{
	"id": "d4569585-6237-42a6-af1b-5ebd7d0c46a9",
	"created_at": "2026-04-06T01:30:59.491538Z",
	"updated_at": "2026-04-10T03:21:06.849119Z",
	"deleted_at": null,
	"sha1_hash": "e552089c3e3ef1d344fe1499b171b404d8e3a4d6",
	"title": "Raccoon Infostealer Malware Returns with New TTPS – Detection \u0026 Response - Security Investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 119567,
	"plain_text": "Raccoon Infostealer Malware Returns with New TTPS – Detection \u0026 Response - Security Investigation\r\nBy BalaGanesh\r\nPublished: 2022-08-18 · Archived: 2026-04-06 00:10:39 UTC\r\nRaccoon is an info-stealer sold as malware-as-a-service on underground forums since early 2019. It is offered on a subscription basis for $200 per month. Raccoon has already infected over 100,000 devices and became one of the most mentioned malware families on the underground forums.\r\nRaccoon is a robust stealer that collects passwords, cookies, and autofill data from browsers, and it also supports theft from cryptocurrency wallets. It is typically delivered through phishing campaigns or exploit kits.\r\nMalware Spread:\r\nFirst, the malware binary is dropped into the user's Temp directory under a random name, here “\\AppData\\Local\\Temp\\ecc322f22da7cee63fb2ee0bfd5df59c.exe” (the same value appears in the hash list below). It then leverages RegSvcs.exe, a genuine Microsoft-signed component of the .NET Framework located at C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe. Because the network and file activity that follows runs under the name of a legitimate Microsoft binary, the detection queries below key on RegSvcs.exe combined with executables and drop paths under AppData, not on the process name alone.\r\nhttps://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/\r\nPage 1 of 4\r\nThe malicious file ecc322f22da7cee63fb2ee0bfd5df59c.exe runs as a background process and executes RegSvcs.exe.\r\nRegSvcs.exe then connects to the C2 server and downloads a further DLL from http://85[.]192.63.46/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll, writing it to “C:\\Users\\Balaganesh\\AppData\\LocalLow\\nss3.dll”. Note that this second stage lands in AppData\\LocalLow rather than AppData\\Local\\Temp, so a file-creation rule that only watches Temp will miss it.\r\nThe downloaded nss3.dll enables the theft of passwords, cookies, and autofill data from browsers. nss3.dll is also the file name of Mozilla's legitimate NSS library, which a stealer needs in order to decrypt Firefox-family credential stores, so the name on its own is not an indicator; the anomaly is a copy fetched by RegSvcs.exe over HTTP into a user-writable AppData folder.\r\nOther DLLs are dropped into the same AppData\\LocalLow folder, for example “C:\\Users\\Balaganesh\\AppData\\LocalLow\\mozglue.dll”; the mozglue.dll object may contain Bitcoin addresses and supports cryptocurrency wallet theft.\r\nData Exfiltration\r\nStolen data is sent to the attackers’ IP addresses with HTTP POST requests: http://85[.]192.63.46/ ASN (Informacines sistemos ir technologijos, UAB) \u0026 http://85[.]192.63.46/ ASN (JSC Digital Network)\r\nIndicators of Compromise\r\nIPs:\r\nhttp://85[.]192.63.46/\r\nhttp://88[.]119.170.241/\r\nFile hashes (MD5):\r\n51c33c00a3823180a7b39ab838542d9d\r\n7a1618c1616dae2aa4402b2f9f0febc7\r\n1de2a5e94f070e9d6e8d70fe63e87175\r\nc8f9b86af75c8cb9f973683dbee27f93\r\n704cb6b7d8863165857bca2c33283fa0\r\ne490eacd7d52073891790cd3411a1221\r\n52b4394897b2ddd3c47ec410ea1ff869\r\n2eb2d4dc60b185e1961746b120d45f97\r\necc322f22da7cee63fb2ee0bfd5df59c\r\nDetection Queries (each query is cut off at the right margin in the archived copy and must be completed before use):\r\nSplunk:\r\nsource=\"WinEventLog:*\" AND ((Image=\"*\\*.exe\") AND Image=\"*\\\\RegSvcs.exe\" AND TargetFilename=\"*\\\\AppData\\\\Local\\\r\nQRadar:\r\nSELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and\r\nElastic Query:\r\n(process.executable.text:*\\*.exe AND process.executable.text:*\\\\RegSvcs.exe AND file.path.text:*\\\\AppData\\\\Loca\r\nCarbonBlack:\r\n(process_name:*\\*.exe AND process_name:*\\\\RegSvcs.exe AND filemod_name:*\\\\AppData\\\\Local\\\\Temp\\*.exe* AND filem\r\nCrowdStrike:\r\n(((ImageFileName=\"*\\*.exe\") AND ImageFileName=\"*\\\\RegSvcs.exe\") AND (TemporaryFileName=\"*\\\\AppData\\\\Local\\\\Temp\r\nGraylog:\r\n(Image.keyword:*\\*.exe AND Image.keyword:*\\\\RegSvcs.exe AND TargetFilename.keyword:*\\\\AppData\\\\Local\\\\Temp\\*.ex\r\nLogpoint:\r\n(Image IN \"*\\*.exe\" Image=\"*\\\\RegSvcs.exe\" TargetFilename=\"*\\\\AppData\\\\Local\\\\Temp\\*.exe*\" TargetFilename IN \"*\r\nMicrosoft Defender:\r\nDeviceProcessEvents | where ((FolderPath matches regex @\".*\\.*\\.exe\") and FolderPath endswith @\"\\RegSvcs.exe\" a\r\nMicrosoft Sentinel:\r\nSecurityEvent | where EventID == 1 | where ((NewProcessName matches regex '(?i).*\\.*.exe') and NewProcessName\r\nSumoLogic:\r\n(_sourceCategory=*windows* AND (Image = \"*\\*.exe\") AND Image=\"*\\RegSvcs.exe\" AND (\"\\AppData\\Local\\Temp\\\" AND \"\r\nGoogle Chronicle:\r\ntarget.process.file.full_path = /.*\\\\.*\\.exe$/ and target.process.file.full_path = /.*\\\\RegSvcs\\.exe$/ and targ\r\nSecuronix:\r\nindex = archive AND (rg_functionality = \"Microsoft Windows\" AND ((@customstring54 = \"**.exe\") OR (@destinationp\r\nSource: https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/"
	],
	"report_names": [
		"raccoon-infostealer-malware-returns-with-new-ttps-detection-response"
	],
	"threat_actors": [],
	"ts_created_at": 1775439059,
	"ts_updated_at": 1775791266,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e552089c3e3ef1d344fe1499b171b404d8e3a4d6.pdf",
		"text": "https://archive.orkl.eu/e552089c3e3ef1d344fe1499b171b404d8e3a4d6.txt",
		"img": "https://archive.orkl.eu/e552089c3e3ef1d344fe1499b171b404d8e3a4d6.jpg"
	}
}
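The infection chain described in the record's Malware Spread section (random-named .exe in AppData\Local\Temp spawning RegSvcs.exe, RegSvcs.exe talking to the listed C2 and writing nss3.dll into AppData\LocalLow) and the behavioural logic that the vendor queries express, implemented as one small Python rule set run over Sysmon-style events. This is an added example, not the article's or any SIEM vendor's code: the field names follow Sysmon (EventID, Image, ParentImage, TargetFilename, DestinationIp, Hashes), the event records are constructed for illustration, the placeholder hash for RegSvcs.exe is not a real file hash, and the rule names, the Alert type and the benign-installer scenario are assumptions.

```python
"""Raccoon-style RegSvcs.exe abuse: IOC and behaviour rules over Sysmon-like events.

Added example for this page (not the article's or any vendor's code). Event
records, rule names and the benign scenario are constructed assumptions.
"""
import re
from dataclasses import dataclass

# IOCs as listed in the report: MD5 hashes and the two C2 IP addresses.
RACCOON_MD5 = {
    "51c33c00a3823180a7b39ab838542d9d", "7a1618c1616dae2aa4402b2f9f0febc7",
    "1de2a5e94f070e9d6e8d70fe63e87175", "c8f9b86af75c8cb9f973683dbee27f93",
    "704cb6b7d8863165857bca2c33283fa0", "e490eacd7d52073891790cd3411a1221",
    "52b4394897b2ddd3c47ec410ea1ff869", "2eb2d4dc60b185e1961746b120d45f97",
    "ecc322f22da7cee63fb2ee0bfd5df59c",
}
RACCOON_C2 = {"85.192.63.46", "88.119.170.241"}

# Path patterns the vendor queries express: RegSvcs.exe as the image, an .exe
# under AppData\Local\Temp, and a DLL written under AppData\LocalLow.
REGSVCS = re.compile(r"\\RegSvcs\.exe$", re.IGNORECASE)
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
LOCALLOW_DLL = re.compile(r"\\AppData\\LocalLow\\[^\\]+\.dll$", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    detail: str


def md5_from_hashes(hashes: str):
    """Pull the MD5 out of a Sysmon Hashes field such as 'SHA256=..,MD5=..'."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "MD5":
            return value.strip().lower()
    return None


def evaluate(events):
    """Run the four rules over a list of event dicts and return the alerts."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "")
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            if REGSVCS.search(image) and TEMP_EXE.search(ev.get("ParentImage", "")):
                alerts.append(Alert("regsvcs_spawned_from_temp", 1, ev["ParentImage"]))
            md5 = md5_from_hashes(ev.get("Hashes", ""))
            if md5 in RACCOON_MD5:
                alerts.append(Alert("known_raccoon_hash", 1, md5))
        elif eid == 3:  # network connection
            if REGSVCS.search(image) and ev.get("DestinationIp") in RACCOON_C2:
                alerts.append(Alert("regsvcs_to_raccoon_c2", 3, ev["DestinationIp"]))
        elif eid == 11:  # file creation
            target = ev.get("TargetFilename", "")
            if REGSVCS.search(image) and (TEMP_EXE.search(target) or LOCALLOW_DLL.search(target)):
                alerts.append(Alert("regsvcs_dropped_file", 11, target))
    return alerts


REGSVCS_PATH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
DROPPER = r"C:\Users\Balaganesh\AppData\Local\Temp\ecc322f22da7cee63fb2ee0bfd5df59c.exe"

# Constructed chain following the report's narrative; the MD5 given for the
# Microsoft binary is a placeholder, not a real hash.
RACCOON_EVENTS = [
    {"EventID": 1, "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "MD5=ECC322F22DA7CEE63FB2EE0BFD5DF59C"},
    {"EventID": 1, "Image": REGSVCS_PATH, "ParentImage": DROPPER,
     "Hashes": "MD5=00000000000000000000000000000000"},
    {"EventID": 3, "Image": REGSVCS_PATH, "DestinationIp": "85.192.63.46", "DestinationPort": 80},
    {"EventID": 11, "Image": REGSVCS_PATH,
     "TargetFilename": r"C:\Users\Balaganesh\AppData\LocalLow\nss3.dll"},
]

# Constructed benign use (assumed scenario): an installer launching RegSvcs.exe
# from System32, and the tool writing a log outside AppData, must not alert.
BENIGN_EVENTS = [
    {"EventID": 1, "Image": REGSVCS_PATH, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},
    {"EventID": 11, "Image": REGSVCS_PATH, "TargetFilename": r"C:\Windows\Temp\setup.log"},
]

if __name__ == "__main__":
    for a in evaluate(RACCOON_EVENTS):
        print(f"ALERT {a.rule:26} EID={a.event_id} {a.detail}")
    print("benign alerts:", evaluate(BENIGN_EVENTS))
```

The hash and IP rules are brittle by design (the report's own IOCs change with every build), so the two path-based rules carry the weight: RegSvcs.exe is a signed Microsoft utility and legitimately runs from installers, but it has no reason to be started by an executable living in AppData\Local\Temp or to create DLLs under AppData\LocalLow. Feeding real Sysmon JSON into evaluate() only requires mapping your pipeline's field names onto the ones used here.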