{"description": "Enterprise techniques used by Raccoon Stealer, ATT&CK software S1148 (v1.0)", "name": "Raccoon Stealer (S1148)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) checks the privileges of running processes to determine if the running user is equivalent to `NT Authority\\System`.(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) uses HTTP, and particularly HTTP POST requests, for command and control actions.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) archives collected system information in a text f ile, `System info.txt`, prior to exfiltration.(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1119", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) collects files and directories from victim systems based on configuration data downloaded from command and control servers.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1020", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) will automatically collect and exfiltrate data identified in received configuration files from command and control nodes.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) collects passwords, cookies, and autocomplete information from various popular web browsers.(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) gathers information from repositories associated with cryptocurrency wallets and the Telegram messaging service.(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1005", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) collects data from victim machines based on configuration information received from command and control nodes.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) uses RC4-encrypted, base64-encoded strings to obfuscate functionality and command and control servers.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) uses existing HTTP-based command and control channels for exfiltration.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) identifies target files and directories for collection based on a configuration file.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) can remove files related to use and installation.(Citation: Sekoia Raccoon1 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) downloads various library files enabling interaction with various data stores and structures to facilitate follow-on information theft.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.007", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) dynamically links key WinApi functions during execution.(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) uses RC4 encryption for strings and command and control addresses to evade static detection.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) queries the Windows Registry to fingerprint the infected host via the `HKLM:\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid` key.(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) can capture screenshots from victim systems.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) is capable of identifying running software on victim machines.(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1539", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) attempts to steal cookies and related information in browser history.(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1195", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) has been distributed through cracked software downloads.(Citation: S2W Racoon 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) gathers information on infected systems such as operating system, processor information, RAM, and display information.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) collects the `Locale Name` of the infected device via `GetUserDefaultLocaleName` to determine whether the string `ru` is included, but in analyzed samples no action is taken if present.(Citation: S2W Racoon 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) gathers information on the infected system owner and user.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[Raccoon Stealer](https://attack.mitre.org/software/S1148) gathers victim machine timezone information.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon2 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Raccoon Stealer", "color": "#66b1ff"}]}