
Raccoon is an info stealer type malware available as a Malware as a Service. It can be obtained for a subscription and costs $200 per month. Raccoon malware has already infected over 100,000 devices and became one of the most mentioned viruses on the underground forums in 2019.

Type: Stealer
Origin: ex-USSR
First seen: 1 February, 2019
Last seen: 29 September, 2025
Also known as: Mohazo, Racealer

How to analyze Raccoon with ANY.RUN


IOCs

IP addresses
93.115.22.159
93.115.22.165
94.142.138.147
89.23.107.183
5.78.81.39
157.90.161.111
5.78.80.43
194.87.31.58
185.193.125.199
193.222.96.7
Hashes
e441f76f21f624136a63e22a03fe2f32674d47e9869091524eb5037303e60a51
5459853dee95ac5619cf480d85091fd966b9e803fcfd3fa3657867fc5cf8bf3d
5c99eb2387267ead33d262d96c50b078a56807726841b409f358d60f066325fe
171b6f98a0b8dc135ef1c2b25c7c5f8f7aaebb2e7ab0d7614c0fef18943403da
18287cdb57c003ec142374e12dad1384cea60ec47fd4c9e52c25188541eb7d8d
c31757bd0ff0850199dd28d6db0bc174cd7dff38126979bfef5d8a21b361d22c
71069db69f2f329fb6db239ba43f59cc4e6f3073d4b6e395b87c3b5fb8b6d801
615626311e5585ca29b9d589fd213e8e1195f9c99c073e5aaf2bda6eeeb896f7
d306be54458ea5c162a9d6f82b4545fb7e399041c4baf4783be1cbe559f13872
74da82468886e1fe5d3d2fd98035e69ec9b2ac77f48bd42b48f5f20f016703a8
e6216bf0b023119fd7452c847697e20d2725e10428c616ef2ce05958adff3cf2
4b4e2cb90f19ec78d76ee50e62baf1d609efa74716f92cc1f42921716372553a
184e98107496e5859dd0f09c42deffffaf0cc9362cc192f0e89bf2c4b20d82fd
696a95cf33aa6b46f668767198df73293ad3dba14b80a1e918bdd05a716480cf
e5f7ceca2e1e28f3d66a4eee123e075f4e69c03792c49fa9b4f0c7e55e32148b
a721fc0d9ef18fe4ee9b4a42134292cd0c588cacb3d2d28ef9fdb585eb4cd774
0afcea05106a649eae4e8bd387f73f6e54f126afc2b89f47d8f43bcf8732bfc7
0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a
32b13fb13aa4da8b4809776fe2345fdf7164ecb5d0903aee94929ab415c01e63
43630c9fda7054562a21db7a11df3b35e73001b9d81eb1591ab785bdb2e5cd2a
Domains
mehranschool.org
URLs
http://89.185.85.53/
http://77.73.134.30/
http://176.113.115.217/
http://172.86.75.144/
http://80.92.206.80/
http://92.204.160.116/
http://45.15.156.38/
http://37.220.87.6/
http://79.137.196.11/
http://194.37.80.221/
http://185.25.51.202/
http://5.42.199.17/
http://185.246.220.214/
http://88.210.9.212/
http://45.15.156.120/
http://79.137.205.87/
http://51.195.166.180/
http://146.70.125.95/
http://159.69.241.241/
http://172.86.121.106/
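The indicator list above is only useful once it is matched against telemetry, so here is an added example (not code from ANY.RUN or from the page) that parses an IOC block in exactly the layout shown above and scans log lines for hits. Only a subset of the page's indicators is embedded to keep it short; the log lines and the `10.0.0.x` hosts are constructed sample data, and the log formats are assumptions, not any real product's format.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# IOC block in the same layout as the page (category heading, then one value
# per line). Subset of the page's indicators; the parser takes the full list unchanged.
RACCOON_IOC_TEXT = """\
IP addresses
93.115.22.159
94.142.138.147
5.78.81.39
Hashes
e441f76f21f624136a63e22a03fe2f32674d47e9869091524eb5037303e60a51
5459853dee95ac5619cf480d85091fd966b9e803fcfd3fa3657867fc5cf8bf3d
Domains
mehranschool.org
URLs
http://89.185.85.53/
http://45.15.156.38/
"""

CATEGORIES = {"IP addresses": "ip", "Hashes": "sha256", "Domains": "domain", "URLs": "url"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.I)


def parse_ioc_block(text):
    """Parse the heading/values layout into {"ip"|"sha256"|"domain"|"url": set(values)}.
    The host of every URL indicator is also added as an IP or domain indicator,
    because a C2 host is worth matching even when the exact path differs."""
    iocs = defaultdict(set)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in CATEGORIES:
            current = CATEGORIES[line]
            continue
        if current is None:
            raise ValueError(f"value before any category heading: {line!r}")
        iocs[current].add(line.lower())
    for url in list(iocs["url"]):
        host = urlparse(url).hostname
        if host:
            kind = "ip" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else "domain"
            iocs[kind].add(host)
    return iocs


# Constructed sample events (not real telemetry): proxy, EDR and DNS lines.
SAMPLE_EVENTS = [
    "2024-05-01T10:02:11Z proxy src=10.0.0.12 dst=93.115.22.159 method=POST url=http://93.115.22.159/ bytes=48213",
    "2024-05-01T10:02:15Z proxy src=10.0.0.12 dst=142.250.74.46 method=GET url=https://www.google.com/ bytes=1023",
    "2024-05-01T10:03:02Z edr host=WS-17 event=file_create path=C:\\Users\\u\\AppData\\Local\\Temp\\x.exe "
    "sha256=E441F76F21F624136A63E22A03FE2F32674D47E9869091524EB5037303E60A51",
    "2024-05-01T10:04:40Z dns host=WS-17 query=mehranschool.org answer=203.0.113.9",
    "2024-05-01T10:05:00Z proxy src=10.0.0.13 dst=45.15.156.38 method=GET url=http://45.15.156.38/ bytes=2201",
]


def scan_event(line, iocs):
    """Return the de-duplicated list of (category, value) indicators found in one line."""
    hits, seen = [], set()

    def add(category, value):
        value = value.lower()
        if value in iocs[category] and (category, value) not in seen:
            seen.add((category, value))
            hits.append((category, value))

    for v in IPV4_RE.findall(line):
        add("ip", v)
    for v in SHA256_RE.findall(line):
        add("sha256", v)
    for v in DOMAIN_RE.findall(line):
        add("domain", v)
    for v in URL_RE.findall(line):
        add("url", v)
    return hits


def scan_events(lines, iocs):
    """Map each matching log line to its hits; clean lines are left out."""
    report = {}
    for line in lines:
        hits = scan_event(line, iocs)
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for line, hits in scan_events(SAMPLE_EVENTS, parse_ioc_block(RACCOON_IOC_TEXT)).items():
        print(hits, "<-", line[:60])
```

Hash comparison is case-insensitive because EDR products disagree on hex case, and the URL match is exact, so a sighting of the bare C2 IP still surfaces through the derived IP indicator rather than being lost.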


Raccoon is an information stealer malware — a virus that threat actors use to retrieve sensitive data from infected machines. Also known as Mohazo and Racealer, this is a modern malware that was first sighted in 2019.

Although some consider it a relatively basic malware, Raccoon became quite popular thanks to the excellent service from its creators, who distribute it as malware as a service, and to a user-friendly, simplistic dashboard. In fact, the malware has already managed to infect upwards of 100,000 devices and became one of the most mentioned viruses in hacker communities.

General description of Raccoon malware

Raccoon malware comes with fairly basic info stealer functions, like RedLine, and by itself has no built-in protection against antivirus detection. There are also no functions that would complicate the analysis of the malware. However, Raccoon developers do suggest using a third-party crypter.

As for core functionality, depending on the configuration enabled by an attacker, this virus can check system settings, capture screenshots, collect basic information like OS version, IP and username, and steal passwords and logins from a variety of browsers. On top of that, the stealer can retrieve information from Microsoft Outlook as well as steal cryptocurrency wallets.

When the data collection process ends the data is packed into a .ZIP archive that is then sent to the attackers' server.

The functions described above are rather basic; however, the reportedly excellent service provided by the malware creators helped make this virus quite popular. The team behind this virus pushes out constant improvements and fixes based on user feedback.

By providing an easy-to-use dashboard, Raccoon developers ensured that even non-technically savvy attackers can operate this malware successfully by customizing its configuration effortlessly. The result was hundreds of thousands of infected victims within months of the malware's release.


Speaking of the team behind Raccoon: the identities of the people behind this virus are a mystery, but some known members of the hacker community are known to have connections with it. Evidence suggests that one of the people behind Raccoon is known in the online community as glad0ff, a long-known hacker who is responsible for the development of multiple malicious programs like crypto miners and RATs.

However, he does not seem to be working alone, as some information about disputes within the team has been leaked online. For instance, in one message an individual accuses someone else from the team of stealing from a common account, leaving the project, and attempting to scam customers.

There is also reason to believe that Raccoon was developed by Russian-speaking hackers. This is suggested by mistakes in the English language found in the control panel, as well as the fact that the malware stops execution if it detects that the victim is from Russia, Ukraine, Belarus, Kazakhstan, Kyrgyzstan, Armenia, Tajikistan, or Uzbekistan. In addition, technical support is available in Russian and English, which also points to a potential ex-USSR origin of the attackers.

Raccoon malware analysis

A video available in the ANY.RUN malware hunting service shows how a machine gets infected with Raccoon in real-time.

Read a detailed analysis of Raccoon Stealer 2.0 in our blog.

raccoon_process_graph

Figure 1: Here we can see the execution process of Raccoon. This graph was created in ANY.RUN.

racoon_text_report

Figure 2: A text report that collects data about the malware execution in one place and can be used for a presentation.

Raccoon execution process

Since Raccoon malware is a pretty standard example of stealer-type malware, its execution process does not exactly stand out. In our analysis case, after the malware made its way into the infected system (regardless of the delivery method used), it downloaded additional modules from the Internet. These modules are mostly DLL dependencies which Raccoon requires to work correctly. After that, the malware began stealing information from browsers and the system and stored the stolen data in an archive file. The file, in turn, was sent to the C2 server, probably the same C&C server the sample was built on. Note that some versions of the Raccoon malware delete themselves after execution while others don't.
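The chain described above (DLL dependencies fetched from a remote host, browser data read, an archive written, the archive sent to the C2) is what a sandbox or EDR analyst would correlate on. The following is an added example, not ANY.RUN's detection logic or code from the page: a small per-process stage correlator run over a constructed process trace. The event schema, the `203.0.113.45` host and the file paths are assumptions made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Event:
    ts: int        # sequence number within the trace (constructed)
    pid: int
    kind: str      # "net_get", "file_read", "file_write" or "net_post"
    target: str    # URL, file path or destination


# Constructed trace, assumed to come from a sandbox process monitor; not real data.
# PID 4120 follows the stealer chain from the text; PID 5001 is a benign browser-like
# process that reads its own credential store and talks to the web.
SAMPLE_TRACE = [
    Event(1, 4120, "net_get", "http://203.0.113.45/sqlite3.dll"),
    Event(2, 4120, "net_get", "http://203.0.113.45/nss3.dll"),
    Event(3, 4120, "file_write", r"C:\Users\user\AppData\Local\Temp\nss3.dll"),
    Event(4, 4120, "file_read", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(5, 4120, "file_read", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\logins.json"),
    Event(6, 4120, "file_write", r"C:\Users\user\AppData\Local\Temp\data.zip"),
    Event(7, 4120, "net_post", "http://203.0.113.45/"),
    Event(8, 5001, "file_read", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(9, 5001, "net_post", "https://accounts.example.com/"),
]

# Browser credential/cookie store file names used as the credential-access signal.
CREDENTIAL_STORES = ("Login Data", "logins.json", "Cookies")
# Expected order of the chain; a process is flagged when enough stages appear in this order.
STAGES = ("dll_download", "credential_access", "archive_staging", "exfil")


def stage_of(ev):
    """Map one event to a chain stage, or None if it is not a signal."""
    target = ev.target.lower()
    if ev.kind == "net_get" and target.endswith(".dll"):
        return "dll_download"
    if ev.kind == "file_read" and ev.target.endswith(CREDENTIAL_STORES):
        return "credential_access"
    if ev.kind == "file_write" and target.endswith((".zip", ".7z", ".rar")) and "\\temp\\" in target:
        return "archive_staging"
    if ev.kind == "net_post":
        return "exfil"
    return None


def detect_stealer_chain(trace, min_stages=3):
    """Per process, record when each stage first appears. Flag a process when at
    least `min_stages` stages occur in STAGES order, and report whether the
    exfil host equals the host that served the DLLs (the text notes the data
    usually goes back to the server the sample was built on)."""
    first_seen = defaultdict(dict)
    hosts = defaultdict(dict)
    for ev in sorted(trace, key=lambda e: e.ts):
        stage = stage_of(ev)
        if stage and stage not in first_seen[ev.pid]:
            first_seen[ev.pid][stage] = ev.ts
            if stage in ("dll_download", "exfil"):
                hosts[ev.pid][stage] = urlparse(ev.target).hostname
    findings = {}
    for pid, seen in first_seen.items():
        ordered = [s for s in STAGES if s in seen]
        times = [seen[s] for s in ordered]
        if len(ordered) >= min_stages and times == sorted(times):
            h = hosts[pid]
            same_host = (h["dll_download"] == h["exfil"]) if len(h) == 2 else None
            findings[pid] = {"stages": ordered, "same_host_as_loader": same_host}
    return findings


if __name__ == "__main__":
    for pid, finding in detect_stealer_chain(SAMPLE_TRACE).items():
        print(pid, finding)
```

Requiring three ordered stages rather than any single signal is what keeps the benign browser process (credential store read followed by a POST) out of the findings, while the loader-host check gives the analyst a concrete C2 candidate to pivot on.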

Raccoon stealer distribution

Raccoon stealer malware is distributed using multiple channels, like browsers; however, the most popular distribution method is through the use of exploit kits. Attackers can even manage campaign configurations via the control panel. The malware utilizes mainly the Fallout exploit kit. This delivery method makes it possible for the infection to occur even without active user interaction — victims get infected while simply surfing the web.

The malware also makes its way to victims' PCs via Microsoft Office document attachments that are distributed in mail spam campaigns. The contaminated document contains a macro that downloads the malware when enabled.

In addition, hackers have set up a Dropbox account where the malware is stored inside a .IMG file. Attackers use social engineering to trick victims into opening a malicious URL and downloading the infected file.

Finally, the last distribution method is “bundled malware”. When users download real software from suspicious websites sometimes Raccoon comes as an unwanted part of the package bundled with the legitimate program.

How to detect Raccoon using ANY.RUN?

Some malware creates files that contain its own name. You can find such information about the Raccoon malware trojan using ANY.RUN's "Static Discovering". Open either the "Files" tab in the lower part of the task's window, or click on the process and then on the "More Info" button in the window that appears. After that, all you need to do is click on the file.

raccoon_static_discovering

Conclusion

While Raccoon malware is not a very technically advanced malicious program like Ursnif or Hawkeye, Raccoon sure made a lot of noise in the underground community in 2019, when it was first released. Available as a service for $200 per month, it came equipped with everything necessary to start a malware attack. And if a customer couldn’t do it on their own, they could always get support from the team behind this malware.

In fact, underground forums are filled with raving feedback about the excellent work of Raccoon support staff. Some even say that they were treated like real VIPs.

Developers have also shown that they are capable of rolling out updates very quietly and promise to upgrade the malware with Keylogger functionality in the near future.

While technical simplicity makes this threat relatively easy to defend against at the moment, growing popularity, extreme ease of use, and potential future improvement certainly suggest that this malware can become a big phenomenon. Some even say that Raccoon will replace Azorult.

The ANY.RUN malware hunting service provides researchers with the ability to study samples of Raccoon in a controlled interactive environment and learn as much as possible about this malware. Hopefully, together we will neutralize, or at least mitigate, the fallout from this and other cybersecurity threats.
