SYMBOLCOMMON_NAMEaka. SYNONYMS
win.recordbreaker (Back to overview)

RecordBreaker


This malware is a successor to Raccoon Stealer (also referred to as Raccoon Stealer 2.0), which is however a full rewrite in C/C++.

References
2023-04-12SpamhausSpamhaus Malware Labs
@techreport{labs:20230412:spamhaus:aa309d1, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2023}}, date = {2023-04-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-04-18} } Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-02-27PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20230227:rig:72076aa, author = {PRODAFT}, title = {{RIG Exploit Kit: In-Depth Analysis}}, date = {2023-02-27}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf}, language = {English}, urldate = {2023-05-08} } RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader
2023-02-02YouTube (SLEUTHCON)Christopher Glyer, Microsoft Threat Intelligence Center (MSTIC)
@online{glyer:20230202:lions:b21e15a, author = {Christopher Glyer and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Lions, Tigers, and Infostealers - Oh my!}}, date = {2023-02-02}, organization = {YouTube (SLEUTHCON)}, url = {https://www.youtube.com/watch?v=NI_Yw2t9zoo}, language = {English}, urldate = {2023-04-25} } Lions, Tigers, and Infostealers - Oh my!
RecordBreaker RedLine Stealer Vidar
2022-11-08cybleCyble
@online{cyble:20221108:massive:0ed7213, author = {Cyble}, title = {{Massive YouTube Campaign Targeting Over 100 Applications To Deliver Info Stealer}}, date = {2022-11-08}, organization = {cyble}, url = {https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/}, language = {English}, urldate = {2022-11-09} } Massive YouTube Campaign Targeting Over 100 Applications To Deliver Info Stealer
RecordBreaker Vidar
2022-10-13SpamhausSpamhaus Malware Labs
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} } Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-09-16CloudsekAnandeshwar Unnikrishnan
@online{unnikrishnan:20220916:recordbreaker:8c2d4b5, author = {Anandeshwar Unnikrishnan}, title = {{Recordbreaker: The Resurgence of Raccoon}}, date = {2022-09-16}, organization = {Cloudsek}, url = {https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon}, language = {English}, urldate = {2022-10-24} } Recordbreaker: The Resurgence of Raccoon
Raccoon RecordBreaker
2022-09-12d01aMohamed Adel
@online{adel:20220912:raccoon:f423625, author = {Mohamed Adel}, title = {{Raccoon Stealer V2 in depth Analysis}}, date = {2022-09-12}, organization = {d01a}, url = {https://d01a.github.io/raccoon-stealer/}, language = {English}, urldate = {2022-09-14} } Raccoon Stealer V2 in depth Analysis
Raccoon RecordBreaker
2022-09-12Infosec WriteupsAaron Stratton
@online{stratton:20220912:raccoon:3a04b24, author = {Aaron Stratton}, title = {{Raccoon Stealer v2 Malware Analysis}}, date = {2022-09-12}, organization = {Infosec Writeups}, url = {https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8}, language = {English}, urldate = {2022-09-26} } Raccoon Stealer v2 Malware Analysis
Raccoon RecordBreaker
2022-08-30ANY.RUNANY.RUN
@online{anyrun:20220830:raccoon:5e2f00f, author = {ANY.RUN}, title = {{Raccoon Stealer 2.0 Malware analysis}}, date = {2022-08-30}, organization = {ANY.RUN}, url = {https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/}, language = {English}, urldate = {2022-08-31} } Raccoon Stealer 2.0 Malware analysis
Raccoon RecordBreaker
2022-08-18Soc InvestigationBalaGanesh
@online{balaganesh:20220818:raccoon:3678767, author = {BalaGanesh}, title = {{Raccoon Infostealer Malware Returns with New TTPS – Detection & Response}}, date = {2022-08-18}, organization = {Soc Investigation}, url = {https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/}, language = {English}, urldate = {2022-08-28} } Raccoon Infostealer Malware Returns with New TTPS – Detection & Response
Raccoon RecordBreaker
2022-07-29ZscalerSarthak Misraa
@online{misraa:20220729:raccoon:6937d2e, author = {Sarthak Misraa}, title = {{Raccoon Stealer v2: The Latest Generation of the Raccoon Family}}, date = {2022-07-29}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family}, language = {English}, urldate = {2022-08-02} } Raccoon Stealer v2: The Latest Generation of the Raccoon Family
Raccoon RecordBreaker
2022-07-05SOC PrimeVeronika Telychko
@online{telychko:20220705:raccoon:72c6866, author = {Veronika Telychko}, title = {{Raccoon Stealer Detection: A Novel Malware Version 2.0 Named RecordBreaker Offers Hackers Advanced Password-Stealing Capabilities}}, date = {2022-07-05}, organization = {SOC Prime}, url = {https://socprime.com/blog/raccoon-stealer-detection-a-novel-malware-version-2-0-named-recordbreaker-offers-hackers-advanced-password-stealing-capabilities/}, language = {English}, urldate = {2022-07-25} } Raccoon Stealer Detection: A Novel Malware Version 2.0 Named RecordBreaker Offers Hackers Advanced Password-Stealing Capabilities
RecordBreaker
Yara Rules
[TLP:WHITE] win_recordbreaker_auto (20230407 | Detects win.recordbreaker.)
rule win_recordbreaker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.recordbreaker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 57 ff750c 8bf0 }
            // n = 4, score = 600
            //   ff15????????         |                     
            //   57                   | push                edi
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   8bf0                 | mov                 esi, eax

        $sequence_1 = { 53 56 8bf2 8bc7 66833800 7408 83c002 }
            // n = 7, score = 600
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8bf2                 | mov                 esi, edx
            //   8bc7                 | mov                 eax, edi
            //   66833800             | cmp                 word ptr [eax], 0
            //   7408                 | je                  0xa
            //   83c002               | add                 eax, 2

        $sequence_2 = { 8b45fc 33d2 f7f1 8bc2 5e c9 c3 }
            // n = 7, score = 600
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   33d2                 | xor                 edx, edx
            //   f7f1                 | div                 ecx
            //   8bc2                 | mov                 eax, edx
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_3 = { 3bc7 7e29 8b0b 8bd6 e8???????? 8b15???????? 8bc8 }
            // n = 7, score = 600
            //   3bc7                 | cmp                 eax, edi
            //   7e29                 | jle                 0x2b
            //   8b0b                 | mov                 ecx, dword ptr [ebx]
            //   8bd6                 | mov                 edx, esi
            //   e8????????           |                     
            //   8b15????????         |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_4 = { ff15???????? 6a02 ff75fc ff15???????? 6a03 }
            // n = 5, score = 600
            //   ff15????????         |                     
            //   6a02                 | push                2
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   6a03                 | push                3

        $sequence_5 = { 51 8b4dfc 8975d0 e8???????? }
            // n = 4, score = 600
            //   51                   | push                ecx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8975d0               | mov                 dword ptr [ebp - 0x30], esi
            //   e8????????           |                     

        $sequence_6 = { 8bd7 8bc8 e8???????? 8b15???????? 8bc8 e8???????? }
            // n = 6, score = 600
            //   8bd7                 | mov                 edx, edi
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   8b15????????         |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     

        $sequence_7 = { 8b5510 8d8d98fdffff e8???????? 85c0 }
            // n = 4, score = 600
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8d8d98fdffff         | lea                 ecx, [ebp - 0x268]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_8 = { e8???????? eb05 b857000780 5f 5d }
            // n = 5, score = 600
            //   e8????????           |                     
            //   eb05                 | jmp                 7
            //   b857000780           | mov                 eax, 0x80070057
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp

        $sequence_9 = { 53 ff15???????? 6a00 ff15???????? 5f 5e 5b }
            // n = 7, score = 600
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

    condition:
        7 of them and filesize < 232312
}
[TLP:WHITE] win_recordbreaker_w0   (20220921 | Detect variants of Raccoon Stealer v2)
import "pe"

rule win_recordbreaker_w0 {
    meta:
        description = "Detect variants of Raccoon Stealer v2"
        author = "Jake Goldi"
        date = "2022-09-20"
        hash1 = "022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03"
        version="1.0"
        phase = "experimental"
        url = "https://d01a.github.io/raccoon-stealer/#iocs"
        references = "https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family"
        source = "https://raw.githubusercontent.com/taogoldi/YARA/main/stealers/raccoon/raccoon_stealer.yara"
        credits = "@0xd01a"
        malware = "Win32.PWS.Raccoon"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker"
        malpedia_rule_date = "20220921"
        malpedia_hash = ""
        malpedia_version = "20220921"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
  strings:
        $s1 = "ffcookies.txt" wide ascii nocase
        $s2 = "wallet.dat" wide ascii nocase
        $s3 = "ru" wide ascii nocase
        $s4 = "record" wide ascii nocase

        /*
        E8 CC 11 00 00                          call    mw_rc4_decrypt
        6A 55                                   push    85              ; cchLocaleName
        8D 8D 1C FF FF FF                       lea     ecx, [ebp-0E4h]
        89 45 D8                                mov     [ebp-28h], eax
        A1 50 E0 4F 00                          mov     eax, GetUserDefaultLocaleName
        51                                      push    ecx             ; lpLocaleName
        FF D0                                   call    eax ; GetUserDefaultLocaleName
        85 C0                                   test    eax, eax
        74 24                                   jz      short loc_4F75B5
        BE 00 E0 4F 00
        */
        $op1 = { e8 cc 11 00 00 6a 55 8d 8d 1c ff ff ff 89 45 d8 a1 50 e0 ?? 00 51 ff d0 85 c0 74 24 be 00 e0 ?? 00 }
        /* 
        8B 3D 90 E0 4F 00       mov     edi, lstrlenW
        8B DA                   mov     ebx, edx
        53                      push    ebx             ; lpString
        89 4D FC                mov     [ebp+lpString], ecx
        FF D7                   call    edi ; lstrlenW
        FF 75 FC                push    [ebp+lpString]  ; lpString
        8B F0                   mov     esi, eax
        FF D7                   call    edi ; lstrlenW
        8B 0D 48 E0 4F 00       mov     ecx, LocalAlloc
        8D B8 80 00 00 00       lea     edi, [eax+80h]
        03 FE                   add     edi, esi
        8D 04 3F                lea     eax, [edi+edi]
        50                      push    eax             ; uBytes
        6A 40                   push    64              ; uFlags
        FF D1                   call    ecx ; LocalAlloc
        */
        $op2 = { 8b 3d 90 e0 ?? 00 8b da 53 89 4d fc ff d7 ff 75 fc 8b f0 ff d7 8b 0d 48 e0 ?? 00 8d b8 80 00 00 00 03 fe 8d 04 3f 50 6a 40 ff d1 } 

    condition:
        uint16(0) == 0x5a4d and filesize < 5000KB and ((2 of ($s*)) and (all of ($op*)))

}
[TLP:WHITE] win_recordbreaker_w1   (20230118 | detect_Raccoon_Stealer_v2)
rule win_recordbreaker_w1 {
    meta:
	    description = "detect_Raccoon_Stealer_v2"
	    author = "@malgamy12"
	    date = "16/11/2022"
	    license = "DRL 1.1"
        hash = "0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909"
	    hash = "0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256"
	    hash = "048c0113233ddc1250c269c74c9c9b8e9ad3e4dae3533ff0412d02b06bdf4059"
	    hash = "89a718dacc3cfe4f804328cbd588006a65f4dbf877bfd22a96859bf339c6f8bc"
        hash = "516c81438ac269de2b632fb1c59f4e36c3d714e0929a969ec971430d2d63ac4e"
        hash = "0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256"
        hash = "3ae9d121aa4b989118d76e8b0ff941b9b72ccac746de8b3a5d9f7d037361be53"
        hash = "bd8c1068561d366831e5712c2d58aecb21e2dbc2ae7c76102da6b00ea15e259e"
        hash = "960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63"
        hash = "bc15f011574289e46eaa432f676e59c50a9c9c42ce21332095a1bd68de5f30e5"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker"
        malpedia_rule_date = "20230118"
        malpedia_hash = ""
        malpedia_version = "20230118"
        malpedia_license = "DRL 1.1"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $s0 = "\\ffcookies.txt" wide
        $s1 = "wallet.dat" wide
        $s2 = "Network\\Cookies" wide
        $s3 = "Wn0nlDEXjIzjLlkEHYxNvTAXHXRteWg0ieGKVyD52CvONbW7G91RvQDwSZi/N2ISm" ascii 

        $op1 = {6B F3 ?? 03 F7 8B 7D ?? [3] A5}
        $op2 = {8A 0C 86 8B 45 ?? 8B 7D ?? 32 0C 38 8B 7D ?? 8B 86 [4] 88 0C 07 8B C7 8B 7D ?? 40}

        
    condition:
        uint16(0) == 0x5A4D  and (all of them)

}
Download all Yara Rules