This malware is a successor to Raccoon Stealer (also referred to as Raccoon Stealer 2.0), which is however a full rewrite in C/C++.
rule win_recordbreaker_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-01-25" version = "1" description = "Detects win.recordbreaker." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker" malpedia_rule_date = "20230124" malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686" malpedia_version = "20230125" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { 8bd8 ba04010000 8bcb 895c2430 } // n = 4, score = 500 // 8bd8 | mov ebx, eax // ba04010000 | mov edx, 0x104 // 8bcb | mov ecx, ebx // 895c2430 | mov dword ptr [esp + 0x30], ebx $sequence_1 = { 59 53 ff15???????? 85db 7413 eb0a } // n = 6, score = 500 // 59 | pop ecx // 53 | push ebx // ff15???????? | // 85db | test ebx, ebx // 7413 | je 0x15 // eb0a | jmp 0xc $sequence_2 = { eb17 8b45f8 85c0 7407 } // n = 4, score = 500 // eb17 | jmp 0x19 // 8b45f8 | mov eax, dword ptr [ebp - 8] // 85c0 | test eax, eax // 7407 | je 9 $sequence_3 = { 58 8bd9 663bc8 7416 6a22 8bc2 5b } // n = 7, score = 500 // 58 | pop eax // 8bd9 | mov ebx, ecx // 663bc8 | cmp cx, ax // 7416 | je 0x18 // 6a22 | push 0x22 // 8bc2 | mov eax, edx // 5b | pop ebx $sequence_4 = { 83c706 89442420 3bf2 728c 837c241000 } // n = 5, score = 500 // 83c706 | add edi, 6 // 89442420 | mov dword ptr [esp + 0x20], eax // 3bf2 | cmp esi, edx // 728c | jb 0xffffff8e // 837c241000 | cmp dword ptr [esp + 0x10], 0 $sequence_5 = { 8bf0 8d85d0fdffff 50 57 56 ff15???????? } // n = 6, score = 500 // 8bf0 | mov esi, eax // 8d85d0fdffff | lea eax, [ebp - 0x230] // 50 | push eax // 57 | push edi // 56 | push esi // ff15???????? | $sequence_6 = { 8bd8 8d4dec a1???????? 8945ec e8???????? 8b4df8 8bf0 } // n = 7, score = 500 // 8bd8 | mov ebx, eax // 8d4dec | lea ecx, [ebp - 0x14] // a1???????? | // 8945ec | mov dword ptr [ebp - 0x14], eax // e8???????? | // 8b4df8 | mov ecx, dword ptr [ebp - 8] // 8bf0 | mov esi, eax $sequence_7 = { 8b4dec 8d75c8 8365d400 ff75f8 8945d0 8b01 } // n = 6, score = 500 // 8b4dec | mov ecx, dword ptr [ebp - 0x14] // 8d75c8 | lea esi, [ebp - 0x38] // 8365d400 | and dword ptr [ebp - 0x2c], 0 // ff75f8 | push dword ptr [ebp - 8] // 8945d0 | mov dword ptr [ebp - 0x30], eax // 8b01 | mov eax, dword ptr [ecx] $sequence_8 = { 50 ff15???????? 8d542410 e8???????? } // n = 4, score = 500 // 50 | push eax // ff15???????? | // 8d542410 | lea edx, [esp + 0x10] // e8???????? | $sequence_9 = { 8bcf 50 8d55f8 e8???????? 59 59 } // n = 6, score = 500 // 8bcf | mov ecx, edi // 50 | push eax // 8d55f8 | lea edx, [ebp - 8] // e8???????? | // 59 | pop ecx // 59 | pop ecx condition: 7 of them and filesize < 142336 }
import "pe" rule win_recordbreaker_w0 { meta: description = "Detect variants of Raccoon Stealer v2" author = "Jake Goldi" date = "2022-09-20" hash1 = "022432f770bf0e7c5260100fcde2ec7c49f68716751fd7d8b9e113bf06167e03" version="1.0" phase = "experimental" url = "https://d01a.github.io/raccoon-stealer/#iocs" references = "https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family" source = "https://raw.githubusercontent.com/taogoldi/YARA/main/stealers/raccoon/raccoon_stealer.yara" credits = "@0xd01a" malware = "Win32.PWS.Raccoon" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker" malpedia_rule_date = "20220921" malpedia_hash = "" malpedia_version = "20220921" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "ffcookies.txt" wide ascii nocase $s2 = "wallet.dat" wide ascii nocase $s3 = "ru" wide ascii nocase $s4 = "record" wide ascii nocase /* E8 CC 11 00 00 call mw_rc4_decrypt 6A 55 push 85 ; cchLocaleName 8D 8D 1C FF FF FF lea ecx, [ebp-0E4h] 89 45 D8 mov [ebp-28h], eax A1 50 E0 4F 00 mov eax, GetUserDefaultLocaleName 51 push ecx ; lpLocaleName FF D0 call eax ; GetUserDefaultLocaleName 85 C0 test eax, eax 74 24 jz short loc_4F75B5 BE 00 E0 4F 00 */ $op1 = { e8 cc 11 00 00 6a 55 8d 8d 1c ff ff ff 89 45 d8 a1 50 e0 ?? 00 51 ff d0 85 c0 74 24 be 00 e0 ?? 00 } /* 8B 3D 90 E0 4F 00 mov edi, lstrlenW 8B DA mov ebx, edx 53 push ebx ; lpString 89 4D FC mov [ebp+lpString], ecx FF D7 call edi ; lstrlenW FF 75 FC push [ebp+lpString] ; lpString 8B F0 mov esi, eax FF D7 call edi ; lstrlenW 8B 0D 48 E0 4F 00 mov ecx, LocalAlloc 8D B8 80 00 00 00 lea edi, [eax+80h] 03 FE add edi, esi 8D 04 3F lea eax, [edi+edi] 50 push eax ; uBytes 6A 40 push 64 ; uFlags FF D1 call ecx ; LocalAlloc */ $op2 = { 8b 3d 90 e0 ?? 00 8b da 53 89 4d fc ff d7 ff 75 fc 8b f0 ff d7 8b 0d 48 e0 ?? 00 8d b8 80 00 00 00 03 fe 8d 04 3f 50 6a 40 ff d1 } condition: uint16(0) == 0x5a4d and filesize < 5000KB and ((2 of ($s*)) and (all of ($op*))) }
rule win_recordbreaker_w1 { meta: description = "detect_Raccoon_Stealer_v2" author = "@malgamy12" date = "16/11/2022" license = "DRL 1.1" hash = "0123b26df3c79bac0a3fda79072e36c159cfd1824ae3fd4b7f9dea9bda9c7909" hash = "0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256" hash = "048c0113233ddc1250c269c74c9c9b8e9ad3e4dae3533ff0412d02b06bdf4059" hash = "89a718dacc3cfe4f804328cbd588006a65f4dbf877bfd22a96859bf339c6f8bc" hash = "516c81438ac269de2b632fb1c59f4e36c3d714e0929a969ec971430d2d63ac4e" hash = "0c722728ca1a996bbb83455332fa27018158cef21ad35dc057191a0353960256" hash = "3ae9d121aa4b989118d76e8b0ff941b9b72ccac746de8b3a5d9f7d037361be53" hash = "bd8c1068561d366831e5712c2d58aecb21e2dbc2ae7c76102da6b00ea15e259e" hash = "960ce3cc26c8313b0fe41197e2aff5533f5f3efb1ba2970190779bc9a07bea63" hash = "bc15f011574289e46eaa432f676e59c50a9c9c42ce21332095a1bd68de5f30e5" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker" malpedia_rule_date = "20230118" malpedia_hash = "" malpedia_version = "20230118" malpedia_license = "DRL 1.1" malpedia_sharing = "TLP:WHITE" strings: $s0 = "\\ffcookies.txt" wide $s1 = "wallet.dat" wide $s2 = "Network\\Cookies" wide $s3 = "Wn0nlDEXjIzjLlkEHYxNvTAXHXRteWg0ieGKVyD52CvONbW7G91RvQDwSZi/N2ISm" ascii $op1 = {6B F3 ?? 03 F7 8B 7D ?? [3] A5} $op2 = {8A 0C 86 8B 45 ?? 8B 7D ?? 32 0C 38 8B 7D ?? 8B 86 [4] 88 0C 07 8B C7 8B 7D ?? 40} condition: uint16(0) == 0x5A4D and (all of them) }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY