Manuel Statik Analiz (LLM Okumali) — WarzoneRAT + Snake Keylogger Dropper | Tehdit: CRITICAL

Dosya Kimligi

SHA25662ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
Orijinal Adfirst_payload.exe
Boyut515.584 byte (~503 KB)
MD5f801b47ec91f5f75b0f5804506665b14
Tespit Edilen BilesenlerWarzoneRAT (warzoneTURBO) + Snake Keylogger (embed)

C2 Altyapisi

SMTP Exfiltrasyon (cleartext tespit):
Sunucu: h1.icoremail.net
Hedef: kolego@kolego.com / lybrothcrs@gmail.com
Telegram Bot C2 (cleartext): https://api.telegram.org/bot[TOKEN]/sendMessage?chat_id=[ID] (Token sifreli/gizli, endpoint cleartext)
SMTP Sunucuh1.icoremail.net (Cin merkezli e-posta servis)
Exfiltrasyon Email 1kolego@kolego.com
Exfiltrasyon Email 2lybrothcrs@gmail.com (yedek)
Telegram APIhttps://api.telegram.org/bot + sendMessage/sendDocument
FTPFTP modulu mevcut (FTP bilgileri sifrelenmis)
IP Tespitihttp://checkip.dyndns.org/ (kurban IP ogrenme)
Portlar5583, 5599, 6241 (WarzoneRAT TCP)

Kalicilik

Registry Runsoftware\microsoft\windows\currentversion\run
Startup Dir%STARTUPDIR%
Registry NTHKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows /v Load
Temizlemecmd.exe /C choice /C Y /N /D Y /T 3 & Del (gecikmeli self-delete)

Teknik Yetenekler

WarzoneRAT Modulu

  • Proses Injection: Injecting64 (64-bit proses enjeksiyonu)
  • Chrome Sifre Hirsizligi: SELECT signon_realm, username_value, password_value FROM logins
  • Wow64 Chromium: SELECT ... FROM wow_logins
  • Firefox NSS Sifre: PK11_Authenticate, PK11SDR_Decrypt, NSSBase64_DecodeBuffer
  • Keylogger (Windows Hook): SetWindowsHookExA, GetRawInputData, MapVirtualKeyA
  • AV/Analiz Tespiti: Olydbg, Wireshark, Avast, keyscrambler, bdagent, anubis + 30+ AV ismi
  • Anti-Debug: 127.0.0.2 ile loop detection

Snake Keylogger Modulu

  • Keylogger: \SnakeKeylogger\ dizinine log kaydeder
  • Clipboard: Pano iceriklerini yakalar
  • Ekran Goruntuleri: Screenshot modulu
  • SMTP Exfiltrasyon: Ceyrilen veriyi e-posta ile gonderir
  • Telegram: Bildirimler + belge yuklemeleri (sendDocument)
  • FTP: FTP yuklemesi (bilgiler sifrelenmis)
  • HTTP: Dyndns IP tespiti

Tespit Edilen Tehdit Aktoru Bilgileri

Email Alicikolego@kolego.com
Yedek Emaillybrothcrs@gmail.com
SMTP Sunucuh1.icoremail.net (Cin iCore Mail)
TelegramBot API (token binary'de gizlenmis)
Hedef TarayicilarChrome, Firefox (NSS decryption), zlclient

IOC'lar

SHA25662ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
MD5f801b47ec91f5f75b0f5804506665b14
SMTPh1.icoremail.net
Email C2kolego@kolego.com / lybrothcrs@gmail.com
Telegramapi.telegram.org/bot (token gizli)
Portlar5583, 5599, 6241 (TCP)

Nasil Kaldirilir?

  1. Ag engeli: h1.icoremail.net, kolego.com ve api.telegram.org uzerine gelen/giden baglantilari filtrele
  2. Registry temizle: Run, Run Once ve Windows NT Load kayitlarini kontrol et
  3. SnakeKeylogger: %AppData%\SnakeKeylogger\ dizinini sil
  4. Sifre degistir: Chrome/Firefox kayitli tüm sifreleri degistir (hirsizlanmis olabilir)
  5. Tam AV tarama: Güncel imzali tarama yapilsin

Teknik Ozet

Bu ornek, WarzoneRAT (warzoneTURBO) ve Snake Keylogger bileskenlerini bir arada iceren cift-katli bir dropper'dir. WarzoneRAT modulu 64-bit proses enjeksiyonu, Chrome/Firefox sifre hirsizligi ve hook tabanli keylogger sunarken; Snake Keylogger modulu ceyrilen verileri h1.icoremail.net SMTP sunucu araciligiyla kolego@kolego.com ve lybrothcrs@gmail.com adreslerine gondermektedir. Telegram bot API de ikinci C2 kanali olarak kullanilmaktadir. Otuz'dan fazla AV aracini tespit eden gelismis anti-analiz mekanizmasi içermektedir.

WarzoneRAT — Malware Profile

WarzoneRAT Ave Maria RAT. 2026 itibariyla aktif. Tarih prefixli dagitim. Config karması 45A06E. Uclu anti-debug.

Malware Type
RAT
Programming Language
C++
C2 Protocol
TCP
Target Systems
Windows
Also Known As (AKA)
Ave Maria

Technical Details

C++, AES-256 sifreleme, TCP, Hidden VNC, DVD kamera, Stealer, Privilege escalation, Anti-sandbox (CPUID kontrol), Bot iletisimi JSON tabanli

Attribution / Threat Actor

Daniel Meli (Malta) tarafindan yonetilen MaaS operasyonu. 2024'te FBI tarafindan tutuklanmis ve botnet altyapisi cokertilmistir.

Capabilities & Behavior

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

IOC List (9 indicators)

IOC — WarzoneRAT
# 5583 # 5599 # 6241 # SHA256 62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec # MD5 f801b47ec91f5f75b0f5804506665b14 # DOMAIN h1.icoremail.net # DOMAIN kolego.com # EMAIL kolego@kolego.com # EMAIL lybrothcrs@gmail.com
TypeValueNote
5583
5599
6241
sha256 62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
md5 f801b47ec91f5f75b0f5804506665b14
domain h1.icoremail.net
domain kolego.com
email kolego@kolego.com
email lybrothcrs@gmail.com

C2 Servers (2 recorded servers for this family)

Address Type Port Protocol Status Country
185.216.36.143 ip 4500 TCP inactive BG
cloudflareprotected.xyz domain 5200 TCP inactive RU

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
warzoneratsnake-keyloggerdroppersmtp-c2telegram-c2kolego-comh1-icoremail-netchrome-stealerfirefox-stealerprocess-injectionstatik-analiz