SYMBOLCOMMON_NAMEaka. SYNONYMS
win.recordbreaker (Back to overview)

RecordBreaker


This malware is a successor to Raccoon Stealer (also referred to as Raccoon Stealer 2.0), which is however a full rewrite in C/C++.

References
2023-10-12SpamhausSpamhaus Malware Labs
@techreport{labs:20231012:spamhaus:cc0ff5c, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2023}}, date = {2023-10-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-10-17} } Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar
2023-07-11SpamhausSpamhaus Malware Labs
@techreport{labs:20230711:spamhaus:4e2885e, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2023}}, date = {2023-07-11}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-07-22} } Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee
2023-05-03AhnLabASEC
@online{asec:20230503:recordbreaker:402a5e6, author = {ASEC}, title = {{RecordBreaker Stealer Distributed via Hacked YouTube Accounts}}, date = {2023-05-03}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/52072/}, language = {English}, urldate = {2023-08-07} } RecordBreaker Stealer Distributed via Hacked YouTube Accounts
RecordBreaker
2023-04-12SpamhausSpamhaus Malware Labs
@techreport{labs:20230412:spamhaus:aa309d1, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2023}}, date = {2023-04-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-04-18} } Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-02-27PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20230227:rig:72076aa, author = {PRODAFT}, title = {{RIG Exploit Kit: In-Depth Analysis}}, date = {2023-02-27}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf}, language = {English}, urldate = {2023-05-08} } RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader
2023-02-02YouTube (SLEUTHCON)Christopher Glyer, Microsoft Threat Intelligence Center (MSTIC)
@online{glyer:20230202:lions:b21e15a, author = {Christopher Glyer and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Lions, Tigers, and Infostealers - Oh my!}}, date = {2023-02-02}, organization = {YouTube (SLEUTHCON)}, url = {https://www.youtube.com/watch?v=NI_Yw2t9zoo}, language = {English}, urldate = {2023-04-25} } Lions, Tigers, and Infostealers - Oh my!
RecordBreaker RedLine Stealer Vidar
2022-11-08cybleCyble
@online{cyble:20221108:massive:0ed7213, author = {Cyble}, title = {{Massive YouTube Campaign Targeting Over 100 Applications To Deliver Info Stealer}}, date = {2022-11-08}, organization = {cyble}, url = {https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/}, language = {English}, urldate = {2022-11-09} } Massive YouTube Campaign Targeting Over 100 Applications To Deliver Info Stealer
RecordBreaker Vidar
2022-10-13SpamhausSpamhaus Malware Labs
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} } Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-09-16CloudsekAnandeshwar Unnikrishnan
@online{unnikrishnan:20220916:recordbreaker:8c2d4b5, author = {Anandeshwar Unnikrishnan}, title = {{Recordbreaker: The Resurgence of Raccoon}}, date = {2022-09-16}, organization = {Cloudsek}, url = {https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon}, language = {English}, urldate = {2022-10-24} } Recordbreaker: The Resurgence of Raccoon
Raccoon RecordBreaker
2022-09-12d01aMohamed Adel
@online{adel:20220912:raccoon:f423625, author = {Mohamed Adel}, title = {{Raccoon Stealer V2 in depth Analysis}}, date = {2022-09-12}, organization = {d01a}, url = {https://d01a.github.io/raccoon-stealer/}, language = {English}, urldate = {2022-09-14} } Raccoon Stealer V2 in depth Analysis
Raccoon RecordBreaker
2022-09-12Infosec WriteupsAaron Stratton
@online{stratton:20220912:raccoon:3a04b24, author = {Aaron Stratton}, title = {{Raccoon Stealer v2 Malware Analysis}}, date = {2022-09-12}, organization = {Infosec Writeups}, url = {https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8}, language = {English}, urldate = {2022-09-26} } Raccoon Stealer v2 Malware Analysis
Raccoon RecordBreaker
2022-08-30ANY.RUNANY.RUN
@online{anyrun:20220830:raccoon:5e2f00f, author = {ANY.RUN}, title = {{Raccoon Stealer 2.0 Malware analysis}}, date = {2022-08-30}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/}, language = {English}, urldate = {2022-08-31} } Raccoon Stealer 2.0 Malware analysis
Raccoon RecordBreaker
2022-08-18Soc InvestigationBalaGanesh
@online{balaganesh:20220818:raccoon:3678767, author = {BalaGanesh}, title = {{Raccoon Infostealer Malware Returns with New TTPS – Detection & Response}}, date = {2022-08-18}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/}, language = {English}, urldate = {2022-08-28} } Raccoon Infostealer Malware Returns with New TTPS – Detection & Response
Raccoon RecordBreaker
2022-07-29ZscalerSarthak Misraa
@online{misraa:20220729:raccoon:6937d2e, author = {Sarthak Misraa}, title = {{Raccoon Stealer v2: The Latest Generation of the Raccoon Family}}, date = {2022-07-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family}, language = {English}, urldate = {2022-08-02} } Raccoon Stealer v2: The Latest Generation of the Raccoon Family
Raccoon RecordBreaker
2022-07-22MalwareBookReportsmuzi
@online{muzi:20220722:trash:35e5803, author = {muzi}, title = {{THE TRASH PANDA REEMERGES FROM THE DUMPSTER: RACCOON STEALER V2}}, date = {2022-07-22}, organization = {MalwareBookReports}, url = {https://malwarebookreports.com/the-trash-panda-reemerges-from-the-dumpster-raccoon-stealer-v2/}, language = {English}, urldate = {2023-08-07} } THE TRASH PANDA REEMERGES FROM THE DUMPSTER: RACCOON STEALER V2
RecordBreaker
2022-07-05SOC PrimeVeronika Telychko
@online{telychko:20220705:raccoon:72c6866, author = {Veronika Telychko}, title = {{Raccoon Stealer Detection: A Novel Malware Version 2.0 Named RecordBreaker Offers Hackers Advanced Password-Stealing Capabilities}}, date = {2022-07-05}, organization = {SOC Prime}, url = {https://socprime.com/blog/raccoon-stealer-detection-a-novel-malware-version-2-0-named-recordbreaker-offers-hackers-advanced-password-stealing-capabilities/}, language = {English}, urldate = {2022-07-25} } Raccoon Stealer Detection: A Novel Malware Version 2.0 Named RecordBreaker Offers Hackers Advanced Password-Stealing Capabilities
RecordBreaker
Yara Rules
[TLP:WHITE] win_recordbreaker_auto (20230808 | Detects win.recordbreaker.)
rule win_recordbreaker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.recordbreaker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 2bf7 8bcf d1fe 56 53 e8???????? }
            // n = 6, score = 700
            //   2bf7                 | sub                 esi, edi
            //   8bcf                 | mov                 ecx, edi
            //   d1fe                 | sar                 esi, 1
            //   56                   | push                esi
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_1 = { 42 66890c38 8d0412 0fb70c30 663bcb }
            // n = 5, score = 700
            //   42                   | inc                 edx
            //   66890c38             | mov                 word ptr [eax + edi], cx
            //   8d0412               | lea                 eax, [edx + edx]
            //   0fb70c30             | movzx               ecx, word ptr [eax + esi]
            //   663bcb               | cmp                 cx, bx

        $sequence_2 = { 59 85c0 7408 6afe }
            // n = 4, score = 700
            //   59                   | pop                 ecx
            //   85c0                 | test                eax, eax
            //   7408                 | je                  0xa
            //   6afe                 | push                -2

        $sequence_3 = { 6a02 ff75fc ff15???????? 6a03 ff75fc ff15???????? 6a04 }
            // n = 7, score = 700
            //   6a02                 | push                2
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   6a03                 | push                3
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   6a04                 | push                4

        $sequence_4 = { 8bd7 8bc8 e8???????? 8b15???????? 8bc8 e8???????? 8bd3 }
            // n = 7, score = 700
            //   8bd7                 | mov                 edx, edi
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8b15????????         |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8bd3                 | mov                 edx, ebx

        $sequence_5 = { 6a1a 53 6a00 8bf8 }
            // n = 4, score = 700
            //   6a1a                 | push                0x1a
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   8bf8                 | mov                 edi, eax

        $sequence_6 = { 881e 46 49 83ea01 }
            // n = 4, score = 700
            //   881e                 | mov                 byte ptr [esi], bl
            //   46                   | inc                 esi
            //   49                   | dec                 ecx
            //   83ea01               | sub                 edx, 1

        $sequence_7 = { 8b15???????? 8bc8 e8???????? 8b55ec }
            // n = 4, score = 700
            //   8b15????????         |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]

        $sequence_8 = { 2bc6 d1f8 56 8d3c46 33c0 }
            // n = 5, score = 700
            //   2bc6                 | sub                 eax, esi
            //   d1f8                 | sar                 eax, 1
            //   56                   | push                esi
            //   8d3c46               | lea                 edi, [esi + eax*2]
            //   33c0                 | xor                 eax, eax

        $sequence_9 = { 8b4d0c 8b07 5f 5e }
            // n = 4, score = 700
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

    condition:
        7 of them and filesize < 232312
}
[TLP:WHITE] win_recordbreaker_w0   (20220921 | Detect variants of Raccoon Stealer v2)
import "pe"

rule win_recordbreaker_w0 {
    meta:
        description = "Detect variants of Raccoon Stealer v2"
        author = "Jake Goldi"
        date = "2022-09-20"
        hash1 = "022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03"
        version="1.0"
        phase = "experimental"
        url = "https://d01a.github.io/raccoon-stealer/#iocs"
        references = "https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family"
        source = "https://raw.githubusercontent.com/taogoldi/YARA/main/stealers/raccoon/raccoon_stealer.yara"
        credits = "@0xd01a"
        malware = "Win32.PWS.Raccoon"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker"
        malpedia_rule_date = "20220921"
        malpedia_hash = ""
        malpedia_version = "20220921"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
  strings:
        $s1 = "ffcookies.txt" wide ascii nocase
        $s2 = "wallet.dat" wide ascii nocase
        $s3 = "ru" wide ascii nocase
        $s4 = "record" wide ascii nocase

        /*
        E8 CC 11 00 00                          call    mw_rc4_decrypt
        6A 55                                   push    85              ; cchLocaleName
        8D 8D 1C FF FF FF                       lea     ecx, [ebp-0E4h]
        89 45 D8                                mov     [ebp-28h], eax
        A1 50 E0 4F 00                          mov     eax, GetUserDefaultLocaleName
        51                                      push    ecx             ; lpLocaleName
        FF D0                                   call    eax ; GetUserDefaultLocaleName
        85 C0                                   test    eax, eax
        74 24                                   jz      short loc_4F75B5
        BE 00 E0 4F 00
        */
        $op1 = { e8 cc 11 00 00 6a 55 8d 8d 1c ff ff ff 89 45 d8 a1 50 e0 ?? 00 51 ff d0 85 c0 74 24 be 00 e0 ?? 00 }
        /* 
        8B 3D 90 E0 4F 00       mov     edi, lstrlenW
        8B DA                   mov     ebx, edx
        53                      push    ebx             ; lpString
        89 4D FC                mov     [ebp+lpString], ecx
        FF D7                   call    edi ; lstrlenW
        FF 75 FC                push    [ebp+lpString]  ; lpString
        8B F0                   mov     esi, eax
        FF D7                   call    edi ; lstrlenW
        8B 0D 48 E0 4F 00       mov     ecx, LocalAlloc
        8D B8 80 00 00 00       lea     edi, [eax+80h]
        03 FE                   add     edi, esi
        8D 04 3F                lea     eax, [edi+edi]
        50                      push    eax             ; uBytes
        6A 40                   push    64              ; uFlags
        FF D1                   call    ecx ; LocalAlloc
        */
        $op2 = { 8b 3d 90 e0 ?? 00 8b da 53 89 4d fc ff d7 ff 75 fc 8b f0 ff d7 8b 0d 48 e0 ?? 00 8d b8 80 00 00 00 03 fe 8d 04 3f 50 6a 40 ff d1 } 

    condition:
        uint16(0) == 0x5a4d and filesize < 5000KB and ((2 of ($s*)) and (all of ($op*)))

}
[TLP:WHITE] win_recordbreaker_w1   (20230118 | detect_Raccoon_Stealer_v2)
rule win_recordbreaker_w1 {
    meta:
	    description = "detect_Raccoon_Stealer_v2"
	    author = "@malgamy12"
	    date = "16/11/2022"
	    license = "DRL 1.1"
        hash = "0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909"
	    hash = "0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256"
	    hash = "048c0113233ddc1250c269c74c9c9b8e9ad3e4dae3533ff0412d02b06bdf4059"
	    hash = "89a718dacc3cfe4f804328cbd588006a65f4dbf877bfd22a96859bf339c6f8bc"
        hash = "516c81438ac269de2b632fb1c59f4e36c3d714e0929a969ec971430d2d63ac4e"
        hash = "0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256"
        hash = "3ae9d121aa4b989118d76e8b0ff941b9b72ccac746de8b3a5d9f7d037361be53"
        hash = "bd8c1068561d366831e5712c2d58aecb21e2dbc2ae7c76102da6b00ea15e259e"
        hash = "960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63"
        hash = "bc15f011574289e46eaa432f676e59c50a9c9c42ce21332095a1bd68de5f30e5"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $s0 = "\\ffcookies.txt" wide
        $s1 = "wallet.dat" wide
        $s2 = "Network\\Cookies" wide
        $s3 = "Wn0nlDEXjIzjLlkEHYxNvTAXHXRteWg0ieGKVyD52CvONbW7G91RvQDwSZi/N2ISm" ascii 

        $op1 = {6B F3 ?? 03 F7 8B 7D ?? [3] A5}
        $op2 = {8A 0C 86 8B 45 ?? 8B 7D ?? 32 0C 38 8B 7D ?? 8B 86 [4] 88 0C 07 8B C7 8B 7D ?? 40}

        
    condition:
        uint16(0) == 0x5A4D  and (all of them)

}
Download all Yara Rules