# Raccoon Stealer Under the Lens: A Deep-dive Analysis

**[blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/](https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/)**

October 21, 2021

Stealer malware is becoming the weapon of choice for Threat Actors (TAs) looking to harvest credentials from victims' devices. This malware family can steal cookies, saved credentials, credit card (CC) data, cryptocurrency wallets, and other sensitive information stored on the victim's machine, and it uses a range of techniques to extract that information.

Cyble Research Labs has harvested the latest variant of Raccoon Stealer to study the behaviour of this stealer family and the techniques it uses for infection. The TA behind Raccoon Stealer advertises its capabilities on a cybercrime forum, stating among other things that the malware runs on both 32- and 64-bit systems without a .NET dependency and that stolen logs are collected in RAM rather than written to disk.

_Figure 1 TA Post on Cyber Crime Forum_

Raccoon Stealer has been observed in the wild since April 2019, and the TA behind it has kept enhancing its techniques since then. At the time of writing, VirusTotal holds more than 9K Raccoon Stealer samples with five or more positive detections.

The figure below shows the high-level execution flow of the Raccoon Stealer malware. The malware first connects to the TA's Telegram channel to obtain the Command and Control (C&C) IP. It then downloads configuration data and additional payloads/modules, uses them to extract credentials from the victim's device, and exfiltrates the collected data.

_Figure 2 High-Level Execution Flow of the malware_

## Technical Analysis

Cyble Research Labs analyzed this sample.
Static analysis showed that the sample is an x86 Portable Executable (PE) binary written in C/C++ with a compile timestamp of 2020-06-24 05:58:17.

_Figure 3 Static Information of Malware_

On initial execution in our research environment, the malware attempted to communicate with the domain telegatt[.]top and showed no other behaviour, as shown in the figure below.

_Figure 4 Traffic Analysis of Malware_

Further investigation showed that the malware was reaching the "jdiamond13" channel on Telegram through the third-party Telegram front-end hosted at telegatt[.]top, as shown in the figure below.

_Figure 5 TA's Telegram channel_

The figure below shows the infection flow of the Raccoon Stealer malware.

_Figure 6 Infection flow of malware_

The figure below depicts the process tree created by the malware.

_Figure 7 Process Tree created by malware_

Once data exfiltration is complete, the Stealer removes its foothold by deleting its own binary and data files. It does so with the following command; the `timeout /T 10` delay gives the stealer process time to exit so that its image is no longer locked when `Del` runs:

```
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\MalWorkstation\Desktop\e28a6d3bdcfdad9ff4c37e6c22c1a52018e5076ec65b128614bcf0e8eb711171.exe"
```

### Code Analysis and Debugging

During code analysis, Cyble Research Labs found that the malware is packed. It decrypts each segment at run time, injects the result into its own process (self-injection), and resolves its imports dynamically. The figure below shows the malware building a new binary in freshly allocated memory; execution is then transferred to that decrypted binary.

_Figure 8 Malware unpacking_

The malware then issues a GET request to telegatt[.]top/jdiamond13 to fetch the Telegram bot's profile page. If the telegatt service is down, it falls back to other hardcoded domains to reach the same profile, as shown in the figure below.
_Figure 9 Services to access TA's Telegram channel_

The malware reads the value `e7dd0fV46cjQG7jcdYm3TS3xk8CWP0R0zIw25 v1f` from the Telegram bot's description page shown in Figure 5, strips the junk characters at either end (the leading `e7dd0` and the trailing `25 v1f`), and restores the base64 padding to obtain the actual encrypted data: `fV46cjQG7jcdYm3TS3xk8CWP0R0zIw==`. It base64-decodes this string and decrypts the result with RC4 using the hardcoded key `c5d49434634bb8485382d61999573882`. A quick RC4 decryption reveals the C&C URL: http[:]//185[.]163[.]45[.]162.

_Figure 10 Decryption of encrypted data received from TA's Telegram channel_

With the C&C URL in hand, the malware generates a unique ID for the victim device, encrypts it with RC4 using the key `iV8+pT5$yP7{`, and sends it to the attacker's C&C.

_Figure 11 Victim's Unique ID sent to C&C_

As shown in the figure below, once the C&C receives the victim ID, it responds with RC4-encrypted configuration data, which the malware decrypts with the same key.

_Figure 12 Encrypted Configuration data received from C&C_

The configuration data contains the following details, which the Stealer uses for its subsequent actions.

| Configuration | Description |
| --- | --- |
| URL Paths | URL paths from which additional modules are downloaded |
| Victim Details | IP, location, longitude, latitude, etc. |
| Browser Paths | File-system paths from which the stealer extracts sensitive data |
| Crypto Wallets | Cryptocurrency wallet details to extract |

_Table 1 Configuration data received from the C&C_

After parsing the configuration, the malware takes the URL path for the first module and requests it from the C&C.

_Figure 13 Additional Payload Download from C&C_

On receiving the PE file in the response, the malware writes it to disk with the CreateFile/WriteFile Application Programming Interface (API) calls, under "AppData\LocalLow" with the name "sqlite3.dll".
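The Telegram-description decoding and the RC4-wrapped victim-ID/configuration exchange described above, as an added worked example in Python (this is not code from the Cyble post or from the malware itself). The two RC4 keys and the description value are the ones quoted above; the 5-character prefix and 6-character suffix that `extract_cipher_b64` strips are an assumption inferred from the post's own before/after strings; `wrap_description`, `encrypt_checkin`, `decrypt_config`, and the sample victim ID and configuration text are constructed for the demonstration. The `keystream_reuse_leak` helper shows a consequence the post does not spell out: because one static RC4 key (a stream cipher) protects both directions, the XOR of the two ciphertexts equals the XOR of the two plaintexts.

```python
import base64

# Keys quoted in the post (Figure 10 and Figure 11).
TELEGRAM_RC4_KEY = b"c5d49434634bb8485382d61999573882"
SESSION_RC4_KEY = b"iV8+pT5$yP7{"

# Bot-description value quoted in the post (Figure 5), reproduced as shown there.
POST_DESCRIPTION = "e7dd0fV46cjQG7jcdYm3TS3xk8CWP0R0zIw25 v1f"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + PRGA). RC4 is symmetric: the same call
    encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_cipher_b64(description: str, prefix_len: int = 5, suffix_len: int = 6) -> str:
    """Drop the junk prefix/suffix around the base64 blob and restore '=' padding.
    The 5/6 offsets are an assumption inferred from the post's example
    (e7dd0 ... 25 v1f wrapped around fV46...zIw)."""
    core = description[prefix_len:len(description) - suffix_len]
    return core + "=" * (-len(core) % 4)


def recover_c2(description: str, key: bytes = TELEGRAM_RC4_KEY) -> str:
    """Telegram description -> base64 -> RC4 -> C2 URL."""
    raw = rc4(key, base64.b64decode(extract_cipher_b64(description)))
    return raw.decode("latin-1").rstrip("\x00")


def wrap_description(url: str, key: bytes = TELEGRAM_RC4_KEY,
                     prefix: str = "e7dd0", suffix: str = "25 v1f") -> str:
    """Inverse of recover_c2, used only to build a constructed test vector; the
    post does not publish the raw RC4 output, so nothing here depends on it."""
    b64 = base64.b64encode(rc4(key, url.encode())).decode().rstrip("=")
    return prefix + b64 + suffix


def encrypt_checkin(victim_id: str, key: bytes = SESSION_RC4_KEY) -> bytes:
    """Victim ID as sent to the C2: RC4 under the session key, per the post."""
    return rc4(key, victim_id.encode())


def decrypt_config(blob: bytes, key: bytes = SESSION_RC4_KEY) -> str:
    """Configuration response, RC4 under the same session key, per the post."""
    return rc4(key, blob).decode("latin-1")


def keystream_reuse_leak(ct_a: bytes, ct_b: bytes) -> bytes:
    """Same key in both directions => same RC4 keystream for both messages, so
    ct_a ^ ct_b == pt_a ^ pt_b. With a pcap and a known victim ID, that many
    bytes of the configuration fall out without the key."""
    return bytes(a ^ b for a, b in zip(ct_a, ct_b))


if __name__ == "__main__":
    # The post reports that the real description decrypts to the C&C IP;
    # verify that for yourself rather than trusting the offsets blindly.
    print("post description ->", recover_c2(POST_DESCRIPTION))
    demo = wrap_description("http://185.163.45.162")  # constructed vector
    print(demo, "->", recover_c2(demo))
```

If a later build changes how much junk surrounds the base64 blob, adjust `prefix_len`/`suffix_len` rather than the cipher; the RC4 keys are the part that tends to stay fixed across a campaign.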
_Figure 14 Saving the PE file as sqlite3.dll_

At this stage, the stealer copies the SQLite database files of applications present on the victim machine (browsers, for example) and uses "sqlite3.dll" to parse the copies and extract their sensitive contents, as shown in the figure below. Working on a copy avoids the lock a running browser holds on the live database file.

_Figure 15 Malware Parsing the Browser SQLite DB file for credentials extraction_

The malware then sends another request to the C&C URL to download additional modules. The figure below shows that these modules arrive compressed in a ZIP file.

_Figure 16 Additional payloads downloaded from C&C_

The figure below shows the additional (second-stage) modules the Stealer needs to extract credentials.

_Figure 17 Modules required by malware for extraction of credentials._

Once credential extraction is done, the Stealer packages the victim's credentials into a ZIP file and sends it to the attacker's C&C, as shown below.

_Figure 18 Malware sends the victims details to the attacker C&C_

The figure below shows the data the malware uploaded in our emulated environment.

_Figure 19 Content received from malware_

The figure below shows sample data that the Raccoon Stealer has uploaded to the C&C.

_Figure 20 Sample Logs uploaded by Raccoon Stealer_

Finally, the malware calls the CreateProcess API to run the self-destruct command (the path shown is from our sandbox run):

```
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\MalWorkstation\Desktop\xxx\Fileexe.bin"
```

_Figure 21 Malware is calling command for self-delete._

## Conclusion

Threat Actors use stealer malware of this kind to steal sensitive data from victim devices, and such Stealers are now being abused for malicious purposes across the globe. Raccoon Stealer has been spread through pirated software and phishing campaigns.
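The behaviours documented in the analysis above (the telegatt[.]top/jdiamond13 dead-drop lookup, the C&C IP, the sqlite3.dll write under AppData\LocalLow, and the timeout-then-Del self-delete command) translate directly into host-level detection logic. The following Python is an added example, not code from the Cyble post: the event dictionaries are constructed telemetry whose field names only loosely mimic Sysmon process/file/network events, the pids, user name and paths in them are invented, and the rule names are mine; the hash, hosts, channel path and command-line pattern come from the post.

```python
import re
from collections import defaultdict

# Indicators taken from the post (IoC table, Figures 4/5, Figure 14, Figure 21).
IOC_SHA256 = {"e28a6d3bdcfdad9ff4c37e6c22c1a52018e5076ec65b128614bcf0e8eb711171"}
IOC_C2_HOSTS = {"185.163.45.162"}
TELEGRAM_PROXY_HOSTS = {"telegatt.top"}
TELEGRAM_CHANNEL_PATH = "/jdiamond13"

# cmd.exe /C timeout /T <n> /NOBREAK > Nul & Del /f /q "<path>"
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+timeout\s+/t\s+\d+\s+/nobreak\s*>\s*nul\s*&\s*'
    r'del\s+/f\s+/q\s+"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)
SQLITE_DROP_RE = re.compile(r"\\AppData\\LocalLow\\sqlite3\.dll$", re.IGNORECASE)


def check_process(ev):
    """Delayed delete via cmd.exe; if the target is the parent's own image,
    attribute the hit to the parent pid, since cmd.exe is only the tool."""
    m = SELF_DELETE_RE.search(ev.get("cmdline", ""))
    if not m:
        return None
    target = m.group("target").strip()
    if target.lower() == ev.get("parent_image", "").lower():
        return ev["ppid"], "self_delete", target
    return ev["pid"], "delayed_delete", target


def check_file(ev):
    path = ev.get("path", "")
    if SQLITE_DROP_RE.search(path):
        return ev["pid"], "sqlite3_drop", path
    if ev.get("sha256", "").lower() in IOC_SHA256:
        return ev["pid"], "known_sample", path
    return None


def check_network(ev):
    host = ev.get("host", "").lower()
    if host in IOC_C2_HOSTS:
        return ev["pid"], "c2_contact", host
    if host in TELEGRAM_PROXY_HOSTS and ev.get("uri", "").startswith(TELEGRAM_CHANNEL_PATH):
        return ev["pid"], "telegram_dead_drop", host + ev["uri"]
    return None


HANDLERS = {"process": check_process, "file": check_file, "network": check_network}


def detect(events):
    """Run each event through the handler for its type; return (pid, rule, detail) hits."""
    hits = []
    for ev in events:
        handler = HANDLERS.get(ev.get("type"))
        hit = handler(ev) if handler else None
        if hit:
            hits.append(hit)
    return hits


def suspicious_pids(events, min_rules=2):
    """Pids that tripped at least min_rules distinct rules. A lone delayed
    delete is noisy (installers do it); the dead-drop + C2 + DLL drop +
    self-delete chain from one process is not."""
    rules = defaultdict(set)
    for pid, rule, _ in detect(events):
        rules[pid].add(rule)
    return {pid for pid, seen in rules.items() if len(seen) >= min_rules}


# Constructed telemetry (not from the post); fields loosely follow Sysmon EID 3/11/1.
SAMPLE_EVENTS = [
    {"type": "network", "pid": 4120, "host": "telegatt.top", "uri": "/jdiamond13"},
    {"type": "network", "pid": 4120, "host": "185.163.45.162", "uri": "/"},
    {"type": "file", "pid": 4120, "path": r"C:\Users\victim\AppData\LocalLow\sqlite3.dll"},
    {"type": "process", "pid": 4188, "ppid": 4120,
     "parent_image": r"C:\Users\victim\Desktop\invoice.exe",
     "cmdline": r'cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q '
                r'"C:\Users\victim\Desktop\invoice.exe"'},
    {"type": "network", "pid": 900, "host": "updates.example.com", "uri": "/x"},
    {"type": "process", "pid": 777, "ppid": 700, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /C timeout /T 5 /NOBREAK > Nul & Del /f /q "C:\Temp\old.log"'},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("suspicious pids:", suspicious_pids(SAMPLE_EVENTS))
```

The hash and IP checks are the brittle part: Raccoon is sold as a service, so every customer build has a different hash and C&C, while the dead-drop pattern, the LocalLow sqlite3.dll drop and the self-delete command line carry across builds and are the rules worth keeping.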
In the past, we have observed the TAs behind such stealers targeting many businesses through their employees in order to steal credentials. Cyble Research Labs will continue to monitor emerging threats and targeted cyber-attacks.

## Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:

- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backups and keep those backups offline or on a separate network.

## MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | [T1566](https://attack.mitre.org/techniques/T1566/) | Phishing |
| Execution | [T1204](https://attack.mitre.org/techniques/T1204/) | User Execution |
| Credential Access | [T1555](https://attack.mitre.org/techniques/T1555/) | Credentials from Password Stores |
| Credential Access | [T1539](https://attack.mitre.org/techniques/T1539/) | Steal Web Session Cookie |
| Credential Access | [T1552](https://attack.mitre.org/techniques/T1552/) | Unsecured Credentials |
| Collection | [T1113](https://attack.mitre.org/techniques/T1113/) | Screen Capture |
| Discovery | [T1087](https://attack.mitre.org/techniques/T1087/) | Account Discovery |
| Discovery | [T1518](https://attack.mitre.org/techniques/T1518/) | Software Discovery |
| Discovery | [T1057](https://attack.mitre.org/techniques/T1057/) | Process Discovery |
| Discovery | [T1007](https://attack.mitre.org/techniques/T1007/) | System Service Discovery |
| Discovery | [T1614](https://attack.mitre.org/techniques/T1614/) | System Location Discovery |
| Command and Control | [T1095](https://attack.mitre.org/techniques/T1095/) | Non-Application Layer Protocol |
| Exfiltration | [T1041](https://attack.mitre.org/techniques/T1041/) | Exfiltration Over C2 Channel |

## Indicators of Compromise (IoCs)

| Indicator | Indicator type | Description |
| --- | --- | --- |
| e28a6d3bdcfdad9ff4c37e6c22c1a52018e5076ec65b128614bcf0e8eb711171 | SHA256 | Raccoon Stealer |
| /jdiamond13 | Channel Name | Telegram bot ID used to obtain the C2 URL |
| http[:]//185[.]163[.]45[.]162 | C&C | C&C URL |

## About Us

[Cyble](https://cyble.com/) is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit [www.cyble.com](https://cyble.com/).