Raccoon Stealer Malware Removal Guide
Signs of Infection
Raccoon Stealer is an infostealer that focuses on harvesting credentials, financial data, and cryptocurrency wallets. Look for these specific indicators of compromise.
File System Artifacts:
- Executables with random, alphanumeric names (e.g., f7s83n2.exe, setup_tmp.exe) in user profile temporary directories (%TEMP%, %APPDATA%\Local\Temp).
- Recently created log or data files in %APPDATA%, %LOCALAPPDATA%, or %USERPROFILE%\Documents with names like logs.dat, system.txt, or data.bin.
- A copy of the malware executable in a subfolder of %APPDATA% or %LOCALAPPDATA%, often mimicking legitimate software folders.
- Modified or newly created browser files, such as Login Data, Web Data, or Cookies files in browser profile paths, being accessed by non-browser processes.
Process and Behavior Indicators:
- A suspicious process with a random name consuming unexpected CPU or memory, often seen briefly spawning cmd.exe or powershell.exe.
- The malware may inject into legitimate processes (like explorer.exe or svchost.exe). Look for these processes making anomalous network connections or accessing browser data paths.
- Antivirus or EDR alerts for processes attempting credential access from browser memory or wallet file directories.
- Scheduled tasks or Windows services created with random or deceptive names (e.g., “GoogleUpdateService”, “OneDriveSync”).
Network Indicators:
- Outbound HTTPS connections to domains with random subdomains or newly registered domains (often using top-level domains like .xyz, .top, .club).
- Beaconing traffic to a command-and-control (C2) server at regular intervals, often with encrypted payloads.
- Connections to IP addresses associated with known bulletproof hosting providers or previously flagged infrastructure.
- Attempts to exfiltrate data via POST requests to paths like /gate.php, /panel/index.php, or /api/collect.
Immediate Containment Steps
Within the first 15 minutes of detection, take these steps to prevent further data theft and lateral movement.
- Network Isolation: Immediately disconnect the infected host from the network. Disable its network adapters via the operating system or through network access control. If complete disconnection isn’t feasible, implement strict firewall rules at the network perimeter to block all inbound/outbound traffic from the host’s IP, except for management traffic from your security jump host.
- Credential Rotation Priority: Identify the scope of potential theft. With highest priority, reset credentials for:
- Any accounts actively logged into the infected system (local admin, domain user, Microsoft 365).
- Privileged domain and cloud administrative accounts.
- Any credentials for financial services, SSH keys, or database access that may have been stored on or accessible from the host.
- All web browser-saved passwords and autofill data. Utilize your enterprise password management solution to force resets.
- Process Termination: On the isolated host, use your EDR console or a trusted command-line tool from a clean source to terminate the primary malicious process. Identify it by its random name, high resource use, or parent-child relationship with cmd.exe. Also, kill any associated spawned processes like powershell.exe or wscript.exe that were launched by the malware.
- Preserve Evidence: Before remediation, if possible, capture a memory dump of the malicious process and make a forensic copy of any identified malicious files, registry keys, and scheduled tasks. Store these in a secure, isolated location for later analysis.
Manual Removal Process
Perform these steps on the isolated host, preferably from a clean, trusted boot or using a forensic live CD/USB.
Step 1: Terminate Malicious Processes.
- Open the Task Manager or a trusted process explorer tool.
- Identify and end the task for the primary Raccoon Stealer executable (random name in %TEMP% or %APPDATA%).
- Also end any suspicious instances of cmd.exe, powershell.exe, wscript.exe, or rundll32.exe that have a command line pointing to a suspicious script or DLL in a temp folder.
Step 2: Remove Persistence Mechanisms.
- Scheduled Tasks: Open the Task Scheduler. Look for and delete tasks with random names or names impersonating legitimate software (e.g., “AdobeUpdate”, “JavaUpdateScheduler”) that point to an executable in a user’s AppData or Temp folder.
- Registry Run Keys: Open the Registry Editor (regedit). Navigate to and inspect the following keys. Delete any entries where the data value points to the path of the malicious executable:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- Service Persistence: Check for suspicious services. Open an administrative command prompt and run sc query state= all. Look for services with random names or poor descriptions. For any suspect service, note its name, then run sc delete [ServiceName] to remove it.
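The following PowerShell script is an added triage helper, not part of this guide or of any vendor tooling. It walks the same persistence locations as Step 2 (the four Run/RunOnce keys, scheduled task actions, and service image paths) and reports entries that launch something from a user profile AppData or Temp path, which covers %TEMP%, %APPDATA%, and %LOCALAPPDATA%. It only reports; review every hit before deleting anything. Assumes an elevated session on Windows 8/Server 2012 or later (for Get-ScheduledTask).

```powershell
# Added example (not from the guide): report persistence entries that launch from a
# user-profile AppData/Temp path. Report only; review each hit before removing it.

$UserProfilePattern = '(?i)\\Users\\[^\\]+\\AppData\\'   # matches %TEMP%, %APPDATA%, %LOCALAPPDATA%

function Test-UserProfileLaunch {
    param([string]$CommandLine)
    return [bool]($CommandLine -and ($CommandLine -match $UserProfilePattern))
}

function Get-SuspectPersistence {
    $Findings  = New-Object System.Collections.Generic.List[object]
    $MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # 1. Run / RunOnce keys named in Step 2
    $RunKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($Key in $RunKeys) {
        if (-not (Test-Path $Key)) { continue }
        foreach ($Prop in (Get-ItemProperty -Path $Key).PSObject.Properties) {
            if ($MetaProps -contains $Prop.Name) { continue }   # skip provider metadata
            if (Test-UserProfileLaunch "$($Prop.Value)") {
                $Findings.Add([pscustomobject]@{ Type = 'RunKey'; Name = "$Key\$($Prop.Name)"; Command = $Prop.Value })
            }
        }
    }

    # 2. Scheduled tasks whose action executes from a user profile
    foreach ($Task in (Get-ScheduledTask)) {
        foreach ($Action in $Task.Actions) {
            $Cmd = "$($Action.Execute) $($Action.Arguments)".Trim()   # empty for non-exec actions
            if (Test-UserProfileLaunch $Cmd) {
                $Findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Name = "$($Task.TaskPath)$($Task.TaskName)"; Command = $Cmd })
            }
        }
    }

    # 3. Services whose image path lives in a user profile (same data as sc query state= all)
    foreach ($Svc in (Get-CimInstance -ClassName Win32_Service)) {
        if (Test-UserProfileLaunch "$($Svc.PathName)") {
            $Findings.Add([pscustomobject]@{ Type = 'Service'; Name = $Svc.Name; Command = $Svc.PathName })
        }
    }
    return $Findings
}

Get-SuspectPersistence | Format-Table -AutoSize
```

Legitimate per-user installers (some updaters and chat clients) also run from AppData, so treat a hit as a lead to verify against the file's signature and the indicators above, not as proof of infection.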
Step 3: Delete Dropped Files.
- Navigate to and delete the primary malware executable, typically found in:
  - %TEMP%\ (e.g., C:\Users\[Username]\AppData\Local\Temp\)
  - %APPDATA%\ (e.g., C:\Users\[Username]\AppData\Roaming\)
  - %LOCALAPPDATA%\ (e.g., C:\Users\[Username]\AppData\Local\)
- Search for and delete any associated configuration or log files (e.g., config.json, logs.txt, data.bin) in these same directories or in %USERPROFILE%\Documents.
- Delete any malicious DLLs or VBS/JS scripts that may have been dropped in these folders.
Step 4: Clean Registry Entries.
- In the Registry Editor, search (Ctrl+F) for the file paths and names of the malicious executables you deleted. Pay particular attention to keys under:
  - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (used for process hijacking).
  - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (for persistence via browser extensions).
  - HKLM\SOFTWARE\Classes\CLSID\ and HKCU\Software\Classes\CLSID\ (for COM hijacking).
- Delete any keys or values that reference the malware.
Verifying Removal
After completing the manual removal, confirm the host is clean.
- Full System Scan: Perform a full, deep scan of the system using your updated endpoint security solution. Use a dedicated anti-malware scanning tool for a second opinion.
- Log Analysis: Review Windows Event Logs (especially Security, System, and Application logs) for any recent errors or warnings related to the deleted files, services, or scheduled tasks. Look for failed attempts by the malware to restart.
- Persistence Check: Re-examine all persistence locations: Scheduled Tasks, Registry Run keys, Services, Startup folder. Ensure no remnants remain.
- Network Monitoring: Before reconnecting the host to the production network, monitor its outbound traffic in an isolated test environment. Use a network monitoring tool to confirm there are no more beaconing attempts to known Raccoon C2 servers or other suspicious domains. Check for the specific IOCs listed on the Current Raccoon Stealer IOCs page.
- Browser Artifact Check: Verify that browser profiles have not been modified with malicious extensions. Check the Extensions folders for Chrome (%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\) and Firefox (%APPDATA%\Mozilla\Firefox\Profiles\).
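To support the Network Monitoring and Browser Artifact checks, here is an added PowerShell verification script (not from the guide). It joins each established outbound TCP connection to the image path of its owning process, so anything still running from a user profile AppData/Temp path and talking to the network stands out, and it lists the Chrome and Firefox extension folders named above with their last-write times. Assumes an elevated session; the browser paths use the current user's %LOCALAPPDATA% and %APPDATA%, so repeat per affected profile.

```powershell
# Added example (not from the guide): post-removal verification on the isolated host.

function Get-OutboundConnectionsWithOwner {
    $Pattern = '(?i)\\Users\\[^\\]+\\AppData\\'
    $ByPid = @{}
    foreach ($P in Get-Process) { $ByPid[[int]$P.Id] = $P }

    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|fe80:)' } |   # drop loopback/link-local
        ForEach-Object {
            $Owner = $ByPid[[int]$_.OwningProcess]
            $Path  = if ($Owner) { $Owner.Path } else { $null }   # null for protected/system processes
            [pscustomobject]@{
                OwningPid       = $_.OwningProcess
                Process         = if ($Owner) { $Owner.ProcessName } else { '(unknown)' }
                ImagePath       = $Path
                Remote          = "$($_.RemoteAddress):$($_.RemotePort)"
                FromUserProfile = [bool]($Path -and ($Path -match $Pattern))
            }
        }
}

# Chrome keeps one folder per extension ID; Firefox keeps .xpi files under each profile.
function Get-BrowserExtensionFolders {
    $Chrome  = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    $Firefox = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    $Items = @()
    if (Test-Path $Chrome) {
        $Items += Get-ChildItem -Path $Chrome -Directory | ForEach-Object {
            [pscustomobject]@{ Browser = 'Chrome'; Extension = $_.Name; LastWrite = $_.LastWriteTime }
        }
    }
    if (Test-Path $Firefox) {
        $Items += Get-ChildItem -Path $Firefox -Recurse -Filter '*.xpi' -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Browser = 'Firefox'; Extension = $_.FullName; LastWrite = $_.LastWriteTime }
        }
    }
    return $Items
}

Get-OutboundConnectionsWithOwner | Sort-Object FromUserProfile -Descending | Format-Table -AutoSize
Get-BrowserExtensionFolders | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

Any connection whose FromUserProfile is True, or an extension folder written around the time of infection, should be compared against the Current Raccoon Stealer IOCs page before the host is returned to the production network.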
Post-Removal Security Hardening
To prevent reinfection and improve resilience against infostealers like Raccoon Stealer:
- Application Control: Implement application allowlisting policies via Group Policy or your EDR solution. Block execution from high-risk locations like %TEMP%, %APPDATA%, and %LOCALAPPDATA% for non-trusted, unsigned executables.
- Enhanced Monitoring Rules: Configure your SIEM or EDR platform to generate alerts for:
  - Processes making read access attempts to browser Login Data or Cookies files.
  - Creation of executable files in user-writable directories followed by immediate network connections.
  - New scheduled tasks or services created with random names or pointing to user profile paths.
  - Outbound network connections to IPs or domains with a low reputation score or matching the patterns in the IOC list.
- Policy Updates:
- Enforce the principle of least privilege. Standard users should not have local administrative rights.
- Deploy a credentialed password manager enterprise-wide to discourage the storage of passwords in browsers.
- Implement network segmentation to restrict outbound internet traffic from standard user workstations to only necessary services.
- Mandate and enforce the use of multi-factor authentication (MFA) for all user accounts, especially for email, cloud services, and remote access.
- User Training: Educate users on the primary infection vectors for stealers: phishing emails with malicious attachments, drive-by downloads from compromised sites, and pirated software/cracks. Reinforce reporting procedures for suspicious activity.
For more information on this malware family, refer to the Raccoon Stealer Overview. To assess your defensive coverage, review the Detection Rate data.