RecordBreaker Infostealer Disguised as a .NET Installer – ASEC BLOG

RecordBreaker (Raccoon Stealer V2) Infostealer is distributed concealed as cracked software, using a mix of normal files inside archives and a legitimate .NET installer to bypass sandboxes. In non-virtual environments it downloads an encrypted malware payload from the threat actor’s server, while in virtual environments the installer is fetched from Microsoft and executed instead.
#RecordBreaker #RaccoonStealer #WinRecordStealer #ASEC #AhnLabTIP

Keypoints

  • Malware distributions now bundle normal files with the malicious payload to mislead users and analysts.
  • The sample is Rust-based, relatively compact (20–50 MB) compared to earlier bloated versions, and is identified as RecordBreaker (Raccoon Stealer V2).
  • Extensive anti-analysis techniques detect virtualized or sandboxed environments (e.g., debug checks, memory/driver scans, VM strings).
  • In non-VM environments, a PowerShell workflow delays execution and downloads an encrypted payload from a C2, which is then decrypted and injected.
  • The loader injects the decrypted malware into a legitimate process (addinprocess32.exe) and exfiltrates stolen data to the C2 before terminating.
  • Process-tree differences exist between virtual and normal environments, with virtual environments triggering a normal .NET installer download.

MITRE Techniques

  • [T1204] User Execution – The malware is executed by the user as a cracked installer, leading to subsequent malicious activity. “If the malware is executed in an ordinary user environment, the encrypted malware file is downloaded from the threat actor’s server and executed.”
  • [T1497.001] Virtualization/Sandbox Evasion – Anti-analysis checks to detect virtual environments. “Scan debugging status”; “Scan for strings related to virtual environment in the memory”; “Scan driver (.sys) related to virtual environment”.
  • [T1059.001] PowerShell – Used to delay execution before the encrypted payload is fetched. “"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQA=”; the base64 argument (UTF-16LE, as -EncodedCommand expects) decodes to “Start-Sleep -s 5”.
  • [T1105] Ingress Tool Transfer – The encrypted payload is downloaded from the C2 after the environment checks. “the encrypted malware file is ultimately downloaded from the C2.”
  • [T1027] Obfuscated Files or Information – The downloaded payload is XOR-encrypted with a fixed key. “The downloaded file is encrypted with XOR and the key is ‘Fm6L4G49fGoTN5Qg9vkEqN4THHncGzXRwaaSuzg2PZ8BXqnBHyx9Ppk2oDB3UEcY’.”
  • [T1055] Process Injection – Decrypted payload is injected into addinprocess32.exe. “injection is carried out after the normal process (addinprocess32.exe) is executed.”
  • [T1071.001] Web Protocols – C2 communication with HTTP/Web protocols. “RecordBreaker C2 communication” and “C2: 94.142.138[.]74”.
  • [T1082] System Information Discovery – Collects system information during execution. “System information (Disk size, process information, memory size, etc.)”
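The two artifacts quoted under T1059.001 and T1027, the base64 `-enc` argument and the XOR key, can be worked with a few lines of analyst tooling. The Python below is an added example, not code from the ASEC write-up or from the malware: it decodes the encoded command (base64 over UTF-16LE text, which is what PowerShell's -EncodedCommand takes), applies XOR with the published key, and sanity-checks the result for a PE header before trusting it. That the file is XOR'd byte-by-byte with the key cycling over the whole file is an assumption made here; the page gives only the key. The "downloaded" sample is constructed inline from a fake PE header so the script runs offline.

```python
import base64
from typing import Optional

# Quoted on the page: the -enc argument of the powershell.exe command line.
ENCODED_COMMAND = "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQA="

# Quoted on the page: the XOR key for the downloaded payload.
XOR_KEY = b"Fm6L4G49fGoTN5Qg9vkEqN4THHncGzXRwaaSuzg2PZ8BXqnBHyx9Ppk2oDB3UEcY"


def decode_encoded_command(enc: str) -> str:
    """Decode a PowerShell -EncodedCommand value: base64 over UTF-16LE text."""
    padded = enc + "=" * (-len(enc) % 4)  # tolerate a '=' lost in copy/paste
    return base64.b64decode(padded).decode("utf-16-le")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts.
    Assumption (not stated on the page): the key cycles over the whole file."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap plausibility check for a decrypted Windows executable:
    'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_payload(blob: bytes, key: bytes = XOR_KEY) -> Optional[bytes]:
    """Decrypt a downloaded blob and return it only if it decodes to a PE.
    None means the key or the assumed scheme does not fit this sample."""
    plain = xor_with_key(blob, key)
    return plain if looks_like_pe(plain) else None


def build_fake_pe() -> bytes:
    """Constructed stand-in for a real payload: a DOS header whose e_lfanew
    points at a PE signature, followed by filler. Not an executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 60


if __name__ == "__main__":
    print("decoded -enc argument:", decode_encoded_command(ENCODED_COMMAND))
    # Simulate what the loader fetches: the payload XOR'd with the key.
    downloaded = xor_with_key(build_fake_pe(), XOR_KEY)
    print("ciphertext looks like a PE:", looks_like_pe(downloaded))
    recovered = decrypt_payload(downloaded)
    print("decrypted payload is a PE:", recovered is not None)
```

On a real capture, pass the bytes of the fetched file to `decrypt_payload`; a `None` result means the scheme assumed here (plain repeating-key XOR with the published key) does not match that sample, and the loader's decryption routine needs to be read before going further.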

Indicators of Compromise

  • [MD5] context – 9fed0b55798d1ffd9b44820b3fec080c, 8248d62ec402f42251e5736b33da1d4d, 19e491dfe1ab656f715245ec9401bdd1, and 2 more hashes
  • [IP Address] context – 94.142.138[.]74, 89.185.85[.]117
  • [URL] context – hxxp://89.208.103[.]225/client14/enc2no.exe, hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe, and 2 more URLs
  • [Process] context – addinprocess32.exe
  • [File Name] context – setup.exe, Pangl.exe
  • [User-Agent] context – Zadanie
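Turning the network indicators above into a check over proxy logs, as an added example that is not part of the ASEC write-up: the script keeps the indicators in their published defanged form, refangs them for matching, parses a constructed proxy log, and flags a line on an exact payload URL, a destination host equal to a listed C2 IP, or the “Zadanie” User-Agent. The log lines and their `<timestamp> <client> <method> <url> <status> "<user-agent>"` layout are assumptions made for the demo, not from the page; the POST to the C2 IP is constructed to stand in for the HTTP C2 contact the page describes (the page gives no request path).

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators quoted on the page, kept in their published (defanged) form.
IOC_IPS = ["94.142.138[.]74", "89.185.85[.]117"]
IOC_URLS = [
    "hxxp://89.208.103[.]225/client14/enc2no.exe",
    "hxxp://85.192.40[.]245/fol1paf2nyg0/bn1.exe",
]
IOC_USER_AGENTS = ["Zadanie"]


def refang(indicator: str) -> str:
    """Return a defanged indicator to the form that appears in real logs."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


# Constructed proxy log (not from the page). Layout assumed for the demo:
# <timestamp> <client> <method> <url> <status> "<user-agent>"
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:01Z 10.0.0.21 GET http://download.microsoft.com/ndp48.exe 200 "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T09:00:07Z 10.0.0.21 GET http://89.208.103.225/client14/enc2no.exe 200 "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T09:00:19Z 10.0.0.21 POST http://94.142.138.74/ 200 "Zadanie"
2024-05-01T09:01:02Z 10.0.0.33 GET https://example.org/index.html 200 "Mozilla/5.0 (Windows NT 10.0)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": status, "ua": ua}


def match_iocs(event: Dict[str, str]) -> List[str]:
    """Reasons this event matches the published indicators (empty if none)."""
    urls = {refang(u) for u in IOC_URLS}
    ips = {refang(ip) for ip in IOC_IPS}
    reasons = []
    if event["url"] in urls:
        reasons.append("payload URL")
    host = urlsplit(event["url"]).hostname or ""
    if host in ips:
        reasons.append("C2 IP " + host)
    if event["ua"] in IOC_USER_AGENTS:
        reasons.append("User-Agent " + event["ua"])
    return reasons


def scan_proxy_log(text: str) -> List[Dict[str, object]]:
    """Run the indicator match over every parsable line; return the hits."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        event = parse_line(raw)
        if event is None:
            continue
        reasons = match_iocs(event)
        if reasons:
            hits.append({"line": lineno, "client": event["client"],
                         "url": event["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {hit['url']}: "
              f"{', '.join(hit['reasons'])}")
```

Matching the URL exactly rather than by substring keeps the check tight; the host-to-IP comparison catches the C2 beaconing even when the path changes, and the User-Agent match stands on its own because “Zadanie” is not a string a browser sends.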

Read more: https://asec.ahnlab.com/en/54658/