RecordBreaker or RacoonStealerV2 is the new version of the stealer Racoon that we can buy as malware-as-a-service at the black markets under $300. Widely used in mass campaigns or used by criminal groups where they try to infect repositories or attach this malware usually compressed in ZIP/RAR format. Its main objective is to reach the largest number of victims and contains different phases including process injection, binary downloading and information theft.

_Technical Analysis

RecordBreaker usually appears in infected repositories or in attachments as a compressed file that when opened will execute a binary, which depending on the version, will make connections outside in different ways in order to geolocate, check for internet connection or download files, if this phase is fulfilled, it will execute an injection in a legitimate binary, usually related to .NET as RegAsm, InstallUtil or Regsvcs from where it will perform the information theft.


An example of execution flow is the following in which after a zip, a binary is executed that makes a request to a malicious IP and then launches a sleep encoded of 12 seconds to inject RegAsm.exe


In some versions it performs fake PNG/JPG downloads, if it fails to make the connection, the next phase is not performed.


RecordBreaker generates persistence by creating a task with a name similar to the structure of a CLSID


Task name example:


After this initial phase, it performs an injection, commonly using processes related to .NET, we can see how it will perform a process suspension, and then write in the (WriteProcessMemory) modify the thread context to get all the info of this (SetThreadContext) and when it has done all the operation release the thread in which it is writing.


Processes to be considered for injection:

  • RegSvcs.exe
  • RegAsm.exe
  • AppLaunch.exe
  • InstallUtil.exe
  • aspnet_compiler.exe

Once injected into the legitimate process, RecordBreaker will start working, in the first phase, it will resolve imports, since by itself, it only has the ability to load other APIs/libraries with GetProcAddress + LoadLibraryW. When it has all the new libraries and APIs loaded, we will get a better understanding of the code, and the malware, new capabilities.


We can see how it performs a reinfection control using Mutex with a hardcoded string


And we can see how it obtains data that will be used later encrypted in RC4.


After a decryption phase, it collects data from the machine, user, search engines, etc. Which it will collect on the basis of an internal configuration.

In this phase, we can also see, depending on versions, how it performs download requests to malicious IPs to bring more functionalities to the code.


To obtain the data, RecordBreaker will use SQLite to perform queries and obtain all the information it is interested in, and then save it in files that it will send to the C&C.


The main information that RecordBreaker usually steals is:

  • Browser (Cookies, User info, Passwords)
  • Telegram info
  • Bank Information (Cards/Accounts)
  • CrytpoWallets

All this information will be sent to a C&C server and since you have performed a persistence, it can continue to increase this information :)