win.recordbreaker

RecordBreaker


This malware is the successor to Raccoon Stealer (it is also referred to as Raccoon Stealer 2.0); however, it is a full rewrite in C/C++.

References
2022-11-08 | cyble | Cyble
@online{cyble:20221108:massive:0ed7213, author = {Cyble}, title = {{Massive YouTube Campaign Targeting Over 100 Applications To Deliver Info Stealer}}, date = {2022-11-08}, organization = {cyble}, url = {https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/}, language = {English}, urldate = {2022-11-09} } Massive YouTube Campaign Targeting Over 100 Applications To Deliver Info Stealer
RecordBreaker Vidar
2022-10-13 | Spamhaus | Spamhaus Malware Labs
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} } Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-09-16 | Cloudsek | Anandeshwar Unnikrishnan
@online{unnikrishnan:20220916:recordbreaker:8c2d4b5, author = {Anandeshwar Unnikrishnan}, title = {{Recordbreaker: The Resurgence of Raccoon}}, date = {2022-09-16}, organization = {Cloudsek}, url = {https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon}, language = {English}, urldate = {2022-10-24} } Recordbreaker: The Resurgence of Raccoon
Raccoon RecordBreaker
2022-09-12 | d01a | Mohamed Adel
@online{adel:20220912:raccoon:f423625, author = {Mohamed Adel}, title = {{Raccoon Stealer V2 in depth Analysis}}, date = {2022-09-12}, organization = {d01a}, url = {https://d01a.github.io/raccoon-stealer/}, language = {English}, urldate = {2022-09-14} } Raccoon Stealer V2 in depth Analysis
Raccoon RecordBreaker
2022-09-12 | Infosec Writeups | Aaron Stratton
@online{stratton:20220912:raccoon:3a04b24, author = {Aaron Stratton}, title = {{Raccoon Stealer v2 Malware Analysis}}, date = {2022-09-12}, organization = {Infosec Writeups}, url = {https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8}, language = {English}, urldate = {2022-09-26} } Raccoon Stealer v2 Malware Analysis
Raccoon RecordBreaker
2022-08-30 | ANY.RUN | ANY.RUN
@online{anyrun:20220830:raccoon:5e2f00f, author = {ANY.RUN}, title = {{Raccoon Stealer 2.0 Malware analysis}}, date = {2022-08-30}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/}, language = {English}, urldate = {2022-08-31} } Raccoon Stealer 2.0 Malware analysis
Raccoon RecordBreaker
2022-08-18 | Soc Investigation | BalaGanesh
@online{balaganesh:20220818:raccoon:3678767, author = {BalaGanesh}, title = {{Raccoon Infostealer Malware Returns with New TTPS – Detection & Response}}, date = {2022-08-18}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/}, language = {English}, urldate = {2022-08-28} } Raccoon Infostealer Malware Returns with New TTPS – Detection & Response
Raccoon RecordBreaker
2022-07-29 | Zscaler | Sarthak Misraa
@online{misraa:20220729:raccoon:6937d2e, author = {Sarthak Misraa}, title = {{Raccoon Stealer v2: The Latest Generation of the Raccoon Family}}, date = {2022-07-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family}, language = {English}, urldate = {2022-08-02} } Raccoon Stealer v2: The Latest Generation of the Raccoon Family
Raccoon RecordBreaker
2022-07-05 | SOC Prime | Veronika Telychko
@online{telychko:20220705:raccoon:72c6866, author = {Veronika Telychko}, title = {{Raccoon Stealer Detection: A Novel Malware Version 2.0 Named RecordBreaker Offers Hackers Advanced Password-Stealing Capabilities}}, date = {2022-07-05}, organization = {SOC Prime}, url = {https://socprime.com/blog/raccoon-stealer-detection-a-novel-malware-version-2-0-named-recordbreaker-offers-hackers-advanced-password-stealing-capabilities/}, language = {English}, urldate = {2022-07-25} } Raccoon Stealer Detection: A Novel Malware Version 2.0 Named RecordBreaker Offers Hackers Advanced Password-Stealing Capabilities
RecordBreaker
Yara Rules
[TLP:WHITE] win_recordbreaker_auto (20230125 | Detects win.recordbreaker.)
rule win_recordbreaker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.recordbreaker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * DISCLAIMER: every byte sequence below was selected automatically by
     * YARA-Signator (code and documentation at
     * https://github.com/fxb-cocacoding/yara-signator) from the disassembly of
     * memory dumps and unpacked files. Malpedia is the data source, and for a
     * number of families only a single sample is documented, which limits how
     * well these sequences generalise. Take the generation method into
     * account when applying this rule and when assigning confidence to hits.
     *
     * Layout: each $sequence_N is written one byte per token; "??" marks a
     * wildcarded byte (an absolute address or call target that differs between
     * builds). The comment above each string lists, in order, the
     * instructions the bytes encode; "n" is the instruction count and "score"
     * is the value yara-signator reported for the sequence.
     */

    strings:
        // n = 4, score = 500
        // mov ebx, eax ; mov edx, 0x104 ; mov ecx, ebx ; mov dword ptr [esp + 0x30], ebx
        $sequence_0 = { 8b d8 ba 04 01 00 00 8b cb 89 5c 24 30 }

        // n = 6, score = 500
        // pop ecx ; push ebx ; call dword ptr [<wildcarded>] ; test ebx, ebx ; je 0x15 ; jmp 0xc
        $sequence_1 = { 59 53 ff 15 ?? ?? ?? ?? 85 db 74 13 eb 0a }

        // n = 4, score = 500
        // jmp 0x19 ; mov eax, dword ptr [ebp - 8] ; test eax, eax ; je 9
        $sequence_2 = { eb 17 8b 45 f8 85 c0 74 07 }

        // n = 7, score = 500
        // pop eax ; mov ebx, ecx ; cmp cx, ax ; je 0x18 ; push 0x22 ; mov eax, edx ; pop ebx
        $sequence_3 = { 58 8b d9 66 3b c8 74 16 6a 22 8b c2 5b }

        // n = 5, score = 500
        // add edi, 6 ; mov dword ptr [esp + 0x20], eax ; cmp esi, edx ; jb 0xffffff8e ; cmp dword ptr [esp + 0x10], 0
        $sequence_4 = { 83 c7 06 89 44 24 20 3b f2 72 8c 83 7c 24 10 00 }

        // n = 6, score = 500
        // mov esi, eax ; lea eax, [ebp - 0x230] ; push eax ; push edi ; push esi ; call dword ptr [<wildcarded>]
        $sequence_5 = { 8b f0 8d 85 d0 fd ff ff 50 57 56 ff 15 ?? ?? ?? ?? }

        // n = 7, score = 500
        // mov ebx, eax ; lea ecx, [ebp - 0x14] ; mov eax, dword ptr [<wildcarded>] ;
        // mov dword ptr [ebp - 0x14], eax ; call <wildcarded> ; mov ecx, dword ptr [ebp - 8] ; mov esi, eax
        $sequence_6 = { 8b d8 8d 4d ec a1 ?? ?? ?? ?? 89 45 ec e8 ?? ?? ?? ?? 8b 4d f8 8b f0 }

        // n = 6, score = 500
        // mov ecx, dword ptr [ebp - 0x14] ; lea esi, [ebp - 0x38] ; and dword ptr [ebp - 0x2c], 0 ;
        // push dword ptr [ebp - 8] ; mov dword ptr [ebp - 0x30], eax ; mov eax, dword ptr [ecx]
        $sequence_7 = { 8b 4d ec 8d 75 c8 83 65 d4 00 ff 75 f8 89 45 d0 8b 01 }

        // n = 4, score = 500
        // push eax ; call dword ptr [<wildcarded>] ; lea edx, [esp + 0x10] ; call <wildcarded>
        $sequence_8 = { 50 ff 15 ?? ?? ?? ?? 8d 54 24 10 e8 ?? ?? ?? ?? }

        // n = 6, score = 500
        // mov ecx, edi ; push eax ; lea edx, [ebp - 8] ; call <wildcarded> ; pop ecx ; pop ecx
        $sequence_9 = { 8b cf 50 8d 55 f8 e8 ?? ?? ?? ?? 59 59 }

    condition:
        // At least 7 of the 10 sequences, bounded by the size of the documented samples.
        7 of ($sequence_*) and filesize < 142336
}
[TLP:WHITE] win_recordbreaker_w0   (20220921 | Detect variants of Raccoon Stealer v2)
// NOTE(review): the "pe" module is imported but win_recordbreaker_w0 below never
// references pe.*; its MZ check is done with uint16(0) == 0x5a4d. The import is
// kept as-is, though it presumably adds per-file PE parsing cost for no benefit.
import "pe"

rule win_recordbreaker_w0 {
    meta:
        description = "Detect variants of Raccoon Stealer v2"
        author = "Jake Goldi"
        date = "2022-09-20"
        hash1 = "022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03"
        version="1.0"
        phase = "experimental"
        url = "https://d01a.github.io/raccoon-stealer/#iocs"
        references = "https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family"
        source = "https://raw.githubusercontent.com/taogoldi/YARA/main/stealers/raccoon/raccoon_stealer.yara"
        credits = "@0xd01a"
        malware = "Win32.PWS.Raccoon"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker"
        malpedia_rule_date = "20220921"
        malpedia_hash = ""
        malpedia_version = "20220921"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Plain-text markers, matched as ASCII or UTF-16LE, case-insensitive.
        // $s3 ("ru") and $s4 ("record") are short enough to occur in almost
        // any PE, so the "2 of ($s*)" clause below is satisfied by nearly every
        // file; the selectivity of this rule rests on the two opcode sequences.
        $s1 = "ffcookies.txt" ascii wide nocase
        $s2 = "wallet.dat" ascii wide nocase
        $s3 = "ru" ascii wide nocase
        $s4 = "record" ascii wide nocase

        // Locale lookup immediately after a decrypt call (from the reference sample):
        //   call mw_rc4_decrypt ; push 85 (cchLocaleName) ; lea ecx, [ebp-0E4h] ;
        //   mov [ebp-28h], eax ; mov eax, GetUserDefaultLocaleName ; push ecx (lpLocaleName) ;
        //   call eax ; test eax, eax ; jz short ; mov esi, <imm32>
        // The third byte of each absolute address is wildcarded, presumably to
        // absorb a different image base between builds.
        $op1 = { E8 CC 11 00 00 6A 55 8D 8D 1C FF FF FF 89 45 D8 A1 50 E0 ?? 00 51 FF D0 85 C0 74 24 BE 00 E0 ?? 00 }

        // Two lstrlenW calls followed by a LocalAlloc sized (len1 + len2 + 0x80) * 2:
        //   mov edi, lstrlenW ; mov ebx, edx ; push ebx ; mov [ebp+lpString], ecx ;
        //   call edi ; push [ebp+lpString] ; mov esi, eax ; call edi ;
        //   mov ecx, LocalAlloc ; lea edi, [eax+80h] ; add edi, esi ; lea eax, [edi+edi] ;
        //   push eax (uBytes) ; push 64 (uFlags) ; call ecx
        // Same address-byte wildcarding as $op1.
        $op2 = { 8B 3D 90 E0 ?? 00 8B DA 53 89 4D FC FF D7 FF 75 FC 8B F0 FF D7 8B 0D 48 E0 ?? 00 8D B8 80 00 00 00 03 FE 8D 04 3F 50 6A 40 FF D1 }

    condition:
        // MZ header, size bound, any two text markers and both opcode sequences.
        uint16(0) == 0x5a4d and filesize < 5000KB and 2 of ($s*) and all of ($op*)
}
[TLP:WHITE] win_recordbreaker_w1   (20230118 | detect_Raccoon_Stealer_v2)
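rule win_recordbreaker_w1 {
    meta:
        description = "detect_Raccoon_Stealer_v2"
        author = "@malgamy12"
        // Original value was "16/11/2022"; written in ISO form to match the other rules.
        date = "2022-11-16"
        license = "DRL 1.1"
        // SHA-256 digests of the samples the rule was written against.
        // The duplicate entry for 0c722728... present in the original has been dropped.
        hash = "0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909"
        hash = "0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256"
        hash = "048c0113233ddc1250c269c74c9c9b8e9ad3e4dae3533ff0412d02b06bdf4059"
        hash = "89a718dacc3cfe4f804328cbd588006a65f4dbf877bfd22a96859bf339c6f8bc"
        hash = "516c81438ac269de2b632fb1c59f4e36c3d714e0929a969ec971430d2d63ac4e"
        hash = "3ae9d121aa4b989118d76e8b0ff941b9b72ccac746de8b3a5d9f7d037361be53"
        hash = "bd8c1068561d366831e5712c2d58aecb21e2dbc2ae7c76102da6b00ea15e259e"
        hash = "960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63"
        hash = "bc15f011574289e46eaa432f676e59c50a9c9c42ce21332095a1bd68de5f30e5"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // UTF-16LE file/path names referenced by the stealer (cookie and wallet stores).
        $s0 = "\\ffcookies.txt" wide
        $s1 = "wallet.dat" wide
        $s2 = "Network\\Cookies" wide
        // Long ASCII blob shared by the listed samples; presumably a per-build
        // embedded value, which makes "all of them" below variant-specific — TODO confirm.
        $s3 = "Wn0nlDEXjIzjLlkEHYxNvTAXHXRteWg0ieGKVyD52CvONbW7G91RvQDwSZi/N2ISm" ascii

        // Opcode fragments; "??" and "[N]" wildcard stack offsets and displacements.
        $op1 = {6B F3 ?? 03 F7 8B 7D ?? [3] A5}
        $op2 = {8A 0C 86 8B 45 ?? 8B 7D ?? 32 0C 38 8B 7D ?? 8B 86 [4] 88 0C 07 8B C7 8B 7D ?? 40}

    condition:
        // MZ header plus every string and opcode fragment above.
        uint16(0) == 0x5A4D and (all of them)
}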