{
	"id": "4b85a4bd-a9d0-470f-9b48-a725b5b7e67d",
	"created_at": "2026-04-06T00:14:22.73623Z",
	"updated_at": "2026-04-10T03:20:47.261296Z",
	"deleted_at": null,
	"sha1_hash": "655f3f998feb6f04bf2bae01718a26eef5af7a34",
	"title": "[QuickNote] Decrypting the C2 configuration of Warzone RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 844873,
	"plain_text": "[QuickNote] Decrypting the C2 configuration of Warzone RAT\r\nPublished: 2023-03-25 · Archived: 2026-04-05 21:24:21 UTC\r\n1. Introduction\r\nWarzone RAT is a type of malware that is capable of infiltrating a victim’s computer and giving attackers remote access and control over the system. The malware has gained notoriety for its advanced capabilities and ability to evade detection, making it a serious threat to computer security.\r\nWarzone RAT is typically spread through phishing emails or other social engineering techniques, where attackers trick victims into downloading and installing the malware on their systems. Once the malware is installed, it can perform a variety of malicious actions, including stealing passwords, taking screenshots, and logging keystrokes. It can also download and execute additional malware, giving attackers even more control over the victim’s system.\r\nOne of the key features of Warzone RAT is its ability to encrypt its configuration data, making it difficult for security experts to analyze and understand how the malware operates. Currently, there are two variants of the malware in circulation, each using a different method to decode its configuration. The first variant uses standard RC4 encryption, while the second variant uses a modified version of RC4. This modification makes it even more challenging to decrypt and analyze the malware’s configuration data.\r\n2. Analysis\r\nSample1: 00930cccd81e184577b1ffeebf08ee6a32dd0ef416435f551c64d2bcb61d46cf (uses standard RC4)\r\nSample2: 61f8bf26e80b6d6a7126d6732b072223dfc94203bb7ae07f493aad93de5fa342 (uses modified RC4)\r\nhttps://kienmanowar.wordpress.com/2023/03/25/quicknote-decrypting-the-c2-configuration-of-warzone-rat/\r\nPage 1 of 10\r\nIn Warzone RAT, the configuration info is stored in the .bss PE section of the malware’s code. The .bss section is typically used for storing uninitialized data. The format of the configuration is as follows: [Key length] [RC4 key] [Encrypted data]. Below is an illustration of the configuration stored in the .bss section in both samples.\r\nThe steps to perform the process of retrieving information and copying data from the .bss section to memory are the same in both samples. The pseudo-code is shown below:\r\nThe pseudo-code in function wzr_decrypt_config in both samples is the same, which involves extracting the RC4 key and encrypted data, and then using RC4 to decrypt the configuration. The difference lies in function wzr_perform_rc4.\r\nThe function wzr_perform_rc4 in sample 1 uses standard RC4 to decrypt the configuration. Its pseudocode is shown below:\r\nThus, we can easily use CyberChef to perform configuration decoding, or write a Python script to automate decoding for similar samples.\r\nThe pseudocode for function wzr_perform_rc4 in sample 2 is shown below. Prior to decryption, it allocates an array of 250 bytes, filled with zero values. Then, it copies the extracted rc4_key into this array. Finally, it calls the wzr_rc4_crypt function, which uses the modified RC4 algorithm to decrypt the configuration.\r\nThe complete pseudocode of the wzr_rc4_crypt function is as follows:\r\nvoid __thiscall wzr_rc4_crypt(wzr_rc4_data *rc4_info, _BYTE *data)\r\n{\r\n  idx = 0;\r\n  if ( rc4_info->rc4Sbox )\r\n  {\r\n    if ( rc4_info->rc4_key_250b )\r\n    {\r\n      // Identity S-box: S[i] = i\r\n      rc4_info->counter2 = 0;\r\n      LOBYTE(i) = 0;\r\n      rc4_info->counter1 = 0;\r\n      do\r\n      {\r\n        rc4_info->rc4Sbox[i] = rc4_info->counter1;\r\n        i = rc4_info->counter1 + 1;\r\n        rc4_info->counter1 = i;\r\n      }\r\n      while ( i < 256 );\r\n      // Modified key schedule: key cycled mod 250, XOR-based swap instead of a plain swap\r\n      rc4_info->counter1 = 0;\r\n      for ( i = 0; i < 256; rc4_info->counter1 = i )\r\n      {\r\n        rc4Sbox = rc4_info->rc4Sbox;\r\n        rc4_info->counter2 += rc4Sbox[i] + rc4_info->rc4_key_250b[i % 250];\r\n        rc4Sbox[i] ^= rc4Sbox[rc4_info->counter2];\r\n        rc4_info->rc4Sbox[LOBYTE(rc4_info->counter2)] ^= rc4_info->rc4Sbox[LOBYTE(rc4_info->counter1)];\r\n        rc4_info->rc4Sbox[LOBYTE(rc4_info->counter1)] ^= rc4_info->rc4Sbox[LOBYTE(rc4_info->counter2)];\r\n        i = rc4_info->counter1 + 1;\r\n      }\r\n      // Modified keystream generation: the output byte is derived from several S-box lookups, not a single S[S[i] + S[j]]\r\n      rc4_info->counter1 = 0;\r\n      rc4_info->counter2 = 0;\r\n      if ( rc4_info->data_length )\r\n      {\r\n        j = 0;\r\n        do\r\n        {\r\n          rc4_info->counter1 = j + 1;\r\n          rc4Sbox = rc4_info->rc4Sbox;\r\n          k = (j + 1);\r\n          rc4Sbox_value1 = rc4Sbox[k];\r\n          rc4_info->counter2 += rc4Sbox_value1;\r\n          rc4Sbox_value1_ = rc4Sbox_value1;\r\n          rc4Sbox_value2 = rc4Sbox[rc4_info->counter2];\r\n          rc4Sbox[k] = rc4Sbox_value2;\r\n          rc4_info->rc4Sbox[LOBYTE(rc4_info->counter2)] = rc4Sbox_value1;\r\n          rc4Sbox_ = rc4_info->rc4Sbox;\r\n          data[idx] ^= rc4Sbox_[(rc4_info->counter2 + rc4Sbox_value2)] ^\r\n                       (rc4Sbox_[(rc4Sbox_value2 + rc4Sbox_value1_)]\r\n                        +\r\n                        rc4Sbox_[(rc4Sbox_[((0x20 * rc4_info->counter2) ^ (rc4_info->counter1 >> 3))]\r\n                                  +\r\n                                  rc4Sbox_[((0x20 * rc4_info->counter1) ^ (rc4_info->counter2 >> 3))]) ^ 0xAA]);\r\n          j = ++rc4_info->counter1;\r\n          ++idx;\r\n        }\r\n        while ( idx < rc4_info->data_length );\r\n      }\r\n    }\r\n  }\r\n}\r\nWith the pseudocode above, we can rewrite the decoding code in Python as follows. This is the code I wrote, and you can write it in your own way as long as it performs the task correctly.\r\ndef SIGNEXT(x, b):\r\n    # Sign-extend the low b bits of x (the decompiled code adds the S-box byte as a signed value).\r\n    m = (1 << (b - 1))\r\n    x = x & ((1 << b) - 1)\r\n    return ((x ^ m) - m)\r\n\r\ndef rc4_customized_decryptor(data, key):\r\n    # The malware copies the extracted key into a zero-filled 250-byte buffer,\r\n    # so pad a shorter key the same way before it is cycled with i % 250.\r\n    key = bytes(key).ljust(250, b'\\x00')\r\n    idx = 0\r\n    counter1 = 0\r\n    counter2 = 0\r\n    rc4Sbox = list(range(256))\r\n    # Modified key schedule: counter2 is kept to a byte, swap is done with XORs.\r\n    for i in range(256):\r\n        counter2 += (rc4Sbox[i] + key[i % 250])\r\n        counter2 = counter2 & 0x000000FF\r\n        rc4Sbox[i] ^= rc4Sbox[counter2]\r\n        rc4Sbox[counter2 & 0xFF] ^= rc4Sbox[counter1 & 0xFF]\r\n        rc4Sbox[counter1 & 0xFF] ^= rc4Sbox[counter2 & 0xFF]\r\n        counter1 = i + 1\r\n    # Modified keystream generation, mirroring the wzr_rc4_crypt pseudocode above.\r\n    counter1 = 0\r\n    counter2 = 0\r\n    j = 0\r\n    decrypted = []\r\n    while (idx < len(data)):\r\n        counter1 = j + 1\r\n        k = (j + 1)\r\n        rc4Sbox_value1 = rc4Sbox[k]\r\n        counter2 += (SIGNEXT(rc4Sbox_value1, 8) & 0xFFFFFFFF)\r\n        rc4Sbox_value1_ = (SIGNEXT(rc4Sbox_value1, 8) & 0xFFFFFFFF)\r\n        rc4Sbox_value2 = rc4Sbox[counter2 & 0x000000FF]\r\n        rc4Sbox[k] = rc4Sbox_value2\r\n        rc4Sbox[(counter2 & 0x000000FF)] = rc4Sbox_value1\r\n        tmp1 = rc4Sbox[((0x20 * counter1) ^ (counter2 >> 3)) & 0x000000FF]\r\n        tmp2 = rc4Sbox[((0x20 * counter2) ^ (counter1 >> 3)) & 0x000000FF]\r\n        tmp3 = rc4Sbox[((tmp1 + tmp2) & 0x000000FF) ^ 0xAA]\r\n        tmp4 = rc4Sbox[(rc4Sbox_value2 + rc4Sbox_value1_) & 0x000000FF]\r\n        tmp5 = (tmp3 + tmp4) & 0x000000FF\r\n        tmp6 = rc4Sbox[(counter2 + rc4Sbox_value2) & 0x000000FF]\r\n        decrypted.append(data[idx] ^ (tmp5 ^ tmp6))\r\n        counter1 += 1\r\n        j = counter1\r\n        idx += 1\r\n    return bytes(decrypted)\r\nBelow are the results of using a Python script to extract the configuration of Warzone RAT from the samples used in the article.\r\n3. End\r\nThe article concludes here. I hope that it provides useful information for you during the process of analyzing the Warzone RAT malware. To protect against Warzone RAT and other types of malware, users should take precautions such as being cautious when opening email attachments, using strong passwords, and keeping their software up to date. It is also important to use antivirus software and to keep it updated regularly. By taking these steps, users can help to protect themselves against the threat of Warzone RAT and other types of malware.\r\n4. Refs\r\nhttps://research.openanalysis.net/warzone/malware/config/2021/05/31/warzone_rat_config.html\r\nhttps://exploitreversing.files.wordpress.com/2022/11/mas_6-1.pdf\r\nSource: https://kienmanowar.wordpress.com/2023/03/25/quicknote-decrypting-the-c2-configuration-of-warzone-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2023/03/25/quicknote-decrypting-the-c2-configuration-of-warzone-rat/"
	],
	"report_names": [
		"quicknote-decrypting-the-c2-configuration-of-warzone-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434462,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/655f3f998feb6f04bf2bae01718a26eef5af7a34.pdf",
		"text": "https://archive.orkl.eu/655f3f998feb6f04bf2bae01718a26eef5af7a34.txt",
		"img": "https://archive.orkl.eu/655f3f998feb6f04bf2bae01718a26eef5af7a34.jpg"
	}
}