SYMBOLCOMMON_NAMEaka. SYNONYMS
win.raccoon (Back to overview)

Raccoon

aka: Mohazo, RaccoonStealer, Racealer, Racoon

Raccoon is a stealer and collects "passwords, cookies and autofill from all popular browsers (including FireFox x64), CC data, system information, almost all existing desktop wallets of cryptocurrencies".

References
2021-09-23ZeroFoxStephan Simon
@online{simon:20210923:raccoon:3c654c1, author = {Stephan Simon}, title = {{Raccoon Stealer Pivots Towards Self-Protection}}, date = {2021-09-23}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/}, language = {English}, urldate = {2021-10-11} } Raccoon Stealer Pivots Towards Self-Protection
Raccoon
2021-09-09BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20210909:threat:79cd668, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Get Your Paws Off My Data, Raccoon Infostealer}}, date = {2021-09-09}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer}, language = {English}, urldate = {2021-09-19} } Threat Thursday: Get Your Paws Off My Data, Raccoon Infostealer
Raccoon
2021-09-01SophosSean Gallagher, Yusuf Polat, Anand Ajjan, Andrew Brandt
@online{gallagher:20210901:fake:07752c0, author = {Sean Gallagher and Yusuf Polat and Anand Ajjan and Andrew Brandt}, title = {{Fake pirated software sites serve up malware droppers as a service}}, date = {2021-09-01}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/}, language = {English}, urldate = {2021-09-09} } Fake pirated software sites serve up malware droppers as a service
Raccoon
2021-08-12Cisco TalosVanja Svajcer
@online{svajcer:20210812:signed:728ea8f, author = {Vanja Svajcer}, title = {{Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT}}, date = {2021-08-12}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html}, language = {English}, urldate = {2021-08-20} } Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Amadey Raccoon ServHelper
2021-08-03SophosYusuf Arslan Polat, Sean Gallagher
@online{polat:20210803:trash:6611883, author = {Yusuf Arslan Polat and Sean Gallagher}, title = {{Trash Panda as a Service: Raccoon Stealer steals cookies, cryptocoins, and more}}, date = {2021-08-03}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/}, language = {English}, urldate = {2021-08-06} } Trash Panda as a Service: Raccoon Stealer steals cookies, cryptocoins, and more
Raccoon
2021-05-24Medium s2wlabSeunghoe Kim
@online{kim:20210524:deep:6cef7f7, author = {Seunghoe Kim}, title = {{Deep Analysis of Raccoon Stealer}}, date = {2021-05-24}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949}, language = {Korean}, urldate = {2021-06-16} } Deep Analysis of Raccoon Stealer
Raccoon
2021-05-05The RecordCatalin Cimpanu
@online{cimpanu:20210505:malware:27b4343, author = {Catalin Cimpanu}, title = {{Malware group leaks millions of stolen authentication cookies}}, date = {2021-05-05}, organization = {The Record}, url = {https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/}, language = {English}, urldate = {2021-05-07} } Malware group leaks millions of stolen authentication cookies
Raccoon
2021-04-22SpamhausSpamhaus Malware Labs
@techreport{labs:20210422:spamhaus:4a32a4d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2021}}, date = {2021-04-22}, institution = {Spamhaus}, url = {https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf}, language = {English}, urldate = {2021-04-28} } Spamhaus Botnet Threat Update Q1 2021
Emotet Ficker Stealer Raccoon
2021-04-12PTSecurityPTSecurity
@online{ptsecurity:20210412:paas:1d06836, author = {PTSecurity}, title = {{PaaS, or how hackers evade antivirus software}}, date = {2021-04-12}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/}, language = {English}, urldate = {2021-04-12} } PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-02-03Medium s2wlabHyunmin Suh, Minjei Cho
@online{suh:20210203:w1:45a76f4, author = {Hyunmin Suh and Minjei Cho}, title = {{W1 Feb| EN | Story of the week: Stealers on the Darkweb}}, date = {2021-02-03}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d}, language = {English}, urldate = {2021-02-04} } W1 Feb| EN | Story of the week: Stealers on the Darkweb
Azorult Raccoon vidar
2021-01-18Medium csis-techblogBenoît Ancel
@online{ancel:20210118:gcleaner:f8b9064, author = {Benoît Ancel}, title = {{GCleaner — Garbage Provider Since 2019}}, date = {2021-01-18}, organization = {Medium csis-techblog}, url = {https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a}, language = {English}, urldate = {2021-01-21} } GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2021-01-14RiskIQTeam RiskIQ
@online{riskiq:20210114:new:29f2c96, author = {Team RiskIQ}, title = {{New Analysis Puts Magecart Interconnectivity into Focus}}, date = {2021-01-14}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/magecart-medialand/}, language = {English}, urldate = {2021-01-18} } New Analysis Puts Magecart Interconnectivity into Focus
grelos magecart Raccoon
2020-12-07Group-IBNikita Rostovcev
@online{rostovcev:20201207:footprints:c2a90df, author = {Nikita Rostovcev}, title = {{The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer}}, date = {2020-12-07}, organization = {Group-IB}, url = {https://www.group-ib.com/blog/fakesecurity_raccoon}, language = {English}, urldate = {2020-12-08} } The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer
Raccoon
2020-10-18Youtube (L!NK)LinkCabin
@online{linkcabin:20201018:malware:fa0c6a0, author = {LinkCabin}, title = {{Malware Analysis: Stealer - XOR, CyberChef, x64Dbg Scripting (Part 2)}}, date = {2020-10-18}, organization = {Youtube (L!NK)}, url = {https://www.youtube.com/watch?v=1dbepxN2YD8}, language = {English}, urldate = {2020-11-25} } Malware Analysis: Stealer - XOR, CyberChef, x64Dbg Scripting (Part 2)
Raccoon
2020-10-03Youtube (L!NK)LinkCabin
@online{linkcabin:20201003:malware:9ac8043, author = {LinkCabin}, title = {{Malware Analysis: Stealer - Mutex Check, Stackstrings, IDA (Part 1)}}, date = {2020-10-03}, organization = {Youtube (L!NK)}, url = {https://www.youtube.com/watch?v=5KHZSmBeMps}, language = {English}, urldate = {2020-11-25} } Malware Analysis: Stealer - Mutex Check, Stackstrings, IDA (Part 1)
Raccoon
2020-09-09MalwarebytesThreat Intelligence Team
@online{team:20200909:malvertising:ed1c3b8, author = {Threat Intelligence Team}, title = {{Malvertising campaigns come back in full swing}}, date = {2020-09-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/}, language = {English}, urldate = {2020-09-15} } Malvertising campaigns come back in full swing
Raccoon SmokeLoader
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-02-24CyberArkBen Cohen
@techreport{cohen:20200224:analyzing:57cc981, author = {Ben Cohen}, title = {{Analyzing the Raccoon Stealer}}, date = {2020-02-24}, institution = {CyberArk}, url = {https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf}, language = {English}, urldate = {2021-04-29} } Analyzing the Raccoon Stealer
Raccoon
2019-12-03SecFreaksSecFreaks
@online{secfreaks:20191203:in:f3d3fd0, author = {SecFreaks}, title = {{In depth analysis of an infostealer: Raccoon}}, date = {2019-12-03}, organization = {SecFreaks}, url = {https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html}, language = {English}, urldate = {2020-01-13} } In depth analysis of an infostealer: Raccoon
Raccoon
2019-10-29BitdefenderBitdefender
@techreport{bitdefender:20191029:close:30321a7, author = {Bitdefender}, title = {{A close look at Fallout Exploit Kit and Raccoon Stealer}}, date = {2019-10-29}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf}, language = {English}, urldate = {2020-01-09} } A close look at Fallout Exploit Kit and Raccoon Stealer
Raccoon
2019-10-24CybereasonCybereason Nocturnus, Assaf Dahan, Lior Rochberger
@online{nocturnus:20191024:hunting:79a2141, author = {Cybereason Nocturnus and Assaf Dahan and Lior Rochberger}, title = {{Hunting Raccoon: The new Masked Bandit on the Block}}, date = {2019-10-24}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block}, language = {English}, urldate = {2019-12-03} } Hunting Raccoon: The new Masked Bandit on the Block
Raccoon
2019UltraHacksUltraHacks
@online{ultrahacks:2019:raccoon:f94537a, author = {UltraHacks}, title = {{Raccoon Stealer – onion panel}}, date = {2019}, organization = {UltraHacks}, url = {https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d}, language = {English}, urldate = {2020-01-13} } Raccoon Stealer – onion panel
Raccoon
Yara Rules
[TLP:WHITE] win_raccoon_auto (20211008 | Detects win.raccoon.)
rule win_raccoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.raccoon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 894b08 89530c 81ff02000080 750d 8bc3 6a10 50 }
            // n = 7, score = 2200
            //   894b08               | mov                 dword ptr [ebx + 8], ecx
            //   89530c               | mov                 dword ptr [ebx + 0xc], edx
            //   81ff02000080         | cmp                 edi, 0x80000002
            //   750d                 | jne                 0xf
            //   8bc3                 | mov                 eax, ebx
            //   6a10                 | push                0x10
            //   50                   | push                eax

        $sequence_1 = { 7408 53 57 ff15???????? 8b4df0 57 }
            // n = 6, score = 2200
            //   7408                 | je                  0xa
            //   53                   | push                ebx
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   57                   | push                edi

        $sequence_2 = { 8b45f8 33c9 51 51 ff75f4 }
            // n = 5, score = 2200
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   33c9                 | xor                 ecx, ecx
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   ff75f4               | push                dword ptr [ebp - 0xc]

        $sequence_3 = { ff15???????? 85c0 750b 85ff 7410 8b4514 8907 }
            // n = 7, score = 2200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   750b                 | jne                 0xd
            //   85ff                 | test                edi, edi
            //   7410                 | je                  0x12
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   8907                 | mov                 dword ptr [edi], eax

        $sequence_4 = { 895c3820 895c3824 8b07 8b4804 03cf e8???????? }
            // n = 6, score = 2200
            //   895c3820             | mov                 dword ptr [eax + edi + 0x20], ebx
            //   895c3824             | mov                 dword ptr [eax + edi + 0x24], ebx
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   03cf                 | add                 ecx, edi
            //   e8????????           |                     

        $sequence_5 = { ff36 e8???????? 59 8b45f8 33c9 51 51 }
            // n = 7, score = 2200
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   33c9                 | xor                 ecx, ecx
            //   51                   | push                ecx
            //   51                   | push                ecx

        $sequence_6 = { 8b75f4 8d45b4 ff36 68???????? }
            // n = 4, score = 2200
            //   8b75f4               | mov                 esi, dword ptr [ebp - 0xc]
            //   8d45b4               | lea                 eax, dword ptr [ebp - 0x4c]
            //   ff36                 | push                dword ptr [esi]
            //   68????????           |                     

        $sequence_7 = { 68???????? 68???????? e8???????? 83c40c 0fb64708 }
            // n = 5, score = 2200
            //   68????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   0fb64708             | movzx               eax, byte ptr [edi + 8]

        $sequence_8 = { 8bd6 50 8bcf e8???????? 59 59 }
            // n = 6, score = 2200
            //   8bd6                 | mov                 edx, esi
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_9 = { 59 59 43 33c0 }
            // n = 4, score = 2200
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   43                   | inc                 ebx
            //   33c0                 | xor                 eax, eax

    condition:
        7 of them and filesize < 1212416
}
Download all Yara Rules