{
	"id": "563df4e3-4c73-4569-a8d8-afafb2545fec",
	"created_at": "2026-04-06T00:09:36.515479Z",
	"updated_at": "2026-04-10T03:21:57.425491Z",
	"deleted_at": null,
	"sha1_hash": "deee97958fad3230f49814add391771437fe375a",
	"title": "Agent Racoon (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 30183,
	"plain_text": "Agent Racoon (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 13:29:42 UTC\r\nAgent Racoon\r\nAgent Racoon is a .NET-based backdoor malware that leverages DNS for covert C2 communication, employing randomized subdomains and Punycode encoding to evade detection. It features encrypted communication using a unique key per sample, supports remote command execution, and facilitates file transfers. Despite lacking an inherent persistence mechanism, it relies on external methods like scheduled tasks for execution. The malware, active since at least 2020, has targeted organizations in the U.S., Middle East, and Africa, including non-profits and government sectors. It disguises itself as legitimate binaries such as Google Update and MS OneDrive Updater, using obfuscation techniques like Base64 encoding and timestamp modifications to avoid detection.\r\nReferences\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_racoon",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_racoon"
	],
	"report_names": [
		"win.agent_racoon"
	],
	"threat_actors": [],
	"ts_created_at": 1775434176,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/deee97958fad3230f49814add391771437fe375a.pdf",
		"text": "https://archive.orkl.eu/deee97958fad3230f49814add391771437fe375a.txt",
		"img": "https://archive.orkl.eu/deee97958fad3230f49814add391771437fe375a.jpg"
	}
}