{
	"id": "3cac6056-abe2-4726-a2eb-b2a121f20218",
	"created_at": "2026-04-06T00:19:37.173227Z",
	"updated_at": "2026-04-10T13:11:29.442408Z",
	"deleted_at": null,
	"sha1_hash": "0078d4a05a3d3972f5a7524dd49d7d9469b7da1f",
	"title": "New Generation of Raccoon Stealer v2 | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 765135,
	"plain_text": "New Generation of Raccoon Stealer v2 | Zscaler\r\nBy Sarthak Misraa\r\nPublished: 2022-07-29 · Archived: 2026-04-05 12:48:55 UTC\r\nIntroduction\r\nRaccoon is a malware family that has been sold as malware-as-a-service on underground forums since early\r\n2019. In early July 2022, a new variant of this malware was released. The new variant, popularly known as\r\nRaccoon Stealer v2, is written in C unlike previous versions which were mainly written in C++.\r\nThe Raccoon Malware is a robust stealer that allows stealing of data such as passwords, cookies, and autofill data\r\nfrom browsers. Raccoon stealers also support theft from all cryptocurrency wallets.\r\nIn this blog, ThreatLabz will analyze Raccoon Stealer v2 in the exe format, and highlight key differences from its\r\npredecessors. The authors of the Raccoon Stealer malware have announced that other formats are available,\r\nincluding DLLs and embedded in other PE files.\r\nDetailed Analysis\r\nRaccoon v2 is an information stealing malware that was first seen on 2022-07-03. The malware is written in C and\r\nassembly.\r\nThough we noticed a few new features in the newer variant as mentioned below, the data stealing mechanism is\r\nstill the same as is seen in its predecessor:\r\n1. Base64 + RC4 encryption scheme for all string literals\r\n2. Dynamic Loading Of WinAPI Functions\r\n3. Discarded the dependence on Telegram API\r\nWe have noticed a significant change in the way list of command and control servers is obtained. The Raccoon\r\nMalware v1 was seen abusing the Telegram network to fetch the list of command and control servers, whereas the\r\nnewer variant has abandoned the use of Telegram. 
Instead, it uses the hardcoded IP address of a threat-actor-controlled server to fetch the list of command and control servers from which the next-stage payloads (mostly DLLs) are downloaded.\r\nFile Information\r\nMalware Name: Raccoon Stealer v2\r\nLanguage: C\r\nFile Type: exe\r\nhttps://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family\r\nPage 1 of 17\n\nFile Size: 56832\r\nMD5: 0cfa58846e43dd67b6d9f29e97f6c53e\r\nSHA1: 19d9fbfd9b23d4bd435746a524443f1a962d42fa\r\nSHA256: 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03\r\nDebug Information\r\nThe analyzed file has its debug data intact. According to the debug headers, the compilation date was Thursday, 26/05/2022 13:58:25 UTC, as shown in Figure 1.\r\nFigure 1: Raccoon v2 Debug Headers\r\nWe have also seen a change in how Raccoon Stealer v2 hides its intentions: API names are resolved dynamically at run time rather than imported statically. The stealer uses LoadLibraryW and GetProcAddress to resolve each of the necessary functions (shown in Figure 2). The names of the DLLs and WinAPI functions are stored in the binary as clear text, so the dynamic resolution keeps them out of the import table but not out of a strings listing.\r\nFigure 2: Raccoon v2 dynamic resolution\r\nList Of Loaded DLLs\r\n1. kernel32.dll\r\n2. Shlwapi.dll\r\n3. Ole32.dll\r\n4. WinInet.dll\r\n5. Advapi32.dll\r\n6. User32.dll\r\n7. Crypt32.dll\r\n8. Shell32.dll\r\nRaccoon v1 did not employ dynamic resolution of the functions it used, so packed samples were often observed in the wild to evade detection mechanisms. Conversely, Raccoon v2 is often delivered unpacked. 
Figure 3 shows the imported DLLs for Raccoon v1.\r\nFigure 3: Raccoon Stealer v1 imports (unpacked)\r\nOnce the functions are resolved, the stealer runs its string decryption routine. The routine is simple: RC4-encrypted strings are stored in the sample with Base64 encoding. The sample first decodes the Base64 and then decrypts the resulting bytes with RC4 using the key ‘edinayarossiya’. This routine is applied to every string in the function string_decryption(), which is shown in Figure 4.\r\nFigure 4: Raccoon v2 String Decryption Routine\r\nPrevious versions of Raccoon Stealer did not encrypt string literals other than the hard-coded IP addresses. Raccoon v2 closes this gap by encrypting all of its plaintext strings. Several of the plaintext strings of Raccoon v1 are shown in Figure 5.\r\nFigure 5: Plaintext Strings In Raccoon v1\r\nAfter manual decryption of the Raccoon v2 sample strings, the plaintext strings shown in Figure 6 and Figure 7 were obtained.\r\nFigure 6: Raccoon v2 Decrypted Strings\r\nFigure 7: Raccoon v2 Decrypted Strings\r\nThe command and control IP addresses are stored in the malware and follow the same decryption routine, but with a different key, 59c9737264c0b3209d9193b8ded6c127. The IP address contacted by the malware is ‘hxxp://51(.)195(.)166(.)184/’.\r\n
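The string decryption routine described above, as an added worked example: this is a Python reimplementation of the scheme the analysis describes (Base64 decode, then RC4 under a fixed key), not code from the page, the malware, or Zscaler. It uses the two keys quoted above, ‘edinayarossiya’ for ordinary literals and 59c9737264c0b3209d9193b8ded6c127 for the C2 address. Because the page shows the ciphertext only in screenshots, the sample blobs are constructed here by running the same scheme forward; splitting the decrypted C2 blob on NUL, carriage return or pipe separators is an assumption of this example, not something the analysis states.

```python
import base64
import binascii
from typing import Optional

# Keys reported in the analysis: one for ordinary string literals, one for the C2 address blob.
KEY_STRINGS = 'edinayarossiya'
KEY_C2 = '59c9737264c0b3209d9193b8ded6c127'


def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4: key-scheduling algorithm, then the keystream XORed over the data.
    # RC4 is symmetric, so the same call encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(blob: str, key: str = KEY_STRINGS) -> Optional[str]:
    # Raccoon v2 order of operations: Base64-decode the stored literal, then RC4-decrypt it.
    # Strict Base64 validation so a blob that is not really Base64 yields None instead of garbage.
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return rc4(key.encode(), raw).decode('utf-8', errors='replace')


def encrypt_string(plaintext: str, key: str = KEY_STRINGS) -> str:
    # Inverse direction, used only to build constructed test blobs in the same layout.
    return base64.b64encode(rc4(key.encode(), plaintext.encode())).decode('ascii')


def decrypt_c2_list(blob: str) -> list:
    # The C2 blob uses the same scheme under KEY_C2. Assumption (not stated in the analysis):
    # several addresses may be packed in one blob, separated by NUL, CR or pipe characters.
    text = decrypt_string(blob, KEY_C2)
    if text is None:
        return []
    for sep in (chr(0), chr(13), '|'):
        text = text.replace(sep, chr(10))
    return [part.strip() for part in text.split(chr(10)) if part.strip()]


# Constructed samples: produced by encrypt_string above, not extracted from the binary.
# chr(92) is a backslash, used so the registry path needs no escape sequence here.
SAMPLE_LITERALS = {
    'dll': encrypt_string('Crypt32.dll'),
    'reg': encrypt_string('SOFTWARE' + chr(92) + 'Microsoft' + chr(92) + 'Cryptography'),
}
SAMPLE_C2_BLOB = encrypt_string('http://51.195.166.184/' + chr(0), KEY_C2)


def decrypt_all(literals: dict) -> dict:
    # Decrypt every stored literal, keeping None for anything that fails the strict Base64 check.
    return {name: decrypt_string(blob) for name, blob in literals.items()}


if __name__ == '__main__':
    for name, value in decrypt_all(SAMPLE_LITERALS).items():
        print(name, value)
    print(decrypt_c2_list(SAMPLE_C2_BLOB))
```

Against a real sample the blobs are the Base64 strings lifted from the binary; the same functions also give a quick answer to whether a suspected new build still uses these keys, since a wrong key yields unreadable bytes rather than the DLL names and registry paths seen in Figures 6 and 7.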
The decryption routine is shown in Figure 8.\r\nFigure 8: IP Address Decryption Raccoon v2\r\nDecrypting Command and Control IP Address\r\nThe encrypted command and control IP address can be decrypted with public tools such as CyberChef (a ‘From Base64’ operation followed by ‘RC4’ with the key above), as shown in Figure 9.\r\nFigure 9: Raccoon v2 IP Address (via cyberchef utils)\r\nThis technique is common to both versions of the malware. Figure 10 shows the same routine employed in Raccoon v1.\r\nFigure 10: Raccoon v1 setting up overhead before IP Address decryption\r\nOnce the functions are set up and the strings are decrypted, the malware performs some checks before contacting the command and control server to download malicious DLLs and exfiltrate information.\r\nOverhead Before Exfiltration\r\nBefore executing its core, the malware makes certain checks to understand the execution environment. This includes making sure the malware isn't already running on the machine and checking whether it is running as NT AUTHORITY\\SYSTEM.\r\nThe malware obtains a handle to a mutex and checks the result against a fixed value; only if the check passes does execution continue.\r\nValue: 8724643052\r\nThis is the usual technique for making sure only one instance of the malware runs at a time. 
Figure 11 depicts the mutex check and creation for Raccoon v2, while Figure 12 depicts the similar procedure used in Raccoon v1.\r\nFigure 11: Raccoon v2 Mutex Check\r\nFigure 12: Raccoon v1 Mutex Check\r\nBy retrieving the process token and comparing its user SID against the string \"S-1-5-18\" (the well-known SID of the Local System account), as shown in Figure 13, the malware determines whether or not it is operating as the SYSTEM user.\r\nFigure 13: Raccoon v2 Enumerating Process Token\r\nIf it is running as SYSTEM, it enumerates all running processes with the help of fun_CreateToolhelp32Snapshot. Otherwise, the malware moves forward without the enumeration. Figure 14 shows the 'enumerate_processes()' function being called, while Figure 15 shows the malware iterating over the processes.\r\nFigure 14: Raccoon v2 Enumerate Process\r\nFigure 15: Raccoon v2 Iterating Process Struct\r\nFingerprinting Host\r\nOnce the malware is aware of the environment in which it's running, it starts to fingerprint the host. For this it uses functions such as:\r\n1. RegQueryValueExW for fetching the machine ID\r\n2. 
GetUserNameW for fetching the username\r\nFigure 16 depicts the malware retrieving the machine ID from the registry key \"SOFTWARE\\Microsoft\\Cryptography\" via the RegOpenKeyExW and RegQueryValueExW functions. Figure 17 depicts the malware using the GetUserNameW function to retrieve the username.\r\nFigure 16: Raccoon v2 Fetching MachineID\r\nFigure 17: Raccoon v2 Fetching Username\r\nFigure 18: Raccoon v2: Username Buffer\r\nWith the machine ID and username collected, the malware sends them to the remote command and control server.\r\nFor this purpose, the malware creates a char string and appends these values to it, starting with the machine ID and the username. Figure 19 shows the built payload in the buffer.\r\nFigure 19: Raccoon v2: Fingerprinting Payload\r\nNext, it generates and appends configId, which is the RC4 encryption key. The resulting body has the form:\r\nmachineId=<machine id>|<username>\u0026configId=<rc4 key>\r\nCommunications with Command and Control\r\nCommunication with command and control takes place over the plaintext HTTP protocol. 
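The beacon body assembled under Fingerprinting Host above, as an added example (not part of the original analysis, and not Zscaler's or the malware's code): a Python parser and detection pass for the machineId=<machine id>|<username>&configId=<rc4 key> layout, applied to HTTP POST bodies. The POST bodies in the block are constructed for the example, not captured traffic; the GUID check assumes that the machine ID read from the Cryptography registry key is the MachineGuid value, which the page does not state, and the 32-hex-character check on configId is only a soft indicator derived from the key quoted above.

```python
import re
from typing import Optional

# Beacon layout from the analysis: machineId=<machine id>|<username>&configId=<rc4 key>
# Assumption (not on the page): the machine id read from the Cryptography registry key is the
# MachineGuid, so it should look like a GUID. The patterns avoid escape sequences on purpose.
GUID_RE = re.compile('^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$')
# The RC4 key the analysis quotes is 32 hex characters; treated as a soft indicator, not a filter.
HEX_KEY_RE = re.compile('^[0-9a-fA-F]{32}$')


def build_beacon(machine_id: str, username: str, config_id: str) -> str:
    # Reproduces the buffer the stealer assembles before the POST (the Figure 19 layout).
    return 'machineId=' + machine_id + '|' + username + '&configId=' + config_id


def parse_beacon(body: str) -> Optional[dict]:
    # Returns the fields when the body has the Raccoon v2 beacon shape, otherwise None.
    fields = {}
    for pair in body.split('&'):
        if '=' not in pair:
            return None
        key, value = pair.split('=', 1)
        fields[key] = value
    if set(fields) != {'machineId', 'configId'}:
        return None
    if '|' not in fields['machineId']:
        return None
    machine_id, username = fields['machineId'].split('|', 1)
    if not GUID_RE.match(machine_id) or not username:
        return None
    config_id = fields['configId']
    return {
        'machine_id': machine_id.lower(),
        'username': username,
        'config_id': config_id,
        'config_id_is_hex32': bool(HEX_KEY_RE.match(config_id)),
    }


def scan_post_bodies(bodies) -> list:
    # Detection pass over POST bodies pulled from a proxy or IDS log; returns every beacon found.
    hits = []
    for body in bodies:
        parsed = parse_beacon(body.strip())
        if parsed is not None:
            hits.append(parsed)
    return hits


# Constructed sample bodies (not captured traffic): one beacon-shaped body, two benign form posts,
# and one that mimics the field names but fails the GUID check.
SAMPLE_BODIES = [
    'machineId=6d1ab6ea-4b7e-4e2d-9d8b-2f4a8c5e1f00|victim&configId=59c9737264c0b3209d9193b8ded6c127',
    'username=alice&password=hunter2',
    'q=raccoon+stealer&page=2',
    'machineId=not-a-guid|bob&configId=abc',
]


if __name__ == '__main__':
    for hit in scan_post_bodies(SAMPLE_BODIES):
        print(hit)
```

In a real deployment the bodies would come from a proxy or IDS log of plaintext HTTP POSTs; because the beacon travels over unencrypted HTTP, this parse-and-match step is enough to flag the first contact before any DLL is downloaded.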
The previously decrypted IP address hxxp://51(.)195(.)166(.)184/ is used for command and control communication.\r\nThe malware contacts the list of previously decrypted command and control IP addresses (stored in local_3c). Since this sample contains only one command and control IP address, the POST request is made to just that one, as seen in Figure 20.\r\nFigure 20: Raccoon v2: Command and Control communication\r\nCommand and Control URL\r\nFigure 21: Raccoon v2 URL in buffer\r\nRequest Headers\r\nFigure 22: Raccoon v2 Request Headers\r\nOnce the request has been made, the malware checks whether the response body length is zero. If no content is received from command and control, or the body length is zero, the malware exits. This check exists because the exfiltration mechanism requires command and control to respond with a list of IP addresses to exfiltrate data to. Figure 23 shows this condition together with the 'ExitProcess()' call.\r\nFigure 23: Raccoon v2 Verifying Response Content\r\nDiscarded the dependence on Telegram bot\r\nRaccoon v1 relied on the Telegram Bot API description page to fetch command and control IP addresses and establish connections. The recent variants (v2) of this family instead hard-code the IP addresses in the binary. Raccoon v2 hard-codes up to 5 IP addresses and iterates over them; the sample analyzed here contains only one.\r\nData Exfiltration\r\nThe malware relies on the response from the command and control server to download the required DLLs and decide on its next course of action.\r\nAs of the writing of this blog the command and control IP has died, so analysis of traffic towards the host is not possible. 
ThreatLabz has previously observed that the command and control server provides information on where to download additional payloads from and which IP address to use for further communications.\r\nFigure 24: Raccoon v2 pinging extracted IP Address\r\nGrepped DLLs\r\nFigure 25: Raccoon v2 DLLs that are downloaded\r\nThe malware calls the WinAPI function SHGetFolderPathW to get the path C:\\Users\\\\AppData, appends “Local” to it, and uses the result as the path where stolen information is staged before being sent to the command and control server.\r\nFigure 26: Raccoon v2 Storage Path In Buffer\r\nIndicators Of Compromise\r\nIP contacted by the analyzed sample of Raccoon v2:\r\n51(.)195(.)166(.)184\r\nA list of other IPs that act as C2 for other samples can be found here.\r\nDownloaded DLLs\r\n1. nss3.dll\r\n2. sqlite3.dll\r\n3. GdiPlus.dll\r\n4. Gdi32.dll\r\nPath Used By the Malware\r\n1. C:\\Users\\\\AppData\\Local\r\nOther samples of Raccoon v2 observed in the wild:\r\n1. 0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909\r\n2. 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03\r\n3. 048c0113233ddc1250c269c74c9c9b8e9ad3e4dae3533ff0412d02b06bdf4059\r\n4. 0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256\r\n5. 2106b6f94cebb55b1d55eb4b91fa83aef051c8866c54bb75ea4fd304711c4dfc\r\n6. 263c18c86071d085c69f2096460c6b418ae414d3ea92c0c2e75ef7cb47bbe693\r\n7. 27e02b973771d43531c97eb5d3fb662f9247e85c4135fe4c030587a8dea72577\r\n8. 2911be45ad496dd1945f95c47b7f7738ad03849329fcec9c464dfaeb5081f67e\r\n9. 47f3c8bf3329c2ef862cf12567849555b17b930c8d7c0d571f4e112dae1453b1\r\n10. 516c81438ac269de2b632fb1c59f4e36c3d714e0929a969ec971430d2d63ac4e\r\n11. 5d66919291b68ab8563deedf8d5575fd91460d1adfbd12dba292262a764a5c99\r\n12. 62049575053b432e93b176da7afcbe49387111b3a3d927b06c5b251ea82e5975\r\n13. 
7299026b22e61b0f9765eb63e42253f7e5d6ec4657008ea60aad220bbc7e2269\r\n14. 7322fbc16e20a7ef2a3188638014a053c6948d9e34ecd42cb9771bdcd0f82db0\r\n15. 960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63\r\n16. 99f510990f240215e24ef4dd1d22d485bf8c79f8ef3e963c4787a8eb6bf0b9ac\r\n17. 9ee50e94a731872a74f47780317850ae2b9fae9d6c53a957ed7187173feb4f42\r\n18. bd8c1068561d366831e5712c2d58aecb21e2dbc2ae7c76102da6b00ea15e259e\r\n19. c6e669806594be6ab9b46434f196a61418484ba1eda3496789840bec0dff119a\r\n20. e309a7a942d390801e8fedc129c6e3c34e44aae3d1aced1d723bc531730b08f5\r\n21. f7b1aaae018d5287444990606fc43a0f2deb4ac0c7b2712cc28331781d43ae27\r\nConclusion\r\nRaccoon Stealer, sold as malware-as-a-service, has become popular over the past few years, and several incidents involving this malware have been observed. Its authors are constantly adding new features to the family. This is the second major release of the malware after the first release in 2019, which shows that the malware is likely to keep evolving and remain a constant threat to organizations.\r\nZscaler coverage\r\nWe have ensured coverage for the payloads seen in these attacks via advanced threat signatures as well as our advanced cloud sandbox.\r\nFigure 27: Zscaler Sandbox Detection\r\nZscaler's multilayered cloud security platform detects indicators at various levels, as shown below:\r\nWin32.PWS.Raccoon\r\nSource: https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family"
	],
	"report_names": [
		"raccoon-stealer-v2-latest-generation-raccoon-family"
	],
	"threat_actors": [],
	"ts_created_at": 1775434777,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0078d4a05a3d3972f5a7524dd49d7d9469b7da1f.pdf",
		"text": "https://archive.orkl.eu/0078d4a05a3d3972f5a7524dd49d7d9469b7da1f.txt",
		"img": "https://archive.orkl.eu/0078d4a05a3d3972f5a7524dd49d7d9469b7da1f.jpg"
	}
}