File Identity
| SHA256 | fee959ff12e4ac5df67164ed83565a768d12812bb5e4d21e4e0f1bc3f7ce2a01 |
|---|---|
| String Count | 1,740 |
Family Confirmation Strings
| String | Meaning |
|---|---|
| warzoneTURBO | WarzoneRAT mutex name; confirms the family |
| Ring3 CRAT x64 (PDB) | Ring3 = user-mode RAT (no kernel driver) |
Developer Trace: PDB Analysis
| Actual PDB | C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb |
|---|---|
| Decoy PDB | C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe |
Vitali Kremez is a well-known security researcher. Embedding this path in the binary is a deliberate false-flag strategy intended to mislead analysts. The actual developer identifier is W7H64.
RDP Enablement (fDenyTSConnections)
fDenyTSConnections (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server)
WarzoneRAT sets this registry value to 0 to enable RDP on the target system, giving the attacker persistent remote access.
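Defender-side detection for the registry change above, added here as an example (not part of the original profile or the KEYDAL team's material): it walks a constructed list of Sysmon-style registry value-set events (Event ID 13 fields Image, TargetObject, Details) and flags any write that sets fDenyTSConnections to 0 under the Terminal Server key, while ignoring writes that set it to 1 (RDP being disabled) and unrelated keys. The process names and event contents are made up; the hive-alias handling assumes the log source may emit either the short HKLM form or the long HKEY_LOCAL_MACHINE form.

```python
"""Flag registry writes that enable RDP by setting fDenyTSConnections to 0.

Added example, not code from the original profile. Input is a constructed list
of Sysmon-style "RegistryEvent (Value Set)" records; the field layout follows
Sysmon Event ID 13 (Image, TargetObject, Details) but the sample data is made up.
"""
from dataclasses import dataclass
from typing import List, Optional

TERMINAL_SERVER_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
VALUE_NAME = "fDenyTSConnections"

# The hive may be logged as the short alias or the long name; both are normalised.
HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
}


@dataclass
class RegistryValueSetEvent:
    process_image: str   # Sysmon "Image": the process that performed the write
    target_object: str   # Sysmon "TargetObject": full key\value path
    details: str         # Sysmon "Details": e.g. "DWORD (0x00000000)"


def normalise_path(path: str) -> str:
    """Map the hive to its short alias and lower-case the whole path."""
    hive, sep, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return (hive + sep + rest).lower()


def parse_dword(details: str) -> Optional[int]:
    """Return the integer from a 'DWORD (0x...)' Details field, or None if not a DWORD."""
    details = details.strip()
    if not details.upper().startswith("DWORD"):
        return None
    start = details.find("(")
    end = details.find(")", start)
    if start == -1 or end == -1:
        return None
    try:
        return int(details[start + 1:end], 0)
    except ValueError:
        return None


def is_rdp_enable_write(event: RegistryValueSetEvent) -> bool:
    """True when the event sets fDenyTSConnections = 0 under the Terminal Server key."""
    expected = normalise_path(TERMINAL_SERVER_KEY + "\\" + VALUE_NAME)
    if normalise_path(event.target_object) != expected:
        return False
    return parse_dword(event.details) == 0


def find_rdp_enables(events: List[RegistryValueSetEvent]) -> List[RegistryValueSetEvent]:
    return [e for e in events if is_rdp_enable_write(e)]


# Constructed sample events (hypothetical paths and process names)
SAMPLE_EVENTS = [
    RegistryValueSetEvent(
        process_image=r"C:\Users\victim\AppData\Roaming\update.exe",
        target_object=r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
        details="DWORD (0x00000000)",            # RDP turned on: flagged
    ),
    RegistryValueSetEvent(
        process_image=r"C:\Windows\System32\SystemPropertiesRemote.exe",
        target_object=r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
        details="DWORD (0x00000001)",            # RDP turned off: not flagged
    ),
    RegistryValueSetEvent(
        process_image=r"C:\Windows\explorer.exe",
        target_object=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        details=r"C:\Users\victim\AppData\Roaming\update.exe",   # unrelated key
    ),
]

if __name__ == "__main__":
    for hit in find_rdp_enables(SAMPLE_EVENTS):
        print(f"RDP enabled via registry by {hit.process_image}")
```

In practice the hit's process image is what matters for triage: a write from the Windows settings dialog is routine, one from a binary in a user profile directory is the WarzoneRAT pattern described above.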
NT API Usage (Anti-Debug / Deep System Access)
- NtQuerySystemInformation: system/process information (usable for sandbox detection)
- NtQueryDirectoryFile: file system enumeration
- NtQueryValueKey: registry value query
- NtQueryKey: registry key query
- VirtualAllocEx / VirtualProtect: memory allocation/protection (for injection)
- CreateThread: thread creation
WarzoneRAT Capabilities
- Remote shell (reverse shell)
- Keylogger
- HVNC (Hidden VNC; not visible on the victim's screen)
- UAC bypass
- RDP enablement
- File management
- Browser password theft
- Webcam access
- Process injection
IOC
| SHA256 | fee959ff12e4ac5df67164ed83565a768d12812bb5e4d21e4e0f1bc3f7ce2a01 |
|---|---|
| Mutex | warzoneTURBO |
| PDB (Actual) | C:\Users\W7H64\source\repos\Ring3 CRAT x64\...\nope.pdb |
| RDP Registry | fDenyTSConnections = 0 |
| C2 | Encrypted (dynamic analysis required) |
WarzoneRAT — Malware Profile
WarzoneRAT, also known as Ave Maria RAT. Active as of 2026. Date-prefixed distribution. Config hash 45A06E. Three-layer anti-debug.
Technical Details
C++, AES-256 encryption, TCP, Hidden VNC, DVD camera, Stealer, Privilege escalation, Anti-sandbox (CPUID check), JSON-based bot communication
Attribution / Threat Actor
MaaS operation run by Daniel Meli (Malta). Arrested by the FBI in 2024; the botnet infrastructure was taken down.
Capabilities & Behavior
IOC List (1 indicator)
| Type | Value | Note |
|---|---|---|
| sha256 | fee959ff12e4ac5df67164ed83565a768d12812bb5e4d21e4e0f1bc3f7ce2a01 | |
C2 Servers (2 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| 185.216.36.143 | ip | 4500 | TCP | inactive | BG |
| cloudflareprotected.xyz | domain | 5200 | TCP | inactive | RU |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.