{
	"id": "b51db8f5-4487-4131-8995-ce32edadb3f5",
	"created_at": "2026-04-10T03:21:25.27769Z",
	"updated_at": "2026-04-10T13:12:34.442076Z",
	"deleted_at": null,
	"sha1_hash": "319a41d5f954a95d93717e3ddae66c422af5fdf5",
	"title": "Raccoon Stealer v2 Malware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2642672,
	"plain_text": "Raccoon Stealer v2 Malware Analysis\r\nBy Aaron Stratton\r\nPublished: 2022-11-01 · Archived: 2026-04-10 02:59:34 UTC\r\n6 min read\r\nSep 12, 2022\r\nImage credit: Bleepingcomputer.com (https://www.bleepingcomputer.com/news/security/malware-dev-infects-own-pc-and-data-ends-up-on-intel-platform/)\r\nIntroduction\r\nRaccoon Stealer is an infostealer sold on underground hacker/cybercriminal forums, first observed in early 2019. Raccoon Stealer v2 first appeared in June 2022, after the developers returned from a supposed “retirement” which they had announced in early 2022. [1] Just as with Raccoon Stealer v1, v2 is capable of stealing information including cookies and other browser data, credit card data, usernames, and passwords.\r\nTechnical Analysis\r\nRaccoon Stealer v2 is written in C/C++, and at only ~57 KB it is fairly lightweight. Below are the hashes for the packed sample and the unpacked sample. Based on my research, Raccoon Stealer is not sold packed by default; rather, any packing must be done by the customer who deploys the malware.\r\nPacked SHA256: 40daa898f98206806ad3ff78f63409d509922e0c482684cf4f180faac8cac273\r\nUnpacked SHA256: 0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909\r\nUnpacking\r\nhttps://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8\r\nPage 1 of 13\n\nUnpacking this sample is pretty straightforward. All I did was place breakpoints on a few API calls of interest, such as VirtualProtect, WriteProcessMemory, CreateProcessInternalW, and VirtualAlloc. Once the VirtualProtect breakpoint is hit, I followed the address in the EAX register in the memory dump, then ran the program again until the next breakpoint. After that, I was able to dump the payload from memory and continue my analysis.\r\nFigure 1. 
Dumping the second stage payload from memory.\r\nResolving Imports\r\nTo start off, I opened the payload in PEstudio to perform some basic static analysis, which will guide how I carry out the rest of the analysis. Opening the binary in PEstudio, the small number of imported functions (only 8) leads me to believe that the malware probably resolves its imports dynamically.\r\nFigure 2. Imported functions displayed in PEstudio.\r\nDisassembling the binary in Ghidra, I found the import resolver function early on in the binary, as expected. This function simply uses the GetProcAddress API function to obtain the addresses of the functions it will need. A few of these functions immediately catch my eye, those being the internet-related functions highlighted below in figure 3.\r\nFigure 3. Internet-related functions in the import resolver function.\r\nDecrypting Strings and C2 IP Address\r\nThe malware also obfuscates its strings using Base64 encoding and RC4 encryption: each string is RC4 encrypted, and the ciphertext is stored in Base64 encoded form. At run time the strings are Base64 decoded, then decrypted using the RC4 key “edinayarossiya”, which means “United Russia” in Russian. Once the strings are decrypted, the malware performs the same decode-then-decrypt routine on the C2 IP address, but with a different RC4 key.\r\nFigure 4. Decoding and decrypting the C2 IP address.\r\nWith this RC4 key and the Base64 encoded data, I could use CyberChef to get the IP address of the C2 node.\r\nFigure 5. Extracting the C2 IP address in CyberChef.
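The decode-then-decrypt routine described above, as an added example that is not part of the original write-up and not the malware's own code: a stand-alone Python re-implementation of Base64 decoding followed by RC4, applied to every Base64-looking token in a strings dump of the unpacked payload so that the string table falls out in one pass, with the C2 address decrypted separately under its own key. Only the string-table key “edinayarossiya” comes from the article; the sample strings, the second key 'configkey123' and the TEST-NET C2 address 192.0.2.10 are constructed for the demo and are not the sample's real values.

```python
import base64
import re

# Added example (not code from the original write-up or from the malware): a
# stand-alone re-implementation of the decode-then-decrypt routine the article
# describes, Base64 decode followed by RC4 with the key 'edinayarossiya'.
# The sample strings, the second key and the C2 address below are constructed
# for the demo; only the string-table key comes from the article.

STRING_KEY = b'edinayarossiya'  # RC4 key for the string table, from the article

def rc4(key: bytes, data: bytes) -> bytes:
    '''Plain RC4 (KSA then PRGA). RC4 is symmetric: the same call encrypts and decrypts.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_blob(b64_blob: str, key: bytes = STRING_KEY) -> str:
    '''Base64 decode, RC4 decrypt, then drop trailing NULs (the strings are C strings).'''
    plain = rc4(key, base64.b64decode(b64_blob))
    return plain.rstrip(bytes(1)).decode('latin-1')

def encrypt_blob(text: str, key: bytes = STRING_KEY) -> str:
    '''Inverse of decrypt_blob; used here only to build constructed test blobs.'''
    return base64.b64encode(rc4(key, text.encode('latin-1') + bytes(1))).decode('ascii')

# A run of at least 8 Base64-alphabet characters plus optional padding, the
# shape the encrypted strings have in a strings dump of the unpacked payload.
B64_TOKEN = re.compile(r'[A-Za-z0-9+/]{8,}={0,2}')

def looks_printable(text: str) -> bool:
    return len(text) > 0 and all(32 <= ord(c) < 127 for c in text)

def recover_strings(dump_text: str, key: bytes = STRING_KEY) -> list[tuple[str, str]]:
    '''Try every Base64-looking token in dump_text under key and keep the ones
    that decrypt to printable ASCII. Tokens that are not valid Base64, or that
    were encrypted under another key (like the C2 address), are skipped.'''
    found = []
    for token in B64_TOKEN.findall(dump_text):
        try:
            plain = decrypt_blob(token, key)
        except ValueError:      # binascii.Error (bad padding) is a ValueError
            continue
        if looks_printable(plain):
            found.append((token, plain))
    return found

# Constructed sample: a fake strings dump of the unpacked payload.
C2_KEY = b'configkey123'        # constructed stand-in for the second RC4 key
SAMPLE_DUMP = ' '.join([
    'MZ', 'kernel32.dll',
    encrypt_blob('wininet.dll'),
    encrypt_blob('HttpSendRequestA'),
    encrypt_blob('machineId'),
    encrypt_blob('192.0.2.10', C2_KEY),   # C2 address under the other key (TEST-NET)
    'AAAAAAAAAA',                         # Base64 alphabet, but bad padding: skipped
])

if __name__ == '__main__':
    for token, plain in recover_strings(SAMPLE_DUMP):
        print(token, '->', plain)
    c2_token = encrypt_blob('192.0.2.10', C2_KEY)
    print('C2:', decrypt_blob(c2_token, C2_KEY))
```

Run recover_strings over the output of strings on the dumped payload to get the whole table at once; a CyberChef recipe of From Base64 followed by RC4 with the same key gives the same result for a single blob. Blobs encrypted under the second key do not pass the printable filter, which is how the C2 blob stands out from the rest, and is also why it needs its own call with its own key.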
Checking Mutex\r\nNext, the malware checks whether another instance of it is already running on the infected machine by opening a mutex named 8724643052. If OpenMutexW fails and returns NULL (no mutex of that name exists), the malware creates the mutex with that name and continues execution. If the call succeeds and returns a valid handle, another instance already holds the mutex and the malware exits.\r\nFigure 6. Checking for open mutex.\r\nSYSTEM Check and Process Enumeration\r\nThe malware also checks whether it is running as SYSTEM by comparing the current process’s token to the well-known SYSTEM SID, S-1-5-18.\r\nFigure 7. Malware checking if it is running with SYSTEM privileges.\r\nIf the malware is running as SYSTEM, it then calls a process enumeration function built on CreateToolhelp32Snapshot, Process32First, and Process32Next.\r\nFigure 8. Enumerating the processes on the infected machine.\r\nIf the malware is not running with SYSTEM privileges, it simply skips the process enumeration function and continues with its execution.\r\nHost GUID and Username\r\nBefore connecting to the C2 node, the malware retrieves the host’s GUID by querying the MachineGuid value under the SOFTWARE\\Microsoft\\Cryptography registry key.\r\nFigure 9. 
Retrieving the host GUID from the registry.\r\nThe malware also retrieves the current user’s username and copies it, along with the machine ID, onto the heap before contacting the C2 node.\r\nC2 Communication\r\nFirst the malware uses the WideCharToMultiByte API function to build all of the parameters it needs to connect to the C2 node, including the machineID, username, and configID parameters, which are sent to the C2 node in a POST request. Of note, the configID parameter is just the RC4 key that was used to decrypt the C2 IP address earlier in the execution.\r\nFigure 10. POST request to the C2 node containing the machineID, username, and configID parameters.\r\nThe malware then checks whether the response from the C2 node is longer than 0x3f (63 in decimal) characters. If it is, the malware continues execution. If not, the malware breaks out of the loop and exits.\r\nFigure 11. Checking the length of the C2 node’s response.\r\nUnfortunately, at the time I performed my analysis, the C2 IP address did not appear to be up anymore, as Shodan showed that port 3389 (RDP) was the only listening port. Assuming that the C2 node was still operational and able to communicate with the infected host, the C2 node would return several different DLLs for download to the infected host. Those DLLs would then be placed in the “C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data” folder, which is the current user’s Local Application Data folder in the Windows XP-style layout of the analysis machine (%LOCALAPPDATA% on newer Windows).\r\nFigure 12. 
Note the function setting the folder path before moving the downloaded DLLs to that path (C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data).\r\nFigure 13. Setting the folder path for the DLLs to be placed into.\r\nIt is at this point that the malware would perform the bulk of its stealing functionality, including cookies, passwords, credit card data, browser history, etc. [2] Some of this functionality would execute automatically, and some would require a command from an operator in control of the C2 node.\r\nConclusion\r\nIn conclusion, Raccoon Stealer v2 is a relatively simple, yet very capable, info stealer just like v1. Both versions of this stealer pose a threat to organizations of all types, as well as to individuals. The information stolen by this malware can be used to take over accounts of all types: financial, social media, corporate, etc.\r\nI hope you enjoyed this post, and that you’ll come back again! 
A follow and share would be super appreciated.\r\nFeedback is certainly welcome as well.\r\nReferences\r\n[1] https://www.bleepingcomputer.com/news/security/raccoon-stealer-is-back-with-a-new-version-to-steal-your-passwords/\r\n[2] https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/#h-mutex\r\nSource: https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8"
	],
	"report_names": [
		"raccoon-stealer-v2-malware-analysis-55cc33774ac8"
	],
	"threat_actors": [],
	"ts_created_at": 1775791285,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/319a41d5f954a95d93717e3ddae66c422af5fdf5.pdf",
		"text": "https://archive.orkl.eu/319a41d5f954a95d93717e3ddae66c422af5fdf5.txt",
		"img": "https://archive.orkl.eu/319a41d5f954a95d93717e3ddae66c422af5fdf5.jpg"
	}
}