{
	"id": "f49d2b79-1b6a-4c85-b50f-937c6472345a",
	"created_at": "2026-04-06T00:21:14.617525Z",
	"updated_at": "2026-04-10T13:11:19.144407Z",
	"deleted_at": null,
	"sha1_hash": "2111edb170f94f98edcc43882f34a82b530077f9",
	"title": "Raccoon back with new claws!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1143355,
	"plain_text": "Raccoon back with new claws!\r\nPublished: 2022-07-18 · Archived: 2026-04-05 19:06:11 UTC\r\nRaccoon infostealer was first released in April 2019; the initial Version 1 (V1) was distributed in Telegram groups\r\nand other forums as Malware-as-a-Service (MaaS). The detailed blog on V1 can be seen here. Now the stealer has\r\nbeen updated with new features and comes packed with commercial packers. It has a stealthy way of gathering\r\ninformation from the system using Windows APIs. This blog discusses in depth Version 2 (V2) of Raccoon\r\nStealer and its method of obtaining the information.\r\nThe stealer is usually downloaded when a user tries to download cracked software, thus the malware is padded\r\nwith around 400MB of junk in the overlay along with an invalid digital signature from AVG.\r\nAnalysis\r\nThe sample is around 417MB, disguises itself as Windows File System Proxy, has an invalid digital signature\r\nand comes packed with VMProtect. The analysis is based on the unpacked binary.\r\nFigure 1: Sample Version Information\r\nDynamic API Resolving\r\nThe malware begins by resolving the required APIs dynamically through LoadLibrary and GetProcAddress.\r\nhttps://labs.k7computing.com/index.php/raccoon-back-with-new-claws/\r\nPage 1 of 18\n\nFigure 2: Dynamic API resolving procedure\r\nIt uses LoadLibrary to get the handles of kernel32.dll, shell32.dll, user32.dll, advapi32.dll, wininet.dll, ole32.dll\r\nand crypt32.dll, passes each returned handle as an argument to GetProcAddress to get the address of the required\r\nWinAPI, and stores the addresses at a memory offset.\r\nString Decryption\r\nThe sample uses the RC4 algorithm to decrypt the base64 strings stored in the binary. 
At first the string is base64\r\ndecoded using the CryptStringToBinary API, passing the dwFlags argument as CRYPT_STRING_BASE64 (0x1).\r\nFigure 3: Base64 decode using CryptStringToBinaryA\r\nThe decoded base64 string is saved in a variable and passed as an argument to the function which RC4\r\ndecrypts the string using the hardcoded symmetric key “edinayarossiya” (“United Russia”, a political party in\r\nRussia).\r\nFigure 4: String decryption procedure\r\nThe complete list of decrypted strings is given in the Appendix.\r\nRetrieve C2 URL\r\nThe binary uses the same string decryption method discussed above to retrieve the C2 URL. For the decryption of\r\nthe C2 it uses a different hardcoded RC4 symmetric key, “b616297870490e1028b141f53eb3afe8”, which is later\r\nused as the config ID when the initial information is sent.\r\nFigure 5: Decryption of Command and control server\r\nChecks system locale\r\nThe malware then proceeds to check the locale of the system using the\r\nGetUserDefaultLocaleName API, and compares the returned string with a dword at virtual address 0x40E000. In\r\nthis variant, this locale check does not affect the behaviour of the malware. Usually threat actors opt for an option\r\nto exclude victims from certain geolocales. It seems the threat actors here have that option but are not using\r\nit.\r\nFigure 6: Get Locale of Execution system\r\nChecks mutex\r\nThe malware checks for a mutex with the name “8724643052” and, if it does not exist, creates one. 
If the mutex exists then it terminates\r\nitself to avoid running multiple times.\r\nFigure 7: Malware checks if Mutex Exists\r\nChecks for system privilege\r\nThe malware retrieves the current process access token and compares it to the SID of NT AUTHORITY\\SYSTEM (“S-1-5-18”). If it matches, it executes the function to enumerate the active process list.\r\nFigure 8: Check System Privilege\r\nSimilar to the locale check, there is no change in behaviour.\r\nFigure 9: Enumerate process list if it has System privilege\r\nGather Initial Information\r\nThe malware initially collects the machine GUID and username, sends them to the C2 and awaits a response from the C2 for\r\nfurther information gathering.\r\nThe machine GUID is obtained from the registry key\r\n“HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Cryptography” under the value “MachineGUID”.\r\nThe malware sends the initial information to the C2 in the following syntax:\r\nmachineId=\u003cmachineGUID\u003e|\u003cusername\u003e\u0026configid=\u003cRC4_key used to decrypt C2\u003e\r\nSends initial collected data\r\nAfter converting the collected initial data into a Unicode string, it sends a POST request to the decrypted C2 using\r\nan unusual User-Agent string, “record”. The data is sent in form-data format.\r\nFigure 10: Procedure to send request to C2 and wait for response\r\nFigure 11: Request sent to C2\r\nAfter making the request, the connection handle is kept open until it receives a data response. It waits for the\r\nPOST response until the size of the response is greater than 64 bytes.\r\nProcess C2 Response\r\nFigure 12: C2 response\r\nThe C2 response contains the URLs of the DLLs which are needed to collect detailed information.\r\nA GET request is made to download all the DLLs, and they are saved in the APPDATA_LOCAL folder. The path to\r\nAPPDATA_LOCAL is retrieved using the API SHGetFolderPath with the CSIDL passed as\r\n“CSIDL_LOCAL_APPDATA” (0x1c). If the response does not have the string “Token” in it, the malware terminates\r\nitself.\r\nCollect detailed information\r\nAfter downloading the required DLLs, it changes the current working directory and adds the path of the\r\nAPPDATA_LOCAL directory to the “PATH” environment variable using SetEnvironmentVariableW.\r\nSystem Info.txt\r\nThe malware first collects the system information and sends it as a POST request to the C2. Let us see what\r\nsystem information is collected, and how, using WinAPI.\r\nLocale: The malware collects the current locale using the API GetLocaleInfoW\r\nTimeZone: The time zone is retrieved using the API GetTimeZoneInformation\r\nFigure 13: collection of Locale and TimeZone using API\r\nProduct Name: The Windows version is retrieved by querying the registry key\r\n“HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\” for the value\r\n“ProductName”\r\nFigure 14: retrieve productname from registry\r\nArchitecture: The malware checks if the SYSWOW64 directory exists on the system; if it is unavailable it\r\nconsiders the architecture to be 32-bit, else 64-bit.\r\nFigure 15: Find system architecture\r\nProcessor: The processor information is obtained with the ASM instruction “CPUID” (CPU\r\nIdentification).\r\nRAM: The exact amount of physical memory is retrieved using the API 
GlobalMemoryStatusEx, which\r\nfills a “MEMORYSTATUSEX” structure. From the returned structure the malware takes the field\r\n“ullTotalPhys” and right shifts it by 20 bits to convert it into MB.\r\nFigure 16: Get RAM information\r\nDisplay height and width: The display height and width are obtained using the API “GetSystemMetrics” by\r\npassing the argument 0x0 (SM_CXSCREEN) to retrieve the width and 0x1 (SM_CYSCREEN) to get the height.\r\nDisplay Devices: The display devices are enumerated and saved using the API “EnumDisplayDevicesW”\r\nScreen dimensions and display devices could be checked at the server to determine whether the malware is executed in a VM or\r\nsandbox.\r\nFigure 17: Get Display information\r\nList of Installed Products: The complete list of installed products is obtained by looping\r\nthrough all the subkeys under “HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall”\r\nAll the collected information about the system is sent immediately to the C2 without saving it to a file.\r\nCookies.txt\r\nAfter collecting all the information related to the system, it proceeds to collect browser saved passwords, credit card\r\ndetails and cookies using the following DLLs:\r\n1. sqlite3.dll – to collect login IDs and passwords from Chrome(ium)-based browsers\r\n2. 
mozglue.dll/nss3.dll – to collect login IDs and passwords from Firefox\r\nThe following queries are used to retrieve the required information.\r\nSELECT origin_url, username_value, password_value FROM logins\r\nSELECT host_key, path, is_secure , expires_utc, name, encrypted_value FROM cookies\r\nSELECT name, value FROM autofill\r\nSELECT host, path, isSecure, expiry, name, value FROM moz_cookies\r\nSELECT fieldname, value FROM moz_formhistory\r\nSELECT name_on_card, card_number_encrypted, expiration_month, expiration_year FROM credit_cards\r\nThe stealer even has the capability to collect crypto wallets if found on the system, and sends all the collected\r\ninformation to the C2 immediately.\r\nCaptures screenshot\r\nA series of Windows APIs is used to capture a screenshot of the infected machine, which is sent to the C2. The flow is\r\nsimilar to the example code given by Microsoft here.\r\nCleanup\r\nThe malware deletes all the files which were downloaded from the internet after the information is sent to the C2.\r\nFigure 18: Cleanup Activity\r\nWe strongly recommend not downloading cracked software, as it is a common way to get infected with malware.\r\nWe at K7 Labs provide detection against the latest threats and also for this newer variant of Raccoon Stealer. 
Users are\r\nadvised to use a reliable security product such as “K7 Total Security” and keep it up-to-date so as to safeguard\r\ntheir devices.\r\nIndicators of Compromise (IOC)\r\nFile Name: launchctl.exe\r\nHash: b0bc998182378e73e2847975cc6f7eb3\r\nK7 Detection Name: Trojan ( 005690671 )\r\nC2\r\nhxxp://www[.]retro-rave[.]xyz\r\nIP\r\n51.195.166[.]184\r\nUser-Agent\r\nrecord\r\nAppendix: Strings Decrypted during Runtime (Using RC4 key: “edinayarossiya”)\r\ntlgrm_\r\news_\r\ngrbr_\r\n%s    TRUE    %s    %s    %s    %s    %s\r\nURL:%s\r\nUSR:%s\r\nPASS:%s\r\n        %d) %s\r\n    – Locale: %s\r\n    – OS: %s\r\n    – RAM: %d MB\r\n    – Time zone: %c%ld minutes from GMT\r\n    – Display size: %dx%d\r\n%d\r\n    – Architecture: x%d\r\n    – CPU: %s (%d cores)\r\n    – Display Devices:\r\n%s\r\nformhistory.sqlite\r\n\\*\r\nlogins.json\r\n\\autofill.txt\r\n\\cookies.txt\r\n\\passwords.txt\r\n*/*\r\nContent-Type: application/x-www-form-urlencoded; charset=utf-8\r\nContent-Type: multipart/form-data; boundary=\r\nContent-Type: text/plain;\r\nUser Data\r\nwallets\r\nwlts_\r\nldr_\r\nscrnsht_\r\nsstmnfo_\r\ntoken:\r\nnss3.dll\r\nsqlite3.dll\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\r\nPATH\r\nProductName\r\nWeb Data\r\nsqlite3_prepare_v2\r\nsqlite3_open16\r\nsqlite3_close\r\nsqlite3_step\r\nsqlite3_finalize\r\nsqlite3_column_text16\r\nsqlite3_column_bytes16\r\nsqlite3_column_blob\r\nSELECT origin_url, username_value, password_value FROM logins\r\nSELECT host_key, path, is_secure , expires_utc, name, encrypted_value FROM cookies\r\nSELECT name, value FROM autofill\r\npera \r\nStable\r\nSELECT host, path, isSecure, expiry, name, value FROM moz_cookies\r\nSELECT fieldname, value FROM 
moz_formhistory\r\ncookies.sqlite\r\nmachineId=\r\n\u0026configId=\r\n“encrypted_key”:”\r\nstats_version”:”\r\nContent-Type: application/x-object\r\nContent-Disposition: form-data; name=”file”; filename=”\r\nGET\r\nPOST\r\nLow\r\nMachineGuid\r\nimage/jpeg\r\nGdiPlus.dll\r\nGdi32.dll\r\nGdiplusStartup\r\nGdipDisposeImage\r\nGdipGetImageEncoders\r\nGdipGetImageEncodersSize\r\nGdipCreateBitmapFromHBITMAP\r\nGdipSaveImageToFile\r\nBitBlt\r\nCreateCompatibleDC\r\nDeleteObject\r\nGetObjectW\r\nSelectObject\r\nSetStretchBltMode\r\nStretchBlt\r\nSELECT name_on_card, card_number_encrypted, expiration_month, expiration_year FROM credit_cards\r\nNUM:%s\r\nHOLDER:%s\r\nEXP:%s/%s\r\n\\CC.txt\r\nNSS_Init\r\nNSS_Shutdown\r\nPK11_GetInternalKeySlot\r\nPK11_FreeSlot\r\nPK11_Authenticate\r\nPK11SDR_Decrypt\r\nSECITEM_FreeItem\r\nhostname”:”\r\n“,”httpRealm”:\r\nencryptedUsername”:”\r\n“,”encryptedPassword”:”\r\n“,”guid”:\r\nProfiles\r\nSource: https://labs.k7computing.com/index.php/raccoon-back-with-new-claws/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/raccoon-back-with-new-claws/"
	],
	"report_names": [
		"raccoon-back-with-new-claws"
	],
	"threat_actors": [],
	"ts_created_at": 1775434874,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2111edb170f94f98edcc43882f34a82b530077f9.pdf",
		"text": "https://archive.orkl.eu/2111edb170f94f98edcc43882f34a82b530077f9.txt",
		"img": "https://archive.orkl.eu/2111edb170f94f98edcc43882f34a82b530077f9.jpg"
	}
}