{
	"id": "d5efad87-f1c6-427e-8035-08e81f128d76",
	"created_at": "2026-04-06T01:29:00.396627Z",
	"updated_at": "2026-04-10T13:11:34.969223Z",
	"deleted_at": null,
	"sha1_hash": "6998cad31b5fb0192308827f407adba208fccb62",
	"title": "Cyble - ​​Raccoon Stealer\u0026nbsp;Under the\u0026nbsp;Lens:\u0026nbsp;A\u0026nbsp;Deep-dive Analysis\u0026nbsp;\u0026nbsp;",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3734925,
	"plain_text": "Cyble - Raccoon Stealer\u0026nbsp;Under\r\nthe\u0026nbsp;Lens:\u0026nbsp;A\u0026nbsp;Deep-dive Analysis\u0026nbsp;\u0026nbsp;\r\nBy cybleinc\r\nPublished: 2021-10-21 · Archived: 2026-04-06 00:42:48 UTC\r\nA deep-dive analysis of the Raccoon variant of Stealer malware.\r\n \r\nStealer malware is becoming the weapon of choice for Threat Actors (TA) to steal credentials from victims’ devices.\r\nThis malware family has the capability to steal the cookies, credentials, credit card (CC) information, crypto wallets, and\r\nother sensitive details stored on the victim’s device. To accomplish this task, the malware uses various techniques to\r\nextract information from the victim’s machine.  \r\nCyble Research Labs has harvested the latest variant of Raccoon Stealer to study the stealer malware family behavior and\r\nthe techniques that it uses for infection. The TA behind the Raccoon Stealer has posted the malware’s capabilities on\r\na cybercrime forum, wherein he has mentioned that the malware can run on both 32- and 64-bit systems without .NET\r\ndependencies, and the logs are collected in RAM instead of the disk, among others.   \r\nSee Cyble in Action\r\nWorld's Best AI-Native Threat Intelligence\r\nhttps://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/\r\nPage 1 of 11\n\nFigure 1 TA Post on Cyber Crime Forum \r\nRacoon Stealer has been observed in the wild since April 2019. Until then, the TA behind the Stealer had been working\r\non enhancing the techniques used by this malware. At the time of writing this analysis, Virus Total has more than 9K\r\nsamples of Racoon Stealer with 5+ positive detection.  \r\nThe figure below shows the high-level execution flow of the Raccoon stealer malware. Initially, it connects to the TA’s\r\nTelegram channel to get the Command and Control (C\u0026C) IP. 
Further, the malware downloads the configuration data and\r\nother payloads/modules to extract the credentials from the victim’s device and conduct the data exfiltration.\r\nFigure 2 High-Level Execution Flow of the malware\r\nTechnical Analysis\r\nCyble Research Labs analyzed this sample. Upon performing the static analysis, we found that the malware is an x86\r\narchitecture Portable Executable (PE) binary written in C/C++ and compiled on 2020-06-24 05:58:17.\r\nFigure 3 Static Information of Malware\r\nUpon the initial execution of the malware in our research environment, we noticed that the malware was trying to\r\ncommunicate with the telegatt[.]top domain and did not show any other behavior, as shown in the figure below.\r\nFigure 4 Traffic Analysis of Malware\r\nUpon further investigation, we determined that the malware was trying to access the “jdiamond13” channel on\r\nTelegram using the services provided by telegatt[.]top, as shown in the figure below.\r\nFigure 5 TA’s Telegram channel\r\nThe figure below showcases the infection flow of the Raccoon Stealer malware.\r\nFigure 6 Infection flow of malware\r\nThe figure below depicts the process tree created by the malware.\r\nFigure 7 Process Tree created by malware\r\nAfter data exfiltration is completed, the Stealer removes its foothold by deleting its binaries and data files. The\r\nfollowing command is executed to perform the self-delete.
\r\ncmd.exe /C timeout /T 10 /NOBREAK \u003e Nul \u0026 Del /f /q\r\n“C:\\Users\\MalWorkstation\\Desktop\\e28a6d3bdcfdad9ff4c37e6c22c1a52018e5076ec65b128614bcf0e8eb711171.exe”\r\nCode Analysis and Debugging\r\nInitially, during the code analysis, Cyble Research Labs found that the malware was packed. The malware decrypts each\r\nsegment during execution, performs self-injection, and loads imports dynamically. The figure below shows that the\r\nmalware has created a new binary in newly allocated memory, and execution will be transferred to the\r\ndecrypted binary.\r\nFigure 8 Malware unpacking\r\nFurther, the malware performs a GET request to telegatt[.]top/jdiamond13 to access the Telegram bot profile page. If\r\nthe telegatt service is down, it uses other hardcoded domains to reach the profile, as shown in the figure below.\r\nFigure 9 Services to access TA’s Telegram channel\r\nThe malware copies the value “e7dd0fV46cjQG7jcdYm3TS3xk8CWP0R0zIw==25-v1f” from the Telegram bot\r\ndescription page shown in Figure 5, and then shifts characters to isolate the properly aligned\r\nencrypted data, i.e., “fV46cjQG7jcdYm3TS3xk8CWP0R0zIw==”.\r\nThe malware then uses RC4 to decrypt the above string with\r\nthe hardcoded key “c5d49434634bb8485382d61999573882”.\r\nA quick RC4 decryption revealed the C\u0026C URL, which is http[:]//185[.]163[.]45[.]162.\r\nFigure 10 Decryption of encrypted data received from TA’s Telegram channel\r\nOnce the malware has the C\u0026C URL, it generates a unique ID for the victim device, encrypts it with RC4\r\nusing the key “iV8+pT5$yP7{”, and then sends the unique ID to the attacker’s C\u0026C.
\r\nFigure 11 Victim’s Unique ID sent to C\u0026C\r\nAs shown in the figure below, once the C\u0026C receives the above Victim ID as a request, it sends the RC4-encrypted\r\nconfiguration data to the victim’s machine, which is then decrypted using the same key shown above.\r\nFigure 12 Encrypted Configuration data received from C\u0026C\r\nThe configuration data contains the details below, which the Stealer uses to perform further actions.\r\nConfiguration - Description\r\nURL Paths - URL paths to download additional modules\r\nVictim Details - IP, location, longitude, latitude, etc.\r\nBrowser Path - Various paths from which the stealer can extract sensitive details\r\nCrypto Wallet - Crypto wallet details for extraction\r\nTable 1 Configuration data\r\nUpon parsing the configuration file, the malware extracts the URL paths for the first module and sends a request to\r\ndownload the module.\r\nFigure 13 Additional Payload Download from C\u0026C\r\nUpon receiving the PE file as a response, the malware uses the CreateFile/WriteFile Application Programming Interface\r\n(API) to write the binary to the “AppData\\LocalLow” location as “sqlite3.dll”.\r\nFigure 14 Saving the PE file as sqlite3.dll\r\nAt this stage, the stealer copies various SQLite DB files from application locations, such as browsers, present on the victim\r\nmachine and then uses “sqlite3.dll” to parse and extract the sensitive contents from the DB files, as shown in the figure\r\nbelow.\r\nFigure 15 Malware Parsing the Browser SQLite DB file for credentials extraction\r\nLater, the malware sends another request to the C\u0026C URL to download the additional modules. The figure below shows\r\nthat the malware downloads the modules compressed as a ZIP file.
\r\nFigure 16 Additional payloads downloaded from C\u0026C\r\nThe figure below shows the additional modules (2nd modules) required by the Stealer to extract credentials.\r\nFigure 17 Modules required by malware for extraction of credentials.\r\nOnce the credential extraction is done, the Stealer creates a ZIP file and stores the victim’s credentials in it. Then, it sends\r\nthese credentials to the attacker’s C\u0026C, as shown below.\r\nFigure 18 Malware sends the victim’s details to the attacker’s C\u0026C\r\nIn the figure below, we can see the data uploaded by the malware to our emulated environment.\r\nFigure 19 Content received from malware\r\nThe figure below shows sample data that the Raccoon Stealer has uploaded to the C\u0026C.\r\nFigure 20 Sample Logs uploaded by Raccoon Stealer\r\nFinally, the malware calls the CreateProcess API to execute the self-destruct command.\r\ncmd.exe /C timeout /T 10 /NOBREAK \u003e Nul \u0026 Del /f /q\r\n\\”C:\\\\Users\\\\MalWorkstation\\\\Desktop\\\\xxx\\\\Fileexe.bin\\ \r\nCode for self-destruction\r\nFigure 21 Malware is calling command for self-delete.\r\nConclusion\r\nThreat Actors use similar kinds of stealer malware to steal sensitive data from victim devices. Presently, these Stealers\r\nare being misused for malicious purposes across the globe. The malware has been spread through pirated\r\nsoftware and phishing campaigns.\r\nIn the past, we have observed that the TAs behind such stealers have targeted many businesses via their employees to\r\nsteal credentials.\r\nCyble Research Labs will continuously monitor emerging threats and targeted cyber-attacks. 
\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We\r\nrecommend that our readers follow the suggestions given below:\r\n-Use strong passwords and enforce multi-factor authentication wherever possible.\r\n-Turn on the automatic software update feature on your computer, mobile, and other connected devices.\r\n-Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and\r\nmobile.\r\n-Refrain from opening untrusted links and email attachments without verifying their authenticity.\r\n-Conduct regular backup practices and keep those backups offline or on a separate network.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic - Technique ID - Technique Name\r\nInitial Access - T1566 - Phishing\r\nExecution - T1204 - User Execution\r\nCredential Access - T1555 - Credentials from Password Stores\r\nCredential Access - T1539 - Steal Web Session Cookie\r\nCredential Access - T1552 - Unsecured Credentials\r\nCollection - T1113 - Screen Capture\r\nDiscovery - T1087 - Account Discovery\r\nDiscovery - T1518 - Software Discovery\r\nDiscovery - T1057 - Process Discovery\r\nDiscovery - T1007 - System Service Discovery\r\nDiscovery - T1614 - System Location Discovery\r\nCommand and Control - T1095 - Non-Application Layer Protocol\r\nExfiltration - T1041 - Exfiltration Over C2 Channel\r\nIndicators of Compromise (IoCs):\r\nIndicators - Indicator type - Description\r\ne28a6d3bdcfdad9ff4c37e6c22c1a52018e5076ec65b128614bcf0e8eb711171 - SHA-256 - Raccoon Stealer\r\n/jdiamond13 - Channel Name - Telegram Bot ID for getting the C2 URL\r\nhttp[:]//185[.]163[.]45[.]162 - C\u0026C - C\u0026C URL\r\nAbout Us\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and\r\nexposure in the Darkweb. 
Its prime focus is to provide organizations with real-time visibility into their digital risk footprint.\r\nBacked by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top\r\n20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia,\r\nSingapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.\r\nSource: https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/"
	],
	"report_names": [
		"raccoon-stealer-under-the-lens-a-deep-dive-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775438940,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6998cad31b5fb0192308827f407adba208fccb62.pdf",
		"text": "https://archive.orkl.eu/6998cad31b5fb0192308827f407adba208fccb62.txt",
		"img": "https://archive.orkl.eu/6998cad31b5fb0192308827f407adba208fccb62.jpg"
	}
}