🐾 - 🚨 Raccoon Stealer V2 (2023) 💀 establishing communication to C2 - Leak 🚱

SID: 3300702  Rev: 2  19 views
Source: pawpatrules
Created: August 16, 2023
Updated: February 18, 2024
Classification: credential-theft
alert http any any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Raccoon Stealer V2 (2023) 💀 establishing communication to C2 - Leak 🚱"; flow:to_server, stateless; http.user_agent; content:"DuckTales"; http.method; content:"POST"; http.request_body; content:"machineId="; fast_pattern; pcre:"/machineId=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/"; content:"configId="; pcre:"/configId=[a-f0-9]{32}/"; reference:url,https://cyberint.com/blog/financial-services/raccoon-stealer/; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon; reference:url,https://twitter.com/g0njxa/status/1670824965438832643; target:src_ip; metadata:affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_08_16, updated_at 2024_02_18; sid:3300702; rev:2; classtype:credential-theft;)
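As an added example (it is not part of this rule page or of the pawpatrules project), the Python below emulates the rule's keyword chain over constructed HTTP requests, so the conditions can be checked without a Suricata instance: POST method, "DuckTales" in the User-Agent, and a request body carrying a lowercase-hex UUID after machineId= plus 32 lowercase hex characters after configId=. The sample requests, addresses, identifiers and the minimal request parser are assumptions made for this example, not captured Raccoon traffic.

```python
import re
from dataclasses import dataclass

# Regexes mirroring the rule's two pcre keywords: a full lowercase-hex UUID
# after machineId= and 32 lowercase hex characters after configId=.
MACHINE_ID_RE = re.compile(
    r"machineId=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}"
)
CONFIG_ID_RE = re.compile(r"configId=[a-f0-9]{32}")


@dataclass
class HttpRequest:
    method: str
    user_agent: str
    body: str


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser: request line, headers, body (example only)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    user_agent = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            user_agent = value.strip()
    return HttpRequest(method, user_agent, body.decode("latin-1"))


def matches_sid_3300702(req: HttpRequest) -> bool:
    """Apply the rule's keywords; every one must hold. Plain content matches are
    case-sensitive substrings, as Suricata's content keyword is without nocase."""
    checks = (
        req.method == "POST",                          # http.method; content:"POST"
        "DuckTales" in req.user_agent,                 # http.user_agent; content:"DuckTales"
        "machineId=" in req.body,                      # http.request_body; content:"machineId="
        MACHINE_ID_RE.search(req.body) is not None,    # pcre UUID check
        "configId=" in req.body,                       # content:"configId="
        CONFIG_ID_RE.search(req.body) is not None,     # pcre 32-hex check
    )
    return all(checks)


# Constructed sample requests for this example, not captured traffic.
SAMPLES = {
    "raccoon_like": (
        b"POST / HTTP/1.1\r\n"
        b"Host: 203.0.113.7\r\n"
        b"User-Agent: DuckTales\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"\r\n"
        b"machineId=3f2504e0-4f89-41d3-9a0c-0305e82c3301"
        b"&configId=0123456789abcdef0123456789abcdef"
    ),
    # Same body with uppercase hex: the pcre classes are [a-f0-9], so no alert.
    "uppercase_ids": (
        b"POST / HTTP/1.1\r\n"
        b"User-Agent: DuckTales\r\n"
        b"\r\n"
        b"machineId=3F2504E0-4F89-41D3-9A0C-0305E82C3301"
        b"&configId=0123456789ABCDEF0123456789ABCDEF"
    ),
    # Right user agent, but a GET with the parameters in the URL: no request body.
    "get_with_ua": (
        b"GET /?machineId=3f2504e0-4f89-41d3-9a0c-0305e82c3301 HTTP/1.1\r\n"
        b"User-Agent: DuckTales\r\n"
        b"\r\n"
    ),
    # Ordinary browser form post that happens to contain a machineId field.
    "benign_form": (
        b"POST /login HTTP/1.1\r\n"
        b"User-Agent: Mozilla/5.0\r\n"
        b"\r\n"
        b"user=alice&machineId=laptop-01"
    ),
}


def scan(samples: dict) -> list:
    """Return the names of the samples that would trigger the rule."""
    return [name for name, raw in samples.items()
            if matches_sid_3300702(parse_request(raw))]


if __name__ == "__main__":
    print(scan(SAMPLES))  # expected: ['raccoon_like']
```

Two points the run makes visible: the content and pcre matches are case-sensitive, so a sample that sends its identifiers in uppercase hex passes every other check and still does not fire; and the body checks only apply to a request body, so the same identifiers in a GET query string are not covered. The rule as written also alerts only on traffic to $EXTERNAL_NET, so a C2 reached inside $HOME_NET would need a separate rule.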

Metadata

affected product: Windows_XP_Vista_7_8_10_11_Server_32_64_Bit
attack target: Client_Endpoint
created at: 2023_08_16
updated at: 2024_02_18
