SYMBOLCOMMON_NAMEaka. SYNONYMS
win.recordbreaker (Back to overview)

RecordBreaker

VTCollection    

This malware is a successor to Raccoon Stealer (also referred to as Raccoon Stealer 2.0), which is however a full rewrite in C/C++.

References
2024-12-18Bleeping ComputerSergiu Gatlan
Raccoon Stealer malware operator gets 5 years in prison after guilty plea
Raccoon RecordBreaker
2024-09-19GooglePraveeth DSouza
Finding Malware: Unveiling RECORDSTEALER with Google Security Operations
RecordBreaker
2024-02-08Cybercrime DiariesOleg
Russian Language Cybercriminal Forums – Analyzing The Most Active And Renowned Communities.
Raccoon RecordBreaker
2024-01-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver
2023-11-24Medium g0njxag0njxa
Approaching stealers devs : a brief interview with Recordbreaker
Raccoon RecordBreaker
2023-10-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar
2023-07-11SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee
2023-05-03AhnLabASEC
RecordBreaker Stealer Distributed via Hacked YouTube Accounts
RecordBreaker
2023-04-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-02-27PRODAFT Threat IntelligencePRODAFT
RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader
2023-02-03CloudsekDeepanjli Paulraj, Pavan Karthick M
Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware
Alfonso Stealer Bandit Stealer Cameleon Fabookie Lumma Stealer Nanocore RAT Panda Stealer RecordBreaker RedLine Stealer Stealc STOP Vidar zgRAT
2023-02-02YouTube (SLEUTHCON)Christopher Glyer, Microsoft Threat Intelligence Center (MSTIC)
Lions, Tigers, and Infostealers - Oh my!
RecordBreaker RedLine Stealer Vidar
2022-11-08cybleCyble
Massive YouTube Campaign Targeting Over 100 Applications To Deliver Info Stealer
RecordBreaker Vidar
2022-10-13SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-09-16CloudsekAnandeshwar Unnikrishnan
Recordbreaker: The Resurgence of Raccoon
Raccoon RecordBreaker
2022-09-12Infosec WriteupsAaron Stratton
Raccoon Stealer v2 Malware Analysis
Raccoon RecordBreaker
2022-09-12d01aMohamed Adel
Raccoon Stealer V2 in depth Analysis
Raccoon RecordBreaker
2022-08-30ANY.RUNANY.RUN
Raccoon Stealer 2.0 Malware analysis
Raccoon RecordBreaker
2022-08-18Soc InvestigationBalaGanesh
Raccoon Infostealer Malware Returns with New TTPS – Detection & Response
Raccoon RecordBreaker
2022-08-10Avast DecodedThreat Research Team
Avast Q2/2022 Threat Report: Farewell to Conti, Zloader, and Maldocs; Hello Resurrection of Raccoon Stealer, and more Ransomware Attacks
Conti Raccoon RecordBreaker Zloader Caramel Tsunami
2022-07-29ZscalerSarthak Misraa
Raccoon Stealer v2: The Latest Generation of the Raccoon Family
Raccoon RecordBreaker
2022-07-22MalwareBookReportsmuzi
THE TRASH PANDA REEMERGES FROM THE DUMPSTER: RACCOON STEALER V2
RecordBreaker
2022-07-05SOC PrimeVeronika Telychko
Raccoon Stealer Detection: A Novel Malware Version 2.0 Named RecordBreaker Offers Hackers Advanced Password-Stealing Capabilities
RecordBreaker
Yara Rules
[TLP:WHITE] win_recordbreaker_auto (20241030 | Detects win.recordbreaker.)
rule win_recordbreaker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.recordbreaker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bc8 e8???????? 8bd3 8bc8 e8???????? 8b15???????? 8bc8 }
            // n = 7, score = 700
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8bd3                 | mov                 edx, ebx
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8b15????????         |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_1 = { 85d2 7425 8b450c b9feffff7f 2bc6 57 }
            // n = 6, score = 700
            //   85d2                 | test                edx, edx
            //   7425                 | je                  0x27
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   b9feffff7f           | mov                 ecx, 0x7ffffffe
            //   2bc6                 | sub                 eax, esi
            //   57                   | push                edi

        $sequence_2 = { 6a00 8d4514 50 6aff ff35???????? }
            // n = 5, score = 700
            //   6a00                 | push                0
            //   8d4514               | lea                 eax, [ebp + 0x14]
            //   50                   | push                eax
            //   6aff                 | push                -1
            //   ff35????????         |                     

        $sequence_3 = { 8365f800 a1???????? c745f464000000 53 56 }
            // n = 5, score = 700
            //   8365f800             | and                 dword ptr [ebp - 8], 0
            //   a1????????           |                     
            //   c745f464000000       | mov                 dword ptr [ebp - 0xc], 0x64
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_4 = { ff35???????? 57 ff15???????? 8b7508 83c410 8bd7 }
            // n = 6, score = 700
            //   ff35????????         |                     
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   83c410               | add                 esp, 0x10
            //   8bd7                 | mov                 edx, edi

        $sequence_5 = { 33c0 50 6800000008 6a02 50 50 }
            // n = 6, score = 700
            //   33c0                 | xor                 eax, eax
            //   50                   | push                eax
            //   6800000008           | push                0x8000000
            //   6a02                 | push                2
            //   50                   | push                eax
            //   50                   | push                eax

        $sequence_6 = { 83c414 85c0 790f 53 ff15???????? }
            // n = 5, score = 700
            //   83c414               | add                 esp, 0x14
            //   85c0                 | test                eax, eax
            //   790f                 | jns                 0x11
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_7 = { 57 8906 ff15???????? 53 ff15???????? 33c0 }
            // n = 6, score = 700
            //   57                   | push                edi
            //   8906                 | mov                 dword ptr [esi], eax
            //   ff15????????         |                     
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax

        $sequence_8 = { c1e704 037d14 40 8901 }
            // n = 4, score = 700
            //   c1e704               | shl                 edi, 4
            //   037d14               | add                 edi, dword ptr [ebp + 0x14]
            //   40                   | inc                 eax
            //   8901                 | mov                 dword ptr [ecx], eax

        $sequence_9 = { ff7510 ff750c 56 e8???????? 83c414 56 ff15???????? }
            // n = 7, score = 700
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   56                   | push                esi
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 232312
}
[TLP:WHITE] win_recordbreaker_w0   (20220921 | Detect variants of Raccoon Stealer v2)
import "pe"

rule win_recordbreaker_w0 {
    meta:
        description = "Detect variants of Raccoon Stealer v2"
        author = "Jake Goldi"
        date = "2022-09-20"
        hash1 = "022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03"
        version="1.0"
        phase = "experimental"
        url = "https://d01a.github.io/raccoon-stealer/#iocs"
        references = "https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family"
        source = "https://raw.githubusercontent.com/taogoldi/YARA/main/stealers/raccoon/raccoon_stealer.yara"
        credits = "@0xd01a"
        malware = "Win32.PWS.Raccoon"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker"
        malpedia_rule_date = "20220921"
        malpedia_hash = ""
        malpedia_version = "20220921"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
  strings:
        $s1 = "ffcookies.txt" wide ascii nocase
        $s2 = "wallet.dat" wide ascii nocase
        $s3 = "ru" wide ascii nocase
        $s4 = "record" wide ascii nocase

        /*
        E8 CC 11 00 00                          call    mw_rc4_decrypt
        6A 55                                   push    85              ; cchLocaleName
        8D 8D 1C FF FF FF                       lea     ecx, [ebp-0E4h]
        89 45 D8                                mov     [ebp-28h], eax
        A1 50 E0 4F 00                          mov     eax, GetUserDefaultLocaleName
        51                                      push    ecx             ; lpLocaleName
        FF D0                                   call    eax ; GetUserDefaultLocaleName
        85 C0                                   test    eax, eax
        74 24                                   jz      short loc_4F75B5
        BE 00 E0 4F 00
        */
        $op1 = { e8 cc 11 00 00 6a 55 8d 8d 1c ff ff ff 89 45 d8 a1 50 e0 ?? 00 51 ff d0 85 c0 74 24 be 00 e0 ?? 00 }
        /* 
        8B 3D 90 E0 4F 00       mov     edi, lstrlenW
        8B DA                   mov     ebx, edx
        53                      push    ebx             ; lpString
        89 4D FC                mov     [ebp+lpString], ecx
        FF D7                   call    edi ; lstrlenW
        FF 75 FC                push    [ebp+lpString]  ; lpString
        8B F0                   mov     esi, eax
        FF D7                   call    edi ; lstrlenW
        8B 0D 48 E0 4F 00       mov     ecx, LocalAlloc
        8D B8 80 00 00 00       lea     edi, [eax+80h]
        03 FE                   add     edi, esi
        8D 04 3F                lea     eax, [edi+edi]
        50                      push    eax             ; uBytes
        6A 40                   push    64              ; uFlags
        FF D1                   call    ecx ; LocalAlloc
        */
        $op2 = { 8b 3d 90 e0 ?? 00 8b da 53 89 4d fc ff d7 ff 75 fc 8b f0 ff d7 8b 0d 48 e0 ?? 00 8d b8 80 00 00 00 03 fe 8d 04 3f 50 6a 40 ff d1 } 

    condition:
        uint16(0) == 0x5a4d and filesize < 5000KB and ((2 of ($s*)) and (all of ($op*)))

}
[TLP:WHITE] win_recordbreaker_w1   (20230118 | detect_Raccoon_Stealer_v2)
rule win_recordbreaker_w1 {
    meta:
	    description = "detect_Raccoon_Stealer_v2"
	    author = "@malgamy12"
	    date = "16/11/2022"
	    license = "DRL 1.1"
        hash = "0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909"
	    hash = "0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256"
	    hash = "048c0113233ddc1250c269c74c9c9b8e9ad3e4dae3533ff0412d02b06bdf4059"
	    hash = "89a718dacc3cfe4f804328cbd588006a65f4dbf877bfd22a96859bf339c6f8bc"
        hash = "516c81438ac269de2b632fb1c59f4e36c3d714e0929a969ec971430d2d63ac4e"
        hash = "0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256"
        hash = "3ae9d121aa4b989118d76e8b0ff941b9b72ccac746de8b3a5d9f7d037361be53"
        hash = "bd8c1068561d366831e5712c2d58aecb21e2dbc2ae7c76102da6b00ea15e259e"
        hash = "960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63"
        hash = "bc15f011574289e46eaa432f676e59c50a9c9c42ce21332095a1bd68de5f30e5"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $s0 = "\\ffcookies.txt" wide
        $s1 = "wallet.dat" wide
        $s2 = "Network\\Cookies" wide
        $s3 = "Wn0nlDEXjIzjLlkEHYxNvTAXHXRteWg0ieGKVyD52CvONbW7G91RvQDwSZi/N2ISm" ascii 

        $op1 = {6B F3 ?? 03 F7 8B 7D ?? [3] A5}
        $op2 = {8A 0C 86 8B 45 ?? 8B 7D ?? 32 0C 38 8B 7D ?? 8B 86 [4] 88 0C 07 8B C7 8B 7D ?? 40}

        
    condition:
        uint16(0) == 0x5A4D  and (all of them)

}
Download all Yara Rules