Genel Bakis
Bu ornek, PDB izinde Ring3 CRAT x64 adi gecen ve icinde warzoneTURBO string'i barindiran 156KB'lik credential harvesting RAT'dir. Chrome, Edge, Epic Privacy Browser ve Firefox'tan sifre cesni yaparken process injection ve Windows BCrypt API kullanan bu RAT, WarzoneRAT altyapisindan yararlanmaktadir.
Teknik Analiz
WarzoneRAT / Ring3 CRAT Tespiti
- PDB:
C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb warzoneTURBO— WarzoneRAT turbo modu goruntusuInjecting64— 64-bit injection metodu
Tarayici Kimlik Bilgisi Calma
select signon_realm, origin_url, username_value, password_value from logins
select signon_realm, origin_url, username_value, password_value from wow_logins
- Chrome:
\Google\Chrome\User Data\Default\Login Data - Edge:
\Microsoft\Edge\User Data\Local State - Epic Privacy Browser:
\Epic Privacy Browser\User Data\Default\Login Data - Firefox:
PK11SDR_Decrypt,PK11_CheckUserPassword encryptedUsername,encryptedPassword— Firefox sifreli alanlar
BCrypt API Sifre Cozme
BCryptDecrypt— Chrome sifre cozmeBCryptOpenAlgorithmProvider— algoritma saglayicisiBCryptSetProperty— AES-GCM ozelligiBCryptGenerateSymmetricKey— simetrik anahtar
Process Injection
VirtualAllocEx,WriteProcessMemory,CreateRemoteThreadURLDownloadToFileW— ikincil payload indirme
Izleri Silme
cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
Teknik Ozellikler
| Ozellik | 值 |
|---|---|
| Format | PE32 GUI Intel 80386 |
| 大小 | 156.160 bayt |
| Entropi | 6.37 (normal) |
| Hedefler | Chrome, Edge, Epic, Firefox |
| Kripto | BCrypt (AES-GCM decryption) |
| Injection | VirtualAllocEx+WriteProcessMemory+CreateRemoteThread |
| Gelistirici | W7H64 |
IOC Ozeti
- SHA256:
fee959ff12e4ac5df67164ed83565a768d1286263bed759a32dcbe668ef6390f
WarzoneRAT — 恶意软件档案
WarzoneRAT Ave Maria RAT. 2026 itibariyla aktif. Tarih prefixli dagitim. Config karması 45A06E. Uclu anti-debug.
技术细节
C++, AES-256 sifreleme, TCP, Hidden VNC, DVD kamera, Stealer, Privilege escalation, Anti-sandbox (CPUID kontrol), Bot iletisimi JSON tabanli
归因 / 威胁行为者
Daniel Meli (Malta) tarafindan yonetilen MaaS operasyonu. 2024'te FBI tarafindan tutuklanmis ve botnet altyapisi cokertilmistir.
能力与行为
IOC列表 (1 个指标)
# SHA256
fee959ff12e4ac5df67164ed83565a768d1286263bed759a32dcbe668ef6390f
| 类型 | 值 | 备注 |
|---|---|---|
| sha256 | fee959ff12e4ac5df67164ed83565a768d1286263bed759a32dcbe668ef6390f |
C2服务器 (该家族共有 2 台已记录服务器)
| 地址 | 类型 | 端口 | 协议 | 状态 | 国家 |
|---|---|---|---|---|---|
| 185.216.36.143 | ip | 4500 | TCP | inactive | BG |
| cloudflareprotected.xyz | domain | 5200 | TCP | inactive | RU |
C2 地址仅来自 KEYDAL 团队人工验证的恶意软件样本。禁止用于商业用途。