Recently, a malware campaign was observed to be using YouTube and Crack Software downloading sites, to push infostealers, primarily the Raccoon malware.

This malware is also known as Raccoon Stealer or Racealer or Mohazo and is one of the most prevalent types of information stealers. Raccoon was 1st introduced in November 2019. As the name implies, the Raccoon steals personal sensitive information from its victims. 

Figure 1: Raccoon_Recent_Update

In this blog, we are going to give an in-depth analysis of the latest Racoon stealer sample which is Raccoon Stealer 1.8.2 at the time of writing this blog.


Raccoon mostly performs stealing activities such as grabbing System details,Credentials/passwords,Browser credentials,CryptoWallets etc.

Analysed Sample MD5


The samples analyzed were compiled with VC++. It consists of 4 sections. ‘.text’,’.data’,’.rsrc’,’.reloc’. It was found that the text section has a high entropy indicating a packed file.

The unpacking begins with the malware employing TEA ( Tiny encryption algorithm ) to decrypt itself and write to a new memory region. This decrypted data has yet another level of decryption resulting in an exe executed after overwriting the actual payload. It then proceeds to perform its primary activity which is to steal data.The malware distributors use different types of packers/protectors for evading security products.

Figure 2: Suspicious_debug_path

In this, the malware initially allocates some memory using GlobalAlloc() API.

Figure 3: Allocating the memory using GlobalAlloc()

And  it copies some bytes from its text section having a size of  0x4BDB0.

The copy is done as shown in Figure 4 and the dump is as shown in Figure 5.

Figure 4: Copy bytes from text section in allocated memory
Figure 5: Copied bytes in memory dump

Once the counter value reaches 0x4BDB0, the loop breaks and gets into another function where the decryption takes place. This is done using Tiny Encryption Algorithm.

Figure 6: Tiny Encryption Algorithm

From Figure 7, we can see that it stores 2 key values and starts decrypting the value from the dump which was initially created. The decrypted values are stored in the same dump location. It loops 32 times (0x20) for decryption to take place. Once it reaches 32 times, it stores the DWORD value in the dump. The dump after decryption is shown in Figure 8.

Figure 7: Crypt Routine
Figure 8: Memory dump after decrypt

Once it decrypts the bytes onto the memory, the execution sequence is passed over to the dumped data.. From Figure 9 we can see that there is a relative jump.

Figure 9: Jump address takes instruction pointer to memory for execution
Figure 10: Second Crypt Routine

Once the decryption is completed, the dump in memory comes to execution.The above figure represents the entrypoint of the memory dump created and second level of decryption happening in the memory. It is done by  XOR operation (byte to byte). After decrypting the bytes one by one , we can see an MZ is created in the dump after some bytes. It tries to copy the file from this dump to another memory location. So it allocates the memory to create a file using VirtualAlloc(). After that, it copies the bytes from MZ in a newly allocated memory.The memory dump is shown in Figure 11. 

Figure 11: Memory Dump after SecondCrypt

Then, it alters the original file by filling it with 0x00. Figure 12 shows the changes taking place in memory.

Figure 12: Original File Modification

After the modification is completed, the execution takes place. This binary was actually doing stealer activity. Initially, it connects with the C2 server where the C2 ip is “”. Also, it connects to a malicious ip and performs HTTP connection[GET/POST]. There is a json file which looks like a configuration file. Once the C2 connection is established, it downloads a zip file which contains some dll modules. This will help the stealer to steal information from the infected victim’s machine. After collecting the details from the victim’s machine, it zips the collected information and posts it to the C&C. In the below figure we can see a telegram channel “agrybirdsgamerept”.

Figure 13: Malicious ip (HTTP GET/POST)

Json file consists of following details like 

  • Botnet Id of the victim
  • Location
  • IP address
  • Browser Cookies
  • Wallets 
  • Bitcoin Address
  • Social communicating apps like stream,Telegram (Webogram) etc. 

Figure 14 gives  a brief idea like what this stealer is trying to grab and what additional features are added in this variant. It consists of following details like 

  •  ‘_id ‘_which refers to infected botnet id created after infection
  • ‘au’_refers to url of the C2 server to download attachments
  • ‘ip‘_refers to the ip address of the infected machine
  • ‘Location’_refers to the location of the infected machine and some system details
  • ‘rm’_refers to self-removal is enabled (i.e. self-destruction)
  • ‘stm’ _refers to access enabled from Steam Application
  • ‘tg ’_refers to access enabled from Telegram
Figure 14: JSON file having system config details

It checks for wallets like ‘Binance’, ’Atomic’, ’Daedalus’, ’electrum’, ’Electrum-LTC’, ’ElectronCash’, ’Partitio’,’Blockstream’,’Guarda’,’JaxxLiberty’,’Jaxx’,’MyMonero’,’Wasabi’,’Monero’,’Ledr_Live’. Also it looks for information being transferred via Telegram app. It also steals passwords of  gaming accounts through steam applications.

Figure 15: Checks for a list of wallets,keys,passwords,account details

Also, it searches for cryptowallet address like  ‘MetaMask’, ’Brave’, ’Ronin’, ’TronLink’, ’BinanceChain, ’MyEtherWalletCX’, ’Guarda’, ’Yoroi’, ’Math’, ’Equal’, iWallet’, ’JaxxLiberty’, ’WomBat’, ’Nifty, ’Phantom’, ’GuildWallet, ’SaturnWallet’, ’Liquality’, ’TerraStation’, ’keplr’, ’Neoline’, ’PolymeshWallet’, ’CloverWallet’, ’Sollet’, ’ICONex’, ’Temple’, ’coin98’, ’Tezbox’, ’KHC’, ’AuroWallet’, ’coinbase’, ’cyanowallet’.

Figure 16: Checks for a list of wallets

It also checks for data from various browsers and apps like”edge”, “chrome”, “chromeBeta”, “chromeSxS”, “chromium”, “xpom”, “comodo”, “amigo”, “orbitum”, “bromium”, “brave”, “nichrome”, “rockmelt”, “360browser”, “vivaldi”, “go”, “sputnik”, “kometa”, “uran”, “qipSurf”, “epicprivacy”, “coccoc”, “7star”, “elements”, “torbro”, “saferbrowser”, “mustang”, “superbird”, “chedot”, “torch”, “UC Browser”, “QQ Browser”, “opera”,”thunderbird”.

        Figure 17: Extract details related to browser data like cookies, user data, login data

Network Activity

It tries to download a PE module from a malicious ip (C&C server).

Figure 18: HTTP connection established with C&C server(GET/POST)
Figure 19: Downloads PE module from C&C server
Figure 20: Stolen data compressed as zip and sent to C&C server(Http/POST)

Figure 21 indicates the list of some legitimate dll’s which were downloaded from the C2 server to extract the information from the compromised systems. These modules provide the same code routines used by clean applications to extract stored credentials/data from the machine. In effect, Raccoon utilizes the trusted application to evade detection.

Figure 21: Legitimate dlls downloaded  by malware to extract details from compromised systems

We at K7 have detection for these kinds of malware. Use a reputed security product like K7 Total Security. Ensure your security product is updated to get the latest definitions.

Indicators of Compromise (IOCs)

MD5 : F1521FF38743CA05CC8C6F25CD95309C 
K7 Detection Name: Trojan ( 0058990a1 )


“cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q “C:\Users\admin\AppData\Local\Temp\*** exe”
Defensive Evasion
Credential Access
Steal web cookies
Credentials from web browsers
Credentials from password stores
Unsecured credentials ( passwords, account details in text files or bills )
Discovers system info and query registries
CryptoWallet related texts
Info related to Security settings
History /Screen Capture Feature is Enabled/Disabled
Email Collection
Telegram messenger

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Raccoon-The Info Stealer”