Raccoon Stealer is again on the information once more. US officers arrested Mark Sokolovsky, one of many malware actors behind this program. In July 2022, after a number of months of the shutdown, a Raccoon Stealer V2 went viral. Final week, the Division of Justice’s press launch acknowledged that the malware collected 50 million credentials.
This text will give a fast information to the newest information stealer’s model.
What’s Raccoon infostealer V2?
Raccoon Stealer is a form of malware that steals varied knowledge from an contaminated pc. It is fairly a primary malware, however hackers have made Raccoon in style with glorious service and easy navigation.
In 2019, Raccoon infostealer was some of the mentioned malware. In alternate for $75 per week and $200 per 30 days, cybercriminals offered this straightforward however versatile information stealer as a MaaS. The malware was profitable in attacking various methods. In March 2022, nevertheless, menace authors ceased to function.
An up to date model of this malware was launched in July 2022. Because of this, Raccoon Stealer V2 has gone viral and gained a brand new title – RecordBreaker.
 |
| Raccoon v2’s ways & methods in ANY.RUN Sandbox |
Methods to analyze Raccoon stealer V2
|
Execution course of |
What Raccoon malware does |
|
Downloads WinAPI libraries |
Makes use of kernel32.dll!LoadLibraryW |
|
Will get WinAPI features’ addresses |
Makes use of kernel32.dll!GetProcAddress |
|
Strings and C2 servers encryption |
Encrypts with RC4 or XOR algorithm, might be no encryption in any respect, or mixture of various choice |
|
Crash triggers |
CIS nations locale, mutex |
|
System/LocalSystem degree privilege test |
Makes use of Advapi32.dll!GetTokenInformation and Advapi32.dll!ConvertSidToStringSidW evaluating StringSid with L “S-1-5-18” |
|
Course of enumeration |
Makes use of the TlHelp32 API (kernel32.dll!CreateToolhelp32Snapshot to seize processes and kernel32.dll!Process32First / kernel32.dll!Process32Next). |
|
Connecting to C2 servers |
Creates a string: Then sends a POST request |
|
Consumer and system knowledge assortment |
|
|
Sending of collected knowledge |
POST requests to C2. |
|
Getting a solution from the C2 |
C2 sends “obtained” |
|
Ending operations |
Takes a screenshot(s), releases the remaining allotted sources, unloads the libraries, and finishes its work |
We’ve triaged a number of Raccoon stealer V2 samples, collected typical habits actions, and briefly described its execution course of.
Learn deeper and extra detailed Raccoon stealer 2.0 malware evaluation. Within the article, you possibly can observe all steps and get an entire image of the information stealer’s habits. Moreover this profound analysis, you get an opportunity to extract malware configuration by yourselves – copy the Python script of Raccoon stealer and unpack reminiscence dumps to extract C&C servers and keys.
 |
| Raccoon v2 malware configuration |
The place to investigate malware
Do you need to analyze malicious information and hyperlinks? There’s a quick and simple resolution: get ready-made configurations in ANY.RUN on-line malware sandbox and examine suspicious information in and out. Attempt to crack any malware utilizing an interactive method:
Write the “HACKERNEWS” promo code at assist@any.run utilizing your online business e mail deal with and get 14 days of ANY.RUN premium subscription at no cost!
The ANY.RUN sandbox helps you to analyze malware rapidly, navigate by way of the analysis course of simply, detect even refined malware, and get detailed reviews. Use good instruments and hunt malware efficiently.
