{
	"id": "f90b1ab6-bf19-4a44-ae8f-2fab05e372eb",
	"created_at": "2026-04-06T00:08:28.994825Z",
	"updated_at": "2026-04-10T03:30:32.960868Z",
	"deleted_at": null,
	"sha1_hash": "3633e29266d2d5dd245da243878fe3e393062521",
	"title": "Ave Maria and the Chambers of Warzone RAT | Huntress",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 17216728,
	"plain_text": "Ave Maria and the Chambers of Warzone RAT | Huntress\r\nArchived: 2026-04-05 19:10:56 UTC\r\nFriday, September 30, 2022, seemed a day like any other--until a large amount of PowerShell malware came\r\ncharging through seeking immediate attention. Sparing no time, I jumped right in.\r\nAt first, this was troubling. Are the detectors working?? Is something broken?? In order to verify our detector\r\n'ExecutionFromEnvironmentVariable' had triggered correctly for all these autoruns, I did a quick search:\r\ndetails.path:powershell.exe +details.command:\"GetEnvironmentVariable\"\r\nThis gave the result for 40 autoruns. 😬 *cracks knuckles*  Time to get down to business.\r\nPro Tip: Doing a quick search helps analysts develop a better understanding of the Elastic search\r\nsyntax. This gives analysts a better understanding of common characteristics and could potentially\r\nassist in finding additional footholds. \r\nNow let's dive into the autorun we are checking out. \r\nWe can see GetEnvironmentVariable('60493fbacedcfbcabe', 'User') along with the User Run Key Name. They\r\nboth use a Base-16 (HEX) formatting, which means alphabetic characters of A - F and numbers 0 - 9 with a\r\nlength of 12 to 18. Using regex we can use [a-f0-9]{12,18}. \r\nNow, on to implementing our findings in RIOs data within ELK. We use a similar but modified search query (seen\r\nbelow) which provided six additional hits. This information tells us this is an active threat still present on the host.\r\nRead: time is of the essence.\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 1 of 16\n\n+process.command_line.text:\"GetEnvironmentVariable\"  +process.command_line.text:/[a-f0-9]{12,18}/\r\nReviewing the Foothold Details, we are able to see the persistence created within the Hive Current Users Run\r\nKey. (HKU\\SID\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run)\r\nThe command ran by the Users Run Key launches PowerShell and invokes expressions in the host's environments\r\nregistry with the value 60493fbacedcfbcabe. \r\nFrom here we will take to tasking the user's Hive Current Users Environment: (HKU\\SID\\Environment). We\r\nobtain the next stage within the registry location HKU\\SID\\Software\\\u003cvalue\u003e.\r\nIt’s important to note: These additional registry keys will be required in the report for the customer to\r\nremove.\r\nViewing the HKU\\SID\\Software\\27842badfbdabe, we see four values (default, 0, 1 and 3) which show\r\nPowerShell variables and encoding. Save the values 0, 1 and 3 for later and isolate the script for further analysis.\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 2 of 16\n\nLet’s start digging further into the script.\r\nWithin the script, it has encoded variables with Base64, a reverse array that joins the data. What could it be\r\nhiding? And make no mistake--it's always hiding something.\r\nUsing Cyberchef, we can attempt to quickly decode the base64 strings with the formula of Subsection and\r\nFrombase64. This should grab the majority of strings but will still need some manual intervention. This is where\r\nanalysts come into play.\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 3 of 16\n\nAfter replacing the encoded Base64 script, we quickly see it has a key, padding, IV, and other common encryption\r\nfunctions. Let’s replace the variables with the corresponding value to make the functions of the script easier to\r\nread, thus attempting to reveal the secret embedded within.\r\nNow with the script variables replaced, we can see the payload is using AES Encryption using cipher mode\r\nElectronic CodeBook (ECB), dropping 16 bytes to create the IV, and it has also been compressed.\r\nNote: Some samples use different cipher modes so make sure to verify this (for example, we have seen ECB\r\nand CBC).\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 4 of 16\n\nTo get the IV for our AES encryption, we need to place the payload in Cyberchef. Since we can see the padding =\r\nfor Base64, we reverse the payload. Then we use From Base64 after which we drop the bytes from 16 bytes (start\r\nat 16 and a large length). Now we convert the IV back To Base64.\r\nThis results in our IV: duNJnxEFm0/Nw/W34mpGMg==\r\nLet's combine everything together now. Make sure to reverse the payload From Base64 and drop the first 16\r\nBytes. With the AES decrypt we require the Base64 Key 9fJygHL[...], an IV that was obtained earlier\r\nduNJnx[...], then change the AES cipher mode to ECB, input as Raw,and the output as Raw. Since the payload\r\nhas also been compressed we will be required to use Raw Inflate to get our final output.\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 5 of 16\n\nWhen inspecting the output we can already see the next stage is another script. This script of the payload is\r\nidentical to the previous one. This is a rinse-and-repeat stage. Hope you weren't expecting this to be\r\nstraightforward; that'd be too easy!\r\nAfter cementing what we just learned, we gain a new output.\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 6 of 16\n\nTo go further, it’s required to download the payload from a Discord link. This comes down to analysts' choice in\r\nhow they download malicious samples.\r\nNote: If a script has Reflection.Assembly (assembly), this loads a .NET payload. Therefore anytime we see\r\nReflection.Assembly we know we’re dealing with a .NET malware.\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 7 of 16\n\nAfter downloading the Discord payload, we will allow the script to do the heavy lifting. We just need to modify\r\nparts out of the script after we downloaded and isolated the payload:\r\n[string] $xoredText = Get-Content \"C:\\\\users\\\\Burgers\\\\Desktop\\\\mkv.txt\"\r\n[io.file]::writeallbytes(\"C:\\\\users\\\\burgers\\\\desktop\\\\mkv_decoded.bin\", $bytes)\r\nWith the decoded mkv_decoded.bin it’s important to still do a quick static analysis of the payload within\r\npestudio. The signature confirms our suspicions of it being .NET. Along with the description and version of the\r\nfile, it gives us additional information that the payload may be a netLoaderDll. We also see the entropy is only\r\n2.980, showing this payload may not be packed.\r\nInspecting the netLoaderDll within dnSpy we see a few classes: Main, runPayload and StringToByteArray.\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 8 of 16\n\nThis application stores the next stage of the malware within Main(), which we see has a large byte array within it.\r\nThe netLoaderDll requires StringToByteArray to convert the hex to an application and runPayload will launch\r\nthe next stage.\r\nExtract the hex string from dnSpy and place it within Cyberchef and convert From Hex to gain our next stage.\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 9 of 16\n\nOnce more place the next stage within pestudio for a quick static analysis of the file's contents. We can see the\r\noriginal files named RunPE.exe. With a description of SyscallPEloader, we can somewhat safely assume this is\r\npotentially a tool to modify the syscall. This file is now packed heavily with an entropy of 7.766.\r\nSadly this is not the last stage of the malware, and it appears that it is using a common evasion tactic of unhooking\r\nAPIs within the host and thus spawns a process for Notepad.exe. Needing further insight, we turn to one of our\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 10 of 16\n\nneighborhood experts to finish off this investigation.\r\n➡️ Big thanks to @Matthew Brennan for his insight on this next stage.\r\nThe following is basically a TL;DR of Matthew's findings. Let's check it out!\r\nAfter the execution of the RunPE.exe, we open ResourceHacker to see available processes on the host.\r\nWithin properties, we open the Threads tab. Instantly a TID of 3488 flashes in front of us and changes its start\r\naddress from 0x1da511e0000 to 0x0.\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 11 of 16\n\nInspect the thread, if you will: here we see SleepEx+0x9e which sleeps the host. Also, there is an address of\r\n0x1da52c4acdf that is close to the start address that flashed at the beginning. This could be the decryption piece\r\nof the software. Copy the thread 0x1da52c4acdf. Go ahead. It's okay.\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 12 of 16\n\nNow attach the Notepad.exe process to x64dbg and Go to Expression with Ctrl + G. Now paste the thread\r\naddress 0x1da52c4acdf and set an execution breakpoint. We'll wait. \r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 13 of 16\n\nChange the thread to the value closest to the address; in this case, it is the thread using 000001DA511E0000.\r\nNow we run the debugger until it hits the Hardware BreakPoint. We hit the key g and get a glimpse of what the\r\nloops are doing on this host. This is potentially the decryptor algorithm.\r\nWe also set a Hardware on Execution breakpoint on the address 000001DA52C4AD2B and run the application.\r\nNow step in the code a few times and we get our C2 information: organitations[.]com/Preserve/stat/3E8YZFXJ\r\n(69.28.84.201).\r\nReview ELK for the process notepad.exe that is spawned by the parent process powershell.exe with the\r\ncommand from the user's environment.\r\nNote: It’s important to remove this process from the client as this is a cobalt strike beacon.\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 14 of 16\n\nTLDR:\r\nThe Initial payload for this malware is:\r\n- a user downloads a maldocx from a phishing email\r\n- they execute the executable which runs an encoded base64 command that disables the firewall and installs\r\nenvironment persistence within the user's AutoRun key and creates a process that has RAT capabilities.\r\nIt’s found some samples that have this form of execution pattern:\r\nMaldocx → Javascript (Wscript) → Powershell Environment → Cobaltstrike\r\nMaldocx → Powershell Environment → Cobaltstrike\r\nFinal Thoughts\r\nWe hope you found this deconstruction helpful and useful. Below are some additional resources for you to get\r\nyour hands dirty and gain a deeper understanding of what we did here in this blog today. The more analysts play\r\naround with malware in a safe environment, the better they can become at spotting the nastier, greasier, well-hidden activity lurking within environments.\r\nDiscord URLs \r\nhttps://cdn[.]discordapp[.]com/attachments/1004902785772441697/1004915801771495495/ppp\r\nhttps://cdn[.]discordapp[.]com/attachments/1013559875034415135/1014369421629857882/sdwwcKkjnwsdw.mkv\r\nAutorun \r\nHKU\\SID\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nHKU\\SID\\Environment\r\nHKU\\SID\\Software\\\u003cvalue\u003e\r\nC:\\Users\\User\\appdata\\local\\temp\\\u003cvalue\u003e.js - Some Variants\r\nSearch Queries \r\n+details.path:powershell.exe +details.command:\"GetEnvironmentVariable\"\r\n+process.command_line.text:\"GetEnvironmentVariable\" +process.command_line.text:/[a-f0-9]{12,18}/\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 15 of 16\n\n+process.name:notepad.exe +process.parent.name:powershell.exe +process.parent.args_count:7\r\n+process.cleartext:(cdn.discordapp.com AND attachments)\r\nSource: https://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nhttps://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat\r\nPage 16 of 16",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat"
	],
	"report_names": [
		"ave-maria-and-the-chambers-of-warzone-rat"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434108,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3633e29266d2d5dd245da243878fe3e393062521.pdf",
		"text": "https://archive.orkl.eu/3633e29266d2d5dd245da243878fe3e393062521.txt",
		"img": "https://archive.orkl.eu/3633e29266d2d5dd245da243878fe3e393062521.jpg"
	}
}