FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.


Raccoon Stealer is an information-stealing trojan distributed under a Malware-as-a-Service (MaaS) model for $75/week or $200/month. Once access has been purchased, a threat actor is given access to an admin panel, which lets them customize the malware, retrieve logs stolen through their deployments of the tool, and create new builds of the malware. The service has been sold on underground forums since early 2019. The stealer suddenly and temporarily halted operations in March 2022, assumed (unverified) to be due to the loss of a developer in the Russian conflict in Ukraine. Prior to this pause in operations, a user profile (username: raccoonstealer) related to the Raccoon Stealer service stated on the Russian-language cybercrime forum 'Exploit', “Don’t say goodbye forever” and “they are working on second version”.

Since this operational pause, the FortiGuard Threat Research team has identified a new post from ‘racconstealer’ on the ‘Exploit’ forum advertising a credential stealer named 'Raccoon Stealer 2.0'. The stealer is an updated version of the original Raccoon Stealer. The user mentions having set up a beta version of the stealer, which has received positive responses from regular clientele on the forum.



Figure 1. Raccoon Stealer 2.0 underground forum post outlining details of the Raccoon Stealer 2.0 malware. The post is in Cyrillic (Russian); a translated summary of its contents is given below.


The new version of Raccoon Stealer appears to have been rewritten from scratch, retaining the old features while improving the appearance and functionality of the admin dashboard. According to the developer, this has reduced the size of the build and made the logs more informative. The following features were said to be present in the new version of the malware (translated from the original post shown above):

  • The build has been rewritten in C++ and can now send the collected logs dynamically in separate parts, reducing the risk of losing the information if the build is flagged by antivirus
  • Smaller build size of 55 kB, as opposed to the previously hefty 580 kB build
  • Common proxies have been replaced, reducing the lag in dynamic transmission of the log files
  • Users can patch the build with up to 5 unique IP addresses and can monitor them from the admin panel
  • Logs can be sent directly to one's Telegram account via the new Telegram bot
  • Build now supports collecting data from almost all browsers
  • The decryption of passwords and cookies is now performed on the server-side
  • Addresses on crypto wallets such as Coinbase, MetaMask, Brave, and Ronin, are now recognized automatically, with Phantom browser to follow suit.
  • SSL support added
  • Modern and minimal style
  • Flexibility in the search system
  • Mass deletion from the dashboard itself
  • News and Comments sections added
  • Frequently Asked Questions (FAQ) section
  • A statistical representation of logs
  • The actor has quoted a price of $150 USD per week, $275 USD per month, and an additional $50 USD for a unique build with an additional tag.


Figure 2. Raccoon Stealer v2.0 Admin dashboard acquired by FortiRecon researchers.


The screenshots and darknet post information above are excerpts from a report on Raccoon V2 created by the FortiRecon team. For FortiRecon subscribers, the detailed Threat Intelligence report can be accessed at


Understanding a Raccoon Stealer Intrusion

When the Raccoon Stealer malicious file is executed by the targeted user, the created process communicates with its command and control (C2) server and attempts to download additional DLL files required to support the stealer's functions. The attack diagram for this whole process is shown in Figure 3 below. To demonstrate FortiEDR’s ability to detect post-execution behavior, we executed the sample in a test environment with FortiEDR in log-only mode. In protect mode, FortiEDR blocks all activity that results in the creation of a security event.



Figure 3. Raccoon V2 attack diagram.


The most common distribution method observed by the FortiGuard Responder team is through fake cracked-software websites. This differs from the more common phishing-based attacks we see with other stealers such as Agent Tesla and RedLine. One such sample is still being served through an active fake website and was retrieved and analyzed as part of this article. Every software download link on this website redirects to a <7 alpha numeric characters>.cfd link, which in turn provides a MediaFire link to the final RAR file. All of the RAR files follow the naming pattern PA$$w0rds_1234__MainFiles<1number>—<2alphanumeric>.rar



Figure 4. Malicious setup download steps for the fake cracked-software download that results in a Raccoon Stealer payload.


The downloaded RAR file is password protected and contains two files: a text file named “PA$$W0RDz is ==  1234.txt” and an executable named “SetupsCracked1.exe”. Whichever cracked-software download link the user clicks on this website, the same file is downloaded. When the enclosed executable is run, FortiEDR detects and mitigates the attempted execution. The event is detected by the “Suspicious File Detected” rule within the ‘Execution Prevention’ security policy. An example of one of these generated security events is shown in Figure 5 below.


Figure 5. FortiEDR Execution Prevention policy event related to user execution of Raccoon V2.


FortiEDR also detects and mitigates the malware sample’s attempts to communicate with its C2. This block triggers two rules, “PUP - Potentially Unwanted Program” and “Suspicious Packer”, both under the Exfiltration Prevention policy. The event generated as part of our analysis can be seen in Figure 6 below.


Figure 6. Raccoon V2 C2 connection blocked.


The main Raccoon Stealer executable contains a number of strings that are stored encrypted in the file on disk and decrypted at runtime. The strings are base64 encoded and then encrypted with the RC4 encryption algorithm. The RC4 key is stored in the executable itself; in the case of this sample the key was “edinayarossiya”. A blog by ZeroFox Intelligence on Raccoon Stealer notes that, translated, Edinaya Rossiya means “United Russia,” which is currently the largest political party in Russia.[1]

The malware's C2 IP address is also hardcoded in the executable in the same encrypted form, but with a separate encryption key, which in our case was “403f7b121a3afd9e8d27f945140b8a92”. This can be observed in Figure 7, where the file was run under a debugger for analysis.
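As an added illustration (not code from the article, the malware or Fortinet), the following Python implements the base64-plus-RC4 layering described above so that an analyst can decode such strings from a memory dump, using the two keys quoted in the article. The encrypted blobs are constructed here for the demo, the C2 value is a placeholder address, and the order of the two steps follows the article's description.

```python
import base64

# Keys quoted in the article for the analyzed sample: one for the generic
# strings, a separate one for the C2 address.
STRING_KEY = b"edinayarossiya"
C2_KEY = b"403f7b121a3afd9e8d27f945140b8a92"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). The cipher is symmetric: the same call
    encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(blob: bytes, key: bytes = STRING_KEY) -> str:
    """Undo the layering as the article describes it (base64, then RC4):
    RC4-decrypt the stored blob, then base64-decode the result. If a sample
    turns out to apply the steps in the other order, swap these two calls."""
    return base64.b64decode(rc4(key, blob)).decode("utf-8")


def encrypt_string(plaintext: str, key: bytes = STRING_KEY) -> bytes:
    """Inverse of decrypt_string; only used here to build demo blobs."""
    return rc4(key, base64.b64encode(plaintext.encode("utf-8")))


# Constructed blobs for the demo (not bytes taken from the real binary). The C2
# value uses a TEST-NET-1 placeholder address, not the sample's actual C2.
SAMPLE_STRING_BLOB = encrypt_string("Local Extension Settings")
SAMPLE_C2_BLOB = encrypt_string("http://192.0.2.10/", C2_KEY)


if __name__ == "__main__":
    print(decrypt_string(SAMPLE_STRING_BLOB))
    print(decrypt_string(SAMPLE_C2_BLOB, C2_KEY))
```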



Figure 7. C2 IP runtime decryption while debugging the executable. Analyzed with the x32dbg tool[2].


The malware creates a unique machine ID for the infected machine and sends this machine ID, the username and the hard-coded encryption key (in the field ‘configId’) as parameters when connecting to the C2 server. The machine ID is unique per infected host and does not change even if the malware is executed multiple times on the same host. The C2 IP address is encrypted with this same encryption key in the malware sample. The malware sends this data via an HTTP POST request like the example shown in Figure 8 below.



Figure 8. HTTP POST request made to the Raccoon C2.


The C2 server then sends a configuration to the malware sample. This configuration has a custom but plain-text format: {Field-category}_{Field-name}:{Field-Value}. Examples of each type of config entry are shown in Table 1 below.

Config Component | Description
(not shown) | Firefox DLL library file name and URL for download
"sstmnfo_System Info.txt:System Information:" | Collect system information
"|Installed applications:|" | Get list of installed applications
(not shown) | Firefox DLL library file name and URL download address
"wlts_daedalus:Daedalus;26;Daedalus Mainnet;*;log*,*cache,chain,dictionar*" | Collect data from the Daedalus wallet software
"ews_metax:mcohilncbfahbmgdjkbpemcciiolgcge;MetaX;Local Extension Settings" | Collect data from the MetaX browser extension
(not shown) | Take a screenshot of the computer and send it as a JPEG file
"tlgrm_Telegram:Telegram Desktop\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps*" | Collect data from the Telegram chat software
(not shown) | Page address used for exfiltration

Table 1. C2 configuration explanations.
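The parser below is an added example, not part of the article or of any Fortinet tooling, showing how an analyst could split a captured configuration of this {Field-category}_{Field-name}:{Field-Value} format into its parts for triage. The sample text is constructed from the entries reproduced in Table 1, and the category labels are assumptions based on how the article describes each entry.

```python
import re
from collections import defaultdict

# Constructed configuration text (not a real C2 capture) built from the entries the
# article reproduces in Table 1; the "|Installed applications:|" line deliberately
# does not follow the {category}_{name}:{value} layout.
SAMPLE_CONFIG = "\n".join([
    "sstmnfo_System Info.txt:System Information:",
    "|Installed applications:|",
    "wlts_daedalus:Daedalus;26;Daedalus Mainnet;*;log*,*cache,chain,dictionar*",
    "ews_metax:mcohilncbfahbmgdjkbpemcciiolgcge;MetaX;Local Extension Settings",
    r"tlgrm_Telegram:Telegram Desktop\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps*",
])

# Category is the token before the first underscore, the name runs up to the first
# colon, and the value is everything after it (it may be empty or contain colons).
LINE_RE = re.compile(r"^(?P<category>[a-z]+)_(?P<name>[^:]+):(?P<value>.*)$")

# Category prefixes that appear in the article (labels are our assumption).
KNOWN_CATEGORIES = {
    "sstmnfo": "system information",
    "wlts": "wallet software",
    "ews": "browser extension",
    "tlgrm": "Telegram data",
    "scrnsht": "screenshot",
}

def parse_config(text):
    """Return ({category: [(name, fields)]}, [lines that do not match the layout]).
    Values are split on ';' because wallet and extension entries are ';'-delimited."""
    parsed, unparsed = defaultdict(list), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        parsed[m.group("category")].append((m.group("name"), m.group("value").split(";")))
    return dict(parsed), unparsed

def describe(parsed):
    """One triage line per entry, labelling the category so an analyst can scan it."""
    return [f"{cat} ({KNOWN_CATEGORIES.get(cat, 'unknown category')}): {name} -> {fields}"
            for cat, entries in parsed.items() for name, fields in entries]

if __name__ == "__main__":
    parsed, leftovers = parse_config(SAMPLE_CONFIG)
    print("\n".join(describe(parsed)), "\nlines outside the layout:", leftovers)
```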


The malware downloads the DLL files specified in the configuration data provided by the C2. In the case of our sample, the following DLL files were downloaded:


DLL File | Download Path | Description
(not shown) | (not shown) | Firefox DLL library file
(not shown) | (not shown) | Microsoft C DLL file
(not shown) | (not shown) | Microsoft VC++ runtime DLL file
(not shown) | (not shown) | Firefox DLL library file
(not shown) | (not shown) | Firefox DLL library file
(not shown) | (not shown) | NSS PKCS library DLL file
(not shown) | (not shown) | DLL library for the SQLite database

Table 2. Download paths and descriptions of the DLL files downloaded by the malware.


The files are third-party DLL files from various software packages. All of them are shown as clean by all antivirus engines on VirusTotal.


Following the download of these files, the malware sends system information and the list of installed applications to the C2 in the format shown in Figure 9 below. After sending the system information, the malware sends the cookies from the web browsers to the C2.


Figure 9. System information sent to the C2 as stealer communication.


After sending the system info and cookies, the malware takes a screenshot of the infected machine and sends it to the C2 server. The config data contains a field scrnsht_Screenshot.jpeg; the malware takes the screenshot and sends it with the filename “---Screenshot.jpeg”. The screenshot JPEG file is never written to disk; it is only present in memory.



In this article we have analyzed a Raccoon V2 sample and observed how FortiEDR detects the malicious sample and blocks its communication with its C2 server.


Threat Hunting


Execution of the Raccoon Stealer sample analyzed above can be detected using the following Threat Hunting query. This query identifies 'Process Creation' events whose target file SHA1 matches the provided hashes of two known Raccoon Stealer hashes. It will only detect the analyzed samples and may not detect future variants, as the hashes of those variants would differ:


Type:"Process Creation" AND Target.Process.File.SHA1:("b4cf85691dcc7c6e2d709b292056d404e7fb58f0" OR "19d9fbfd9b23d4bd435746a524443f1a962d42fa" OR "7cead6f1e4c4b0824365268cdd5d168acf56265c")




Network connections to the known Raccoon Stealer C2 can be found using the following Threat Hunting query. The query finds events of type “Socket Connect” where the remote IP address matches the known C2. This C2 server is associated with the analyzed samples, and this query would not detect communication with future C2 servers:


Type:"Socket Connect" AND RemoteIP: ( OR




The HTTP request made by the malware to the C2 can be searched for using the following Threat Hunting query. This C2 server is associated with the analyzed samples, and this query would not detect communication with future C2 servers:


Type:"HTTP Request" AND  URL:""




The malware downloads DLL files in order to execute its modules. The file creation events generated by these downloads can be found in the Threat Hunting data using the following query. It finds file creation events where the file path contains a specific folder and the created file is one of the DLLs downloaded by the Raccoon Stealer malware:


Type:"File Create" AND Target.File.Path:(\\AppData\\LocalLow) AND Target.File.Name:(nss3.dll OR msvcp140.dll OR vcruntime140.dll OR mozglue.dll OR freebl3.dll OR softokn3.dll OR sqlite3.dll OR nssdbm3.dll)




The most prominent distribution of Raccoon V2 malware was as a fake cracked setup file in RAR format. We can search the network for similar malicious file download events. A file download sometimes creates a file with a “.partial” extension and then renames it after completion. To detect both types of event, the following query looks for both “File Create” and “File Rename” events with the specific filename pattern employed by the Raccoon Stealer distribution website.


(Type:"File Create" AND PA$$w0rds_1234__* AND Target.File.Ext:"rar") OR (Type:"File Rename" AND Target.File.Ext:"partial" AND PA$$w0rds_1234__*)





TA0005 - Defense Evasion
Technique ID | Technique Description | Observed Activity
(not shown) | (not shown) | Creates files inside the user directory

TA0006 - Credential Access
Technique ID | Technique Description | Observed Activity
(not shown) | OS Credential Dumping | Tries to harvest and steal browser information (history, passwords, etc)

TA0007 - Discovery
Technique ID | Technique Description | Observed Activity
(not shown) | System Information Discovery | 1) Queries the cryptographic machine GUID; 2) Reads software policies
(not shown) | File and Directory Discovery | Enumerates the file system

TA0009 - Collection
Technique ID | Technique Description | Observed Activity
(not shown) | Data from Local System | 1) Tries to harvest and steal browser information (history, passwords, etc); 2) Tries to steal cryptocurrency wallets

TA0011 - Command and Control
Technique ID | Technique Description | Observed Activity
(not shown) | Application Layer Protocol | 1) Downloads executable code via HTTP; 2) Downloads files from webservers via HTTP; 3) Posts data to webserver
(not shown) | Non-Application Layer Protocol | 1) Downloads files from webservers via HTTP; 2) Posts data to webserver
(not shown) | Ingress Tool Transfer | 1) Downloads executable code via HTTP; 2) Downloads files from webservers via HTTP



IOCs (Indicators Of Compromise)

Indicator | Indicator Type | Associated Tactic | Indicator Description | First Observed
(not shown) | IP Address | Command and Control | This C2 IP was contacted by Raccoon Stealer following execution of the main payload. | (not shown)
(not shown) | IP Address | Command and Control | This C2 IP was contacted by Raccoon Stealer following execution of the main payload. | (not shown)
(not shown) | SHA1 Hash | Execution, Command and Control | Raccoon Stealer main executable file hash | (not shown)
(not shown) | SHA1 Hash | Execution, Command and Control | Raccoon Stealer main executable file hash | (not shown)
(not shown) | SHA1 Hash | Execution, Command and Control | Raccoon Stealer sample with similar behavior and connecting to the same C2 | (not shown)
(not shown) | SHA1 Hash | Execution, Command and Control | Raccoon Stealer sample with similar behavior and connecting to the same C2 | (not shown)