rule RaccoonStealerv2 {
	// Scope per the description below: an unpacked build. The opcode patterns
	// and the 200KB size cap will not fire on a packed or obfuscated sample,
	// so pair this with a memory/unpacked-image scan rather than file scanning alone.
	meta:
		author = "eSentire Threat Intelligence team"
		date = "04/17/2023"
		description = "Detects the latest unpacked/unobfuscated build 2.1.0-4"
	strings:
		// B9 imm32 (mov ecx, imm32) / E8 rel32 (call) / two free bytes / 89 45 E8 (mov [ebp-0x18], eax).
		// The fixed trailing 00 on both immediates keeps them below 0x01000000.
		$pattern1 = { B9 ?? ?? ?? 00 E8 ?? ?? ?? 00 ?? ?? 89 45 E8 }
		// 68 imm32 (push) / one free byte / 68 01 00 1F 00 (push 0x001F0001).
		// 0x001F0001 equals MUTEX_ALL_ACCESS; a mutex open/create call is plausible here but not established by this rule.
		$pattern2 = { 68 ?? ?? ?? 00 ?? 68 01 00 1F 00 }
		// Same shape as $pattern2 with two free bytes, then FF 15 (call dword ptr [imm32]) through an address ending in 00.
		$pattern3 = { 68 ?? ?? ?? 00 ?? ?? 68 01 00 1F 00 FF 15 64 ?? ?? 00 }
		// Tighter variants of the above:
		// $m1 is $pattern3 with the seventh byte pinned to 00, so every $m1 hit is also a $pattern3 hit.
		$m1 = { 68 ?? ?? ?? 00 ?? 00 68 01 00 1F 00 FF 15 64 ?? ?? 00 }
		// $m2 is $pattern2 extended by the FF 15 call, so every $m2 hit is also a $pattern2 hit.
		$m2 = { 68 ?? ?? ?? 00 ?? 68 01 00 1F 00 FF 15 64 ?? ?? 00 }
	condition:
		// Header gates first (MZ stub, PE signature at e_lfanew, size cap), then the opcode patterns.
		// `and` is commutative in YARA, so the evaluation result is the same as any other clause order.
		uint16(0) == 0x5A4D
		and uint32(uint32(0x3C)) == 0x00004550
		and filesize < 200KB
		and 2 of ($pattern*)
		and 1 of ($m*)
}
Details Published Attributes CTI Title
Details Website 2024-11-14 58 Malware Analysis: Raccoon Stealer Malware, Part 2