SYMBOLCOMMON_NAMEaka. SYNONYMS
win.raccoon (Back to overview)

Raccoon

aka: Mohazo, RaccoonStealer, Racealer, Racoon
VTCollection    

Raccoon Stealer is a malware reportedly sold for $75 a week or $200 a month. It gathers personal information including passwords, browser cookies and autofill data, as well as cryptowallet details. Additionally, Raccoon Stealer records system information such as IP addresses and geo-location data.

References
2024-12-18Bleeping ComputerSergiu Gatlan
Raccoon Stealer malware operator gets 5 years in prison after guilty plea
Raccoon RecordBreaker
2024-06-10MandiantMandiant
UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion
Lumma Stealer MetaStealer Raccoon RedLine Stealer RisePro Vidar UNC5537
2024-02-28EchoCTIBilal BAKARTEPE, bixploit
Raccoon Stealer V2.0 Technical Analysis
Raccoon
2024-02-08Cybercrime DiariesOleg
Russian Language Cybercriminal Forums – Analyzing The Most Active And Renowned Communities.
Raccoon RecordBreaker
2023-11-24Medium g0njxag0njxa
Approaching stealers devs : a brief interview with Recordbreaker
Raccoon RecordBreaker
2023-11-16CISACISA
Scattered Spider
Ave Maria BlackCat Raccoon Vidar
2023-11-16CISACISA
Scattered Spider
BlackCat Ave Maria Raccoon Vidar
2023-08-15CyberIntNoel Anthony Llimos
Raccoon Stealer Announce Return After Hiatus
Raccoon
2023-05-16SecureworksCounter Threat Unit ResearchTeam
The Growing Threat from Infostealers
Graphiron GraphSteel Raccoon RedLine Stealer Rhadamanthys Taurus Stealer Vidar
2023-04-08Team CymruScott Fisher
Deriving Insight from Threat Actor Infrastructure
Raccoon
2023-03-26Luca Mella
Updates from the MaaS: new threats delivered through NullMixer
Fabookie Koi Loader Koi Stealer Nullmixer PseudoManuscrypt Raccoon RedLine Stealer
2023-02-27PRODAFT Threat IntelligencePRODAFT
RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader
2022-12-18ZAYOTEMAbdül Samed DOĞAN, Emirhan KESKİN
Raccoon Stealer Technical Analysis Report
Raccoon
2022-11-03Team CymruS2 Research Team
Inside the V1 Raccoon Stealer’s Den
Raccoon
2022-10-25U.S. Department of Justice
Newly Unsealed Indictment Charges Ukrainian National with International Cybercrime Operation
Raccoon
2022-09-29Team CymruS2 Research Team
Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.
Amadey Raccoon RedLine Stealer SmokeLoader STOP
2022-09-18K7 SecurityRahul R
Raccoon back with new claws!
Raccoon
2022-09-16CloudsekAnandeshwar Unnikrishnan
Recordbreaker: The Resurgence of Raccoon
Raccoon RecordBreaker
2022-09-16Group-IBTwitter (@GroupIB_GIB)
Tweet on Uber Employees potentially infected with Raccoon and Vidar stealer
Raccoon Vidar
2022-09-15SekoiaThreat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-09-12Infosec WriteupsAaron Stratton
Raccoon Stealer v2 Malware Analysis
Raccoon RecordBreaker
2022-09-12d01aMohamed Adel
Raccoon Stealer V2 in depth Analysis
Raccoon RecordBreaker
2022-08-30ANY.RUNANY.RUN
Raccoon Stealer 2.0 Malware analysis
Raccoon RecordBreaker
2022-08-29SekoiaLivia Tibirna, Quentin Bourgue, Threat & Detection Research Team
Traffers: a deep dive into the information stealer ecosystem
MetaStealer PrivateLoader Raccoon RedLine Stealer Vidar
2022-08-18Soc InvestigationBalaGanesh
Raccoon Infostealer Malware Returns with New TTPS – Detection & Response
Raccoon RecordBreaker
2022-08-10Avast DecodedThreat Research Team
Avast Q2/2022 Threat Report: Farewell to Conti, Zloader, and Maldocs; Hello Resurrection of Raccoon Stealer, and more Ransomware Attacks
Conti Raccoon RecordBreaker Zloader Caramel Tsunami
2022-08-02Recorded FutureInsikt Group
Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar
2022-07-29ZscalerSarthak Misraa
Raccoon Stealer v2: The Latest Generation of the Raccoon Family
Raccoon RecordBreaker
2022-07-13KELAKELA Cyber Intelligence Center
The Next Generation of Info Stealers
Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar
2022-06-30ZeroFoxStephan Simon
BRIEF: Raccoon Stealer Version 2.0
Raccoon
2022-06-29SekoiaPierre Le Bourhis, Quentin Bourgue, Threat & Detection Research Team
Raccoon Stealer v2 – Part 2: In-depth analysis
Raccoon
2022-06-28AhnLabASEC
New Info-stealer Disguised as Crack Being Distributed
ClipBanker CryptBot Raccoon RedLine Stealer
2022-06-28SekoiaPierre Le Bourhis, Quentin Bourgue, Threat & Detection Research Team
Raccoon Stealer v2 – Part 1: The return of the dead
Raccoon
2022-06-16Medium s2wlabS2W TALON
Raccoon Stealer is Back with a New Version
Raccoon
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-05-10CheckpointCheckpoint
Info-stealer Campaign targets German Car Dealerships and Manufacturers
Azorult BitRAT Raccoon
2022-04-14Avast DecodedVladimir Martyanov
Zloader 2: The Silent Night
ISFB Raccoon Zloader
2022-04-10Bleeping ComputerBill Toulas
New Meta information stealer distributed in malspam campaign
BlackGuard Mars Stealer Raccoon
2022-03-25Bleeping ComputerLawrence Abrams
Raccoon Stealer malware suspends operations due to war in Ukraine
Raccoon
2022-03-23Team CymruAndy Kraus, Brian Eckman, Josh Hopkins, Paul Welte
Raccoon Stealer – An Insight into Victim “Gates”
Raccoon
2022-03-09AvastVladimir Martyanov
Raccoon Stealer: “Trash panda” abuses Telegram
Raccoon
2021-10-21cybleCyble
​​Raccoon Stealer Under the Lens: A Deep-dive Analysis
Raccoon
2021-10-21Bleeping ComputerLawrence Abrams
Massive campaign uses YouTube to push password-stealing malware
Raccoon RedLine Stealer
2021-09-23ZeroFoxStephan Simon
Raccoon Stealer Pivots Towards Self-Protection
Raccoon
2021-09-09BlackberryThe BlackBerry Research & Intelligence Team
Threat Thursday: Get Your Paws Off My Data, Raccoon Infostealer
Raccoon
2021-09-01SophosAnand Ajjan, Andrew Brandt, Sean Gallagher, Yusuf Polat
Fake pirated software sites serve up malware droppers as a service
Raccoon
2021-08-12Cisco TalosVanja Svajcer
Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Amadey Raccoon ServHelper
2021-08-04ASECASEC
S/W Download Camouflage, Spreading Various Kinds of Malware
Raccoon RedLine Stealer Remcos Vidar
2021-08-03SophosSean Gallagher, Yusuf Arslan Polat
Trash Panda as a Service: Raccoon Stealer steals cookies, cryptocoins, and more
Raccoon
2021-05-24Medium s2wlabSeunghoe Kim
Deep Analysis of Raccoon Stealer
Raccoon
2021-05-05The RecordCatalin Cimpanu
Malware group leaks millions of stolen authentication cookies
Raccoon
2021-04-22SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2021
Emotet Ficker Stealer Raccoon
2021-04-12PTSecurityPTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-02-03Medium s2wlabHyunmin Suh, Minjei Cho
W1 Feb| EN | Story of the week: Stealers on the Darkweb
Azorult Raccoon Vidar
2021-01-18Medium csis-techblogBenoît Ancel
GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP
2021-01-14RiskIQTeam RiskIQ
New Analysis Puts Magecart Interconnectivity into Focus
grelos magecart Raccoon
2020-12-07Group-IBNikita Rostovcev
The footprints of Raccoon: a story about operators of JS-sniffer FakeSecurity distributing Raccoon stealer
Raccoon
2020-10-18Youtube (L!NK)LinkCabin
Malware Analysis: Stealer - XOR, CyberChef, x64Dbg Scripting (Part 2)
Raccoon
2020-10-03Youtube (L!NK)LinkCabin
Malware Analysis: Stealer - Mutex Check, Stackstrings, IDA (Part 1)
Raccoon
2020-09-09MalwarebytesThreat Intelligence Team
Malvertising campaigns come back in full swing
Raccoon SmokeLoader
2020-09-09MalwarebytesThreat Intelligence Team
Malvertising campaigns come back in full swing
Raccoon SmokeLoader
2020-07-30SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2020-02-24CyberArkBen Cohen
Analyzing the Raccoon Stealer
Raccoon
2019-12-03SecFreaksSecFreaks
In depth analysis of an infostealer: Raccoon
Raccoon
2019-10-29BitdefenderBitdefender
A close look at Fallout Exploit Kit and Raccoon Stealer
Raccoon
2019-10-24CybereasonAssaf Dahan, Cybereason Nocturnus, Lior Rochberger
Hunting Raccoon: The new Masked Bandit on the Block
Raccoon
2019-01-01UltraHacksUltraHacks
Raccoon Stealer – onion panel
Raccoon
Yara Rules
[TLP:WHITE] win_raccoon_auto (20241030 | Detects win.raccoon.)
rule win_raccoon_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.raccoon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 59 85c0 7505 8a07 8806 46 }
            // n = 7, score = 2400
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   7505                 | jne                 7
            //   8a07                 | mov                 al, byte ptr [edi]
            //   8806                 | mov                 byte ptr [esi], al
            //   46                   | inc                 esi

        $sequence_1 = { 85ff 7464 833e00 53 }
            // n = 4, score = 2400
            //   85ff                 | test                edi, edi
            //   7464                 | je                  0x66
            //   833e00               | cmp                 dword ptr [esi], 0
            //   53                   | push                ebx

        $sequence_2 = { 7437 837b1410 7202 8b1b 837f1410 7202 8b3f }
            // n = 7, score = 2400
            //   7437                 | je                  0x39
            //   837b1410             | cmp                 dword ptr [ebx + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b1b                 | mov                 ebx, dword ptr [ebx]
            //   837f1410             | cmp                 dword ptr [edi + 0x14], 0x10
            //   7202                 | jb                  4
            //   8b3f                 | mov                 edi, dword ptr [edi]

        $sequence_3 = { 897dec 3b7de4 75bf 83f9fa 7e1e 83c108 c1e308 }
            // n = 7, score = 2400
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi
            //   3b7de4               | cmp                 edi, dword ptr [ebp - 0x1c]
            //   75bf                 | jne                 0xffffffc1
            //   83f9fa               | cmp                 ecx, -6
            //   7e1e                 | jle                 0x20
            //   83c108               | add                 ecx, 8
            //   c1e308               | shl                 ebx, 8

        $sequence_4 = { 8bf0 59 85f6 742d 8d4514 50 }
            // n = 6, score = 2400
            //   8bf0                 | mov                 esi, eax
            //   59                   | pop                 ecx
            //   85f6                 | test                esi, esi
            //   742d                 | je                  0x2f
            //   8d4514               | lea                 eax, [ebp + 0x14]
            //   50                   | push                eax

        $sequence_5 = { 57 8b7d0c 8955f8 894df4 85ff 7403 832700 }
            // n = 7, score = 2400
            //   57                   | push                edi
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   894df4               | mov                 dword ptr [ebp - 0xc], ecx
            //   85ff                 | test                edi, edi
            //   7403                 | je                  5
            //   832700               | and                 dword ptr [edi], 0

        $sequence_6 = { 03ce e8???????? 8d4dd4 e8???????? 8b4df4 8bc6 }
            // n = 6, score = 2400
            //   03ce                 | add                 ecx, esi
            //   e8????????           |                     
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8bc6                 | mov                 eax, esi

        $sequence_7 = { e8???????? 89450c 85c0 0f8486000000 53 8b1d???????? 68???????? }
            // n = 7, score = 2400
            //   e8????????           |                     
            //   89450c               | mov                 dword ptr [ebp + 0xc], eax
            //   85c0                 | test                eax, eax
            //   0f8486000000         | je                  0x8c
            //   53                   | push                ebx
            //   8b1d????????         |                     
            //   68????????           |                     

        $sequence_8 = { 56 57 ff15???????? 8b35???????? 57 ffd6 ff75e8 }
            // n = 7, score = 2400
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8b35????????         |                     
            //   57                   | push                edi
            //   ffd6                 | call                esi
            //   ff75e8               | push                dword ptr [ebp - 0x18]

        $sequence_9 = { 8bcf e8???????? 59 59 8d7301 56 ff15???????? }
            // n = 7, score = 2400
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8d7301               | lea                 esi, [ebx + 1]
            //   56                   | push                esi
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 1212416
}
Download all Yara Rules