services/raccoon-stealer/}, language = {English}, urldate = {2023-08-16} } Raccoon Stealer Announce Return After Hiatus
Raccoon
2023-05-16SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20230516:growing:c703021, author = {Counter Threat Unit ResearchTeam}, title = {{The Growing Threat from Infostealers}}, date = {2023-05-16}, organization = {Secureworks}, url = {https://www.secureworks.com/research/the-growing-threat-from-infostealers}, language = {English}, urldate = {2023-07-31} } The Growing Threat from Infostealers
Graphiron GraphSteel Raccoon RedLine Stealer Rhadamanthys Taurus Stealer Vidar
2023-04-08Team CymruScott Fisher
@online{fisher:20230408:deriving:79162c2, author = {Scott Fisher}, title = {{Deriving Insight from Threat Actor Infrastructure}}, date = {2023-04-08}, organization = {Team Cymru}, url = {https://www.youtube.com/watch?v=kfl_2_NBVGc}, language = {English}, urldate = {2023-07-31} } Deriving Insight from Threat Actor Infrastructure
Raccoon
2023-03-26Luca Mella
@online{mella:20230326:updates:deb3c61, author = {Luca Mella}, title = {{Updates from the MaaS: new threats delivered through NullMixer}}, date = {2023-03-26}, url = {https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1}, language = {English}, urldate = {2023-03-29} } Updates from the MaaS: new threats delivered through NullMixer
Fabookie Nullmixer PseudoManuscrypt Raccoon RedLine Stealer
2023-02-27PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20230227:rig:72076aa, author = {PRODAFT}, title = {{RIG Exploit Kit: In-Depth Analysis}}, date = {2023-02-27}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf}, language = {English}, urldate = {2023-05-08} } RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader
2022-12-18ZAYOTEMAbdül Samed DOĞAN, Emirhan KESKİN
@online{doan:20221218:raccoon:f832aeb, author = {Abdül Samed DOĞAN and Emirhan KESKİN}, title = {{Raccoon Stealer Technical Analysis Report}}, date = {2022-12-18}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/13HEi9Px8V583sRkUG4Syawuw5qwU-W9Q/view}, language = {English}, urldate = {2022-12-20} } Raccoon Stealer Technical Analysis Report
Raccoon
2022-10-25U.S. Department of Justice
@online{justice:20221025:newly:498b1f4, author = {U.S. Department of Justice}, title = {{Newly Unsealed Indictment Charges Ukrainian National with International Cybercrime Operation}}, date = {2022-10-25}, url = {https://www.justice.gov/usao-wdtx/pr/newly-unsealed-indictment-charges-ukrainian-national-international-cybercrime-operation}, language = {English}, urldate = {2022-10-31} } Newly Unsealed Indictment Charges Ukrainian National with International Cybercrime Operation
Raccoon
2022-09-29Team CymruS2 Research Team
@online{team:20220929:seychelles:2d1a3c1, author = {S2 Research Team}, title = {{Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.}}, date = {2022-09-29}, organization = {Team Cymru}, url = {https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore}, language = {English}, urldate = {2022-10-10} } Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.
Amadey Raccoon RedLine Stealer SmokeLoader STOP
2022-09-18K7 SecurityRahul R
@online{r:20220918:raccoon:9a4397c, author = {Rahul R}, title = {{Raccoon back with new claws!}}, date = {2022-09-18}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/raccoon-back-with-new-claws/}, language = {English}, urldate = {2022-09-19} } Raccoon back with new claws!
Raccoon
2022-09-16Group-IBTwitter (@GroupIB_GIB)
@online{groupibgib:20220916:uber:255f13d, author = {Twitter (@GroupIB_GIB)}, title = {{Tweet on Uber Employees potentially infected with Raccoon and Vidar stealer}}, date = {2022-09-16}, organization = {Group-IB}, url = {https://twitter.com/GroupIB_GIB/status/1570821174736850945}, language = {English}, urldate = {2022-09-19} } Tweet on Uber Employees potentially infected with Raccoon and Vidar stealer
Raccoon Vidar
2022-09-16CloudsekAnandeshwar Unnikrishnan
@online{unnikrishnan:20220916:recordbreaker:8c2d4b5, author = {Anandeshwar Unnikrishnan}, title = {{Recordbreaker: The Resurgence of Raccoon}}, date = {2022-09-16}, organization = {Cloudsek}, url = {https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon}, language = {English}, urldate = {2022-10-24} } Recordbreaker: The Resurgence of Raccoon
Raccoon RecordBreaker
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-09-12d01aMohamed Adel
@online{adel:20220912:raccoon:f423625, author = {Mohamed Adel}, title = {{Raccoon Stealer V2 in depth Analysis}}, date = {2022-09-12}, organization = {d01a}, url = {https://d01a.github.io/raccoon-stealer/}, language = {English}, urldate = {2022-09-14} } Raccoon Stealer V2 in depth Analysis
Raccoon RecordBreaker
2022-09-12Infosec WriteupsAaron Stratton
@online{stratton:20220912:raccoon:3a04b24, author = {Aaron Stratton}, title = {{Raccoon Stealer v2 Malware Analysis}}, date = {2022-09-12}, organization = {Infosec Writeups}, url = {https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8}, language = {English}, urldate = {2022-09-26} } Raccoon Stealer v2 Malware Analysis
Raccoon RecordBreaker
2022-08-30ANY.RUNANY.RUN
@online{anyrun:20220830:raccoon:5e2f00f, author = {ANY.RUN}, title = {{Raccoon Stealer 2.0 Malware analysis}}, date = {2022-08-30}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/}, language = {English}, urldate = {2022-08-31} } Raccoon Stealer 2.0 Malware analysis
Raccoon RecordBreaker
2022-08-29SekoiaThreat & Detection Research Team
@online{team:20220829:traffers:8b7930b, author = {Threat & Detection Research Team}, title = {{Traffers: a deep dive into the information stealer ecosystem}}, date = {2022-08-29}, organization = {Sekoia}, url = {https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem}, language = {English}, urldate = {2022-08-31} } Traffers: a deep dive into the information stealer ecosystem
MetaStealer PrivateLoader Raccoon RedLine Stealer Vidar
2022-08-18Soc InvestigationBalaGanesh
@online{balaganesh:20220818:raccoon:3678767, author = {BalaGanesh}, title = {{Raccoon Infostealer Malware Returns with New TTPS – Detection & Response}}, date = {2022-08-18}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/}, language = {English}, urldate = {2022-08-28} } Raccoon Infostealer Malware Returns with New TTPS – Detection & Response
Raccoon RecordBreaker
2022-08-02Recorded FutureInsikt Group
@techreport{group:20220802:initial:5caddb5, author = {Insikt Group}, title = {{Initial Access Brokers Are Key to Rise in Ransomware Attacks}}, date = {2022-08-02}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf}, language = {English}, urldate = {2022-08-05} } Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar
2022-07-29ZscalerSarthak Misraa
@online{misraa:20220729:raccoon:6937d2e, author = {Sarthak Misraa}, title = {{Raccoon Stealer v2: The Latest Generation of the Raccoon Family}}, date = {2022-07-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family}, language = {English}, urldate = {2022-08-02} } Raccoon Stealer v2: The Latest Generation of the Raccoon Family
Raccoon RecordBreaker
2022-07-13KELAKELA Cyber Intelligence Center
@online{center:20220713:next:b2e43e4, author = {KELA Cyber Intelligence Center}, title = {{The Next Generation of Info Stealers}}, date = {2022-07-13}, organization = {KELA}, url = {https://ke-la.com/information-stealers-a-new-landscape/}, language = {English}, urldate = {2022-07-18} } The Next Generation of Info Stealers
Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar
2022-06-30ZeroFoxStephan Simon
@online{simon:20220630:brief:4a98257, author = {Stephan Simon}, title = {{BRIEF: Raccoon Stealer Version 2.0}}, date = {2022-06-30}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/}, language = {English}, urldate = {2022-07-25} } BRIEF: Raccoon Stealer Version 2.0
Raccoon
2022-06-29SekoiaThreat & Detection Research Team
@online{team:20220629:raccoon:a59b65c, author = {Threat & Detection Research Team}, title = {{Raccoon Stealer v2 – Part 2: In-depth analysis}}, date = {2022-06-29}, organization = {Sekoia}, url = {https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/}, language = {English}, urldate = {2022-07-25} } Raccoon Stealer v2 – Part 2: In-depth analysis
Raccoon
2022-06-28SekoiaThreat & Detection Research Team
@online{team:20220628:raccoon:98accde, author = {Threat & Detection Research Team}, title = {{Raccoon Stealer v2 – Part 1: The return of the dead}}, date = {2022-06-28}, organization = {Sekoia}, url = {https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/}, language = {English}, urldate = {2022-06-30} } Raccoon Stealer v2 – Part 1: The return of the dead
Raccoon
2022-06-28AhnLabASEC
@online{asec:20220628:new:df3f9bf, author = {ASEC}, title = {{New Info-stealer Disguised as Crack Being Distributed}}, date = {2022-06-28}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/35981/}, language = {English}, urldate = {2022-06-30} } New Info-stealer Disguised as Crack Being Distributed
ClipBanker CryptBot Raccoon RedLine Stealer
2022-06-16Medium s2wlabS2W TALON
@online{talon:20220616:raccoon:de7df76, author = {S2W TALON}, title = {{Raccoon Stealer is Back with a New Version}}, date = {2022-06-16}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d}, language = {English}, urldate = {2022-06-17} } Raccoon Stealer is Back with a New Version
Raccoon
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220519:net:ecf311c, author = {The BlackBerry Research & Intelligence Team}, title = {{.NET Stubs: Sowing the Seeds of Discord (PureCrypter)}}, date = {2022-05-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord}, language = {English}, urldate = {2022-06-09} } .NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-05-10CheckpointCheckpoint
@online{checkpoint:20220510:infostealer:33aee4a, author = {Checkpoint}, title = {{Info-stealer Campaign targets German Car Dealerships and Manufacturers}}, date = {2022-05-10}, organization = {Checkpoint}, url = {https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/}, language = {English}, urldate = {2022-05-13} } Info-stealer Campaign targets German Car Dealerships and Manufacturers
Azorult BitRAT Raccoon
2022-04-14Avast DecodedVladimir Martyanov
@online{martyanov:20220414:zloader:23c520a, author = {Vladimir Martyanov}, title = {{Zloader 2: The Silent Night}}, date = {2022-04-14}, organization = {Avast Decoded}, url = {https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/}, language = {English}, urldate = {2022-04-15} } Zloader 2: The Silent Night
ISFB Raccoon Zloader
2022-04-10Bleeping ComputerBill Toulas
@online{toulas:20220410:new:1241933, author = {Bill Toulas}, title = {{New Meta information stealer distributed in malspam campaign}}, date = {2022-04-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/}, language = {English}, urldate = {2022-05-05} } New Meta information stealer distributed in malspam campaign
BlackGuard Mars Stealer Raccoon
2022-03-25Bleeping ComputerLawrence Abrams
@online{abrams:20220325:raccoon:c99dbc5, author = {Lawrence Abrams}, title = {{Raccoon Stealer malware suspends operations due to war in Ukraine}}, date = {2022-03-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/}, language = {English}, urldate = {2022-04-07} } Raccoon Stealer malware suspends operations due to war in Ukraine
Raccoon
2022-03-23Team CymruJosh Hopkins, Brian Eckman, Andy Kraus, Paul Welte
@online{hopkins:20220323:raccoon:8af8713, author = {Josh Hopkins and Brian Eckman and Andy Kraus and Paul Welte}, title = {{Raccoon Stealer – An Insight into Victim “Gates”}}, date = {2022-03-23}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-victim-gates/}, language = {English}, urldate = {2022-03-25} } Raccoon Stealer – An Insight into Victim “Gates”
Raccoon
2022-03-09AvastVladimir Martyanov
@online{martyanov:20220309:raccoon:b35569a, author = {Vladimir Martyanov}, title = {{Raccoon Stealer: “Trash panda” abuses Telegram}}, date = {2022-03-09}, organization = {Avast}, url = {https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram}, language = {English}, urldate = {2022-03-10} } Raccoon Stealer: “Trash panda” abuses Telegram
Raccoon
2021-10-21Bleeping ComputerLawrence Abrams
@online{abrams:20211021:massive:89295e6, author = {Lawrence Abrams}, title = {{Massive campaign uses YouTube to push password-stealing malware}}, date = {2021-10-21}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/}, language = {English}, urldate = {2021-11-02} } Massive campaign uses YouTube to push password-stealing malware
Raccoon RedLine Stealer
2021-10-21cybleCyble
@online{cyble:20211021:raccoon:612369d, author = {Cyble}, title = {{​​Raccoon Stealer Under the Lens: A Deep-dive Analysis}}, date = {2021-10-21}, organization = {cyble}, url = {https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/}, language = {English}, urldate = {2021-10-26} } ​​Raccoon Stealer Under the Lens: A Deep-dive Analysis
Raccoon
2021-09-23ZeroFoxStephan Simon
@online{simon:20210923:raccoon:3c654c1, author = {Stephan Simon}, title = {{Raccoon Stealer Pivots Towards Self-Protection}}, date = {2021-09-23}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/}, language = {English}, urldate = {2021-10-11} } Raccoon Stealer Pivots Towards Self-Protection
Raccoon
2021-09-09BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20210909:threat:79cd668, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Get Your Paws Off My Data, Raccoon Infostealer}}, date = {2021-09-09}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer}, language = {English}, urldate = {2021-09-19} } Threat Thursday: Get Your Paws Off My Data, Raccoon Infostealer
Raccoon
2021-09-01SophosSean Gallagher, Yusuf Polat, Anand Ajjan, Andrew Brandt
@online{gallagher:20210901:fake:07752c0, author = {Sean Gallagher and Yusuf Polat and Anand Ajjan and Andrew Brandt}, title = {{Fake pirated software sites serve up malware droppers as a service}}, date = {2021-09-01}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/}, language = {English}, urldate = {2021-09-09} } Fake pirated software sites serve up malware droppers as a service
Raccoon
2021-08-12Cisco TalosVanja Svajcer
@online{svajcer:20210812:signed:728ea8f, author = {Vanja Svajcer}, title = {{Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT}}, date = {2021-08-12}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html}, language = {English}, urldate = {2021-08-20} } Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Amadey Raccoon ServHelper
2021-08-04ASECASEC
@online{asec:20210804:sw:fd538d1, author = {ASEC}, title = {{S/W Download Camouflage, Spreading Various Kinds of Malware}}, date = {2021-08-04}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/25837/}, language = {Korean}, urldate = {2022-03-07} } S/W Download Camouflage, Spreading Various Kinds of Malware
Raccoon RedLine Stealer Remcos Vidar
2021-08-03SophosYusuf Arslan Polat, Sean Gallagher
@online{polat:20210803:trash:6611883, author = {Yusuf Arslan Polat and Sean Gallagher}, title = {{Trash Panda as a Service: Raccoon Stealer steals cookies, cryptocoins, and more}}, date = {2021-08-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/}, language = {English}, urldate = {2021-08-06} } Trash Panda as a Service: Raccoon Stealer steals cookies, cryptocoins, and more
Raccoon
2021-05-24Medium s2wlabSeunghoe Kim
@online{kim:20210524:deep:6cef7f7, author = {Seunghoe Kim}, title = {{Deep Analysis of Raccoon Stealer}}, date = {2021-05-24}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949}, language = {Korean}, urldate = {2021-06-16} } Deep Analysis of Raccoon Stealer
Raccoon
2021-05-05The RecordCatalin Cimpanu
@online{cimpanu:20210505:malware:27b4343, author = {Catalin Cimpanu}, title = {{Malware group leaks millions of stolen authentication cookies}}, date = {2021-05-05}, organization = {The Record}, url = {https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/}, language = {English}, urldate = {2021-05-07} } Malware group leaks millions of stolen authentication cookies
Raccoon
2021-04-22SpamhausSpamhaus Malware Labs
@techreport{labs:20210422:spamhaus:4a32a4d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2021}}, date = {2021-04-22}, institution = {Spamhaus}, url = {https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf}, language = {English}, urldate = {2021-04-28} } Spamhaus Botnet Threat Update Q1 2021
Emotet Ficker Stealer Raccoon
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-02-03Medium s2wlabHyunmin Suh, Minjei Cho
@online{suh:20210203:w1:45a76f4, author = {Hyunmin Suh and Minjei Cho}, title = {{W1 Feb| EN | Story of the week: Stealers on the Darkweb}}, date = {2021-02-03}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d}, language = {English}, urldate = {2021-02-04} } W1 Feb| EN | Story of the week: Stealers on the Darkweb
Azorult Raccoon Vidar
2021-01-18Medium csis-techblogBenoît Ancel
@online{ancel:20210118:gcleaner:f8b9064, author = {Benoît Ancel}, title = {{GCleaner — Garbage Provider Since 2019}}, date = {2021-01-18}, organization = {Medium csis-techblog}, url = {https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a}, language = {English}, urldate = {2021-01-21} } GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2021-01-14RiskIQTeam RiskIQ
@online{riskiq:20210114:new:29f2c96, author = {Team RiskIQ}, title = {{New Analysis Puts Magecart Interconnectivity into Focus}}, date = {2021-01-14}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-medialand/}, language = {English}, urldate = {2021-01-18} } New Analysis Puts Magecart Interconnectivity into Focus
grelos magecart Raccoon
2020-12-07Group-IBNikita Rostovcev
@online{rostovcev:20201207:footprints:c2a90df, author = {Nikita Rostovcev}, title = {{The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer}}, date = {2020-12-07}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/fakesecurity_raccoon}, language = {English}, urldate = {2020-12-08} } The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer
Raccoon
2020-10-18Youtube (L!NK)LinkCabin
@online{linkcabin:20201018:malware:fa0c6a0, author = {LinkCabin}, title = {{Malware Analysis: Stealer - XOR, CyberChef, x64Dbg Scripting (Part 2)}}, date = {2020-10-18}, organization = {Youtube (L!NK)}, url = {https://www.youtube.com/watch?v=1dbepxN2YD8}, language = {English}, urldate = {2020-11-25} } Malware Analysis: Stealer - XOR, CyberChef, x64Dbg Scripting (Part 2)
Raccoon
2020-10-03Youtube (L!NK)LinkCabin
@online{linkcabin:20201003:malware:9ac8043, author = {LinkCabin}, title = {{Malware Analysis: Stealer - Mutex Check, Stackstrings, IDA (Part 1)}}, date = {2020-10-03}, organization = {Youtube (L!NK)}, url = {https://www.youtube.com/watch?v=5KHZSmBeMps}, language = {English}, urldate = {2020-11-25} } Malware Analysis: Stealer - Mutex Check, Stackstrings, IDA (Part 1)
Raccoon
2020-09-09MalwarebytesThreat Intelligence Team
@online{team:20200909:malvertising:ed1c3b8, author = {Threat Intelligence Team}, title = {{Malvertising campaigns come back in full swing}}, date = {2020-09-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/}, language = {English}, urldate = {2020-09-15} } Malvertising campaigns come back in full swing
Raccoon SmokeLoader
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-02-24CyberArkBen Cohen
@techreport{cohen:20200224:analyzing:57cc981, author = {Ben Cohen}, title = {{Analyzing the Raccoon Stealer}}, date = {2020-02-24}, institution = {CyberArk}, url = {https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf}, language = {English}, urldate = {2021-04-29} } Analyzing the Raccoon Stealer
Raccoon
2019-12-03SecFreaksSecFreaks
@online{secfreaks:20191203:in:f3d3fd0, author = {SecFreaks}, title = {{In depth analysis of an infostealer: Raccoon}}, date = {2019-12-03}, organization = {SecFreaks}, url = {https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html}, language = {English}, urldate = {2020-01-13} } In depth analysis of an infostealer: Raccoon
Raccoon
2019-10-29BitdefenderBitdefender
@techreport{bitdefender:20191029:close:30321a7, author = {Bitdefender}, title = {{A close look at Fallout Exploit Kit and Raccoon Stealer}}, date = {2019-10-29}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf}, language = {English}, urldate = {2020-01-09} } A close look at Fallout Exploit Kit and Raccoon Stealer
Raccoon
2019-10-24CybereasonCybereason Nocturnus, Assaf Dahan, Lior Rochberger
@online{nocturnus:20191024:hunting:79a2141, author = {Cybereason Nocturnus and Assaf Dahan and Lior Rochberger}, title = {{Hunting Raccoon: The new Masked Bandit on the Block}}, date = {2019-10-24}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block}, language = {English}, urldate = {2019-12-03} } Hunting Raccoon: The new Masked Bandit on the Block
Raccoon
2019UltraHacksUltraHacks
@online{ultrahacks:2019:raccoon:f94537a, author = {UltraHacks}, title = {{Raccoon Stealer – onion panel}}, date = {2019}, organization = {UltraHacks}, url = {https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d}, language = {English}, urldate = {2020-01-13} } Raccoon Stealer – onion panel
Raccoon
Yara Rules
[TLP:WHITE] win_raccoon_auto (20230808 | Detects win.raccoon.)
rule win_raccoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.raccoon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bf0 8975f0 85f6 7422 8d45ec c706???????? }
            // n = 6, score = 2400
            //   8bf0                 | mov                 esi, eax
            //   8975f0               | mov                 dword ptr [ebp - 0x10], esi
            //   85f6                 | test                esi, esi
            //   7422                 | je                  0x24
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   c706????????         |                     

        $sequence_1 = { e8???????? 68???????? eb31 51 }
            // n = 4, score = 2400
            //   e8????????           |                     
            //   68????????           |                     
            //   eb31                 | jmp                 0x33
            //   51                   | push                ecx

        $sequence_2 = { 8b45e8 3bc6 7c31 7f04 3bde 762b }
            // n = 6, score = 2400
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   3bc6                 | cmp                 eax, esi
            //   7c31                 | jl                  0x33
            //   7f04                 | jg                  6
            //   3bde                 | cmp                 ebx, esi
            //   762b                 | jbe                 0x2d

        $sequence_3 = { 53 50 8d45e0 895dd0 }
            // n = 4, score = 2400
            //   53                   | push                ebx
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   895dd0               | mov                 dword ptr [ebp - 0x30], ebx

        $sequence_4 = { ff15???????? 8945f4 40 03c7 50 8945f0 }
            // n = 6, score = 2400
            //   ff15????????         |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   40                   | inc                 eax
            //   03c7                 | add                 eax, edi
            //   50                   | push                eax
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_5 = { ff15???????? 8bf0 83feff 7437 837b1410 7202 8b1b }
            // n = 7, score = 2400
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   7437                 | je                  0x39
            //   837b1410             | cmp                 dword ptr [ebx + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b1b                 | mov                 ebx, dword ptr [ebx]

        $sequence_6 = { 8d45ec c706???????? 50 53 ff75e4 895dec ff15???????? }
            // n = 7, score = 2400
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   c706????????         |                     
            //   50                   | push                eax
            //   53                   | push                ebx
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   ff15????????         |                     

        $sequence_7 = { 57 33db 8bf9 53 6aff 53 }
            // n = 6, score = 2400
            //   57                   | push                edi
            //   33db                 | xor                 ebx, ebx
            //   8bf9                 | mov                 edi, ecx
            //   53                   | push                ebx
            //   6aff                 | push                -1
            //   53                   | push                ebx

        $sequence_8 = { 6a01 52 52 52 52 }
            // n = 5, score = 2400
            //   6a01                 | push                1
            //   52                   | push                edx
            //   52                   | push                edx
            //   52                   | push                edx
            //   52                   | push                edx

        $sequence_9 = { 0f85dd000000 57 57 57 57 8d45fc }
            // n = 6, score = 2400
            //   0f85dd000000         | jne                 0xe3
            //   57                   | push                edi
            //   57                   | push                edi
            //   57                   | push                edi
            //   57                   | push                edi
            //   8d45fc               | lea                 eax, [ebp - 4]

    condition:
        7 of them and filesize < 1212416
}
Download all Yara Rules