BRIEF: Raccoon Stealer Version 2.0


ZeroFox Intelligence has observed the following information as of June 28, 2022, and has released the following.

Executive Summary

On June 4, 2022, ZeroFox Intelligence discovered a then-unknown information stealer being distributed by ProCrackerz, a website distributing fake software cracks and key generators (keygens). The earliest known instance of this information stealer observed by ZeroFox Intelligence was a sample uploaded to VirusTotal on April 19, 2022. Twitter user @James_inthe_box suggested the name “Recordbreaker” for it based on the use of “record” as the User-Agent string in each sample. In May 2022, logs for sale with “Raccoon Stealer V2.0” branding were discovered that matched what ZeroFox Intelligence was observing with Recordbreaker. Due to this and multiple other private confirmations, ZeroFox Intelligence asserts with MEDIUM confidence that Raccoon Stealer has returned and that Recordbreaker is actually Raccoon Stealer version 2.0.


Raccoon Stealer version 2.0 is capable of targeting Chromium and Mozilla-based browsers by looking for well-known file names in specific directories. For Chromium-based browsers, threat actors using Raccoon Stealer 2.0 have the ability to specify a list of Chrome extension IDs and associated files as well. In ZeroFox Intelligence’s observations, these consisted entirely of cryptocurrency extensions. Raccoon Stealer 2.0 attempts to collect credentials, cookies, autofill data, credit cards, and data associated with specified Chrome extensions. For Mozilla browsers such as Firefox, only credentials, cookies, and autofill data were targeted. Other applications like Telegram and specific cryptocurrency applications can be targeted as well. To ensure that all cryptocurrency wallets are collected, a separate function exists solely to collect “wallet.dat” files. For any applications or files without specific support, a generic “grbr_” function exists to allow actors to specify files by path and a name or pattern.

Technical Analysis

ZeroFox Intelligence first discovered Raccoon Stealer version 2.0 disguised as a crack for Microsoft Office on the ProCrackerz website. Clicking on any of the download links redirected the viewer through various advertisements and click trackers until they were eventually shown a set of directions and a Discord CDN link hosting the fake crack. The download links on ProCrackerz change regularly as the Discord links are removed.

Figure 1. ProCrackerz listing for a Microsoft Office crack
Source: ZeroFox Intelligence
Figure 2. Instructions on downloading a compressed Raccoon Stealer version 2.0 sample
Source: ZeroFox Intelligence

The compressed files are small in size but inflate to hundreds of megabytes when decompressed. This is due to the samples being padded with large amounts of repeating bytes.

Samples ZeroFox Intelligence observed distributed in this way were obfuscated or packed; the unique string “edinayarossiya” was visible and used to pivot to other samples uploaded to VirusTotal. This allowed ZeroFox Intelligence to download much smaller (~56KB) unprotected samples and greatly sped up our analysis. Translated, Edinaya Rossiya means “United Russia,” which is currently the largest political party in Russia. Later analysis of the string decryption routine determined this is an encryption key for the protected strings used by the stealer.

Raccoon Stealer version 2.0 begins by importing all of the Windows API calls it needs (and some it does not). Importing API calls at runtime is a common tactic used by malware to avoid adding them to the import table to be used as a signature.

Figure 3. Raccoon Stealer version 2.0 resolves Windows API calls at runtime
Source: ZeroFox Intelligence

Afterwards, all protected strings are base64 decoded and RC4 decrypted as shown in Figure 4.

Figure 4. Strings are protected by RC4 encryption and base64 encoding
Source: ZeroFox Intelligence

The RC4 key “edinayarossiya” was consistent across most samples, though some also used “credit19” instead. ZeroFox Intelligence is currently unsure if this is specified by each actor deploying the stealer or if this is decided by the authors for each build.

Unlike the RC4 key used to decrypt strings, the RC4 key used to decrypt command and control (C2) servers is a fixed length and changes with every sample. Aside from this, C2 servers are protected in much the same way the other strings are. Up to five C2s can be configured per sample, with each C2 slot hardcoded to be 65 bytes long. Addresses that are shorter than 65 bytes after being encrypted and base64 encoded are padded with spaces.

Figure 5. C2s are RC4 encrypted, base64 encoded, and padded with spaces
Source: ZeroFox Intelligence
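The string and C2 protection described above (base64 over RC4, with five space-padded 65-byte C2 slots keyed by a per-sample key) can be reversed during analysis with a short helper. This is an added example written for this brief, not ZeroFox's or the stealer's code; the ciphertexts and the per-sample key are constructed here, and trailing-space padding of the slots is assumed.

```python
import base64

# Added example (not the stealer's or ZeroFox's code). Demo ciphertexts and
# the per-sample C2 key are constructed; slot padding is assumed trailing.
C2_SLOT_LEN = 65                  # each hard-coded C2 slot is 65 bytes wide
STRING_KEY = b"edinayarossiya"    # string key seen in most samples

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_protected_string(blob: str, key: bytes) -> str:
    """Undo the string protection: base64 decode, then RC4 decrypt."""
    return rc4(key, base64.b64decode(blob)).decode("utf-8", errors="replace")

def decode_c2_slots(block: bytes, key: bytes) -> list:
    """Walk the C2 block in 65-byte slots, strip the space padding and decode
    each used slot with the per-sample key (later sent as "configId")."""
    c2s = []
    for off in range(0, len(block), C2_SLOT_LEN):
        slot = block[off:off + C2_SLOT_LEN].strip(b" ")
        if slot:
            c2s.append(decode_protected_string(slot.decode("ascii"), key))
    return c2s

def protect(plain: str, key: bytes) -> str:
    """Forward direction (RC4 then base64); used only to build demo data."""
    return base64.b64encode(rc4(key, plain.encode())).decode("ascii")

DEMO_STRING = protect("User Data", STRING_KEY)        # constructed
DEMO_C2_KEY = b"0123456789abcdef"                      # constructed
DEMO_C2_BLOCK = b"".join(                              # two of five slots used
    protect(u, DEMO_C2_KEY).encode().ljust(C2_SLOT_LEN, b" ")
    for u in ("http://c2-one.invalid/", "http://c2-two.invalid/")
) + b" " * (C2_SLOT_LEN * 3)

if __name__ == "__main__":
    print(decode_protected_string(DEMO_STRING, STRING_KEY))
    print(decode_c2_slots(DEMO_C2_BLOCK, DEMO_C2_KEY))
```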

The locale on the victim’s machine is checked against two locales that can be hard-coded in the binary. ZeroFox did observe a check for a “ru” locale, but the language check does not affect the execution in any way. A second locale was not configured in the samples we observed.

Figure 6. Checking the victim’s locale
Source: ZeroFox Intelligence

Raccoon Stealer 2.0 also ensures that only one instance is running at a time by checking and creating a mutex. ZeroFox Intelligence observed this to be “8724643052” with every sample obtained. If it cannot open a handle to the mutex, Raccoon Stealer 2.0 will exit with Error Code 2.

Figure 7. Raccoon Stealer 2.0 ensures that only one instance is running at a time
Source: ZeroFox Intelligence

The victim’s security identifier (SID) is checked against the value “S-1-5-18” to determine if the process happens to be running as the SYSTEM or LOCAL SYSTEM user. If so, Raccoon Stealer 2.0 will enumerate the list of running processes on the infected machine.

Figure 8. Enumerate running processes if running as SYSTEM
Source: ZeroFox Intelligence

The first real action Raccoon Stealer 2.0 takes is to get the machine GUID and username, which are then sent as an HTTP POST request to the C2. As seen in Figure 9 below, the GUID and username are sent together in the URL parameter “machineId” separated by a pipe character. The “configId” parameter shown is the RC4 key used to decrypt C2 addresses.

Figure 9. Sending a unique identifier to a Raccoon Stealer C2 server
Source: ZeroFox Intelligence

If the C2 is still available, the server will respond with a simple, newline-separated configuration. If no C2 is available, Raccoon Stealer 2.0 simply exits.

Figure 10. A Raccoon Stealer 2.0 C2 responds with a configuration
Source: ZeroFox Intelligence

There are currently nine options that can be processed from the settings shown in Figure 10. A sample configuration returned by one of the C2 servers can be found here.

Option | Purpose
ews_ | Targeted Chrome browser extensions
grbr_ | Targeted files to steal
ldr_ | A command, DLL, or executable to run
libs_ | DLLs to download
scrnsht_ | Screenshot file name
sstmnfo_ | Send system information to the C2 with this file name and add this template text
tlgrm_ | Telegram-specific files and folders to target
token | URL path to POST stolen data
wlts_ | Cryptocurrency wallets and associated files and folders to target

DLL files downloaded using the “libs_” option are saved to the AppData\LocalLow directory. Raccoon Stealer 2.0 attempts to add this directory to the PATH environment variable but does not verify if it was successful. In our observations, this actually failed, and the sample continued to run without issue.
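The check-in in Figure 9 (a POST carrying "machineId=<GUID>|<user>" and "configId") followed by "libs_" downloads of legitimate DLLs from the same host is a sequence a web-proxy log can surface. The detector below is an added example, not part of this brief: the log layout is an assumption, every line is constructed rather than captured, and the DLL names come from the indicator list at the end of the brief.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added detection example (not part of the brief). Constructed log lines in
# an assumed layout: timestamp client method url "user-agent" [parameters]
LOG_LINES = [
    '2022-06-28T14:01:02Z 10.0.0.7 POST http://203.0.113.9/ "record" '
    'machineId=3f2c1a9e-0000-4000-8000-000000000001|alice&configId=0123456789abcdef',
    '2022-06-28T14:01:03Z 10.0.0.7 GET http://203.0.113.9/aB3cD4/nss3.dll "record"',
    '2022-06-28T14:01:04Z 10.0.0.7 GET http://203.0.113.9/aB3cD4/sqlite3.dll "record"',
    '2022-06-28T14:01:09Z 10.0.0.7 POST http://203.0.113.9/tok3n "record"',
    '2022-06-28T14:02:00Z 10.0.0.8 GET http://example.org/index.html "Mozilla/5.0"',
]
# Legitimate DLLs the stealer fetches via "libs_" (names from the IOC list).
LIBS = {"nss3.dll", "msvcp140.dll", "vcruntime140.dll", "mozglue.dll",
        "freebl3.dll", "softokn3.dll", "sqlite3.dll", "nssdbm3.dll"}
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"(?: (.*))?$')

def detect(lines):
    """Flag the machineId|configId check-in, follow-on DLL staging from the
    same host, and the bare 'record' User-Agent; returns one dict per hit."""
    findings, c2_hosts = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, ua, rest = m.groups()
        u = urlsplit(url)
        params = parse_qs(u.query)            # parameters may sit in the
        params.update(parse_qs(rest or ""))   # query string or the body
        machine_id = params.get("machineId", [""])[0]
        dll = u.path.rsplit("/", 1)[-1].lower()
        if method == "POST" and "|" in machine_id and "configId" in params:
            guid, _, user = machine_id.partition("|")
            c2_hosts.add(u.hostname)          # remember the C2 for later GETs
            findings.append({"ts": ts, "client": client, "type": "checkin",
                             "c2": u.hostname, "guid": guid, "user": user,
                             "config_id": params["configId"][0]})
        elif method == "GET" and u.hostname in c2_hosts and dll in LIBS:
            findings.append({"ts": ts, "client": client, "type": "libs_download",
                             "c2": u.hostname, "dll": dll})
        elif ua == "record":
            findings.append({"ts": ts, "client": client, "type": "record_ua",
                             "c2": u.hostname})
    return findings

if __name__ == "__main__":
    for hit in detect(LOG_LINES):
        print(hit)
```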

The following system information is collected during a run:

  • User locale
  • System time zone
  • Operating system
  • System architecture (32-bit or 64-bit)
  • CPU core count
  • Installed RAM
  • Screen resolution
  • All display devices (GPUs)
  • Installed software and versions

Once each of these functions has run, another POST request is made to /<token>.

Figure 11. System information being sent to the C2 server
Source: ZeroFox Intelligence

Rather than look for specific browsers, Raccoon Stealer version 2.0 targets any Chromium or Mozilla-based browsers by the name of the directories in which each respective browser stores its data. For Chromium, this is “User Data” while Mozilla/Gecko uses “Profiles.”

Figure 12. Raccoon Stealer 2.0 targets browsers based on Chromium and Mozilla’s Gecko
Source: ZeroFox Intelligence

In order for Raccoon Stealer 2.0 to be able to read the data threat actors are interested in, it must load the DLLs from the “libs_” options earlier.

Figure 13. Raccoon stealer resolving external imports to read browser data later
Source: ZeroFox Intelligence

Data targeted from Chromium-based browsers includes:

  • Credentials
  • Cookies
  • Autofill data
  • Credit cards
  • Extensions listed in the configuration retrieved from the C2

Data targeted from Mozilla/Gecko-based browsers includes:

  • Credentials
  • Cookies
  • Autofill data

Although the “ews_” option is not necessarily limited to only cryptocurrency-related browser extensions, ZeroFox Intelligence has only observed this to be the use case. Figure 14 below shows two more functions dedicated to stealing cryptocurrency wallets. The first, “wlts_”, exfiltrates files based on the configuration option of the same name. Other cryptocurrency wallets may still be stolen by the next function, which looks for “wallet.dat” files.

Figure 14. The last several functions of Raccoon Stealer version 2.0
Source: ZeroFox Intelligence

The “grbr_” function uses directory paths, file names or patterns, and other options such as file size specified in the configuration to decide which files it should exfiltrate.

The “tlgrm_” function is similar to “grbr_” but has fewer options. It is meant to target Telegram data, though the same functionality could have been achieved with the generic file grabber.

Taking a screenshot is separated into two functions. The first, “scrnsht_” checks to see if the configuration wants it to take one, and the second function actually takes and sends the screenshot.

Finally, the “ldr_” function is capable of allowing Raccoon Stealer version 2.0 to act as a loader for secondary payloads or execute commands. Each “ldr_” option contains multiple parts. It could contain a command to execute or the URL of a file to download, and if a URL is given a directory is specified to which the file should be downloaded. The last part specifies which action should be taken (e.g., execute a command, run EXE or DLL).

Figure 15. The “ldr_” function can download and execute secondary payloads
Source: ZeroFox Intelligence


ZeroFox Intelligence highly discourages seeking out pirated software of any kind. As in this case, such downloads are often completely fake and will not install the software the victim wanted. In some cases, the download may contain the actual software—as well as a hidden malicious component to infect the victim.

ZeroFox Intelligence also highly recommends that organizations take reports of pirated software on corporate machines seriously. With each download, the risk of infection increases. 


ZeroFox Intelligence has created a public YARA rule that can be found on GitHub.


Tactic | ID | Technique | Description
Reconnaissance | T1592.001 | Gather Victim Host Information: Hardware | The sstmnfo_ function collects information about the infected system’s CPU, installed RAM, and display devices.
Reconnaissance | T1592.002 | Gather Victim Host Information: Software | The sstmnfo_ function collects installed applications and their version numbers.
Reconnaissance | T1589.001 | Gather Victim Identity Information: Credentials | Raccoon Stealer 2.0 retrieves stored credentials from targeted web browsers.
Execution | T1059 | Command and Scripting Interpreter | The ldr_ function can be used to run commands.
Execution | T1559.001 | Inter-Process Communication: Component Object Model | Raccoon Stealer 2.0 makes use of COM objects in the grbr_ function.
Execution | T1204 | User Execution | Samples discovered so far relied on victims seeking out pirated software.
Defense Evasion | T1027.002 | Software Packing | Raccoon Stealer 2.0 can be found packed in the wild.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Strings and hosts to reach out to are RC4 encrypted and base64 encoded.
Defense Evasion | T1574.007 | Path Interception by PATH Environment Variable | Raccoon Stealer 2.0 attempts to add AppData\LocalLow to the PATH variable.
Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion | Several files are copied into the AppData\LocalLow directory and subsequently deleted after use.
Credential Access | T1539 | Steal Web Session Cookie | Raccoon Stealer 2.0 steals cookies from targeted web browsers.
Discovery | T1057 | Process Discovery | If the process is running as SYSTEM, it will enumerate running processes.
Discovery | T1012 | Query Registry | The registry is used to gather system info, such as the operating system and currently-installed software.
Discovery | T1082 | System Information Discovery | Raccoon Stealer 2.0 gathers system information, such as the victim operating system, system architecture, user locale, installed applications, and more.
Discovery | T1614.001 | System Location Discovery: System Language Discovery | User locale is checked, but no specific action is taken.
Discovery | T1124 | System Time Discovery | The victim’s time zone is checked and compared to GMT/UTC.
Collection | T1005 | Data from Local System | Raccoon Stealer 2.0 offers configurable file-stealing capabilities for actors to choose based on their interests.
Collection | T1113 | Screen Capture | Raccoon Stealer 2.0 takes a screenshot near the end of its execution.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Raccoon Stealer 2.0 uses standard HTTP requests to exfiltrate data and download files.
Command and Control | T1105 | Ingress Tool Transfer | Raccoon Stealer 2.0 downloads a set of legitimate DLL files to read browser data.
Exfiltration | T1020 | Automated Exfiltration | Data exfiltration is customizable by the actor through specified directories and file name patterns.
Exfiltration | T1030 | Data Transfer Size Limits | Actors have the ability to only steal files within a configurable size limit.
Exfiltration | T1041 | Exfiltration Over C2 Channel | Data is exfiltrated over HTTP and in plain text.


Type | Indicator
URL | hxxp://<c2 address>/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
URL | hxxp://<c2 address>/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
URL | hxxp://<c2 address>/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
URL | hxxp://<c2 address>/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
URL | hxxp://<c2 address>/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
URL | hxxp://<c2 address>/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
URL | hxxp://<c2 address>/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
URL | hxxp://<c2 address>/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll


ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 12:00 PM (EDT) on June 28, 2022; per cyber hygiene best practices, caution is advised when clicking on any third-party links.
