Raccoon Stealer Malware: Detection Guide
Behavioral Indicators
Raccoon Stealer exhibits several distinct runtime behaviors that can be detected through process monitoring and API call analysis. Upon execution, the malware typically runs as a child of whatever delivered it, such as a web browser, document reader, archive utility or a separate loader, usually after a social-engineering lure. The delivery chain may create a child cmd.exe or powershell.exe process, for example to run netsh to modify firewall rules or sc to stop services. The stealer itself commonly spawns cmd.exe once collection is finished in order to delete its own binary, so a cmd.exe child whose command line contains "del" together with the parent's own image path is worth a detection rule on its own.
Key API calls to monitor include those related to credential harvesting. Raccoon Stealer uses CredEnumerateW and CredReadW to dump credentials from the Windows Credential Manager, and CryptUnprotectData to decrypt saved browser passwords, cookies and autofill data from Chrome, Firefox, Edge and other Chromium-based browsers. For current Chromium builds the DPAPI call is made once, on the AES key stored in the profile's Local State file, and the individual entries are then decrypted with that key, so a single CryptUnprotectData call from a non-browser process that has just read Local State is still a good signal. The stealer reads the browsers' SQLite databases, but it does not ship SQLite: it fetches sqlite3.dll, and for Firefox nss3.dll, mozglue.dll and related libraries, from the C2 and loads them with LoadLibrary from a user-writable directory. Because the live databases are locked while the browser runs, stealers generally work from a copy, so also watch for copies of Login Data or Cookies appearing in %Temp% or next to the stealer binary.
Look for processes reading sensitive files from paths like %LocalAppData%\Google\Chrome\User Data\Default\Login Data (and the Profile 1, Profile 2, ... directories alongside Default), %LocalAppData%\Microsoft\Edge\User Data\ and %AppData%\Mozilla\Firefox\Profiles\. It also enumerates and reads cryptocurrency wallet directories (for example Electrum, Exodus and Atomic Wallet) and FTP client configuration such as FileZilla's sitemanager.xml and recentservers.xml. A burst of read operations on these paths from a single process that is not the owning browser, especially an unsigned binary executing from %Temp% or %AppData%, is a strong indicator; correlating two or more of these categories (browser store, wallet, FTP client) within a minute or two is more robust than alerting on any one path.
Loaders that deliver Raccoon may attempt to evade detection by process hollowing or by injecting into legitimate processes such as explorer.exe; the stealer module itself runs as an ordinary user-mode process in publicly analyzed samples. Monitor for unusual injection patterns, and in particular for a process with no business touching browser data loading sqlite3.dll or nss3.dll from a user-writable path, or for explorer.exe opening outbound HTTP connections it does not normally make.
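The correlation described above, as an added example (not code from the original guide): a Python script that groups EDR-style file-access and process events by process and scores each process on how many sensitive-store categories it reads, whether it loads sqlite3.dll or nss3.dll from a user-writable path, and whether it spawns a shell whose command line names its own image. The event format (ts, pid, image, op, path, child_image, cmdline) and the sample events are constructed for the example; real telemetry would come from an EDR, since Sysmon does not record file reads. Browser processes reading their own stores are excluded so the rule does not fire on Chrome itself.

```python
import re
from collections import defaultdict

# Sensitive-store categories, matched case-insensitively against the full path
# as EDR file-access telemetry reports it (constructed event format, see below).
PATH_CATEGORIES = {
    "browser_cred":   re.compile(r"\\User Data\\(Default|Profile \d+)\\(Login Data|Web Data)$", re.I),
    "browser_cookie": re.compile(r"\\User Data\\(Default|Profile \d+)\\(Network\\)?Cookies$", re.I),
    "firefox_store":  re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I),
    "wallet":         re.compile(r"\\(Electrum\\wallets|Exodus\\exodus\.wallet|atomic\\Local Storage)\\", re.I),
    "ftp_client":     re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I),
}
# Browsers legitimately read their own stores; a non-browser process should not.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
BROWSER_OWNED = {"browser_cred", "browser_cookie", "firefox_store"}
# Helper libraries the stealer fetches from its C2 and loads from a user-writable path.
HELPER_DLL = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData)\\.*\\(sqlite3|nss3|mozglue|freebl3|softokn3)\.dll$", re.I)
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def categorize(path):
    for name, rx in PATH_CATEGORIES.items():
        if rx.search(path):
            return name
    return None


def score_processes(events, window=120.0):
    """Group events by pid; score each process on distinct sensitive categories read
    within `window` seconds of its first sensitive read, helper-DLL loads and shell children."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    results = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        image = evs[0]["image"]
        cats, reasons, first_hit = set(), [], None
        for ev in evs:
            if ev["op"] == "read":
                cat = categorize(ev["path"])
                if cat is None or (basename(image) in BROWSER_IMAGES and cat in BROWSER_OWNED):
                    continue
                first_hit = ev["ts"] if first_hit is None else first_hit
                if ev["ts"] - first_hit <= window:
                    cats.add(cat)
            elif ev["op"] == "load" and HELPER_DLL.search(ev["path"]):
                reasons.append(f"loaded helper DLL from writable path: {basename(ev['path'])}")
            elif ev["op"] == "process_create" and basename(ev["child_image"]) in SHELLS:
                if image.lower() in ev.get("cmdline", "").lower():
                    reasons.append("spawned shell whose command line names its own image (self-delete pattern)")
                else:
                    reasons.append(f"spawned {basename(ev['child_image'])}")
        results[pid] = {
            "image": image,
            "categories": sorted(cats),
            "reasons": reasons,
            "score": 2 * len(cats) + len(reasons),
            "suspicious": len(cats) >= 2 or (bool(cats) and bool(reasons)),
        }
    return results


# Constructed sample telemetry: Chrome reading its own stores, then a random-named
# binary in Temp sweeping every category and deleting itself through cmd.exe.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\f3a8b1c.exe"
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    {"ts": 100.0, "pid": 2200, "image": CHROME, "op": "read", "path": PROFILE + r"\Login Data"},
    {"ts": 101.0, "pid": 2200, "image": CHROME, "op": "read", "path": PROFILE + r"\Network\Cookies"},
    {"ts": 500.0, "pid": 4412, "image": DROPPER, "op": "load", "path": r"C:\Users\alice\AppData\Local\Temp\sqlite3.dll"},
    {"ts": 500.5, "pid": 4412, "image": DROPPER, "op": "read", "path": PROFILE + r"\Login Data"},
    {"ts": 500.7, "pid": 4412, "image": DROPPER, "op": "read", "path": PROFILE + r"\Network\Cookies"},
    {"ts": 501.0, "pid": 4412, "image": DROPPER, "op": "read",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json"},
    {"ts": 502.0, "pid": 4412, "image": DROPPER, "op": "read", "path": r"C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet"},
    {"ts": 503.0, "pid": 4412, "image": DROPPER, "op": "read", "path": r"C:\Users\alice\AppData\Roaming\FileZilla\recentservers.xml"},
    {"ts": 505.0, "pid": 4412, "image": DROPPER, "op": "process_create", "child_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c timeout /t 3 & del /f /q "' + DROPPER + '"'},
]

if __name__ == "__main__":
    for pid, res in score_processes(SAMPLE_EVENTS).items():
        print(pid, res["suspicious"], res["score"], res["categories"], res["reasons"])
```

The weighting (two points per category, one per secondary reason) and the 120-second window are the example's own choices; the point is that a single category hit is noise, while a non-browser process touching two categories, or one category plus a helper-DLL load from Temp, is rarely benign.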
Network Indicators
Raccoon Stealer communicates with its command-and-control (C2) servers over HTTP, in many samples plain HTTP directly to an IP address rather than HTTPS, which makes body inspection at the proxy possible; when TLS is used, only connection metadata is available. The initial request includes a system fingerprint, such as a victim or machine ID, OS version and (in v2) the build's configuration ID, in the POST body or as URL parameters, and the response carries the stealer configuration together with the download locations of the helper DLLs. Note that the stealer itself is a one-shot payload: it collects, exfiltrates and exits rather than staying resident, so regular beaconing at 5- to 15-minute intervals, which is sometimes described for this family, belongs to the loader or to a follow-on payload rather than to the stealer module; a burst of POSTs within a minute or two is the pattern characteristic of the stealer.
DNS queries can reveal the C2 infrastructure. Raccoon is not known to use domain generation algorithms; v1 samples retrieved the live C2 address from dead-drop resolvers on legitimate services (Google Drive-hosted files and Telegram channel descriptions), and v2 hardcodes its C2 addresses, often bare IP addresses, in the binary. The sequence to look for is therefore a request to a dead-drop service immediately followed by a POST to a low-reputation host or raw IP. Where domains are used they frequently mimic cloud storage or software update services (e.g., "drive," "update," or "api" in the subdomain). Look for DNS requests to newly registered domains (NRDs) with low reputation scores, especially if they resolve to hosting providers known for abuse.
Exfiltration traffic takes the form of HTTP POST requests, typically multipart form uploads, to the C2. Generic stealer-panel paths such as /gate.php, /panel/upload.php or /api/collect are worth a rule, but treat them as examples rather than fixed indicators, since the path is whatever the panel operator configured. The body may be compressed (gzip) and base64-encoded or encrypted before transmission. The User-Agent is a better handle: some v2 samples send the literal User-Agent "record", and older samples a spoofed browser string (for example a bare "Mozilla/5.0" without the parenthesized platform token real browsers send). POSTs carrying no Referer to a host that is never fetched with GET are another anomaly.
Outbound TLS connections to IP addresses on non-standard ports (e.g., 8443, 8080) should be scrutinized, as should plain-HTTP POSTs straight to an IP address. Failed connection attempts to sinkholed or dead C2s produce repeated retries with growing delays, leaving a pattern of periodic outbound attempts to unreachable IPs; a stealer that cannot reach any of its C2s at startup generally exits without collecting anything, so those retries may be the only network artifact of an infection attempt.
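An added example, not part of the original page, that scores proxy-log entries per host on the signals above: newly registered domain, raw-IP server, non-standard port, stealer-panel style path, POSTs without a Referer, a constant anomalous User-Agent, a large upload volume, and either a burst of POSTs (the stealer's one-shot exfil) or regular intervals (a loader's beacon). The log record format, the hostnames, the registration-date map standing in for WHOIS/RDAP data, and the three-reason threshold are all assumptions of the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import date

# Generic stealer-panel paths; examples only, the real path is whatever the panel operator set.
GATE_PATHS = re.compile(r"/(gate\.php|panel/upload\.php|api/collect)$", re.I)
NONSTANDARD_TLS_PORTS = {8080, 8443}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def split_host(host):
    name, _, port = host.rpartition(":")
    return (name, int(port)) if port.isdigit() else (host, None)


def ua_is_anomalous(ua):
    """A one-word UA, or a 'Mozilla/5.0' without the parenthesised platform token
    every real browser sends, is not a browser."""
    if not ua or not ua.startswith("Mozilla/"):
        return True
    return "(" not in ua


def interval_stats(timestamps):
    """Mean gap and coefficient of variation; a low CV over >= 4 POSTs means a timer."""
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean, (statistics.pstdev(gaps) / mean if mean else 0.0)


def score_host(entries, registered, today, nrd_days=30):
    name, port = split_host(entries[0]["host"])
    reasons = []
    reg = registered.get(name)
    if reg is not None and (today - reg).days <= nrd_days:
        reasons.append(f"newly registered domain ({(today - reg).days} days old)")
    if IPV4.match(name):
        reasons.append("server addressed by raw IP")
    if port in NONSTANDARD_TLS_PORTS:
        reasons.append(f"non-standard port {port}")
    posts = sorted((e for e in entries if e["method"] == "POST"), key=lambda e: e["ts"])
    if any(GATE_PATHS.search(e["path"]) for e in posts):
        reasons.append("POST to a stealer-panel style path")
    if posts and not any(e.get("referer") for e in posts):
        reasons.append("POSTs carry no Referer")
    uas = {e["ua"] for e in entries}
    if len(uas) == 1 and ua_is_anomalous(next(iter(uas))):
        reasons.append(f"constant anomalous User-Agent {next(iter(uas))!r}")
    if len(posts) >= 3 and posts[-1]["ts"] - posts[0]["ts"] <= 60:
        reasons.append("burst of POSTs within 60s (one-shot collect-and-exfil)")
    else:
        st = interval_stats([e["ts"] for e in posts])
        if st and st[1] < 0.2:
            reasons.append(f"periodic POSTs every ~{st[0]:.0f}s (cv={st[1]:.2f}, loader-style beacon)")
    sent = sum(e.get("bytes_out", 0) for e in posts)
    if sent >= 100_000:
        reasons.append(f"{sent} bytes uploaded")
    return {"host": entries[0]["host"], "score": len(reasons), "reasons": reasons,
            "suspicious": len(reasons) >= 3}


def analyze(log, registered, today):
    by_host = defaultdict(list)
    for e in log:
        by_host[e["host"]].append(e)
    return {h: score_host(es, registered, today) for h, es in by_host.items()}


def entry(ts, host, method, path, ua, referer=None, bytes_out=0):
    return {"ts": ts, "host": host, "method": method, "path": path,
            "ua": ua, "referer": referer, "bytes_out": bytes_out}


# Constructed proxy log and registration dates (a stand-in for WHOIS/RDAP lookups).
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
SAMPLE_LOG = [
    entry(0, "update.googleapis.com", "GET", "/service/update2", CHROME_UA),
    entry(3600, "update.googleapis.com", "GET", "/service/update2", CHROME_UA),
    # loader-style beacons to a fresh lookalike domain
    *[entry(t, "drive-update-api.example", "POST", "/api/collect", "Mozilla/5.0", bytes_out=2000)
      for t in (0, 610, 1195, 1800, 2390)],
    # one-shot stealer upload straight to an IP on a non-standard port
    *[entry(t, "203.0.113.10:8080", "POST", "/gate.php", "record", bytes_out=60000)
      for t in (1000, 1004, 1012)],
]
REGISTERED = {"update.googleapis.com": date(2005, 1, 1), "drive-update-api.example": date(2024, 5, 20)}
TODAY = date(2024, 6, 3)

if __name__ == "__main__":
    for host, res in analyze(SAMPLE_LOG, REGISTERED, TODAY).items():
        print(host, res["score"], res["reasons"])
```

The burst and periodicity checks are deliberately separate because they point at different components: the burst is the stealer uploading its archive, the low-variance interval is the loader that stays behind.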
File System Artifacts
Raccoon Stealer drops several files during execution, primarily in temporary directories or the user's AppData folder. Common paths include:
- %Temp%\ or %LocalAppData%\Temp\ with random alphanumeric names (e.g., f3a8b1c.exe, setup.tmp)
- %AppData%\ or %LocalAppData%\ under folders named after legitimate software (e.g., Google\Update\, Microsoft\Edge\)
The initial dropper often has a small size (100-500 KB) and may be packed or obfuscated. After execution, it may extract a larger payload (500 KB-2 MB) that contains the core stealer module. Look for recently created files with timestamps clustered around the infection time, especially if they have mismatched version information or lack digital signatures.
The malware may stage stolen data in temporary files before exfiltration, typically hidden files or folders with names like log.txt, data.bin or tmp.dat in %Temp%. Loaders may also drop configuration files (e.g., config.json, settings.ini) containing C2 addresses, encryption keys or exclusion lists; the stealer itself receives its configuration from the C2 at runtime and keeps it in memory, so the absence of a config file on disk does not mean the stealer was absent.
After data theft, Raccoon Stealer typically deletes its own executable but may leave behind the helper DLLs it downloaded from the C2 (sqlite3.dll, nss3.dll, mozglue.dll and related Firefox libraries) in the user-writable directory it unpacked them to, such as %LocalAppData% or %ProgramData%. Writes under %Windir%\System32\ would need elevation the stealer normally lacks, so a System32 artifact points at an elevated loader rather than at the stealer. Use file system monitoring to detect creation and rapid deletion of files in these locations, and treat a freshly written sqlite3.dll outside a browser's or SQLite-using application's own directory as a high-confidence artifact.
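As an added example (not from the original guide), a Python triage of file create/delete events around a suspected infection time: it lists creations clustered around that time in user-writable directories, files created and deleted within a short window, helper DLLs written outside a browser directory, random-looking names under Temp, and software-lookalike folders under Roaming. The event format and the sample events are constructed; the lookalike regex flags Roaming\Google\Update and Roaming\Microsoft\Edge because neither product installs there, but tune it to your environment.

```python
import re

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\", re.I)
TEMP_DIR = re.compile(r"\\Temp\\", re.I)
# "random-looking": 6-12 alphanumerics including at least one digit (assumption)
RANDOM_STEM = re.compile(r"^(?=.*\d)[a-z0-9]{6,12}$", re.I)
# libraries the stealer fetches from its C2; legitimate only inside a browser/app directory
HELPER_DLLS = {"sqlite3.dll", "nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll"}
# Roaming\Google\Update and Roaming\Microsoft\Edge are not locations the real products use.
LOOKALIKE_DIR = re.compile(r"\\AppData\\Roaming\\(Google\\Update|Microsoft\\Edge)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(events, infection_ts, radius=60.0, max_age=120.0):
    """events: dicts with ts (seconds), pid, op ('create'|'delete') and path."""
    out = {"clustered": [], "short_lived": [], "helper_dlls": [], "random_named": [], "lookalike_dirs": []}
    created_at = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        path, name = ev["path"], basename(ev["path"]).lower()
        if ev["op"] == "create":
            created_at[path.lower()] = ev["ts"]
            if abs(ev["ts"] - infection_ts) <= radius and USER_WRITABLE.search(path):
                out["clustered"].append(path)
            if name in HELPER_DLLS and USER_WRITABLE.search(path):
                out["helper_dlls"].append(path)
            elif TEMP_DIR.search(path) and RANDOM_STEM.match(name.rsplit(".", 1)[0]):
                out["random_named"].append(path)
            if LOOKALIKE_DIR.search(path):
                out["lookalike_dirs"].append(path)
        elif ev["op"] == "delete":
            t0 = created_at.pop(path.lower(), None)
            if t0 is not None and ev["ts"] - t0 <= max_age:
                out["short_lived"].append((path, round(ev["ts"] - t0, 1)))
    # weights are the example's own: helper DLLs count double, everything else once
    out["score"] = (2 * len(out["helper_dlls"]) + len(out["short_lived"])
                    + len(out["random_named"]) + len(out["lookalike_dirs"]))
    out["suspicious"] = out["score"] >= 3
    return out


# Constructed file events: a dropper lands in Temp, unpacks helper DLLs and a lookalike
# GoogleUpdate.exe, stages log.txt, then both the log and the dropper are deleted.
T = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"ts": 0.0,    "pid": 1040, "op": "create", "path": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    {"ts": 499.0,  "pid": 3100, "op": "create", "path": T + r"\f3a8b1c.exe"},
    {"ts": 503.0,  "pid": 4412, "op": "create", "path": T + r"\sqlite3.dll"},
    {"ts": 503.5,  "pid": 4412, "op": "create", "path": T + r"\nss3.dll"},
    {"ts": 504.0,  "pid": 4412, "op": "create", "path": r"C:\Users\alice\AppData\Roaming\Google\Update\GoogleUpdate.exe"},
    {"ts": 506.0,  "pid": 4412, "op": "create", "path": T + r"\log.txt"},
    {"ts": 518.0,  "pid": 4412, "op": "delete", "path": T + r"\log.txt"},
    {"ts": 520.0,  "pid": 5120, "op": "delete", "path": T + r"\f3a8b1c.exe"},
    {"ts": 3000.0, "pid": 2200, "op": "create", "path": T + r"\~DF1234.tmp"},
    {"ts": 4000.0, "pid": 2200, "op": "delete", "path": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_EVENTS, infection_ts=500.0).items():
        print(k, v)
```

The delete of f3a8b1c.exe is attributed to a different pid than its creation, which is what the cmd.exe self-delete looks like in telemetry; matching on path rather than pid is what makes the create-then-delete pair visible.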
Registry and Persistence Mechanisms
Raccoon Stealer's core module is a one-shot stealer and, in publicly analyzed samples, does not install its own persistence; the mechanisms below are those used by the loaders and droppers that deliver it, which is still where a reboot-surviving artifact will be found. Common registry modifications include:
- Adding an entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\Software\Microsoft\Windows\CurrentVersion\Run with a value pointing to the malware path, often disguised with a name like "GoogleUpdate" or "WindowsSecurity."
- Creating a service under HKLM\System\CurrentControlSet\Services\ with a service name that blends in, such as "WinDefendHelper" or "SysMonLog" (this requires administrative rights, so it is the rarer of the two).
It may also use scheduled tasks for persistence, creating tasks via the Task Scheduler with XML files or command-line tools like schtasks.exe. Look for tasks with names like “OneDriveSync” or “JavaUpdater” that trigger on user logon or system idle, executing a script or binary from a writable directory.
Other persistence techniques include:
- Modifying HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (or the machine-wide HKLM copy) so that the value reads "explorer.exe, <malware path>" and the malware starts alongside explorer.exe. The Shell value names executables, not DLLs, so any entry beyond explorer.exe is anomalous; the neighbouring Userinit value should likewise contain only userinit.exe.
- Hijacking a COM object by registering an InprocServer32 path under HKCR\CLSID\ (or its per-user HKCU\Software\Classes\CLSID\ shadow), or leveraging WMI event subscriptions, which store the payload in the WMI repository rather than as a file on disk.
Check for unusual autorun locations, such as HKCU\Environment\UserInitMprLogonScript or the startup folders (%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\ and its all-users counterpart under %ProgramData%). Persistence artifacts often have recent last-write timestamps and reference files in temporary or user-writable paths; an autorun value whose target sits under %Temp% or %AppData% and whose filename looks random is the combination to alert on.
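An added example, not from the original page, that reads a .reg export of the keys above (for instance the output of reg export of the Run, Winlogon and Environment keys, which is UTF-16LE and should be opened with encoding="utf-16") and scores each value: Winlogon Shell with anything beyond explorer.exe, Userinit with extra entries, a UserInitMprLogonScript hook, and any autorun target under a user-writable or temporary path or with a random-looking filename. Only REG_SZ values are parsed; REG_EXPAND_SZ (hex(2):) and binary values are skipped. The sample export is constructed and the scoring weights are the example's own.

```python
import re

LINE_KEY = re.compile(r"^\[(.+)\]$")
LINE_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

WRITABLE_DIR = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Users\\Public\\", re.I)
TEMP_DIR = re.compile(r"\\Temp\\", re.I)
RANDOM_STEM = re.compile(r"^(?=.*\d)[a-z0-9]{6,12}$", re.I)   # assumption: random-looking name
# first drive-letter path ending in an executable-ish extension, quoted or not
EXE_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|bat|cmd|vbs|js|ps1|scr|tmp))"?', re.I)


def unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: string}} for the REG_SZ values of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_KEY.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = LINE_VALUE.match(line)
        if m and current is not None and m.group(3).startswith('"') and m.group(3).endswith('"'):
            name = unescape(m.group(1)) if m.group(1) is not None else "(Default)"
            keys[current][name] = unescape(m.group(3)[1:-1])
    return keys


def score_path(path):
    score, reasons = 0, []
    if WRITABLE_DIR.search(path):
        score += 1; reasons.append("user-writable location")
    if TEMP_DIR.search(path):
        score += 2; reasons.append("temporary directory")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if RANDOM_STEM.match(stem):
        score += 2; reasons.append(f"random-looking name {stem!r}")
    return score, reasons


def assess(keys):
    findings = []
    for key, values in keys.items():
        sub = key.split("\\", 1)[1].lower() if "\\" in key else ""
        for name, value in values.items():
            score, reasons = 0, []
            if sub.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
                pass                                   # every Run entry is assessed on its target
            elif sub.endswith("\\winlogon") and name.lower() == "shell":
                if [t.strip().lower() for t in value.split(",") if t.strip()] != ["explorer.exe"]:
                    score += 3; reasons.append("Winlogon Shell carries entries beyond explorer.exe")
            elif sub.endswith("\\winlogon") and name.lower() == "userinit":
                if len([t for t in value.split(",") if t.strip()]) > 1:
                    score += 3; reasons.append("Winlogon Userinit carries extra entries")
            elif sub == "environment" and name.lower() == "userinitmprlogonscript":
                score += 2; reasons.append("UserInitMprLogonScript logon hook present")
            else:
                continue                               # not an autorun value
            for path in EXE_PATH.findall(value):
                s, r = score_path(path)
                score += s; reasons += r
            findings.append({"key": key, "name": name, "value": value, "score": score,
                             "reasons": reasons, "suspicious": score >= 3})
    return findings


# Constructed export: one legitimate per-user OneDrive entry, a random-named binary under a
# lookalike Google\Update folder, a hijacked Winlogon Shell and a logon-script hook into Temp.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"GoogleUpdate"="C:\\Users\\alice\\AppData\\Roaming\\Google\\Update\\f3a8b1c.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\ProgramData\\WindowsSecurity\\svc.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"DefaultUserName"="alice"

[HKEY_CURRENT_USER\Environment]
"UserInitMprLogonScript"="C:\\Users\\alice\\AppData\\Local\\Temp\\setup.tmp"
'''

if __name__ == "__main__":
    for f in assess(parse_reg(SAMPLE_REG)):
        print(f["suspicious"], f["score"], f["key"].rsplit("\\", 1)[-1], f["name"], f["reasons"])
```

The OneDrive entry scores one point for living under AppData, which is where the real per-user OneDrive installs, so "writable location" alone must not be the alert; the random stem and the Winlogon and logon-script checks are what separate the three malicious entries from it.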
YARA Rule Guidance
When developing YARA rules for Raccoon Stealer, focus on unique string patterns, byte sequences, and structural features. The malware often contains hardcoded strings related to its functionality, such as:
- C2 URLs or IPs, embedded in plaintext or, more often, encrypted and decoded at runtime (a static rule on the URL only hits samples whose strings are not protected, and "https://" on its own is far too common to use).
- References to stolen data types: "cryptocurrency," "wallet," "credit_card," "password," "cookies."
- Browser paths: "\Google\Chrome\User Data\", "\Mozilla\Firefox\Profiles\".
- API function names: "CredEnumerateW," "CryptUnprotectData," "WinHttpSendRequest" (these match whether the API is imported statically, through the import name table, or resolved by name at runtime).
When the strings themselves are protected, target the decryption routine instead. Publicly analyzed Raccoon Stealer samples protect strings such as the C2 address with RC4 under a hardcoded key, with older samples layering base64 on top; the RC4 key-scheduling loop (a 256-byte table initialized and swapped in place) is a stable byte pattern across builds regardless of the key. Byte patterns like the ZIP magic (PK) may indicate embedded resources.
Target the PE structure: Raccoon Stealer samples often have a small number of sections (typically 3-5) with standard names like .text, .rdata, .data, and the entry point normally falls in the first section. The import table frequently includes winhttp.dll or wininet.dll, crypt32.dll (for CryptUnprotectData) and advapi32.dll (for the Credential Manager APIs). Do not expect sqlite3.dll in the import table: the stealer fetches it from the C2 and loads it with LoadLibrary/GetProcAddress at runtime, so a rule that requires a static sqlite3 import will miss real samples.
Avoid over-reliance on single strings, as these may change between versions. Instead, combine multiple low-prevalence strings with structural conditions, such as file size (often under 2 MB) and entropy (moderate to high due to packing). Keep in mind that a packed sample exposes none of its strings until it is unpacked, so pair a string-based rule for the unpacked payload (or a memory scan) with a separate rule for the packer. Use case-insensitive and wide-character string matching where applicable, as the malware may store strings in UTF-16.
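As an added example that is not part of the original page, a Python script that generates a YARA rule with the combination the guidance recommends (ascii wide nocase strings, an MZ check, a filesize cap and an N-of-M condition) and evaluates the same logic plus an entropy floor on a byte buffer offline, so the rule's behaviour can be checked without yara installed. The candidate strings, the 3-of-6 threshold and the 5.0 bits/byte entropy floor are assumptions; the sample buffers are constructed, with high-entropy filler standing in for a packed section.

```python
import math

# Constructed candidate strings; the rule asks YARA for ASCII, UTF-16LE (wide) and
# case-insensitive matches, and evaluate() mirrors that locally.
CANDIDATE_STRINGS = {
    "chrome_profile": "\\Google\\Chrome\\User Data\\",
    "firefox_profile": "\\Mozilla\\Firefox\\Profiles\\",
    "dpapi": "CryptUnprotectData",
    "cred_enum": "CredEnumerateW",
    "winhttp": "WinHttpSendRequest",
    "wallet": "wallet",
}
MIN_MATCHES = 3                 # assumption: require 3 of the 6 strings
MAX_SIZE = 2 * 1024 * 1024      # mirrors "filesize < 2MB"
MIN_ENTROPY = 5.0               # assumption: floor in bits/byte for a packed or compiled sample


def yara_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name="Raccoon_Stealer_string_combo", strings=CANDIDATE_STRINGS, min_matches=MIN_MATCHES):
    lines = [f"rule {name}", "{", "    strings:"]
    for key, s in strings.items():
        lines.append(f'        $s_{key} = "{yara_escape(s)}" ascii wide nocase')
    lines += ["    condition:",
              f"        uint16(0) == 0x5A4D and filesize < 2MB and {min_matches} of ($s_*)",
              "}"]
    return "\n".join(lines)


def shannon_entropy(data):
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in range(256)) if c)


def evaluate(data, strings=CANDIDATE_STRINGS, min_matches=MIN_MATCHES, max_size=MAX_SIZE, min_entropy=MIN_ENTROPY):
    """Local equivalent of the generated rule's condition, plus an entropy floor."""
    lowered = data.lower()   # ASCII-only lowering; UTF-16LE ASCII text lowers the same way
    matched = {}
    for key, s in strings.items():
        if s.lower().encode("ascii") in lowered:
            matched[key] = "ascii"
        elif s.lower().encode("utf-16-le") in lowered:
            matched[key] = "wide"
    entropy = shannon_entropy(data)
    verdict = (data[:2] == b"MZ" and len(data) < max_size
               and len(matched) >= min_matches and entropy >= min_entropy)
    return {"matched": matched, "entropy": round(entropy, 2), "verdict": verdict}


# Constructed buffers: one with the Chrome path stored as UTF-16 and two API names as ASCII
# inside high-entropy filler (standing in for a packed section), and one benign stub.
SAMPLE_PACKED = (b"MZ" + b"\x90" * 64
                 + "\\Google\\Chrome\\User Data\\".encode("utf-16-le")
                 + b"CryptUnprotectData\x00WinHttpSendRequest\x00"
                 + bytes(range(256)) * 8)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 4096 + b"This program cannot be run in DOS mode"

if __name__ == "__main__":
    print(build_rule())
    print(evaluate(SAMPLE_PACKED))
    print(evaluate(SAMPLE_BENIGN))
```

The wide match on the Chrome path is the point of the example: a rule with only ascii strings would count two hits on this buffer and miss the 3-of threshold, which is exactly how a UTF-16 string store defeats a rule written from a strings(1) listing.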
For the latest samples and IOCs, refer to the provided links: Current Samples, Current IOCs, and Raccoon Stealer Overview. Regularly update rules based on new variants to maintain detection efficacy.