File Identity
| Field | Value |
|---|---|
| SHA256 | 62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec |
| MD5 | f801b47ec91f5f75b0f5804506665b14 |
| Original Name | first_payload.exe |
| Size | 515,584 bytes (~503 KB) |
| Detected Components | WarzoneRAT (warzoneTURBO) + Snake Keylogger (embedded) |
C2 Infrastructure
Server: h1.icoremail.net
Recipients: kolego@kolego.com / lybrothcrs@gmail.com
Telegram: https://api.telegram.org/bot[TOKEN]/sendMessage?chat_id=[ID] (the token is encrypted/obfuscated in the binary; the endpoint itself is stored in cleartext)
| Field | Value |
|---|---|
| SMTP Server | h1.icoremail.net (China-based email service) |
| Exfiltration Email 1 | kolego@kolego.com |
| Exfiltration Email 2 | lybrothcrs@gmail.com (backup) |
| Telegram API | https://api.telegram.org/bot + sendMessage/sendDocument |
| FTP | FTP module present (FTP credentials encrypted) |
| IP Lookup | http://checkip.dyndns.org/ (learns the victim's public IP) |
| Ports | 5583, 5599, 6241 (WarzoneRAT TCP) |
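The following detection logic is an added example and is not part of the original report or of either malware family's code. It matches the C2 indicators from the table above against Zeek-style log lines and, because an SMTP session to the exfiltration server only shows a destination IP in conn.log, it correlates a DNS lookup of h1.icoremail.net with a later SMTP connection from the same host. The reduced log format, the internal IP addresses and the bot token in the sample lines are constructed for the demo.

```python
"""Added example, not part of the original report: match the report's C2
indicators against Zeek-style log lines (constructed below) and correlate a
DNS lookup of the SMTP C2 with a later SMTP connection from the same host."""
import re
from dataclasses import dataclass

# Indicators copied from the C2 table above.
C2_DOMAINS = {"h1.icoremail.net", "kolego.com", "checkip.dyndns.org"}
WARZONE_PORTS = {5583, 5599, 6241}
SMTP_PORTS = {25, 465, 587}
# Telegram Bot API path shape: /bot<token>/sendMessage or /sendDocument.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot[^/\s]+/send(?:Message|Document)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    src: str
    reason: str


def scan(log_text: str) -> list[Hit]:
    """Each line is '<log>\\t<fields...>' with a reduced Zeek field set:
    dns:  ts, src_ip, query
    conn: ts, src_ip, src_port, dst_ip, dst_port, proto
    http: ts, src_ip, host, uri   (URI is visible only where TLS is inspected)
    """
    hits: list[Hit] = []
    resolved_mail_c2: set[str] = set()   # hosts that looked up h1.icoremail.net
    for no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        kind, *f = line.split("\t")
        src = f[1]
        if kind == "dns":
            q = f[2].lower().rstrip(".")
            if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
                hits.append(Hit(no, src, f"DNS lookup of C2/exfil domain {q}"))
                if q == "h1.icoremail.net":
                    resolved_mail_c2.add(src)
        elif kind == "conn":
            dst_ip, dst_port, proto = f[3], int(f[4]), f[5].lower()
            if proto == "tcp" and dst_port in WARZONE_PORTS:
                hits.append(Hit(no, src, f"TCP {dst_port} to {dst_ip} (WarzoneRAT port)"))
            elif proto == "tcp" and dst_port in SMTP_PORTS and src in resolved_mail_c2:
                hits.append(Hit(no, src, f"SMTP to {dst_ip}:{dst_port} after resolving h1.icoremail.net"))
        elif kind == "http":
            host, uri = f[2].lower(), f[3]
            if host == "checkip.dyndns.org":
                hits.append(Hit(no, src, "victim IP lookup via checkip.dyndns.org"))
            elif TELEGRAM_BOT_RE.search(host + uri):
                hits.append(Hit(no, src, "Telegram Bot API exfil endpoint"))
    return hits


def suspicious_hosts(hits: list[Hit]) -> dict[str, int]:
    """Hit count per source host, most-hit first."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.src] = counts.get(h.src, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


# Constructed sample: internal hosts, external IPs and the bot token are placeholders.
SAMPLE_LOGS = """\
dns\t1700000000.1\t10.0.0.12\th1.icoremail.net
conn\t1700000000.2\t10.0.0.12\t49152\t203.0.113.5\t587\ttcp
http\t1700000000.3\t10.0.0.12\tcheckip.dyndns.org\t/
conn\t1700000000.4\t10.0.0.12\t49153\t203.0.113.9\t5583\ttcp
http\t1700000001.0\t10.0.0.30\tapi.telegram.org\t/bot123456:PLACEHOLDER/sendDocument
dns\t1700000002.0\t10.0.0.40\twww.example.com
conn\t1700000002.1\t10.0.0.40\t49200\t203.0.113.50\t443\ttcp
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.src}: {h.reason}")
    print(suspicious_hosts(scan(SAMPLE_LOGS)))
```

The SMTP rule deliberately requires the preceding DNS lookup: outbound port 587 on its own is too common to alert on, but a workstation that resolves h1.icoremail.net and then opens an SMTP session is the exfiltration path this sample uses. The Telegram rule only fires where the URI is visible (TLS-inspecting proxy); with SNI-only visibility, alert on api.telegram.org from hosts that have no business use for Telegram.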
Persistence
| Mechanism | Location / Command |
|---|---|
| Registry Run | software\microsoft\windows\currentversion\run |
| Startup Dir | %STARTUPDIR% |
| Registry NT | HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows /v Load (a legacy autostart value that is normally empty, so any content there deserves inspection) |
| Cleanup | cmd.exe /C choice /C Y /N /D Y /T 3 & Del (delayed self-delete: choice waits 3 seconds, then the dropper file is deleted) |
Technical Capabilities
WarzoneRAT Module
- Process injection: Injecting64 (64-bit process injection)
- Chrome password theft: SELECT signon_realm, username_value, password_value FROM logins
- Wow64 Chromium: SELECT ... FROM wow_logins
- Firefox NSS passwords: PK11_Authenticate, PK11SDR_Decrypt, NSSBase64_DecodeBuffer
- Keylogger (Windows hook): SetWindowsHookExA, GetRawInputData, MapVirtualKeyA
- AV/analysis tool detection: Olydbg, Wireshark, Avast, keyscrambler, bdagent, anubis + more than 30 further AV names
- Anti-debug: loop detection via 127.0.0.2
Snake Keylogger Module
- Keylogger: writes logs to the \SnakeKeylogger\ directory
- Clipboard: captures clipboard contents
- Screenshots: screenshot module
- SMTP exfiltration: sends the harvested data by email
- Telegram: notifications + document uploads (sendDocument)
- FTP: FTP upload (credentials encrypted)
- HTTP: public IP lookup via dyndns
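A string-level triage of a suspect file against the indicators listed for both modules, as an added example that is not part of the original report or of either family's code. Snake Keylogger is a .NET binary, so its strings are normally stored as UTF-16LE, while WarzoneRAT's C++ strings are ASCII; the scanner searches both encodings. The SAMPLE buffer is constructed for the demo and is not bytes from the real sample; the minimum-hit threshold is an assumption.

```python
"""Added example, not part of the original report: string-level triage of a
file against the indicators listed for both modules above. Snake Keylogger is
a .NET binary, so its strings are normally UTF-16LE, while WarzoneRAT's C++
strings are ASCII; both encodings are searched. SAMPLE is a constructed buffer."""
import hashlib

KNOWN_SHA256 = "62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec"

# Strings quoted in the report, grouped by the module they belong to.
INDICATORS = {
    "WarzoneRAT": [
        "Injecting64",
        "SELECT signon_realm, username_value, password_value FROM logins",
        "FROM wow_logins",
        "PK11SDR_Decrypt",
        "NSSBase64_DecodeBuffer",
        "SetWindowsHookExA",
        "GetRawInputData",
        "keyscrambler",
        "bdagent",
        "127.0.0.2",
    ],
    "SnakeKeylogger": [
        "SnakeKeylogger",
        "checkip.dyndns.org",
        "api.telegram.org/bot",
        "sendDocument",
        "choice /C Y /N /D Y /T 3",
        "h1.icoremail.net",
        "kolego@kolego.com",
        "lybrothcrs@gmail.com",
    ],
}


def find_indicators(data: bytes) -> dict[str, list[str]]:
    """Per module, the indicator strings present as ASCII or UTF-16LE.
    bytes.lower() only touches ASCII letters, so the NUL bytes of UTF-16LE
    survive and a lowered UTF-16LE needle still matches."""
    lowered = data.lower()
    found: dict[str, list[str]] = {}
    for module, strings in INDICATORS.items():
        hits = [s for s in strings
                if s.lower().encode("ascii") in lowered
                or s.lower().encode("utf-16-le") in lowered]
        if hits:
            found[module] = hits
    return found


def triage(data: bytes, min_hits: int = 3) -> dict:
    """Combine the exact-hash IOC with string evidence. A hash miss never
    clears a file: a repacked build changes the hash but keeps most strings.
    min_hits=3 is an assumed threshold, not a value from the report."""
    sha256 = hashlib.sha256(data).hexdigest()
    found = find_indicators(data)
    modules = [m for m, hits in found.items() if len(hits) >= min_hits]
    if sha256 == KNOWN_SHA256:
        verdict = "known sample"
    elif modules:
        verdict = "likely variant: " + " + ".join(modules)
    elif found:
        verdict = "weak string evidence, needs manual review"
    else:
        verdict = "no indicators"
    return {"sha256": sha256, "found": found, "modules": modules, "verdict": verdict}


def u16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed stand-in for a dropper: ASCII WarzoneRAT strings followed by
# UTF-16LE Snake Keylogger strings. Not bytes from the real sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"Injecting64\x00"
    + b"SELECT signon_realm, username_value, password_value FROM logins\x00"
    + b"SetWindowsHookExA\x00GetRawInputData\x00keyscrambler.exe\x00"
    + u16("\\SnakeKeylogger\\") + u16("http://checkip.dyndns.org/")
    + u16("https://api.telegram.org/bot") + u16("sendDocument")
    + u16("cmd.exe /C choice /C Y /N /D Y /T 3 & Del ")
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["verdict"])
    for module, hits in result["found"].items():
        print(f"  {module}: {', '.join(hits)}")
```

Run it against a real file with `triage(open(path, "rb").read())`. The SQL query and the NSS function names are the most durable of these strings; the AV product names are shared by many stealers, so on their own they only justify the "needs manual review" verdict.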
Identified Threat Actor Information
| Field | Value |
|---|---|
| Recipient Email | kolego@kolego.com |
| Backup Email | lybrothcrs@gmail.com |
| SMTP Server | h1.icoremail.net (Chinese iCore Mail service) |
| Telegram | Bot API (token obfuscated in the binary) |
| Targeted Browsers | Chrome, Firefox (NSS decryption). The string zlclient also appears, but that is the ZoneAlarm client process and belongs with the AV/analysis detection list rather than the browser targets |
IOCs
| Type | Value |
|---|---|
| SHA256 | 62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec |
| MD5 | f801b47ec91f5f75b0f5804506665b14 |
| SMTP | h1.icoremail.net |
| Email C2 | kolego@kolego.com / lybrothcrs@gmail.com |
| Telegram | api.telegram.org/bot (token obfuscated) |
| Ports | 5583, 5599, 6241 (TCP) |
How to Remove
- Network blocking: filter inbound/outbound connections to h1.icoremail.net, kolego.com and api.telegram.org. api.telegram.org also serves legitimate Telegram clients, so where Telegram is in business use, alert on or restrict the /bot<token>/ paths rather than dropping the whole domain.
- Registry cleanup: check the Run, RunOnce and Windows NT\CurrentVersion\Windows\Load entries
- SnakeKeylogger: delete the %AppData%\SnakeKeylogger\ directory
- Change passwords: change every password saved in Chrome/Firefox (they may already have been stolen), and do it from a clean machine
- Full AV scan: run a scan with up-to-date signatures
Technical Summary
This sample is a two-layer dropper that bundles WarzoneRAT (warzoneTURBO) and Snake Keylogger. The WarzoneRAT module provides 64-bit process injection, Chrome/Firefox password theft and a hook-based keylogger, while the Snake Keylogger module sends the harvested data through the h1.icoremail.net SMTP server to kolego@kolego.com and lybrothcrs@gmail.com. The Telegram Bot API is used as a second C2 channel. The sample also carries an anti-analysis mechanism that detects more than thirty AV tools.
WarzoneRAT — Malware Profile
WarzoneRAT, also known as Ave Maria RAT. Active as of 2026. Date-prefixed distribution. Config hash 45A06E. Triple anti-debug.
Technical Details
C++, AES-256 encryption, TCP, Hidden VNC, webcam capture, stealer, privilege escalation, anti-sandbox (CPUID check), JSON-based bot communication
Attribution / Threat Actor
A MaaS operation run by Daniel Meli (Malta). He was arrested in 2024 in an FBI-led action and the botnet infrastructure was taken down.
Capabilities & Behavior
IOC List (9 indicators)
| Type | Value | Note |
|---|---|---|
| port | 5583 | TCP |
| port | 5599 | TCP |
| port | 6241 | TCP |
| sha256 | 62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec | |
| md5 | f801b47ec91f5f75b0f5804506665b14 | |
| domain | h1.icoremail.net | |
| domain | kolego.com | |
| email | kolego@kolego.com | |
| email | lybrothcrs@gmail.com | |
C2 Servers (2 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| 185.216.36.143 | ip | 4500 | TCP | inactive | BG |
| cloudflareprotected.xyz | domain | 5200 | TCP | inactive | RU |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.