Raccoon

15
Global rank
12
Month rank
11
Week rank
2582
IOCs

Raccoon is an info stealer type malware available as a Malware as a Service. It can be obtained for a subscription and costs $200 per month. Raccoon malware has already infected over 100,000 devices and became one of the most mentioned viruses on the underground forums in 2019.

Stealer
Type
ex-USSR
Origin
1 February, 2019
First seen
3 June, 2023
Last seen
Also known as
Mohazo
Racealer

How to analyze Raccoon with ANY.RUN

Stealer
Type
ex-USSR
Origin
1 February, 2019
First seen
3 June, 2023
Last seen

IOCs

IP addresses
94.131.107.229
176.58.98.13
79.137.206.158
51.195.166.184
94.142.138.3
172.67.158.196
45.144.28.189
5.255.127.159
185.163.204.81
85.159.212.113
172.67.157.201
104.21.8.173
2.58.56.247
104.21.66.99
212.118.41.216
77.105.140.199
145.14.157.20
104.193.254.97
193.233.134.80
212.113.119.153
Hashes
0cd17dc9189afced57976af6abc0d1315f6ec87c097c148cdd59fbf8a34d41ff
0c1226d05d81a2f2f9ed910fff598bd00a0cb7ae43b3793735d45de1f35b838f
82363b5e1e7d56c1519c9de6f2df70ff4be092a404203969b512767d0803b6f7
28c1edc4fa9f29fde994540cd25402fd47d46404eb1ebbfc0fc0a245bf03bd04
43f48b33734f2b7ab20e3798845f8411723f643a15c9833b86942ab6beb9d4fe
34a4a22df4b0adc0662b7127e4a010d7cb416eaca7eff32aaf939ce914ca5846
81ae7aea498cdd4d50470b3dcd54088d7bce5bf5f6019b08d9d558acd190cb4d
1e5c7dcfbe4a1e9da06229b4512229c463b0268832b9cb6cdb35a1153963be37
9c947ac6b856728c38d6ffb20210d8c41034517705057cfaf754bdc1912d00c1
16825520a8bb99ab781de7be8a936e2110906d805dfe27d2e73e9611d198223d
92daab0dd63755ade525163518eba1ec286149dce12bca77e8db01a29cc725e7
97a5f327dc7b9b07fbb78b448fb2b96bcb0822c50bb5816390a4597fda1eec3f
6c07cb1892760f9bbb19d05b784d7a544e2d62e69b7ed65450a3e58bb099d05d
205bbb1c399ebabf9dfba9814047cab1f228fab1980e6a9e4c8a484492d876af
972385a61cc340b61a7e3101c1854a589ef2a61df0cc31ef680a329c2e68f0e6
d8180ece9a84f9a3bea9ea655ae82f545be29e4305d33ecbf8704eeef83ca073
2441721595344866251f220536f40eb877df6f30e392c13156712c55598717a0
fa76358c408f2f34a3bbf52c5b9903a3e105265ca07ae67d41caf596b99834a9
25128763bec88f9e6b4a99d05f4aa46fd3694452851fda8b1b5cbc0eb0474fa6
80cc4b9b573e536f8894ddbd23c69e2950629d0a29b0b19a12a4412f00ab6ae4
Domains
vcctggqm3t.dattolocal.net
tanda.com
vidstream.pro
p3.adhitzads.com
eltem.iptime.org
elx01.knas.systems
njxyro.ddns.net
192-168-100-240.otmn.direct.quickconnect.to
192-168-100-240.otmn.direct.quickconnect.to
frederikkempe.com
majul.com
device-local-3193b8ff-0889-41c5-8fd6-67066f88b277.remotewd.com
qxq.ddns.net
searchkn1.sima-land.ru
www.brujas.club
isns.net
krupskaya.com
m-onetrading-jp.com
thuocnam.tk
www.scammer.com
Last Seen at

Recent blog posts

recentPost
How to Create a Task in ANY.RUN:a Step-by-Ste...
watchers 311
comments 0
recentPost
ChatGPT for SOC and Malware Analysis professi...
watchers 5387
comments 0
recentPost
Deobfuscating the Latest GuLoader: Automating...
watchers 3240
comments 3

Raccoon is an information stealer malware — a virus that threat actors use to retrieve sensitive data from infected machines. Also known as Mohazo and Racealer, this is a modern malware that was first sighted in 2019.

Although some consider this a relatively basic malware, excellent service from creators, who distribute it as malware as a service and a user-friendly, simplistic dashboard, helped make Raccoon quite popular. In fact, the malware has already managed to infect upwards of 100,000 devices and became one of the most mentioned viruses in hacker communities.

General description of Raccoon malware

Raccoon malware comes with fairly basic info stealer functions like RedLine and by itself lacks any kind of antivirus protection. There are also no functions that would complicate the analysis of the malware. However, Raccoon developers do suggest using a third-party crypter.

When it comes to the core functionality this virus depending on the configuration enabled by an attacker, can check system settings, capture screenshots, collect basic information like OS version, IP and username and steal passwords and logins from a variety of browsers. On top of that, the stealer can retrieve information from Microsoft Outlook as well as steal cryptocurrency wallets.

When the data collection process ends the data is packed into a .ZIP archive that is then sent to the attackers' server.

The functions described above are rather basic, however, reportedly excellent service provided by the malware creators helped make this virus quite popular. The team behind this virus pushes out constant improvements and fixes based on user feedback.

By providing an easy-to-use dashboard Raccoon developers ensured that even non-technically savvy attackers can operate this malware successfully by customizing its configurations effortlessly. Hundreds of thousands of infected victims in a matter of months since the malware’s release is the result.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Speaking of the team behind Raccoon. The identities of the people behind this virus are a mystery, but some known members of the hacker community are known to have connections with this virus. Evidence suggests that one of the people behind Raccoon is known in the online community as glad0ff. A long known hacker who is responsible for the development of multiple malicious programs like crypto miners and RATs.

However, he does not seem to be working alone as some information about the disputes within the team has been leaked online. For instance, in one message an individual accuses someone-else from the of stealing from a common account, leaving the project, and attempting to scam customers.

There is also reason to believe that Raccoon was developed by Russian-speaking hackers. This is suggested by mistakes in the English language found in the control panel as well as the fact that the malware stops execution if it detects that the victim is from Russia, Ukraine, Belarus, Kazakhstan, Kyrgyzstan, Armenia Tajikistan, or Uzbekistan. In addition, technical support is available in Russian and English languages, which also points to a potential x-USSR origin of the attackers.

Raccoon malware analysis

A video available in the ANY.RUN malware hunting service shows how a machine gets infected with Raccoon in real-time.

raccoon_process_graph

Figure 1: Here we can see the execution process of Raccoon. This graph was created in ANY.RUN.

racoon_text_report

Figure 2: Shows a text report that can help collect data about the malware execution in one place or make a presentation.

Raccoon execution process

Since Raccoon malware is a pretty standard example of a stealer-type malware, its execution process does not exactly stand out. In our analysis case, after the malware made its way into the infected system (does not matter which delivery method it would use) it downloaded additional modules from the Internet. These modules are mostly DLL dependencies which Raccoon requires to work correctly. After that, the malware began stealing information from browsers and the system and stored stolen data in an archive file. The file, in turn, was sent to the C2 server. Probably the same C&C server it was built in. Note that some versions of the Raccoon malware delete themselves after execution while others don't.

Raccoon stealer distribution

Raccoon stealer malware is distributed using multiple channels like browsers, however, the most popular destruction method is through the use of exploit kits. Attackers can even manage campaign configurations via the control panel. The malware utilizes mainly the Fallout exploit kit. This delivery method makes it possible for the infection to occur even without active user interaction — victims get infected while simply surfing the web.

The malware also makes its way to victim’s PCs Microsoft Office document attachments that are being distributed in mail spam campaigns. The contaminated document contains a macro that downloads the malware when enabled.

In addition, hackers have set up a Dropbox account where the malware is stored inside a .IMG file. Attackers use social engineering to trick victims into opening a malicious URL and download the infected file.

Finally, the last distribution method is “bundled malware”. When users download real software from suspicious websites sometimes Raccoon comes as an unwanted part of the package bundled with the legitimate program.

How to detect Raccoon using ANY.RUN?

Some malware creates files in which it named itself. You can find such info about Raccoon malware trojan using ANY.RUN's "Static Discovering". Open either the "Files" tab in the lower part of the task's window or click on the process and then on the button "More Info" in the appeared window. After that, all you need to do is just click on the file.

raccoon_static_discovering

Conclusion

While Raccoon malware is not a very technically advanced malicious program like Ursnif or Hawkeye, Raccoon sure made a lot of noise in the underground community in 2019, when it was first released. Available as a service for $200 per month, it came equipped with everything necessary to start a malware attack. And if a customer couldn’t do it on their own, they could always get support from the team behind this malware.

In fact, underground forums are filled with raving feedback about the excellent work of Raccoon support staff. Some even say that they were treated like real VIPs.

Developers have also shown that they are capable of rolling out updates very quietly and promise to upgrade the malware with Keylogger functionality in the near future.

While technical simplicity makes this threat relatively easy to defend against at the moment, growing popularity, extreme ease of use, and potential future improvement certainly suggest that this malware can become a big phenomenon. Some even say that Raccoon will replace Azorult.

ANY.RUN malware hunting service provides researchers with the ability to study samples of Raccoon in a controlled interactive environment and learn as much as possible about this malware. Hopefully, together we will neutralize or at least medicate the fallout from this and other cybersecurity threats.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy