{
	"id": "11721375-fa86-4484-85dd-5b3abc70deda",
	"created_at": "2026-04-06T00:12:58.365013Z",
	"updated_at": "2026-04-10T13:12:25.269306Z",
	"deleted_at": null,
	"sha1_hash": "198595bcf2011308862793d15874d2ae15b3d37c",
	"title": "Recordbreaker: The Resurgence of Raccoon",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 665640,
	"plain_text": "Recordbreaker: The Resurgence of Raccoon\r\nPublished: 2025-08-21 · Archived: 2026-04-05 20:16:47 UTC\r\nResearcher: Anandeshwar Unnikrishnan\r\nEditors: Suchita Katira \u0026 Hansika Saxena\r\nAn info stealer is malicious software (malware) that seeks to steal private data from a compromised device, including passwords, cookies, browser autofill data, and cryptocurrency wallet information.\r\nSince the beginning of 2019, the Raccoon malware has been offered as malware-as-a-service (MaaS) on various cybercrime forums. The Raccoon Stealer group, however, disbanded in March 2022 after one of its senior developers died in the Ukraine-Russia war.\r\nIn June 2022, a new version of the Raccoon stealer was identified in the wild by researchers at Sekoia. The malware was initially named “Recordbreaker” but was later identified as a revived version of Raccoon stealer. The developer of the Raccoon stealer MaaS is very active on underground forums, regularly updating the malware and posting about new feature builds.\r\nThis post describes the technical details of recent samples and the modifications made to the Raccoon Stealer.\r\nThe Malware\r\nRaccoon samples have been spotted in the wild on numerous occasions. Some were protected by commercial code protectors such as VMProtect and Themida; others were packed with popular community packers such as Armadillo.\r\nCloudSEK’s telemetry picked up a very interesting Raccoon sample that employed effective anti-analysis and anti-debugging techniques to foil analysis attempts. 
The sample covered in this report is unique in terms of how the malware is deployed.\r\nhttps://cloudsek.com/recordbreaker-the-resurgence-of-raccoon\r\nPage 1 of 16\n\nThe Malware Deployment\r\nThe packer used to obfuscate the stealer is designed to perform two main tasks:\r\nIdentify sandboxes and debuggers\r\nInstall hooks in order to transfer control to the stealer\r\nThe Process of Anti Analysis \u0026 Anti Debugging\r\nTo detect sandboxed environments, especially virtual machines, the packer uses the Read Time-Stamp Counter (RDTSC) instruction, a well-known VM-detection primitive: the time delta between two RDTSC reads is typically much larger under a hypervisor, where intervening instructions such as CPUID cause VM exits, than on bare metal. The packer has also been observed querying system information, such as the firmware tables, to identify VMs.\r\nTo counter debugging, the packer performs process-level debugger checks and hides its main thread from the debugger (the ThreadHideFromDebugger thread information class).\r\nMalicious Hooks\r\nThe malware’s API trace gave a good understanding of the internals of the packer without much time spent in a debugger. 
A very interesting behavior found in the trace log is shown below.\r\nThe threads in the current process are enumerated using the following APIs:\r\nkernel32!CreateToolhelp32Snapshot\r\nkernel32!Thread32Next\r\nThe threads are then opened and suspended.\r\nOnce the threads are suspended, memory is allocated and data is written to it.\r\nFinally, the memory protection is changed from RWX to RX.\r\nAPI trace present in the malware\r\nThe above sequence of operations is performed twice, after which the packer resumes the suspended threads.\r\nImage of the packer resuming the suspended threads\r\nCloudSEK’s researchers retrieved the data written by the malware with the help of instrumentation. As shown in the image below, the call to kernel32!WriteProcessMemory was intercepted to inspect the data passed to it. Notably, the lpBaseAddress parameter in both calls points into ntdll.dll as mapped in the malware’s own process. Five bytes of data were written into the memory region of the loaded ntdll image.\r\nHooking the NT API Calls\r\nThe written data is a JMP (jump) instruction followed by a specific address that points to one of the segments in the packer.\r\nUpdated function entry after hooking\r\nHooking plays a major role in the stealer loading phase; the packer hooks the following two APIs:\r\nntdll!DbgUiRemoteBreakin – The hooked DbgUiRemoteBreakin takes the control flow to exit. 
This is another anti-debugging technique: DbgUiRemoteBreakin is the routine a Windows debugger causes to run in the target process when it attaches, in order to trigger a software break. By redirecting its flow to an exit path, the packer makes a debugger attach terminate the malware.\r\nntdll!ZwProtectVirtualMemory – If the above does not happen, the packer calls ntdll!ZwProtectVirtualMemory; the hook on it transfers control to the packer code that deploys Raccoon Stealer v2 on the target system.\r\nExperimenting with the return values of the kernel32!WriteProcessMemory call during analysis confirmed that the hooking of ntdll!ZwProtectVirtualMemory is a crucial step in the infection process. Failure to hook ntdll!ZwProtectVirtualMemory causes the malware to terminate and the following warning to appear.\r\nWarning popup triggered upon failure of hooking\r\nThis behavior is not observed when the malware fails to hook ntdll!DbgUiRemoteBreakin; the program does not terminate in that case.\r\nThe Malware Execution\r\nDynamic API Loading\r\nOnce Raccoon Stealer is executed, APIs are dynamically resolved in memory. These APIs are later used by the malware to perform malicious activities on the compromised machine.\r\nCode responsible for runtime dynamic linking of DLLs\r\nString Decoding\r\nAfter loading the libraries, the stealer decodes all of its strings in memory. Previous versions of the stealer used RC4 to encrypt the strings and decrypted them at runtime.\r\nRC4 decryption routine used in the old malware samples\r\nThe recent version instead uses a custom XOR-based encoding for its strings.\r\nCustom XOR encoding used in new malware samples\r\nRussian Language Detection\r\nThe stealer calls kernel32!GetDefaulLocaleName to retrieve the system locale name and checks it against the string “RU”. 
In case of a positive match, no further logic is implemented, which suggests that the malware is still under development. In the future, the stealer can be expected to terminate itself after a match is found.\r\nMutex\r\nAfter the locale check, the stealer looks for an already running instance by calling kernel32!OpenMutexW. If the mutex already exists, the current execution is terminated; otherwise a new mutex is created on the system.\r\nCode responsible for mutex creation\r\nAdmin Check\r\nOnce the mutex is created, Raccoon checks the privileges of its own process as follows:\r\nAdvapi32!OpenProcessToken is called to obtain a handle to the process token.\r\nAdvapi32!GetTokenInformation is called on the token handle with TOKEN_USER as the TokenInformationClass parameter, which returns a TOKEN_USER structure containing the user SID.\r\nThe SID is converted to a string by calling Advapi32!ConvertSidToStringSidW.\r\nThe SID string is compared with “S-1-5-18”, the well-known SID of the Local System account. Note that this is a SYSTEM check rather than an administrator check: an elevated administrator runs under a per-user SID (S-1-5-21-...) with membership in the Administrators group (S-1-5-32-544), so it would not match.\r\nIf the SID matches (i.e., the process runs as SYSTEM), the value 0 is returned.\r\nAdministrator check performed by the stealer\r\nProcess Enumeration\r\nIf the process is elevated, the processes running on the system are enumerated as follows:\r\nKernel32!CreateToolhelp32Snapshot is called with the TH32CS_SNAPPROCESS flag to include all running processes in the snapshot.\r\nKernel32!Process32First and Kernel32!Process32Next are used to walk the snapshot, which holds the information about the running processes.\r\nProcess enumeration done by the malware\r\nIt is interesting to note that the returned result (1/0) is not 
used anywhere by Raccoon. The most likely reason is that the malware is still being actively developed, and changes to the code of future Raccoon samples should be anticipated.\r\nC2 Network\r\nAttackers use a set of tools and procedures known as command and control infrastructure, usually abbreviated as C2 or C\u0026C, to keep in touch with compromised devices after initial access has been gained. The Raccoon stealer calls home for the first time by sending a unique string to the C2. The string is crafted from the following information:\r\nThe Machine GUID, retrieved from the registry key Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography.\r\nThe username, fetched via the Advapi32!GetUserNameW API.\r\nThe configuration ID, which is decoded using the RC4 key in some samples and is a unique alphanumeric string in others.\r\nFormat of the victim profile sent to the C2\r\nThe HTTP POST request and the victim identification data sent by Raccoon Stealer to the C2\r\nC2 Configuration\r\nThe Raccoon stealer uses the following C2 identifier tags to control its behavior.\r\nIdentifier – Description\r\nlibs_ – Library PE/DLL to download\r\news_ – Browser extensions\r\nwlts_ – Crypto wallet stealing\r\nsstmnfo_ – Collects system information and the list of installed applications\r\nscrnsht_ – Takes a screenshot\r\ntlgrm_ – Steals data from Telegram Desktop\r\ngrbr_ – Password grabber\r\ndscrd_ – Discord stealer\r\nldr_ – Launches additional payloads such as RATs\r\ntoken – Unique identifier for tracing the campaign\r\nC2 configuration fetched by the malware\r\nFetching Library\r\nOnce the stealer obtains the configuration from the C2, it starts to parse the 
configuration, searching for the libs_ identifier to download legitimate library files such as:\r\nnss3.dll\r\nmsvcp140.dll\r\nvcruntime140.dll\r\nmozglue.dll\r\nfreebl3.dll\r\nsoftokn3.dll\r\nsqlite3.dll\r\nThese are downloaded into the user’s AppData\\LocalLow directory and are not loaded into memory at this point.\r\nLegitimate DLLs downloaded by the malware\r\nThe malware loads the necessary DLLs into memory during the information-stealing process and dynamically resolves the functions it needs. The images below depict the dynamic API resolution from sqlite3.dll and nss3.dll respectively.\r\nRuntime dynamic loading of sqlite3.dll\r\nRuntime dynamic loading of nss3.dll\r\nSysinfo Enumeration\r\nAfter fetching the libraries, a profile of the host is created and sent to the C2 as a “System Info.txt” file.\r\nSystem information sent to C2\r\nThe stealer performs host profiling only if the sstmnfo_ identifier is present in the C2 configuration. 
The following information is enumerated in the host profile:\r\nLocale information, fetched via Kernel32!GetLocaleInfoW.\r\nTime zone information, fetched via Kernel32!GetTimeZoneInformation.\r\nProduct name (OS), fetched from the registry.\r\nArchitecture of the victim, identified by checking for the presence of the SysWOW64 directory.\r\nCPU vendor and model information, fetched with the CPUID instruction.\r\nSystem information retrieved from the Kernel32!GetSystemInfo API.\r\nMemory information, fetched via Kernel32!GlobalMemoryStatusEx.\r\nDisplay resolution, fetched via User32!GetSystemMetrics.\r\nDisplay adapters and monitors connected to the system.\r\nInstalled applications, read from SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall.\r\nInformation Stealing\r\nBrowser Data\r\nThe malware steals information saved by web browsers under the local user’s AppData directory. The primary directories targeted are “User Data” and the browser profile directory.\r\nThe stealer is interested in the following browser data:\r\nCookies\r\nAutofill entries\r\nStored passwords\r\nStored credit card information\r\nLike any stealer, Raccoon performs the following operations to steal browser data:\r\nIt retrieves the target SQLite database file stored by the browser. 
A few of Chrome’s critical databases targeted by the stealer are listed below.\r\nStolen Data – Location of the Stolen Data\r\nPasswords – C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\r\nAutofill – C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data\r\nCredit Cards – C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data\r\nCookies – C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies\r\nThe malware steals the encryption key stored in the browser’s “Local State” file; this key protects the data stored in the databases under the User Data directory listed above.\r\nThe malware then opens each database and decrypts the data.\r\nThe stolen data is then sent back to the C2.\r\nCommands to Steal the Browser Data\r\nThe previously downloaded sqlite3.dll is loaded into memory to resolve the addresses of the functions required for querying the browser databases. The following images show the SQL queries the malware uses to steal Chrome browser data.\r\nSQL queries used by Raccoon to steal cookie data from Chrome browser’s cookie store\r\nSQL queries used by Raccoon to steal credit card information saved in the browser\r\nSQL queries used by Raccoon to steal autofill data stored in the browser\r\nThe previously downloaded nss3.dll is loaded into memory to retrieve the data stored by Mozilla Firefox. The stealer then proceeds to steal the browser’s cookie, login, and form history data. 
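The browser-store lookups described above, reproduced as an added example that is not code from the report or from the malware: it builds in-memory SQLite stand-ins for Chrome’s Login Data, Web Data and Cookies files and for Firefox’s cookies.sqlite and formhistory.sqlite, fills them with constructed rows, runs one query per artefact class from the table above, and exposes the two wrappings a defender should recognise: the os_crypt.encrypted_key in Chrome’s Local State is a CryptProtectData blob behind a five-byte DPAPI marker, and each v10 column value is a 12-byte nonce, ciphertext and 16-byte tag under the AES key that blob protects. Table and column names follow the real browser schemas; the query text is the editor’s assumption, since the report shows the stealer’s queries only as images, and no real decryption is performed.

```python
import base64
import json
import sqlite3

# Added example, not code from the report or the malware. Table and column
# names follow the real Chrome / Firefox schemas; every row is constructed
# test data and the SQL text is an assumption of equivalent queries.
CHROME_SCHEMAS = {
    'Login Data': [
        'CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)'],
    'Web Data': [
        'CREATE TABLE autofill (name TEXT, value TEXT)',
        'CREATE TABLE credit_cards (name_on_card TEXT, expiration_month INTEGER, '
        'expiration_year INTEGER, card_number_encrypted BLOB)'],
    'Cookies': [
        'CREATE TABLE cookies (host_key TEXT, name TEXT, path TEXT, '
        'encrypted_value BLOB, expires_utc INTEGER)'],
}
FIREFOX_SCHEMAS = {
    'cookies.sqlite': [
        'CREATE TABLE moz_cookies (host TEXT, name TEXT, value TEXT, path TEXT, expiry INTEGER)'],
    'formhistory.sqlite': ['CREATE TABLE moz_formhistory (fieldname TEXT, value TEXT)'],
}

# One query per artefact class: passwords, autofill, cards, cookies (Chrome)
# plus the two Firefox stores. Firefox cookies and form history are plaintext
# in SQLite; Chrome columns marked encrypted/password are ciphertext.
QUERIES = {
    'passwords': ('Login Data', 'SELECT origin_url, username_value, password_value FROM logins'),
    'autofill': ('Web Data', 'SELECT name, value FROM autofill'),
    'cards': ('Web Data', 'SELECT name_on_card, expiration_month, expiration_year, '
              'card_number_encrypted FROM credit_cards'),
    'cookies': ('Cookies', 'SELECT host_key, name, path, encrypted_value, expires_utc FROM cookies'),
    'ff_cookies': ('cookies.sqlite', 'SELECT host, name, value, path, expiry FROM moz_cookies'),
    'ff_formhistory': ('formhistory.sqlite', 'SELECT fieldname, value FROM moz_formhistory'),
}


def fake_v10_value(plain: bytes) -> bytes:
    # Layout of a Chrome (v80 and later) encrypted column: 'v10' || 12-byte
    # GCM nonce || ciphertext || 16-byte tag. Real values are AES-256-GCM under
    # the Local State key; here the body is left as plaintext so the layout can
    # be exercised without a crypto dependency.
    return b'v10' + bytes(12) + plain + bytes(16)


def build_demo_profile() -> dict:
    # In-memory stand-ins for the on-disk SQLite files, keyed by file name.
    stores = {}
    for name, ddl in {**CHROME_SCHEMAS, **FIREFOX_SCHEMAS}.items():
        conn = sqlite3.connect(':memory:')
        for stmt in ddl:
            conn.execute(stmt)
        stores[name] = conn
    stores['Login Data'].execute('INSERT INTO logins VALUES (?, ?, ?)',
                                 ('https://mail.example.test/', 'alice', fake_v10_value(b'hunter2')))
    stores['Web Data'].execute('INSERT INTO autofill VALUES (?, ?)', ('email', 'alice@example.test'))
    stores['Web Data'].execute('INSERT INTO credit_cards VALUES (?, ?, ?, ?)',
                               ('ALICE EXAMPLE', 12, 2030, fake_v10_value(b'4111111111111111')))
    stores['Cookies'].execute('INSERT INTO cookies VALUES (?, ?, ?, ?, ?)',
                              ('.example.test', 'session', '/', fake_v10_value(b'sid=abc'), 13350000000000000))
    stores['cookies.sqlite'].execute('INSERT INTO moz_cookies VALUES (?, ?, ?, ?, ?)',
                                     ('.example.test', 'ffsession', 'xyz', '/', 1900000000))
    stores['formhistory.sqlite'].execute('INSERT INTO moz_formhistory VALUES (?, ?)', ('username', 'alice'))
    # Chrome Local State: os_crypt.encrypted_key is base64 of 'DPAPI' || CryptProtectData blob.
    # The 32 bytes after the marker stand in for that blob (constructed).
    wrapped = base64.b64encode(b'DPAPI' + bytes(range(32))).decode()
    local_state = json.dumps({'os_crypt': {'encrypted_key': wrapped}})
    return {'stores': stores, 'local_state': local_state}


def harvest(profile: dict) -> dict:
    # Run each query against its store, the way the stealer walks a profile.
    return {label: profile['stores'][store].execute(sql).fetchall()
            for label, (store, sql) in QUERIES.items()}


def dpapi_wrapped_key(local_state_json: str) -> bytes:
    # Strip the 'DPAPI' marker. What remains is still a CryptProtectData blob:
    # only CryptUnprotectData in the victim's own logon session can unwrap it,
    # which is why a stealer has to run as the victim user to obtain the AES key.
    blob = base64.b64decode(json.loads(local_state_json)['os_crypt']['encrypted_key'])
    if not blob.startswith(b'DPAPI'):
        raise ValueError('Local State key does not carry the DPAPI marker')
    return blob[5:]


def split_v10_value(enc: bytes):
    # (nonce, ciphertext, tag) for a v10 value; None for a legacy value that is
    # a bare DPAPI blob without a version prefix.
    if not enc.startswith(b'v10'):
        return None
    return enc[3:15], enc[15:-16], enc[-16:]


if __name__ == '__main__':
    prof = build_demo_profile()
    for label, rows in harvest(prof).items():
        print(label, len(rows), 'row(s)')
    print('wrapped key bytes:', len(dpapi_wrapped_key(prof['local_state'])))
```

Run it as a script to print the row count per store. The SQLite side needs only read access to the profile files; unwrapping the key needs CryptUnprotectData in the victim’s logon session, which is why this class of stealer runs as the logged-on user.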
The “ffcookies.txt” filename is used when sending stolen Firefox data to the C2 server.\r\nMozilla Firefox cookies targeted by Raccoon\r\nSQL query issued by Raccoon against the cookies.sqlite file to steal cookie data from Firefox\r\nSQL query used by Raccoon to steal form history from Firefox\r\nWallets \u0026 Browser Extensions\r\nThe lists below contain the wallets and web extensions targeted by the Raccoon malware.\r\nWallets\r\nExodus, Atomic, Jaxx Liberty, Electron Cash, Binance, Coinomi, Electrum, Ledger, Guarda, Monero, Ronin, Daedalus, Blockstream Green, Meta, Wasabi\r\nWeb Extensions\r\nmetax, xdefi, waveskeeper, solflare, rabby, cyano, coinbase, auromina, khc, tezbox, coin98, temple, iconex, sollet, clover, polymesh, neoline, keplr, terraStation, liquality, SaturnWallet, GuildWallet, phantom, tronlink, brave, MetaMask, ronin, mewcx, ton, goby, bitkeep, Cosmostation, GameStop, stargazer, Enkrypt, jaxxliberty, CloverWallet\r\nFile Grabbing\r\nThe malware uses the grbr_ identifier to enable the grabber functionality and starts searching the system for files such as password files, wallet seeds, etc.\r\nFile grabbing C2 configuration in Raccoon\r\nTelegram \u0026 Discord Data\r\nRaccoon steals Telegram data from the “Telegram Desktop”\\tdata directory. It is particularly interested in the directories containing user_data, emoji, tdummy, and dumps.\r\nThe stealer is also capable of stealing Discord data, such as tokens, but this feature is not enabled by default. The malware operator needs to explicitly provide the “dscrd_” identifier in the configuration to enable it.\r\nScreenshot Capture\r\nApart from stealing information, Raccoon can also take screenshots of the compromised system when the “scrnsht_” identifier is present in the C2 configuration. 
The details of the screenshot capturing process are explained below.\r\nRaccoon uses two libraries, gdi32.dll and gdiplus.dll, to capture the victim’s screen. These libraries are dynamically loaded and the API addresses are resolved.\r\nMalware taking screen capture using gdi32.dll and gdiplus.dll\r\nList of APIs Resolved\r\nGdiplus!GdiplusStartup, Gdiplus!GdipDisposeImage, Gdiplus!GdipGetImageEncoders, Gdiplus!GdipGetImageEncodersSize, Gdiplus!GdipCreateBitmapFromHBitmap, Gdiplus!GdipSaveImageToFile, gdi32!BitBlt, gdi32!CreateCompatibleBitmap, gdi32!CreateCompatibleDC, gdi32!DeleteObject, gdi32!GetObjectW, gdi32!SelectObject, gdi32!SetStretchBltMode, gdi32!StretchBlt\r\nThe screen-grabbing process built on these libraries is not straightforward; it involves image-processing steps that are beyond the scope of this report. In a nutshell, the captured image is saved to disk in JPEG format. The file is initially given a random name; when it is sent to the C2, the image is transferred as “–screenshot.jpg”. The image below shows Raccoon’s conversation with the C2.\r\nScreenshot being sent to the C2 endpoint\r\nAdditional Payload Execution\r\nThe Raccoon stealer, like other malware in its class, can execute operator-provided additional malware (such as RATs) on the compromised system. As per CloudSEK’s analysis of multiple samples, this feature is not enabled by default. When the stealer fetches the configuration, the operator has to explicitly enable it by providing the ldr_ identifier with a URL from which to fetch the additional payload executable, along with the directory in which to drop it for execution.\r\nThe image below depicts the module responsible for this feature. 
Initially, the module checks for the ldr_ identifier in the C2 configuration. If no ldr_ is present, the flow returns to the main function.\r\nChecking the C2 configuration for additional payload execution option\r\nIf the C2 configuration contains an ldr_ identifier, the following code is used to execute the fetched executable. The shell32!ShellExecuteW API is called with the file and the ‘open’ verb as parameters.\r\nCode responsible for additional payload execution via the ShellExecuteW API\r\nCleaning Up\r\nBefore exiting, the stealer deletes the DLL files that were loaded into memory during the operation and terminates its execution.\r\nIndicators of Compromise (IoCs)\r\nBinary (SHA-256)\r\n494ab44bb96537fc8a3e832e3cf032b0599501f96a682205bc46d9b7744d52ab\r\ndd2db9bfa45002375af028ac00ca1b5e0c1db30a116c21cac2b4c75cb4ff9aec\r\nIPv4\r\n193.56.146.177\r\nSource: https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon"
	],
	"report_names": [
		"recordbreaker-the-resurgence-of-raccoon"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434378,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/198595bcf2011308862793d15874d2ae15b3d37c.pdf",
		"text": "https://archive.orkl.eu/198595bcf2011308862793d15874d2ae15b3d37c.txt",
		"img": "https://archive.orkl.eu/198595bcf2011308862793d15874d2ae15b3d37c.jpg"
	}
}