{"id":2711,"date":"2022-08-30T02:08:00","date_gmt":"2022-08-30T02:08:00","guid":{"rendered":"\/cybersecurity-blog\/?p=2711"},"modified":"2024-08-07T09:51:53","modified_gmt":"2024-08-07T09:51:53","slug":"raccoon-stealer-v2-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/","title":{"rendered":"Raccoon Stealer 2.0 Malware analysis"},"content":{"rendered":"\n<p>Raccoon Stealer was one of the most mentioned malware in 2019. Cybercriminals sold this simple but versatile info stealer as a MaaS just for $75 per week and $200 per month. And it successfully attacked numerous systems. But in March 2022, threat authors shut down their operations.&nbsp;<br><\/p>\n\n\n\n<p>In July 2022, a new variant of this malware was released. And now Raccoon Stealer 2.0 has gone viral and got a new name in the wild \u2013 RecordBreaker. In this article, we will analyze several samples of the info stealer to find out its techniques and what data it collects.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is Raccoon Stealer?<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/malware-trends\/raccoon\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Raccoon Stealer<\/a> is a kind of malware that steals various data from an infected computer. 
It\u2019s quite a basic malware, but hackers who provide excellent service and simple navigation have made Raccoon popular.&nbsp;<\/p>\n\n\n\n<p><strong>The malware\u2019s owners are interested in the following data:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Login\/password pairs from various services saved in browsers<\/li>\n\n\n\n<li>Cookies from different browsers<\/li>\n\n\n\n<li>Bank data<\/li>\n\n\n\n<li>Cryptocurrency wallets<\/li>\n\n\n\n<li>Credit card information<\/li>\n\n\n\n<li>Arbitrary files, which can be of interest to intruders<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Raccoon \u2013 a sample overview<\/h2>\n\n\n\n<p>In the process of malware analysis, we worked with the following samples:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>sha-256<\/strong><\/td><\/tr><tr><td>9ee50e94a731872a74f47780317850ae2b9fae9d6c53a957ed7187173feb4f42<\/td><\/tr><tr><td>0142baf3e69fe93e0151a1b5719c90df8e2adca4301c3aa255dd19e778d84edf<\/td><\/tr><tr><td>022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03<\/td><\/tr><tr><td>048c0113233ddc1250c269c74c9c9b8e9ad3e4dae3533ff0412d02b06bdf4059<\/td><\/tr><tr><td>263c18c86071d085c69f2096460c6b418ae414d3ea92c0c2e75ef7cb47bbe693<\/td><\/tr><tr><td>27e02b973771d43531c97eb5d3fb662f9247e85c4135fe4c030587a8dea72577<\/td><\/tr><tr><td>494ab44bb96537fc8a3e832e3cf032b0599501f96a682205bc46d9b7744d52ab<\/td><\/tr><tr><td>f26f5331588cb62a97d44ce55303eb81ef21cf563e2c604fe06b06d97760f544<\/td><\/tr><tr><td>fcdc29b4d9cb808c178954d08c53c0519970fe585b850204655e44c1a901c4de<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/yXPSOEuXJQE44k_ivfXIkqFignlXxdZqlseaXSpQvUmrFSRJHy77Biz765abgQgHFJEL0fj6X_UVICn6nNE6tWG6jYiykFbLVPr4reVv5RgSYJpiNDI8spfY0_3K9iyk321DBEp9fI5VP8KH1fBmqpI\" alt=\"Raccoon malware overview in 
DiE\n\" width=\"892\" height=\"517\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon malware overview in DiE<\/em><br><\/figcaption><\/figure>\n\n\n\n<p>MITRE ATT&amp;CK Matrix produced by <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_content=raccoon_stealer\">ANY.RUN Sandbox<\/a>:<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/MWvhIN5ICBFyILTEiNtZEVx6UVjGnmIXWn7Lf4KB1j37IBxBq58vmEIJMbffjsWqVs-5FSr664EkyVlekJnTjqrIRljnqGDlCvWF816xFTS3MQF8-RLyEkdQJQAfqNAAhyWL-JziTwyHz2LY6KtFnwk\" alt=\"MITRE ATT&amp;CK Matrix produced by ANY.RUN Sandbox\n\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Challenges during the malware analysis of Raccoon stealer v2<\/h2>\n\n\n\n<p>Raccoon stealer v.2 got extremely famous, and, of course, we decided to look into it closely. And here, we have faced several challenges:<br><\/p>\n\n\n\n<p>When we first started our malware analysis, we immediately got a sample <strong>9ee50e94a731872a74f4778037850ae2b9fae9d6c53a957ed7187173feb4f4<\/strong>, which we were unable to run in our sandbox. This example was packed and immediately finished execution when we tried to run it in a virtual environment. So, our team decided to investigate the sandbox evasion mechanisms.<br><\/p>\n\n\n\n<p>During the sample\u2019s reverse-engineering, we encountered another issue: the packer detects the presence of Anti-Anti-Debugger and terminates before checking the execution\u2019s environment. In our case, we used TitanHide.&nbsp;<\/p>\n\n\n\n<p>When running the program under a debugger, the&nbsp;NtQueryInformationProcess call causes the ProcessInformation variable to be overwritten.&nbsp;The packer compares the random value written to this variable earlier with the value after the call. 
If they are different, it stops execution.&nbsp;<br><\/p>\n\n\n\n<p><strong>The challenge was solved with the following script for x64dbg:<br><\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bphc \nrun \nfindallmem 0, #e91727f5ff# \nbph ref.addr(0)+5\nrun \n $p = &#091;esp+0x10]\n$val = &#091;p]\nlog \"secret:{0}\",$val \nbphc                  \nsti                 \nsti                      \nmov &#091;$p], $val             \nret  <\/code><\/pre>\n\n\n\n<p>It turned out that <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/mrexodia\/TitanHide\/issues\/70\" target=\"_blank\">the bug was known<\/a> but had not been fixed at the moment of our research. After the report, it was <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/mrexodia\/TitanHide\/commit\/6a5a68a2447ad9454adfcbd9390ec05b9dcef2d6\" target=\"_blank\">fixed<\/a>. Therefore, this Anti-debugger detection method no longer works. <\/p>\n\n\n\n<p>But this script didn\u2019t solve the problem of running in the virtual environment without a debugger. So we continued our malware analysis and came across an interesting piece of code:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/_0FBQhFbCx2RDQC29PDu-xMMvw6Oae29uk5lIRvAUQAQkYn9OVGKkL_qCPI-6GKLSoUPmfV5MN1A1FWmNS0AdkRna8XDtSXA6jHgNxpJJZbE3PXIJ37B4KopMpg63D_1RD0crrvZevjkx4nS6bwS2nM\" alt=\"\"\/><\/figure>\n\n\n\n<p>As it turned out, this piece of code is executed differently in virtual and real environments. An exception occurs after the IF flag is set in the flag register with the popfd command. If we run in a virtual environment, the exception handler pre-installed by the malware considers that the exception occurred on the &#8220;call&#8221; instruction.&nbsp;<\/p>\n\n\n\n<p>However, when running on a real machine, the exception occurs on the &#8220;nop&#8221; instruction. 
Thus, by comparing the addresses at which the exceptions occurred, the malware determines whether it is running in a virtual environment.<\/p>\n\n\n\n<p>To bypass this check, it is enough to decrement the EIP register value by one when the exception handler is entered. After that, the malware launches successfully.<\/p>\n\n\n\n<p>After making the necessary corrections on our end, this detection method no longer works in <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_content=raccoon_stealer\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">ANY.RUN sandbox<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Execution process of RecordBreaker malware<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Loading WinAPI libraries, getting addresses of used functions<\/strong><\/h4>\n\n\n\n<p>First, Raccoon dynamically loads WinAPI libraries using kernel32.dll!LoadLibraryW and resolves the addresses of the WinAPI functions it needs using kernel32.dll!GetProcAddress.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/EdNkEs67ybBfaDvwLlUknRrn1n7y0CY4Ds4ah0-tcb-c93qSz-FA1Ur__thygY_D0EDtKpeNEZEkUflf0h0W8s3zdnGqOaAgPZUXG8BnmMtT1QqWQk6CxkiZFzXj-J-rsJvnzYnqUe3voJgtnIecZnQ\" alt=\"Raccoon is dynamically loading needed libraries and getting WinAPI imports addresses\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon is dynamically loading needed libraries and getting WinAPI imports addresses<\/em><br><\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Decryption of strings<\/strong><\/h4>\n\n\n\n<p>Depending on the sample, strings can be:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>encrypted with the RC4 algorithm, then Base64-encoded<\/li>\n\n\n\n<li>XOR-encrypted with a random key, e.g.:<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/lh4.googleusercontent.com\/CguG26Mc-ds-h05sV-jc3HkFjWuLovNYiiSLcoS8UVELXXqBkmyHHo0C2gDw7aPiUzXgpcBGWyllArdRTMEGTuLkSzwrD_g_2JHQgPVCskCjiARFDnbad-Fm6EXLt4673T79dVNb9VLofnRUfzBvsIA\" alt=\"Raccoon Stealer is using XOR strings encryption\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon Stealer is using XOR strings encryption<\/em><br><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>encryption may not be applied at all<\/li>\n<\/ul>\n\n\n\n<p><strong>Examples of decrypted strings:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>logins.json<\/td><\/tr><tr><td>\\autofill.txt<\/td><\/tr><tr><td>\\cookies.txt<\/td><\/tr><tr><td>\\passwords.txt<\/td><\/tr><tr><td>formhistory.sqlite<\/td><\/tr><tr><td>\u2026<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">C2 servers decryption<\/h4>\n\n\n\n<p>The next malware step is to decrypt C&amp;C servers. There can be several up to five ones. 
As in the case of strings, the encryption algorithm of C&amp;C servers may vary depending on a sample.<\/p>\n\n\n\n<p>From all the samples we have reviewed, at least two methods have been identified:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Encryption using the RC4 algorithm with further recoding to Base64:<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/08\/1-1.png\" alt=\"Raccoonstealer is using RC4 -&gt; Base64 encryption chain for C2s\n\" class=\"wp-image-2783\"\/><figcaption class=\"wp-element-caption\"><em>Raccoonstealer is using RC4 -&gt; Base64 encryption chain for C2s<\/em><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Encryption with XOR:<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/AlxxeIoNgAiUtFPlSYvPYNzw4fXcR5d_gkRITyz_nQ-AUddswqhmhlvqjv1led0_0Vu87HfwFkO_Z0cciwYDPZcjorIO3BCREQ59JGLQ6NNVSKgpyZXdNhaAr1nXp-1tjBVCPO7vaU5nS8D5IAhEjdk\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/vzHEEgNnOTA4ilAYpA4BIKph9lBZcimYS7oqV7XXKo1fIiJJSf0pRGvnCPKxObb9jiCYEz9MkVULB5NEgnDOfGuEO7e-x5C2y3Ki8IFNQB6pKXJXcNPpGqCoEJC4xgVoyN5yzoMFe7yxEOmgAujtamU\" alt=\"Raccoon malware is using XOR C2s encryption\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon malware is using XOR C2s encryption<\/em><br><\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Raccoon termination triggers<\/h4>\n\n\n\n<p>At this stage the malware has not executed any malicious code yet. There are certain triggers that may cause the program to terminate without executing any other actions. 
<\/p>\n\n\n\n<p>The user&#8217;s locale is checked (in some samples, certain locales corresponding to the locales of CIS countries cause Raccoon to terminate)<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/JZHO0IDYdHsY3TKTNN-1vOu6LJiJOUGS0W7hyJpWWnkwDOonUdoFdhrnG_qbVcJkz9UxNVOutNamn210rr5we61E0IA9Eg7ql7sQSoQAxCQCsKtfFh972ppvi-xfT6Sln2kFGZTqjlTFzto3IR4L1MQ\" alt=\"Raccoon is checking for specific user locale\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon is checking for specific user locale<\/em><br><\/figcaption><\/figure>\n\n\n\n<p>A check is made to see if the malware has been rerun, in parallel with another sample running on this machine. RecordBreaker tries to open a particular mutex (the value of the mutex varies in different samples). If it succeeds, it terminates immediately. If not, it creates the mutex itself.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/QrOiVy3wx8ciLel7Lkb5mF3h7dvm_wnzi23Q6UAZwQYSltueY9r6gVH8rJoGBUAjsu7VMm39VYbCxK4bZaclr28C8KUxT6Qm2K_O4rGE_PCJlTedA7DPdBqLiuboskcmtVTd4QUHUaVvlvINPGBec_w\" alt=\"Raccoon v2 is checking for a specific mutex\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon v2 is checking for a specific mutex<\/em><br><\/figcaption><\/figure>\n\n\n\n<p>We can see the result in <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_content=raccoon_stealer\" target=\"_blank\">ANY.RUN<\/a>: the mutex was created.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/yak4TZXGcFxgJIr1X7tHeuyjfxBM9YJlFyg84sRVzeiN6o2R6hakJblhU9aUFog0kbSBrFwyRnraAy3qFvPnaG8JNe45okhQ-6U9BYaCmE_Vgi1rnVggoW_b3nB2Xd1wp48yEC_7NM3HRlcZqI8CC20\" alt=\"Mutex operations are captured by ANY.RUN interactive sandbox\n\"\/><figcaption 
class=\"wp-element-caption\"><em>Mutex operations are captured by ANY.RUN interactive sandbox<\/em><br><br><\/figcaption><\/figure>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nSign up now and <span class=\"highlight\">check Raccoon&#8217;s mutex <\/span> in ANY.RUN\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/app.any.run\/#register\" rel=\"noopener\" target=\"_blank\">\nCreate free account\u00a0\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h4 class=\"wp-block-heading\">Privilege Level Check<\/h4>\n\n\n\n<p>After creating a mutex, the malware performs a System\/LocalSystem level privilege check using Advapi32.dll!GetTokenInformation and Advapi32.dll!ConvertSidToStringSidW comparing StringSid with L &#8220;S-1-5-18&#8221;:<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/7Mpiu-1LMZ3aJ2-sloI0_HdNMwOFfh7kNQa5J_1OM4r6a_Smr6uRntqdoPcutieHwIgR9oMK6wHB9Es-lHOhqO4maLv9ZdkLPffYwKG94fTpi6od4yAhWBdphriXx-hB8tKKKyxhXgnCF4hyeXjGkWc\" alt=\"Raccoonstealer 
2.0 is checking for System\/LocalSystem privileges\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoonstealer 2.0 is checking for System\/LocalSystem privileges<\/em><br><\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Process enumeration<\/h4>\n\n\n\n<p>If the check shows that RecordBreaker has the privilege level it needs, it starts enumerating processes using the TlHelp32 API (kernel32.dll!CreateToolhelp32Snapshot to capture processes and kernel32.dll!Process32First \/ kernel32.dll!Process32Next). In our samples this information isn&#8217;t collected or processed in any way.&nbsp;<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/IRwJBOhBqGjGEUtYJW2hP_0ryry4TMuOtT3Em48Tgvybj3SkonKYdYvdsTKxA82-ewxRAdl9Ju7AKv7EEIWxgUoPnffMHBO47ZeQ6iQXWzlmQxx1MmNumlnrjDfX9S0On_xrmjI5vTmQC9zNDp6tEQI\" alt=\"Raccoon malware is enumerating currently running processes\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon malware is enumerating currently running processes<\/em><br><\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Connecting to C2 servers<\/h4>\n\n\n\n<p>The next important step is to attempt to connect to one of the C&amp;C servers. 
To do this, Raccoon stealer generates a string like:<br><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>machineId={machineguid}|{username}&amp;configId={c2_key}<\/code><\/pre>\n\n\n\n<p>Then the program tries to send a POST request with the string to every possible server.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/Dithb1vghjOFVm6f0Px-xAP8Y3guZto4PGsTHmAKokFzn15F0pwjKEohYciWx9-NdSgjoevpmtG91euf_hdFu8nIdzNoOobbLhcdTYLKGu6l9M9pscAWvntDX8frQKSXjTKs4Ubw9YVLIFbWSkdb590\" alt=\"Raccoon Stealer is trying to connect to C2s\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon Stealer is trying to connect to C2s<\/em><br><\/figcaption><\/figure>\n\n\n\n<p>An example of a connection request that was intercepted by the HTTP MITM proxy feature in <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_content=raccoon_stealer\">ANY.RUN sandbox<\/a>:<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/08\/2.png\" alt=\"Raccoon info stealer C2 connection request \n\" class=\"wp-image-2781\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon info stealer C2 connection request&nbsp;<\/em><br><\/figcaption><\/figure>\n\n\n\n<p>It is important to note that if there are multiple C&amp;C servers, the malware will only accept commands from the one it was able to connect to first. In response to the above request, the server will send the malware a configuration. If RecordBreaker fails to connect to any of the C&amp;C servers, it will stop its work.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Description of the malware configuration structure<\/h2>\n\n\n\n<p>Configuration lines are divided into prefixes, each tells the malware how to interpret a particular line. 
Here is a table describing these prefixes and what they do:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-17\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"10\"\n           data-wpID=\"17\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Prefix                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Example                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Prefix\u2019s function                    <\/th>\n                                        <\/tr>\n                    <tbody>       
<tr class=\"wpdt-cell-row \" >\n<td class=\"wpdt-cell wpdt-align-left\"\n data-cell-id=\"A2\"\n data-col-index=\"0\"\n data-row-index=\"1\"\n style=\" padding:10px;\n \"\n >\n libs_<\/td>\n<td class=\"wpdt-cell wpdt-align-left\"\n data-cell-id=\"B2\"\n data-col-index=\"1\"\n data-row-index=\"1\"\n style=\" padding:10px;\n \"\n >\n libs_nss3:http:\/\/{HOSTADDR}\/{RANDOM_STRING}\/nss3.dll libs_msvcp140:http:\/\/{HOSTADDR}\/{RANDOM_STRING}\/msvcp140.dll libs_vcruntime140:http:\/\/{HOSTADDR}\/{RANDOM_STRING}\/vcruntime140.dll<\/td>\n<td class=\"wpdt-cell wpdt-align-left\"\n data-cell-id=\"C2\"\n data-col-index=\"2\"\n data-row-index=\"1\"\n style=\" padding:10px;\n \"\n >\n Legitimate libraries necessary for malware work<\/td>\n<\/tr>\n<tr class=\"wpdt-cell-row \" >\n<td class=\"wpdt-cell wpdt-align-left\"\n data-cell-id=\"A3\"\n data-col-index=\"0\"\n data-row-index=\"2\"\n style=\" padding:10px;\n \"\n >\n grbr_
               <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        grbr_dekstop:%USERPROFILE%\\Desktop\\|*.txt, *.doc, *pdf*|-|5|1|0|files grbr_documents:%USERPROFILE%\\Documents\\|*.txt, *.doc, *pdf*|-|5|1|0|files grbr_downloads:%USERPROFILE%\\Downloads\\|*.txt, *.doc, *pdf*|-|5|1|0|files                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Targeted arbitrary files from custom\u00a0 directories                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        wlts_                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n       
wlts_exodus:Exodus;26;exodus;*;*partitio*,*cache*,*dictionar* wlts_atomic:Atomic;26;atomic;*;*cache*,*IndexedDB* wlts_jaxxl:JaxxLiberty;26;com.liberty.jaxx;*;*cache*<\/td>\n<td class=\"wpdt-cell wpdt-align-left\"\n data-cell-id=\"C4\"\n data-col-index=\"2\"\n data-row-index=\"3\"\n style=\" padding:10px;\n \"\n >\n Targeted crypto-wallets and the files associated with them<\/td>\n<\/tr>\n<tr class=\"wpdt-cell-row \" >\n<td class=\"wpdt-cell wpdt-align-left\"\n data-cell-id=\"A5\"\n data-col-index=\"0\"\n data-row-index=\"4\"\n style=\" padding:10px;\n \"\n >\n ews_<\/td>\n<td class=\"wpdt-cell wpdt-align-left\"\n data-cell-id=\"B5\"\n data-col-index=\"1\"\n data-row-index=\"4\"\n style=\" padding:10px;\n \"\n >\n ews_meta_e:ejbalbakoplchlghecdalmeeeajnimhm;MetaMask;Local Extension Settings ews_tronl:ibnejdfjmmkpcnlpebklmnkoeoihofec;TronLink;Local Extension Settings ews_bsc:fhbohimaelbohpjbbldcngcnapndodjp;BinanceChain;Local Extension Settings<\/td>\n<td class=\"wpdt-cell wpdt-align-left\"\n
     data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Targeted cryptowallet related extensions for Google Chrome\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        ldr_                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        [missing in the configuration of the sample]                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Additional commands that should be executed by malware\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                   
                         data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        tlgrm_                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        tlgrm_Telegram:Telegram Desktop\\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps*                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Targeted files related to the Telegram messenger                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        scrnsht_                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                 
   data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        scrnsht_Screenshot.jpeg:1                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C8\"\n                    data-col-index=\"2\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        The name of the screenshot(s) that the malware takes in the process                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        token                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        101f4cb19fcd8b9713dcbf6a5816dc74                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C9\"\n                    data-col-index=\"2\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n   
                 >\n                                        Part of the URL path for further queries to C2                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        sstmnfo_                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        sstmnfo_System Info.txt:System Information: |Installed applications: |                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"C10\"\n                    data-col-index=\"2\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        The file description with some system data\u00a0 and a list of installed applications that the malware will generate later                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-17'>\ntable#wpdtSimpleTable-17{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-17 td, table.wpdtSimpleTable17 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>Once the info stealer 
has received the configuration from the C2, which tells it what to collect, it starts collecting.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">System data collection<\/h2>\n\n\n\n<p>The stealer fingerprints the infected host: OS bitness and version, RAM and CPU details, display, locale and timezone, plus user data such as the list of installed applications.<br><\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Raccoon\u2019s mechanisms for data collection:<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>gets the size of the main monitor using user32.dll!GetSystemMetrics<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/08\/3.png\" alt=\"Raccoon malware v2 is getting the user\u2019s display resolution\n\" class=\"wp-image-2784\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon malware v2 is getting the user\u2019s display resolution<\/em><br><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>enumerates GPU devices using user32.dll!EnumDisplayDevicesW<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/tDTx6PNTjR0ryw194V0LDgOVq1qz_TifQusjKjuUgbQv_xh_9CmhLD8tB-6GQgM3jGPETtqmzzBctaHs0ZF4UhQe3yLV2IGjKR8ZN2efOBauynIUBslMSnqq4P9KorFYL8pH0ZEdvMOjqwh3ZgHgigA\" alt=\"Raccoon Stealer is iterating through display devices\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon Stealer is iterating through display devices<\/em><br><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>determines the bitness of the system by calling kernel32.dll!GetSystemWow64DirectoryW: on 32-bit Windows there is no WOW64 directory to return and the call fails with ERROR_CALL_NOT_IMPLEMENTED, so the sample compares the last error code with that value<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/08\/4.png\" alt=\"Raccoon malware v2 is checking whether the system is 64-bit\n\" class=\"wp-image-2786\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon malware v2 is checking whether the system is 64-bit<\/em><br><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>collects RAM information via kernel32.dll!GlobalMemoryStatusEx<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/08\/5.png\" alt=\"Raccoon malware ver.2 is checking the user\u2019s system RAM information\" class=\"wp-image-2787\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon malware ver.2 is checking the user\u2019s system RAM information<\/em><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>gets the user&#8217;s timezone via kernel32.dll!GetTimeZoneInformation:<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/08\/6.png\" alt=\"Raccoon malware is collecting the user\u2019s system timezone data\n\" class=\"wp-image-2789\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon malware is collecting the user\u2019s system timezone data<\/em><br><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>grabs the OS version from the registry, using advapi32.dll!RegOpenKeyExW and advapi32.dll!RegQueryValueExW to read the ProductName value under HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/8NyTMT_dWJYCQXofZca1_1LnjDpZ4B5-8nLe78hAcDs9Hz92mp6SAf8BiKvaF3OK1qEqt4kZAppencXozryq1SI5I0jxXY9I8oFhyYI7kbQg4cMtdnBRMhma6rFrb1tPabkes5xJwRV0aj1RC46BBhc\" alt=\"Raccoonstealer gets the user\u2019s OS version\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoonstealer gets the user\u2019s OS version<\/em><br><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>obtains the CPU vendor string with the cpuid instruction (the __cpuid compiler intrinsic):<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/p6-YYt3Qy2wKwoKZLaVDXZQvGYcoJ1G3m4s6csbR2dqB0c3OK5ppzPEEczFwGOybi5TGnvjVISkN0AOsyYdPaJIZCV9XBm4e8XLNQ0xtMYO8gNbt4eFRC_kW9rg8W4sYxTV1BauwDXcsq9PgBOctfX8\" alt=\"Raccoonstealer 2.0 is getting CPU vendor info\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoonstealer 2.0 is getting CPU vendor info<\/em><br><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>gets the number of CPU cores with kernel32.dll!GetSystemInfo<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/08\/7.png\" alt=\"Raccoon malware is getting CPU cores count\n\" class=\"wp-image-2793\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon malware is getting CPU cores count<\/em><br><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>collects the user\u2019s default locale via kernel32.dll!GetUserDefaultLCID and kernel32.dll!GetLocaleInfoW<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/RwdOuWd3rn805d3rrN6BoLtS1T_UPlsBqa4qbFgUC7Bv1ip3zBuvUybTAc4GG5jl2Pn2lwAtCwZuZfqxvrL_9jPbpfQhydMLXPBjORuhnDtyY7zVzLINPhzsgGXAQXFv1ODfc-zsPDWAdTN-hHxKcic\" alt=\"Raccoon info stealer is getting the user\u2019s default locale info\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon info stealer is getting the user\u2019s default locale info<\/em><br><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>grabs the list of installed applications from the registry using advapi32.dll!RegOpenKeyExW, advapi32.dll!RegEnumKeyExW and advapi32.dll!RegQueryValueExW: it reads the &#8220;DisplayName&#8221; and &#8220;DisplayVersion&#8221; values of every sub-key of HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/08\/8.png\" alt=\" Raccoon malware 2.0 is traversing through the user\u2019s installed applications list\n\" class=\"wp-image-2790\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon malware 2.0 is traversing through the user\u2019s installed applications list<\/em><\/figcaption><\/figure>\n\n\n\n<p>After collecting the system information, RecordBreaker gets ready to steal user data. To do so it loads the legitimate third-party libraries it downloaded earlier (the NSS and Visual C++ runtime DLLs listed in the IOCs section) rather than carrying that code itself.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/08\/9.png\" alt=\"Raccoon Stealer is loading previously downloaded legitimate third-party libs\n\" class=\"wp-image-2792\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon Stealer is loading previously downloaded legitimate third-party libs<\/em><\/figcaption><\/figure>\n\n\n\n<p>It then resolves the addresses of the functions it needs from the newly loaded modules:<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/nSN0aZ_rOJwdT-9gKZuxe6Ta3mIk_qsHchYTQFjfdAe8oD_bg_2B09y5K0DIDNzLZZ62pLsW-X_WFiX3zcWufn_5IzFoLOimnLbCReukgDoSgkblYz7VV2g348Zk-k19DtuwSirUYKOvrUbJ2BviGQc\" alt=\"Raccoonstealer gets functions addresses from the newly loaded modules\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoonstealer gets functions addresses from the newly loaded modules<\/em><br><\/figcaption><\/figure>\n\n\n\n<p>Once the libraries have been loaded, Raccoon starts to collect user data.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">User data collection 
<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Cookies<\/strong><\/h4>\n\n\n\n<p>First of all, the stealer collects cookies. It copies the browser\u2019s cookies database and tries to open the copy (a running browser holds its SQLite files open, Firefox with an exclusive lock, which is why stealers work on a copy). If the copy cannot be opened, the current subroutine is terminated.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/d5an8XFrLo2RR4CbaNsQVSLWlujoQnMC4O2eo60xrCD98aVQp9t-QtZ-WaUGXt_gv8f43PXaBukMMdjZxzBXIgwIB7FiGNvs3vd6pxB5CGJgtENFg-Y03MmB-j8nnXKvXO9f_8x2RFicf_9muc8uY9I\" alt=\"Raccoon malware v2 is copying the cookies database and trying to open it\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon malware v2 is copying the cookies database and trying to open it<\/em><br><\/figcaption><\/figure>\n\n\n\n<p>If the sample manages to open the database, it retrieves cookies from it by executing the following SQL query (the moz_cookies table is the Firefox cookies.sqlite schema):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT host, path, isSecure, expiry, name, value FROM moz_cookies<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/RkAHLy2ZJsMfEHqbnmxIPoNXhHZsLe5z6r3_1HsfS6hqYTNScSRhJcxrC8gacSQHWoeYFwF1WWKmfyeDZYORQll8ABTmlcAVpFkasBdd-2AILrqnf2Cxp1M0siRVpFwKOaLATySO8pPV9HJxbzr-JsU\" alt=\"Raccoon stealer v2 is executing a SQL request to retrieve data from the cookies database\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon stealer v2 is executing a SQL request to retrieve data from the cookies database<\/em><br><\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Autofill data<\/strong><\/h4>\n\n\n\n<p>The next step in Raccoon\u2019s \u201cplan\u201d is to retrieve the saved logins. The program tries to open logins.json, the file in which Firefox stores saved credentials (a JSON file rather than an SQLite database, with the username and password fields encrypted by NSS):<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/_iav3OAZ_WPBOzMIaST-75H0fnkiT3ljot2YxsQXy0m8Gpaidhod9d6kG2HNfu5Ry4gCt667lG8Z2A0NqZodXepqw_tc5F0R8wrdP_4JBLTSs0Ai6W59pQx5COM90Q9XUq1Z-ZYz9xIg9Unm8Dod0fk\" alt=\"Raccoon Stealer 2.0 is trying to open the logins.json database\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon Stealer 2.0 is trying to open the logins.json database<\/em><br><\/figcaption><\/figure>\n\n\n\n<p>Then the stealer decrypts the credentials from that file using nss3.dll!PK11SDR_Decrypt, which is why the legitimate NSS libraries had to be dropped and loaded first.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/jxSUeU1bFBcN7JgYm7XdN2DhAG-IeDHLQvK09KrhYgGm-WtwSuRSTiYuUVTra2xfSAaKvod4Mcj7Wv03v2oKg3Qvw5CV35RVNQBWR6adDOrewBtKgP-K1tExYS1R-JBFNK6zfpjm1mFdEw7--eisa0U\" alt=\"Raccoon malware 2.0 decrypts encrypted logins.json database\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon malware 2.0 decrypts encrypted logins.json database<\/em><br><\/figcaption><\/figure>\n\n\n\n<p>After that, the malware formats each collected record like so:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u201cURL:%s\\nUSR:%s\\nPASS:%s\u201d<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/08\/10.png\" alt=\"After decryption, Raccoon malware formats the credentials into a readable record\n\" class=\"wp-image-2795\"\/><figcaption class=\"wp-element-caption\"><em>After decryption, Raccoon malware formats the credentials into a readable record<\/em><br><\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Autofill form data<\/strong><\/h4>\n\n\n\n<p>After these manipulations, the stealer collects the autofill form data. It attempts to open the formhistory.sqlite database:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/1AmhauZ_QXuTr7Vtag0yDnUKp1LEMzcOVHbsnMqMv19W397QVIzEt33186OLVjZKsZzoV0sz6FxjtL1svb9LybAQNBEAY6KlQ74-XEwmv5lYQrFEjp5kQbfKKbrj6YOCF7g4rDr2UCTNd0pRGloU3A0\" alt=\"Raccoon info stealer tries to open another database\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon info stealer tries to open another database<\/em><br><\/figcaption><\/figure>\n\n\n\n<p>If the connection to the database is successful, the program retrieves form data values from it with an SQL query like the following. Note that an autofill table with name and value columns is the Chromium \u201cWeb Data\u201d schema; in Firefox\u2019s formhistory.sqlite the same data lives in moz_formhistory as fieldname\/value pairs: <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT name, value FROM autofill<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/XSc2-JFXrmvGOrncnydmNuLUIWQgOWrcME7m4irt2JsJuCcb2pqAadmoeKtQ7XqemtgfC_YcoQta2il_gYOrs-vEZz70zjdJWYJx0_KJ-vH9lKjiBRvTA4JAtByLx9X2PSwQzEyhK7o8OJF9Vj6fgQo\" alt=\"Raccoonstealer is executing another SQL request to retrieve data\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoonstealer is executing another SQL request to retrieve data<\/em><br><\/figcaption><\/figure>\n\n\n\n<p>RecordBreaker concatenates all data together and sends POST requests to C2. 
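<\/p>\n\n\n\n<p>The collection steps just described (copy the browser\u2019s SQLite file, open the copy, run the query), as an added example that is not code from the original write-up or from the malware. It creates throw-away cookies.sqlite, formhistory.sqlite and Chromium \u201cWeb Data\u201d files with made-up rows and runs the queries quoted above against a copy of each. The table layouts are the real Firefox and Chromium schemas reduced to the columns the queries touch; the file names, sample rows and helper names are assumptions for the demo:<\/p>

```python
"""Browser-database collection as Raccoon 2.0 performs it: copy, open the copy, query.

Added example, not code from the write-up or from the malware. The databases
are constructed in a temporary directory; schemas are the real Firefox
(cookies.sqlite, formhistory.sqlite) and Chromium ("Web Data") layouts reduced
to the columns the queries touch. File names, rows and helper names are assumed.
"""
from __future__ import annotations

import os
import shutil
import sqlite3
import tempfile

# Query seen in the sample (Firefox cookies.sqlite, table moz_cookies).
COOKIE_QUERY = "SELECT host, path, isSecure, expiry, name, value FROM moz_cookies"
# Query seen in the sample; an `autofill` table with name/value is Chromium "Web Data".
CHROMIUM_AUTOFILL_QUERY = "SELECT name, value FROM autofill"
# Firefox keeps the equivalent data in formhistory.sqlite under moz_formhistory.
FIREFOX_FORMHISTORY_QUERY = "SELECT fieldname, value FROM moz_formhistory"


def _populate(db_path: str, statements: list[tuple[str, list[tuple]]]) -> None:
    """Create a constructed database: each (sql, rows) pair is executed, rows may be empty."""
    db = sqlite3.connect(db_path)
    try:
        for sql, rows in statements:
            if rows:
                db.executemany(sql, rows)
            else:
                db.execute(sql)
        db.commit()
    finally:
        db.close()


def build_constructed_profile(profile_dir: str) -> None:
    """Write made-up browser stores with the schemas the three queries expect."""
    _populate(os.path.join(profile_dir, "cookies.sqlite"), [
        ("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, host TEXT, path TEXT, "
         "isSecure INTEGER, expiry INTEGER, name TEXT, value TEXT)", []),
        ("INSERT INTO moz_cookies (host, path, isSecure, expiry, name, value) VALUES (?,?,?,?,?,?)",
         [(".example.test", "/", 1, 1700000000, "session", "c0ns7ruc7ed"),
          ("mail.example.test", "/", 1, 1700000000, "auth", "fake-token")]),
    ])
    _populate(os.path.join(profile_dir, "formhistory.sqlite"), [
        ("CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, fieldname TEXT, value TEXT)", []),
        ("INSERT INTO moz_formhistory (fieldname, value) VALUES (?,?)", [("email", "alice@example.test")]),
    ])
    _populate(os.path.join(profile_dir, "Web Data"), [
        ("CREATE TABLE autofill (name TEXT, value TEXT, count INTEGER)", []),
        ("INSERT INTO autofill VALUES (?,?,?)", [("cc-name", "Alice Example", 1)]),
    ])


def query_copy(db_path: str, query: str) -> list[tuple]:
    """Copy the store and query the copy, as the sample does.

    A running browser holds its SQLite files open (Firefox with an exclusive
    lock), so a byte-for-byte copy is the reliable way to read them. Returns []
    if the file is missing or the copy cannot be opened as a database, which
    is the point where the sample's subroutine gives up.
    """
    if not os.path.exists(db_path):
        return []
    tmp_dir = tempfile.mkdtemp()
    try:
        copy_path = os.path.join(tmp_dir, "copy.sqlite")
        shutil.copyfile(db_path, copy_path)
        db = sqlite3.connect(copy_path)
        try:
            return db.execute(query).fetchall()
        except sqlite3.Error:
            return []  # not a database / schema mismatch: subroutine ends here
        finally:
            db.close()
    finally:
        shutil.rmtree(tmp_dir, ignore_errors=True)


def collect(profile_dir: str) -> dict[str, list[tuple]]:
    """The three collection steps against one profile directory."""
    return {
        "cookies": query_copy(os.path.join(profile_dir, "cookies.sqlite"), COOKIE_QUERY),
        "formhistory": query_copy(os.path.join(profile_dir, "formhistory.sqlite"), FIREFOX_FORMHISTORY_QUERY),
        "chromium_autofill": query_copy(os.path.join(profile_dir, "Web Data"), CHROMIUM_AUTOFILL_QUERY),
    }


def demo() -> dict[str, list[tuple]]:
    """Build the constructed profile, collect from it, clean up."""
    profile = tempfile.mkdtemp()
    try:
        build_constructed_profile(profile)
        return collect(profile)
    finally:
        shutil.rmtree(profile, ignore_errors=True)


if __name__ == "__main__":
    for store, rows in demo().items():
        print(store, rows)
```

<p>query_copy() returns an empty list when the copy cannot be opened as a database, which mirrors the sample\u2019s early exit from the subroutine. Pointing collect() at a real profile directory shows what leaves the host without any decryption step: Firefox cookie values and form history are stored in the clear, only the logins.json credentials go through PK11SDR_Decrypt.<\/p>\n\n\n\n<p>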
<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_content=raccoon_stealer\">ANY.RUN sandbox<\/a>\u2019s HTTP MITM proxy feature intercepts all the data that the malware has managed to collect.<br><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&nbsp;SystemInfo POST request<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/0fu8Ltf_IcqNXiPxNuuTzeai_IyybDBfMNSNG8Lf1m1s9dBn1N55QqnvpAxzojdR1gU-1JLdYqcx9JhG3_hw2CHauUYq-0voGrmtQ1mW1yDlBlvack6rfD1mw-n8yEbCsQxhCNyfvHTr6GmUFwt2tOU\" alt=\"System info request made by Raccoon aka RecordBreaker \" width=\"910\" height=\"530\"\/><figcaption class=\"wp-element-caption\"><em>System info request made by Raccoon aka RecordBreaker&nbsp;<\/em><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>UserInfo POST <em>request<\/em><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/nxlbcy9gV-7MfkLUnVHoNqBfdl8OpGDDrhq9SDayfcMODhNYPF3I5POlLqrdeGSyQnwSBBluL1KRV7rG0sQmOAj9br_yeXypn60pvEqUOvDkohBIKRdH-lO-1F9zEFO22RUHQ0V8ml27o2LxVwDT8Bc\" alt=\"User info request made by Raccoon malware \n\"\/><figcaption class=\"wp-element-caption\"><em>User info request made by Raccoon malware&nbsp;<\/em><br><\/figcaption><\/figure>\n\n\n\n<p>When the C2 server gets each chunk of data, it responds &#8220;received&#8221;:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/08\/image-11.png\" alt=\"C2 server responds\" class=\"wp-image-2798\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Crypto-wallets, Custom, and Telegram file data collection<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Crypto-wallets data<\/strong><\/h4>\n\n\n\n<p>RecordBreaker is looking for users\u2019 crypto-wallets data using filters and templates retrieved from the 
configuration.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/mkvk2HhKZOobpVOywNJrJ4mYEHbcz665xdBXL2lO66LrQsZMpYnxdJsAASb8Nl5P6teMb7XQhZEb6_QnkmvkF3k6Zrb3Rv1E-K11CYqCVjgRaTp_vGBGgrS-A_78qAEsnuf7ttFMutI__CBwu7lp9-4\" alt=\"RecordBreaker is looking for the user\u2019s crypto-wallets data\"\/><figcaption class=\"wp-element-caption\"><em>RecordBreaker is looking for the user\u2019s crypto-wallets data<\/em><\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Custom files<\/strong><\/h4>\n\n\n\n<p>It then searches for wallet.dat, the Bitcoin Core wallet file that holds the wallet\u2019s private keys. After that, the stealer looks for arbitrary files in the custom directories specified in the configuration.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/YLygOSvK8gBS577jMwqlj7r_-aWfCq7Y1WouhuEU7IHc5Thczsdl-WAi5FPREiuMFXGQ3IOshTqdi2Gft1HuwkucByOZLF_6uWQkysK6pLClGqKtw3aQDxRUNnOeEUVa-OzqkjWcoEx60LoWgHXij9A\" alt=\"Raccoonstealer is looking for any custom files\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoonstealer is looking for any custom files<\/em><br><\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Telegram messenger files<\/strong><\/h4>\n\n\n\n<p>The sample looks for files belonging to the Telegram messenger, again using data from the configuration.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/2cbh8Wzex7s6dOYWXHmrDzFS11rsV7UYNboWZ0zPxYYR7mXkMkVSSJzIOQ2VIeGN37ccuwyS5_9VQ_CLuWX8704_cGqMzcutYSpPaKuG7uSg9L_xmC7zWX5tBsYrAm7OSZWrJ11_6ddQT8UntbkRAw8\" alt=\"RecordBreaker is looking for files related to Telegram messenger\n\"\/><figcaption class=\"wp-element-caption\"><em>RecordBreaker is looking for files related to Telegram messenger<br><\/em><\/figcaption><\/figure>\n\n\n\n<p>After the malware has sent all the files, it takes a screenshot (or several); the file name comes from the scrnsht_ entry of the configuration.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/pGQ8tlJOsb2ds3uC3klnD6_6UapVjYvgzN3q_EvtWhjUG1LKL4Rzh0ZHFyTGLkBV8XSf1NEVuLSmDIaWZrZtQSapz6E9gDTi6kckhyo6uJ9Lp_mRluyPW6mackFAvQ6uKJERM6L50VJffU2zSHxIvoQ\" alt=\"Raccoon malware v2 is making screenshots of the user\u2019s environment\n\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon malware v2 is making screenshots of the user\u2019s environment<\/em><br><\/figcaption><\/figure>\n\n\n\n<p>An example of a screenshot captured by <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_content=raccoon_stealer\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">ANY.RUN<\/a>:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/OK2uEXoYSazZ1DuoZ1rAFX8kHHz70_JRnmXEFbJ9MzV1JD-7t2NvIxTV4hD9NxJdjDVz_Y8sXeBpbN0LgPl2CxZbmSAyv9X_P5uACzLK8JuArSnxqC4-svkyl6ViDqKunQE1lCKg4DvPil4QWg0LNFo\" alt=\"The screenshot made by the second version of Raccoon malware\n\"\/><figcaption class=\"wp-element-caption\"><em>The screenshot made by the second version of Raccoon malware<br><\/em><\/figcaption><\/figure>\n\n\n\n<p>If the configuration contains additional commands, the sample executes them before finishing its work. 
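<\/p>\n\n\n\n<p>Before looking at those commands, one defensive note on the execution chain walked through above. The DLLs the stealer drops into \\AppData\\LocalLow and loads (nss3.dll, mozglue.dll, freebl3.dll, softokn3.dll, msvcp140.dll and vcruntime140.dll in the IOCs section) are legitimate Mozilla and Microsoft files, so hash or signature checks against them find nothing malicious; what is abnormal is the load path and the loading process. The Python below is an added example, not ANY.RUN\u2019s or the malware\u2019s code: it runs that rule over a few constructed image-load records shaped like Sysmon Event ID 7. The allow-list of processes that may legitimately load NSS and the sample event records are assumptions for the demo:<\/p>

```python
"""Image-load detection for the Raccoon 2.0 library-loading step.

Added example, not ANY.RUN's or the malware's code. Event records are a
simplified Sysmon Event ID 7 (ImageLoad) shape and are constructed for the demo.
"""
from __future__ import annotations

import re

# DLL names from the IOC table of this write-up.
RACCOON_SIDE_LIBS = {
    "nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll",
    "msvcp140.dll", "vcruntime140.dll",
}
# The NSS subset: only Mozilla products have a reason to map these.
NSS_LIBS = {"nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll"}
# Assumption: processes allowed to load NSS on a workstation. Extend per estate.
ALLOWED_NSS_LOADERS = {"firefox.exe", "thunderbird.exe"}
# The drop directory seen in the IOCs, matched anywhere in the loaded path.
LOCALLOW_RE = re.compile(r"\\AppData\\LocalLow\\", re.IGNORECASE)


def basename(win_path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return win_path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> str | None:
    """Return a finding name for one ImageLoad event, or None if benign."""
    loaded = basename(event["ImageLoaded"])
    loader = basename(event["Image"])
    if loaded not in RACCOON_SIDE_LIBS:
        return None
    # Rule 1: NSS mapped by anything other than a Mozilla product, wherever it sits.
    if loaded in NSS_LIBS and loader not in ALLOWED_NSS_LOADERS:
        return "nss_loaded_by_non_mozilla_process"
    # Rule 2: any of the dropped DLLs loaded from a per-user LocalLow directory.
    if LOCALLOW_RE.search(event["ImageLoaded"]):
        return "raccoon_dll_loaded_from_locallow"
    return None


def detect(events: list[dict]) -> list[tuple[int, str, str]]:
    """Run evaluate() over a batch and return (pid, image, finding) hits in order."""
    hits = []
    for event in events:
        finding = evaluate(event)
        if finding:
            hits.append((event["ProcessId"], event["Image"], finding))
    return hits


# Constructed records. "Signed" is present to make the point that it does not
# discriminate here: legitimate vendor builds pass a signature check.
CONSTRUCTED_EVENTS = [
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Program Files\Mozilla Firefox\nss3.dll", "Signed": "true"},
    {"EventID": 7, "ProcessId": 3300, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\vcruntime140.dll", "Signed": "true"},
    {"EventID": 7, "ProcessId": 5512, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\LocalLow\nss3.dll", "Signed": "true"},
    {"EventID": 7, "ProcessId": 5512, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\LocalLow\msvcp140.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for pid, image, finding in detect(CONSTRUCTED_EVENTS):
        print(f"{finding}: pid={pid} image={image}")
```

<p>The NSS rule keys on the loading process regardless of path, because no non-Mozilla binary on a workstation should map nss3.dll; the LocalLow rule catches the CRT DLLs, which many processes load legitimately from System32 but not from a per-user LocalLow directory.<\/p>\n\n\n\n<p>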
Commands that the C2 sends with the ldr_ (loader) prefix are executed through the WinAPI function shell32.dll!ShellExecuteW:<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/bEypeBcYBKniXXMQDwf_BSDUwkVOswB3tlZC1Ff9Hu0YosTXAxyMAKwrA-FzV0xU2oXhHFnNX00lVSsuEvNhHqDh2EIVG483ovg7iqvt9ruwcJXIZwji4v-NhlrwdELuHvodO6uMDLkHvocBreKf8jY\" alt=\"Raccoonstealer executes extra commands \"\/><figcaption class=\"wp-element-caption\"><em>Raccoonstealer executes extra commands<\/em><\/figcaption><\/figure>\n\n\n\n<p>Then, the malware releases the remaining allocated resources, unloads the libraries, and finishes its work.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Raccoon configuration extraction<\/h2>\n\n\n\n<p>You can use the Python script below to extract the C2 servers from an unpacked Raccoon sample, or get the malware configuration <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/app.any.run\/tasks\/df94e59b-fa59-4f8f-ba81-93781e82046f\" target=\"_blank\">right in our service<\/a>, which unpacks the sample from memory dumps and extracts the C2s for you. The script finds the key and the C2 buffers by their string shape: old builds keep base64(RC4(c2)) in 64-byte buffers with the 32-character RC4 key stored right before the first one, new builds keep a 32-character XOR key followed, 36 bytes later, by an array of five 64-byte C2 buffers each padded by 8 bytes:<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/XREwgLFk_ay0ro1aLKoXlq0Sx3srZPx19tM7fGUvm63OW1JLFKQKoyI6epzjmCpeDLw61_ykUYA0OR1M7UUu-3WfQtEK1DEjRWMGFlP38tcJoGYz-PkC9ZCG5d8pXTP57trY0KyjbYJRjjWvguP20Q85UIyVXnWNeY4IElvMcpP08Wv3xyNvi7X-UA\" alt=\"Raccoon malware 
configuration\"\/><figcaption class=\"wp-element-caption\"><em>Raccoon malware configuration<\/em><\/figcaption><\/figure>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>import os, sys, re, string\n\nfrom enum import IntEnum\nfrom base64 import b64decode, b64encode\nfrom malduck import xor, rc4, base64\n\n# c2 buffer len &amp; invalid c2 placeholder\nRACCOON_C2_PLACEHOLDER = b\" \" * 64\nRACCOON_C2_BUFF_LEN = len(RACCOON_C2_PLACEHOLDER)\n\n# c2s array size &amp; key size\nRACCOON_C2S_LEN = 5\nRACCOON_KEY_LEN = 32\n\nclass ERaccoonBuild(IntEnum):\n    UNKNOWN_BUILD = -1\n    OLD_BUILD = 0\n    NEW_BUILD = 1\n\n# extracts ascii strings from the unpacked binary and locates the key and c2 buffers\nclass RaccoonStringExtractor:\n    ASCII_BYTE = string.printable.encode()\n\n    def __init__(self, binary_path) -&gt; None:\n        self.c2_list = &#091;]\n        self.rc4_key = b\"\"\n        self.xor_key = b\"\"\n        self.raccoon_build = ERaccoonBuild.UNKNOWN_BUILD\n        with open(binary_path, 'rb') as binary:\n            self.buffer = binary.read()\n        self.__process_strings()\n\n    def __is_base64_encoded(self, data) -&gt; bool:\n        try:\n            data = data.rstrip()\n            return b64encode(b64decode(data)) == data\n        except Exception:\n            return False\n\n    def __is_valid_key(self, key) -&gt; bool:\n        # keys are 32-byte strings made of a-z 0-9 chars only\n        key_re = re.compile(rb\"^&#091;a-z0-9]{%d,}\" % RACCOON_KEY_LEN)\n        return re.match(key_re, key) is not None\n\n    def __process_strings(self) -&gt; None:\n        ascii_re = re.compile(rb\"(&#091;%s]{%d,})\" % (self.ASCII_BYTE, 4))\n\n        ascii_strings = &#091;]\n\n        for i, match in enumerate(ascii_re.finditer(self.buffer)):\n            a_string = match&#091;0]\n            offset = match.start()\n            string_entry = (a_string, offset)\n            ascii_strings.append(string_entry)\n\n            # old builds: base64(rc4(c2)) in a 64-byte buffer, rc4 key stored right before the first c2\n            if len(a_string) == RACCOON_C2_BUFF_LEN and \\\n                a_string != RACCOON_C2_PLACEHOLDER and \\\n                    self.__is_base64_encoded(a_string):\n\n                self.raccoon_build = ERaccoonBuild.OLD_BUILD\n                print(f\"&#091;+] found possible encrypted c2 {a_string.rstrip()} at {hex(offset)}\")\n                self.c2_list.append(string_entry)\n\n                if len(self.c2_list) == 1: # first c2 found\n                    rc4_key, key_offset = ascii_strings&#091;i-1]\n                    # rc4 key should be 32-bytes long and contain only a-z 0-9 chars\n                    if self.__is_valid_key(rc4_key):\n                        self.rc4_key = rc4_key\n                        print(f\"&#091;+] found possible rc4 key {self.rc4_key} at {hex(key_offset)}\")\n\n        if self.c2_list:\n            return # old build, c2s already collected\n\n        # new builds: 32-byte xor key followed by an array of RACCOON_C2S_LEN c2 buffers\n        for a_string, offset in ascii_strings:\n            if len(a_string) == RACCOON_KEY_LEN and self.__is_valid_key(a_string):\n                self.raccoon_build = ERaccoonBuild.NEW_BUILD\n                self.xor_key = a_string\n                print(f\"&#091;+] found possible xor key {self.xor_key} at {hex(offset)}\")\n\n                # extract c2s for new builds\n                curr_offset = offset + 36\n                for _ in range(0, RACCOON_C2S_LEN):\n                    enc_c2 = self.buffer&#091;curr_offset : curr_offset + RACCOON_C2_BUFF_LEN]\n\n                    if enc_c2.find(0x20) != 0 and enc_c2 != RACCOON_C2_PLACEHOLDER: # check if c2 is empty\n                        print(f\"&#091;+] found possible encrypted c2 {enc_c2.rstrip()} at {hex(curr_offset)}\")\n                        self.c2_list.append((enc_c2, curr_offset))\n\n                    curr_offset += RACCOON_C2_BUFF_LEN + 8 # each c2 is padded by 8 bytes\n                return # don't process strings any further\n\n        print(f\"&#091;!] C2s not found, could be a new build of raccoon sample\")\n\nclass RaccoonC2Decryptor:\n    def __init__(self, sample_path: str) -&gt; None:\n        self.extractor = RaccoonStringExtractor(sample_path)\n\n    def __is_valid_c2(self, c2) -&gt; bool:\n        return re.match(\n            rb\"((https?):((\/\/)|(\\\\\\\\))+(&#091;\\w\\d:#@%\/;$()~_?\\+-=\\\\\\.&amp;](#!)?)*)\", c2\n        ) is not None\n\n    def __report(self, decrypted_c2) -&gt; bool:\n        # print a decrypted buffer and tell whether it looks like a url\n        if self.__is_valid_c2(decrypted_c2):\n            print(f\"&#091;&gt;] decrypted c2: {decrypted_c2}\")\n            return True\n        print(f\"&#091;!] invalid c2: {decrypted_c2}\")\n        return False\n\n    def decrypt(self) -&gt; bool:\n        raccoon_build = self.extractor.raccoon_build\n        if raccoon_build == ERaccoonBuild.OLD_BUILD:\n            return self.decrypt_method_1()\n        elif raccoon_build == ERaccoonBuild.NEW_BUILD:\n            return self.decrypt_method_2()\n        else:\n            return False # unknown raccoon build\n\n    def decrypt_method_1(self) -&gt; bool:\n        # old builds: c2 = rc4(key, base64_decode(buffer))\n        found = False\n        for enc_c2, _ in self.extractor.c2_list:\n            decrypted_c2 = rc4(\n                self.extractor.rc4_key, \n                base64(enc_c2.rstrip())\n            )\n            found |= self.__report(decrypted_c2)\n        return found\n\n    def decrypt_method_2(self) -&gt; bool:\n        # new builds: c2 = xor(key, buffer)\n        found = False\n        for enc_c2, _ in self.extractor.c2_list:\n            decrypted_c2 = xor(\n                self.extractor.xor_key, \n                enc_c2.rstrip()\n            )\n            found |= self.__report(decrypted_c2)\n        return found\n\ndef main():\n    # parse arguments\n    if len(sys.argv) == 2:\n        sample_path = os.path.abspath(sys.argv&#091;1])\n    else:\n        print(f\"&#091;!] 
usage: {os.path.basename(__file__)} &lt;sample path&gt;\")\n        return False\n\n    try:\n        RaccoonC2Decryptor(sample_path).decrypt()\n    except Exception as ex:\n        print(f\"[!] exception: {ex}\")\n\nif __name__ == '__main__':\n    main()<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">IOCs<\/h2>\n\n\n\n<h4 class=\"wp-block-heading\">Files<\/h4>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>File path<\/th><th>SHA-256<\/th><\/tr><\/thead><tbody><tr><td>\\AppData\\LocalLow\\nss3.dll<\/td><td>c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e<\/td><\/tr><tr><td>\\AppData\\LocalLow\\msvcp140.dll<\/td><td>2db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01<\/td><\/tr><tr><td>\\AppData\\LocalLow\\vcruntime140.dll<\/td><td>9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c<\/td><\/tr><tr><td>\\AppData\\LocalLow\\mozglue.dll<\/td><td>4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862<\/td><\/tr><tr><td>\\AppData\\LocalLow\\freebl3.dll<\/td><td>b2ae93d30c8beb0b26f03d4a8325ac89b92a299e8f853e5caa51bb32575b06c6<\/td><\/tr><tr><td>\\AppData\\LocalLow\\softokn3.dll<\/td><td>44be3153c15c2d18f49674a092c135d3482fb89b77a1b2063d01d02985555fe0<\/td><\/tr><tr><td>\\AppData\\LocalLow\\sqlite3.dll<\/td><td>1b4640e3d5c872f4b8d199f3cff2970319345c766e697a37de65d10a1cffa102<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">HTTP\/HTTPS requests<\/h4>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>http:\/\/[C2 address]\/<\/td><\/tr><tr><td>http:\/\/[C2 address]\/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK\/nss3.dll<\/td><\/tr><tr><td>http:\/\/[C2 address]\/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK\/msvcp140.dll<\/td><\/tr><tr><td>http:\/\/[C2 address]\/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK\/vcruntime140.dll<\/td><\/tr><tr><td>http:\/\/[C2 address]\/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK\/mozglue.dll<\/td><\/tr><tr><td>http:\/\/[C2 address]\/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK\/freebl3.dll<\/td><\/tr><tr><td>http:\/\/[C2 address]\/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK\/sqlite3.dll<\/td><\/tr><tr><td>http:\/\/[C2 address]\/[config token]<\/td><\/tr><tr><td>http:\/\/[C2 
address]\/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK\/softokn3.dll<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>We analyzed the behavior of Raccoon Stealer 2.0 using a v2 sample in the <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_content=raccoon_stealer\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">ANY.RUN sandbox<\/a>. The examined sample uses several techniques to evade detection: legitimate libraries for data collection, dynamic library loading, string encryption, and encryption of the C&amp;C server address. Some samples are additionally protected by packers or delivered as part of other malware.<\/p>\n\n\n\n<p>Copy the script above, try to extract the C2 servers from the samples yourself, and let us know about your results.<\/p>\n\n\n\n<p>Write in the comments below which malware you would like us to analyze next. We will be glad to add it to the series!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A few words about ANY.RUN<\/h2>\n\n\n\n<p>ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.<\/p>\n\n\n\n<p>Request a demo today and enjoy 14 days of free access to our Enterprise plan.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=raccoon&amp;utm_content=trial\" target=\"_blank\" rel=\"noreferrer noopener\">Request demo \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Raccoon Stealer was one of the most mentioned malware in 2019. Cybercriminals sold this simple but versatile info stealer as a MaaS just for $75 per week and $200 per month. And it successfully attacked numerous systems. 
But in March 2022, threat authors shut down their operations.&nbsp; In July 2022, a new variant of this [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":2975,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[34],"class_list":["post-2711","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Raccoon Stealer 2.0 Malware analysis - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"ANY.RUN team of analytics has done a malware research of Raccoon Stealer 2.0. Check our results, including the script to extract C2 servers.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hardee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/\"},\"author\":{\"name\":\"hardee\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Raccoon Stealer 2.0 Malware analysis\",\"datePublished\":\"2022-08-30T02:08:00+00:00\",\"dateModified\":\"2024-08-07T09:51:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/\"},\"wordCount\":2564,\"commentCount\":14,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/\",\"name\":\"Raccoon Stealer 2.0 Malware analysis - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2022-08-30T02:08:00+00:00\",\"dateModified\":\"2024-08-07T09:51:53+00:00\",\"description\":\"ANY.RUN team of analytics has done a malware research of Raccoon Stealer 2.0. 
Check our results, including the script to extract C2 servers.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Raccoon Stealer 2.0 Malware analysis\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"hardee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/MicrosoftTeams-image-11.png\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/MicrosoftTeams-image-11.png\",\"caption\":\"hardee\"},\"description\":\"I contribute to open source from time to time and I am always up for a challenge.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Raccoon Stealer 2.0 Malware analysis - ANY.RUN&#039;s Cybersecurity Blog","description":"ANY.RUN team of analytics has done a malware research of Raccoon Stealer 2.0. Check our results, including the script to extract C2 servers.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/","twitter_misc":{"Written by":"hardee","Est. 
reading time":"19 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/"},"author":{"name":"hardee","@id":"https:\/\/any.run\/"},"headline":"Raccoon Stealer 2.0 Malware analysis","datePublished":"2022-08-30T02:08:00+00:00","dateModified":"2024-08-07T09:51:53+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/"},"wordCount":2564,"commentCount":14,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/","name":"Raccoon Stealer 2.0 Malware analysis - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2022-08-30T02:08:00+00:00","dateModified":"2024-08-07T09:51:53+00:00","description":"ANY.RUN team of analytics has done a malware research of Raccoon Stealer 2.0. 
Check our results, including the script to extract C2 servers.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Raccoon Stealer 2.0 Malware analysis"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"hardee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/MicrosoftTeams-image-11.png","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/MicrosoftTeams-image-11.png","caption":"hardee"},"description":"I contribute to open source from time to time and I am always up for a 
challenge.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/2711"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=2711"}],"version-history":[{"count":7,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/2711\/revisions"}],"predecessor-version":[{"id":8544,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/2711\/revisions\/8544"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/2975"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=2711"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=2711"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=2711"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
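As an added example that is not part of the original ANY.RUN post, the Python below turns the IOC tables from the article (the helper DLLs written to `\AppData\LocalLow` with their SHA-256 values, and the `http://[C2 address]/<token>/<dll>` download URLs) into a small hunting script. It hashes every file in a directory standing in for `%USERPROFILE%\AppData\LocalLow`, reports a confirmed hit when name and hash match the table and a suspicious hit when only the name does, and filters a list of proxy-log URLs down to the helper-DLL downloads. The DLL names and hashes are the page's own; the temporary sample directory, the placeholder file contents, the log URLs, the 198.51.100.7 address and the fixed 32-character token length in the regex are assumptions made here for illustration.

```python
"""Hunting helper built from the Raccoon Stealer 2.0 IOCs listed in the article above.

Added example, not the post's own decryptor script. DLL names and SHA-256 values are the
page's; the sample directory, sample URLs, the 198.51.100.7 address and the fixed
32-character token length in the URL regex are assumptions made here.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Helper DLLs the samples write to %USERPROFILE%\AppData\LocalLow (hashes from the IOC table).
IOC_HASHES: Dict[str, str] = {
    "nss3.dll": "c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e",
    "msvcp140.dll": "2db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01",
    "vcruntime140.dll": "9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c",
    "mozglue.dll": "4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862",
    "freebl3.dll": "b2ae93d30c8beb0b26f03d4a8325ac89b92a299e8f853e5caa51bb32575b06c6",
    "softokn3.dll": "44be3153c15c2d18f49674a092c135d3482fb89b77a1b2063d01d02985555fe0",
    "sqlite3.dll": "1b4640e3d5c872f4b8d199f3cff2970319345c766e697a37de65d10a1cffa102",
}

# Download pattern from the HTTP table: http://[C2 address]/<token>/<dll>. The token in
# these samples is 32 alphanumeric characters; treating that length as fixed is an assumption.
DLL_URL_RE = re.compile(
    r"^https?://(?P<host>[^/\s]+)/(?P<token>[A-Za-z0-9]{32})/(?P<dll>[A-Za-z0-9_]+\.dll)$",
    re.IGNORECASE,
)

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def classify_file(path: Path, iocs: Dict[str, str] = IOC_HASHES) -> str:
    """'confirmed': name and hash are in the IOC list. 'suspicious': a tracked helper-DLL
    name is present but its hash is not listed (rebuilt or repacked copy). 'clean': otherwise."""
    name = path.name.lower()
    if name not in iocs:
        return "clean"
    return "confirmed" if sha256_file(path) == iocs[name] else "suspicious"

def scan_lowdir(lowdir: Path, iocs: Dict[str, str] = IOC_HASHES) -> List[Tuple[str, str]]:
    """Non-recursive scan: the IOC paths put the DLLs directly in the LocalLow root."""
    hits: List[Tuple[str, str]] = []
    for p in sorted(lowdir.iterdir()):
        if p.is_file():
            verdict = classify_file(p, iocs)
            if verdict != "clean":
                hits.append((p.name, verdict))
    return hits

def match_download_urls(urls: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (host, dll) for URLs shaped like the helper-DLL downloads that name a tracked DLL."""
    found: List[Tuple[str, str]] = []
    for url in urls:
        m = DLL_URL_RE.match(url.strip())
        if m and m.group("dll").lower() in IOC_HASHES:
            found.append((m.group("host"), m.group("dll").lower()))
    return found

def build_sample_lowdir() -> Path:
    """Constructed stand-in for the LocalLow directory. The DLL bodies are placeholder bytes,
    not real libraries, so their hashes are deliberately absent from IOC_HASHES."""
    d = Path(tempfile.mkdtemp(prefix="locallow_"))
    (d / "nss3.dll").write_bytes(b"placeholder, not the real NSS library")
    (d / "sqlite3.dll").write_bytes(b"placeholder, not the real sqlite3")
    (d / "notes.txt").write_bytes(b"unrelated user file")
    return d

# Constructed proxy-log URLs; 198.51.100.7 (RFC 5737 documentation range) stands in for the C2.
SAMPLE_URLS = [
    "http://198.51.100.7/",
    "http://198.51.100.7/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll",
    "https://cdn.example.com/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/jquery.js",
    "http://198.51.100.7/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/kernel32.dll",
    "http://198.51.100.7/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll",
]

def run_demo() -> dict:
    lowdir = build_sample_lowdir()
    # IOC table whose sqlite3.dll hash is that of the placeholder bytes, so the 'confirmed'
    # branch is exercised without shipping the real malware.
    constructed_iocs = {"sqlite3.dll": hashlib.sha256(b"placeholder, not the real sqlite3").hexdigest()}
    return {
        "lowdir_hits": scan_lowdir(lowdir),
        "sqlite3_vs_constructed_ioc": classify_file(lowdir / "sqlite3.dll", constructed_iocs),
        "url_hits": match_download_urls(SAMPLE_URLS),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it as a script to print the three verdict sets. On a live host, point `scan_lowdir` at the real `%USERPROFILE%\AppData\LocalLow` and feed `match_download_urls` the URLs from proxy logs. A name-only hit is still worth triage: rebuilt or repacked copies of these helper libraries will not hash-match the table, which is why the hash check alone is not the whole detection. The `kernel32.dll` sample URL shows the second filter at work: it has the right shape but is not one of the DLLs the stealer fetches, so it is dropped.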