Overview
This sample is a 156 KB credential-harvesting RAT whose PDB path names the project Ring3 CRAT x64 and which carries the string warzoneTURBO. It steals saved passwords from Chrome, Edge, Epic Privacy Browser and Firefox, uses classic remote-thread process injection and the Windows BCrypt API for AES-GCM password decryption, and leverages WarzoneRAT infrastructure. Note that the PDB project name says x64 while the file itself is a 32-bit PE32 (Intel 80386) image, so the project name should not be read as evidence of the build target.
Technical Analysis
WarzoneRAT / Ring3 CRAT Identification
- PDB path: `C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb`
- `warzoneTURBO`: string pointing to WarzoneRAT's "turbo" mode
- `Injecting64`: name of the 64-bit injection routine
Browser Credential Theft
The sample embeds two SQL queries for Chromium-style login databases:
```sql
select signon_realm, origin_url, username_value, password_value from logins
select signon_realm, origin_url, username_value, password_value from wow_logins
```
Paths and functions referenced per browser:
- Chrome: `\Google\Chrome\User Data\Default\Login Data` (SQLite database holding the encrypted credentials)
- Edge: `\Microsoft\Edge\User Data\Local State` (JSON file holding the DPAPI-wrapped AES key under `os_crypt.encrypted_key`)
- Epic Privacy Browser: `\Epic Privacy Browser\User Data\Default\Login Data`
- Firefox: `PK11SDR_Decrypt` and `PK11_CheckUserPassword` (NSS functions resolved from the browser's own nss3.dll), plus the `encryptedUsername` and `encryptedPassword` fields of Firefox's stored logins
BCrypt API Password Decryption
The imported CNG functions cover the full AES-GCM decryption sequence for Chromium password blobs:
- `BCryptOpenAlgorithmProvider`: open the AES algorithm provider
- `BCryptSetProperty`: set the chaining mode to AES-GCM
- `BCryptGenerateSymmetricKey`: load the key recovered from Local State as a symmetric key
- `BCryptDecrypt`: decrypt the Chrome password values
Process Injection
- `VirtualAllocEx`, `WriteProcessMemory`, `CreateRemoteThread`: classic remote-thread injection into another process
- `URLDownloadToFileW`: download of a secondary payload
Trace Removal
The sample removes itself through a spawned command shell. The ping to 1.2.3.4 (two requests with a 1000 ms timeout) is used as a short delay so the executable is no longer in use when Del runs; the target path is truncated in the recovered string:
```cmd
cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
```
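An added triage example, not part of this profile or of the sample: Python that checks a byte buffer (a raw file or a dumped region) for the identification strings, stealer paths and import groups listed above, and a regex for the ping-then-Del self-delete command as it shows up in process-creation telemetry. The sample buffer and the command lines are constructed for the demonstration; the indicator values themselves are the ones recovered from the sample.

```python
import re

# String indicators recovered from the sample (PDB path, markers, queries, paths).
STRING_INDICATORS = {
    "pdb_path": rb"C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb",
    "warzone_turbo": b"warzoneTURBO",
    "injecting64": b"Injecting64",
    "logins_query": b"select signon_realm, origin_url, username_value, password_value from logins",
    "wow_logins_query": b"select signon_realm, origin_url, username_value, password_value from wow_logins",
    "chrome_login_data": rb"\Google\Chrome\User Data\Default\Login Data",
    "edge_local_state": rb"\Microsoft\Edge\User Data\Local State",
    "epic_login_data": rb"\Epic Privacy Browser\User Data\Default\Login Data",
    "firefox_nss": b"PK11SDR_Decrypt",
}

# Import groups: every member must be present for the group to count, so a
# lone BCryptDecrypt import in a benign binary does not fire.
API_GROUPS = {
    "bcrypt_aes_gcm": [b"BCryptOpenAlgorithmProvider", b"BCryptSetProperty",
                       b"BCryptGenerateSymmetricKey", b"BCryptDecrypt"],
    "remote_thread_injection": [b"VirtualAllocEx", b"WriteProcessMemory",
                                b"CreateRemoteThread"],
    "payload_download": [b"URLDownloadToFileW"],
}

# Self-delete pattern: ping as a sleep, output to nul, then del /f /q. The
# optional quote handles telemetry that records the full quoted cmd.exe path.
SELF_DELETE_RE = re.compile(
    rb'cmd\.exe"?\s+/c\s+ping\s+\S+\s+-n\s+\d+\s+-w\s+\d+\s*>\s*nul\s*&\s*del\s+/f\s+/q',
    re.IGNORECASE)


def scan_strings(data: bytes) -> dict:
    """Return which string indicators, complete API groups and the self-delete
    command appear in data."""
    hits = {name: (pat in data) for name, pat in STRING_INDICATORS.items()}
    for group, apis in API_GROUPS.items():
        hits[group] = all(api in data for api in apis)
    hits["self_delete_cmd"] = SELF_DELETE_RE.search(data) is not None
    return hits


def is_self_delete_cmd(cmdline: bytes) -> bool:
    """True if a process command line matches the ping-then-Del self-delete idiom."""
    return SELF_DELETE_RE.search(cmdline) is not None


def verdict(hits: dict) -> str:
    """Tiered verdict: family-specific strings outrank generic capability imports."""
    family = hits["pdb_path"] or hits["warzone_turbo"] or hits["injecting64"]
    stealer = (hits["logins_query"] or hits["wow_logins_query"]
               or hits["firefox_nss"] or hits["chrome_login_data"]
               or hits["edge_local_state"] or hits["epic_login_data"])
    capability = hits["bcrypt_aes_gcm"] or hits["remote_thread_injection"]
    if family and (stealer or capability):
        return "ring3-crat/warzone"
    if stealer and capability:
        return "generic browser stealer"
    return "no match"


# Constructed buffer that mimics the string table of the sample; not the real file.
SAMPLE_BLOB = b"\x00".join([
    b"MZ\x90\x00", b"warzoneTURBO", b"Injecting64",
    STRING_INDICATORS["pdb_path"],
    STRING_INDICATORS["logins_query"],
    STRING_INDICATORS["chrome_login_data"],
    *API_GROUPS["bcrypt_aes_gcm"], *API_GROUPS["remote_thread_injection"],
    b"URLDownloadToFileW",
    b"cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q ",
])

if __name__ == "__main__":
    hits = scan_strings(SAMPLE_BLOB)
    print(verdict(hits), sorted(k for k, v in hits.items() if v))
```

The two-tier verdict is deliberate: the PDB path and marker strings identify this build, while the SQL queries and API groups describe a capability shared by many stealers, so a hit on the second tier alone should be triaged as "browser stealer" rather than attributed to this family.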
Technical Specifications
| Property | Value |
|---|---|
| Format | PE32 GUI, Intel 80386 (32-bit) |
| Size | 156,160 bytes |
| Entropy | 6.37 (normal range) |
| Targets | Chrome, Edge, Epic, Firefox |
| Crypto | BCrypt (AES-GCM decryption) |
| Injection | VirtualAllocEx + WriteProcessMemory + CreateRemoteThread |
| Developer | W7H64 (Windows username from the PDB path) |
IOC Summary
- SHA256:
fee959ff12e4ac5df67164ed83565a768d1286263bed759a32dcbe668ef6390f
WarzoneRAT — Malware Profile
WarzoneRAT, also tracked as Ave Maria RAT. Active as of 2026. Date-prefixed distribution. Config hash 45A06E. Three anti-debug checks.
Technical Details
Written in C++. AES-256 encryption, TCP transport, Hidden VNC, camera capture, credential stealer, privilege escalation, anti-sandbox (CPUID check), JSON-based bot communication.
Attribution / Threat Actor
Malware-as-a-Service operation run by Daniel Meli (Malta). He was arrested in 2024 in an FBI-led action and the botnet infrastructure was taken down.
Capabilities & Behavior
IOC List (1 indicator)
| Type | Value | Note |
|---|---|---|
| sha256 | fee959ff12e4ac5df67164ed83565a768d1286263bed759a32dcbe668ef6390f | analysed Ring3 CRAT x64 sample |
C2 Servers (2 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| 185.216.36.143 | ip | 4500 | TCP | inactive | BG |
| cloudflareprotected.xyz | domain | 5200 | TCP | inactive | RU |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.