{
	"id": "34fe1ded-7625-46c0-8959-4f149a0b75b3",
	"created_at": "2026-04-06T00:09:47.890768Z",
	"updated_at": "2026-04-10T03:36:47.637798Z",
	"deleted_at": null,
	"sha1_hash": "fd8d675d1528cf60c20d21218674d81f53866106",
	"title": "Technical analysis of WarZoneRAT malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1136912,
	"plain_text": "Technical analysis of WarZoneRAT malware\r\nBy Muhammad Hasan Ali\r\nPublished: 2023-08-15 · Archived: 2026-04-05 19:36:41 UTC\r\nIn the name of God, the Most Gracious, the Most Merciful\r\nFreePalestine\r\nIntroduction\r\nWe will start analyzing Ave Maria, also known as WARZONE RAT. Ave Maria is a Remote Access Trojan (RAT) which provides capabilities such as stealing cookies, stealing passwords, keylogging (online and offline), Windows Defender bypass, and remote webcam access.\r\nWe can take a look at what this threat actor provides to its customers on its site warzone[.]ws.\r\nhttps://muha2xmad.github.io/malware-analysis/warzonerat/\r\nPage 1 of 27\n\nFigure Screenshot of the RAT capabilities from warzone[.]ws\r\nSpecial thanks to Abdallah Elshinbary for his continuous help and support.\r\nTechnical summary\r\nWhen the attacker wants to start a command, it sends the RAT a hex number. Every hex number maps to a specific action.\r\nPassword and Cookies Recovery: When it comes to RATs, browsers and email clients are always a target. The malware will harvest the cookies, passwords, history, and configurations of browsers. 
And it steals passwords and configurations of email clients.\r\nKeylogging: Any RAT has the capability to log keystrokes, but Warzone RAT has two types of keylogging: the live keylogger and the offline keylogger.\r\nRecording audio: The RAT has the capability to record audio, save it to a .wav file, and send it to the C2 server.\r\nHRDP: This allows the attacker to connect to and control the victim’s device without the victim knowing or being alerted, using Hidden RDP.\r\nEnumerate processes, disks, and files: The malware can enumerate the currently running processes, disks and their types, and files inside a specific directory.\r\nFile Manager: The RAT gives its customers the ability to download and upload files from the victim’s computer, execute a file, and delete files. It can also compress any directory or folder on the victim’s computer using a command and send it to the C2 server.\r\nOther features: The malware can terminate any process the attacker wants, uninstall itself by terminating its thread and deleting itself from the registry, restart the device using commands, create a process to check connectivity, and take screenshots of the victim’s device.\r\nPassword and Cookies Recovery\r\nOnce the attacker sends the command 0x20 to the RAT, the malware creates a thread to start the Password Recovery action. The RAT starts stealing the saved passwords, configurations, cookies, and history from browsers and extracts profiles and passwords from some email services. 
It then encrypts the data, sends it to the C2 server, and terminates the thread.\r\nFirst, the malware steals the cookies from Chromium-based browsers such as Google Chrome and Microsoft Edge by querying select host_key, path, name, encrypted_value, expires_utc, is_httponly, samesite, is_secure from cookies against the cookies table in the Cookies database, and steals cookies from the Mozilla Firefox browser by querying SELECT host, path, name, value, expiry, isHttpOnly, isSecure FROM moz_cookies against the moz_cookies table.\r\nThe w_query_get_chrome_based_cookies ( sub_40C5FA ) function uses SHGetSpecialFolderPathW to get the AppData path, then appends the cookies path \\Google\\Chrome\\User Data\\Default\\Network\\Cookies to the AppData path C:\\Users\\user\\AppData\\Local\\ . The result looks like this:\r\nC:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies\r\nThe malware uses the same approach to locate all the databases that contain sensitive data, such as the browsers’ Login Data and History.\r\nFigure Steal Cookies from browsers - sub_40DC9D\r\nNext, the malware goes after the History of the user’s browsers, the same way it steals the cookies. For Chromium-based browsers it queries SELECT url, title, visit_count, last_visit_time FROM urls, and for Mozilla it queries SELECT url, title, visit_count, last_visit_date FROM moz_places .\r\nFigure Steal History from browsers - sub_40DC9D\r\nIn the next figure, the malware steals the passwords and configurations of specific browsers. 
It does so by querying select signon_realm, origin_url, username_value, password_value from logins against the logins table of the Login Data database.\r\nFigure Steal password and configurations from browsers - sub_40DC9D\r\nFor email services, the malware goes after the Outlook ( sub_4104A0 ), Foxmail ( sub_410981 ), and Thunderbird ( sub_40FA23 ) email clients.\r\nAs we can see in the next figure, the malware steals the configurations and login data from the Thunderbird email client.\r\nFigure Steal Configurations from Thunderbird - sub_40FA23\r\nAfter stealing the sensitive data from browsers and email clients, the malware encrypts the stolen data using a customized RC4 encryption algorithm and then sends it to the C2 server. The malware uses nevergonnagiveyouup as the encryption key for the customized RC4 algorithm. After encryption, the malware sends the data using sockets.\r\nFigure Customized RC4 encryption algorithm - sub_406244\r\nThe list of targeted browsers:\r\nMozilla Firefox\r\nGoogle Chrome\r\nEpic Privacy Browser\r\nMicrosoft Edge\r\nThe list of the targeted email clients:\r\nOutlook\r\nThunderbird\r\nFoxmail\r\nKeylogging\r\nThe RAT has two types of keylogging: the live keylogger and the offline keylogger. The offline keylogger runs when the victim is offline.\r\nWhen the attacker sends the command 0x24, the RAT starts a thread running the live keylogger function.\r\nFigure Live and offline keylogging - sub_40A78D\r\nThe malware creates a directory named Microsoft Vision in the AppData directory, then creates a file with a timestamp-based name. 
The malware tries to get the keyboard input messages, such as WM_KEYDOWN or WM_KEYUP, which the OS generates when the victim interacts with the keyboard, by using the GetMessageA API.\r\nFigure How keylogging is working - sub_40A86E\r\nInside the w_mw_get_clipboard_data_keyboard_in ( sub_40ADCA ) function, we see that the malware tries to grab the clipboard data inside mw_get_clipboard_data ( sub_4174BA ). It then encrypts the data and sends it to the C2 server if it is the live keylogger, or writes the grabbed data to a file, encrypts it, and sends it to the C2 server if it is the offline keylogger.\r\nFigure clipboard grabber - sub_40ADCA\r\nFigure How malware grab clipboard data - sub_4174BA\r\nAfter grabbing the clipboard data, the malware starts keylogging by getting the window name and checking the keyboard input state using the w_GetKeyboardState ( sub_40AAFD ) function, which checks whether Shift or Caps Lock is pressed. If Shift or Caps Lock was pressed, the w_ToLowerCase ( sub_401098 ) function converts uppercase to lowercase.\r\nIt then encrypts the logs and sends them to the C2 server if it is the live keylogger, or writes the grabbed logs to a file, encrypts it, and sends it to the C2 server if it is the offline keylogger.\r\nThe logs consist of #Window Name: , whether Shift or Caps Lock is pressed, and the keystrokes.\r\nFigure The RAT keylogging the victim - sub_40ADCA\r\nWhen the malware receives the command 0x26, it terminates the thread which runs the keylogging function.\r\nFigure Terminate the thread which runs the keylogging function - sub_40528D\r\nRecording Audio\r\nThe RAT has two functions for recording audio: mw_record_audio ( sub_40B46F ) and mw_record_audio_0 ( sub_040BB1C ). 
The command 0x54 starts one of the two functions in a thread.\r\nFigure Two recording function - sub_40528D\r\nInside the first function, mw_record_audio ( sub_40B46F ), we see that the waveInOpen API opens the audio input device for recording with the configuration parameters from the pwfx structure. It saves the recording in a time-based .wav file, and it can prepare for a new audio recording. This function only records audio and saves the .wav file.\r\nFigure mw_record_audio function - sub_40B46F\r\nThe second function, mw_record_audio_0 ( sub_040BB1C ), does the same as mw_record_audio, but after recording audio and saving the .wav file, it encrypts it and sends it to the C2 server before starting a new recording.\r\nFigure Sending the audio file to the C2 server - sub_040BB1C\r\nThe waveInUnprepareHeader function is called after the audio has been recorded and captured in the buffer; this is a cleanup step.\r\nTo terminate audio recording, the RAT receives the command 0x5A.\r\nHRDP\r\nThe RAT provides remote access to the victim’s device using Hidden RDP ( HRDP ) to remotely connect to and control the device without the victim knowing or being alerted.\r\nThe malware first gets the value of the ServiceDll registry entry inside SYSTEM\\\\CurrentControlSet\\\\Services\\\\TermService\\\\Parameters , which is the path %SystemRoot%\\System32\\termsrv.dll to termsrv.dll .\r\ntermsrv.dll is the DLL which handles the functionality and settings of the Remote Desktop Protocol (RDP).\r\nFigure Get the path to termsrv.dll - sub_412446\r\nAfter that, the malware adds a new user account with special properties or behaviors, such as hiding the user account from the login screen.\r\nFirst, the malware creates this key 
SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList and sets the UserList registry value to 0 to hide the user account from the login screen. Inside mw_add_user_account ( sub_41313D ), it adds a new user account using the NetUserAdd API and adds the user to a local group using the NetLocalGroupAddMembers API.\r\nFigure Hide the user account from login screen - sub_411BC1\r\nThen the malware creates a thread to start start_RDP ( sub_412003 ). This function opens the registry key SYSTEM\\\\CurrentControlSet\\\\Services\\\\TermService to get the value of the ImagePath entry, which is %SystemRoot%\\System32\\svchost.exe -k NetworkService , and extracts svchost.exe -k NetworkService , which is used to run an instance of svchost.exe under the NetworkService context. It also gets the value of the ServiceDll entry, which is %SystemRoot%\\System32\\termsrv.dll .\r\nThis is because the malware will invoke an instance of svchost.exe using the svchost.exe -k NetworkService command and load the termsrv.dll DLL file into svchost.exe .\r\nFigure Load termsrv.dll into svchost.exe - sub_41263D\r\nInside the sub_412B16 function, the malware continues changing registry values to enable RDP.\r\nIt changes the registry value fDenyTSConnections inside SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server and sets it to false ( 0 ) to enable RDP connections.\r\nIt changes the registry value EnableConcurrentSessions inside SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\Licensing Core and sets it to false ( 0 ) to prevent opening two sessions at the same time.\r\nIt changes the registry value AllowMultipleTSSessions inside SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon and sets it to false ( 0 ) to prevent opening two sessions at the same 
time.\r\nIt changes the registry value Name to RDPClip and sets the Type value to 3 inside SYSTEM\\\\CurrentControlSet\\\\ControlTerminal Server\\\\AddIns\\\\Clip Redirector to enable copy and paste from the attacker’s device to the victim’s device.\r\nFigure Change some registry keys - sub_412B16\r\nAfter the malware has changed the needed settings, it uses RDP_check, which connects to 127.0.0.1:3389 to check whether RDP is working, and sends the result to the C2 server.\r\nFigure RDP check - sub_412510\r\nEnumerate processes, disks, and files\r\nThe RAT has the ability to get more information about the victim’s device by enumerating its processes, disks, and files, and to send a specific file to the C2 server.\r\nFigure Enumerate processes, disks, and files - sub_40528D\r\nThe malware can enumerate the currently running processes using the CreateToolhelp32Snapshot API and get the full path of the associated executable file using the K32GetModuleFileNameExW API. The command is 2 .\r\nFigure Get running processes and path of the associated executable file - sub_415C5D\r\nWhen the malware gets the command 4 , it starts enumerating the logical disks of the victim’s device using the GetLogicalDriveStringsW API and gets each disk’s type, whether it is removable , disk , or network drive , by using the GetDriveTypeW API.\r\nFigure Get list of logical disks and its type - sub_414E4E\r\nThe RAT can enumerate files inside a directory, collect information about each file, and gather this information to be sent to the C2 server.\r\nFigure Enumerate files inside a directory - sub_414F8B\r\nFile Manager\r\nThe RAT gives its customers the ability to download and upload files from the victim’s computer, execute a file, and delete files. 
It will even try to compress any directory or folder on the victim’s computer using a command and send it to the C2 server.\r\nThe malware has the ability to send a file to the attacker. Inside the mw_send_file_to_c2 function, the malware creates a thread to send a file to the C2 server.\r\nFigure send a file to the attacker - sub_40929F\r\nIt can also download files from the attacker’s side to the victim’s machine and execute them.\r\nFigure How the RAT Download and Execute a file - sub_40205E\r\nIt can execute any dropped file on the victim’s computer. The dropped file will be in the temp directory.\r\nFigure Find path of dropped file and execute it - sub_40205E\r\nIt can also execute any specific file on the victim’s computer.\r\nFigure execute a file - sub_40528D\r\nThe malware tries to compress one or more directories into a .zip file using PowerShell, while hiding the PowerShell window, with the command powershell.exe -windowstyle hidden -Command \"Compress-Archive -Path 'C:\\Path\\To\\Your\\Directory' -DestinationPath 'C:\\Path\\To\\Your\\Archive.zip'\"\r\nFigure Compress directories - sub_41731E\r\nOther features\r\nTerminate a process\r\nThe malware gets the currently running processes and terminates any process the attacker wants.\r\nFigure Terminate any process - sub_401BA7\r\nUninstall the RAT\r\nThe malware has the ability to uninstall itself by terminating its thread and deleting itself from the registry.\r\nFigure Terminate its thread and delete reg - sub_4166D0\r\nRestart the system and check connectivity\r\nThe RAT can restart the device using commands and create a process to check connectivity.\r\nThere are two methods to restart the device:\r\n1. 
Using the command shutdown.exe /r /t 00 to restart the computer, or forcing the restart using the shutdown.exe /r /f /t 00 command, while hiding the execution window using the WinExec function.\r\n2. The malware attempts to elevate privileges to perform a hard system shutdown. It first loads ntdll.dll , retrieves the function pointers for RtlAdjustPrivilege and NtRaiseHardError , adjusts the privilege level, and then raises a hard system error with the status code STATUS_FLOAT_MULTIPLE_FAULTS .\r\nFigure Restart the system - sub_4022D8\r\nTake screenshot\r\nThe malware can start a thread and run the function to take screenshots. The malware checks for recent user activity using GetLastInputInfo and compares it against 30 minutes. If there was recent activity, it captures the foreground window’s content as a screenshot and saves it as a JPEG file with a time-based name.\r\nFigure Taking screen shots - sub_413896\r\nThe malware encrypts its configuration with the customized RC4 algorithm. It stores the configuration in the .bss section, and the format of the configuration is: [Key length][RC4 key][Encrypted data] . 
So we used m4n0w4r's script to decrypt the configuration.\r\nYou can see the code in the jupyter notebook in my github from here\r\n# Refs: https://stackoverflow.com/questions/9433541/movsx-in-python\r\ndef SIGNEXT(x, b):\r\n    # Sign-extend the low b bits of x (emulates the movsx instruction)\r\n    m = (1 \u003c\u003c (b - 1))\r\n    x = x \u0026 ((1 \u003c\u003c b) - 1)\r\n    return ((x ^ m) - m)\r\n\r\n# This routine is responsible for decrypting the stored C2.\r\ndef rc4_customized_decryptor(data, key):\r\n    idx = 0\r\n    counter1 = 0\r\n    counter2 = 0\r\n\r\n    # Initialize RC4 S-box\r\n    rc4Sbox = list(range(256))\r\n\r\n    # Modify RC4 S-box (key scheduling; the key is consumed cyclically over 250 bytes)\r\n    for i in range(256):\r\n        counter2 += (rc4Sbox[i] + key[i % 250])\r\n        counter2 = counter2 \u0026 0x000000FF\r\n        rc4Sbox[i] ^= rc4Sbox[counter2]\r\n        rc4Sbox[counter2 \u0026 0xFF] ^= rc4Sbox[counter1 \u0026 0xFF]\r\n        rc4Sbox[counter1 \u0026 0xFF] ^= rc4Sbox[counter2 \u0026 0xFF]\r\n        counter1 = i + 1\r\n\r\n    # Decrypt data\r\n    counter1 = 0\r\n    counter2 = 0\r\n    j = 0\r\n    decrypted = []\r\n    while (idx \u003c len(data)):\r\n        counter1 = j + 1\r\n        k = (j + 1)\r\n        rc4Sbox_value1 = rc4Sbox[k]\r\n        counter2 += (SIGNEXT(rc4Sbox_value1, 8) \u0026 0xFFFFFFFF)\r\n        rc4Sbox_value1_ = (SIGNEXT(rc4Sbox_value1, 8) \u0026 0xFFFFFFFF)\r\n        rc4Sbox_value2 = rc4Sbox[counter2 \u0026 0x000000FF]\r\n        rc4Sbox[k] = rc4Sbox_value2\r\n        rc4Sbox[(counter2 \u0026 0x000000FF)] = rc4Sbox_value1\r\n        tmp1 = rc4Sbox[((0x20 * counter1) ^ (counter2 \u003e\u003e 3)) \u0026 0x000000FF]\r\n        tmp2 = rc4Sbox[((0x20 * counter2) ^ (counter1 \u003e\u003e 3)) \u0026 0x000000FF]\r\n        tmp3 = rc4Sbox[((tmp1 + tmp2) \u0026 0x000000FF) ^ 0xAA]\r\n        tmp4 = rc4Sbox[(rc4Sbox_value2 + rc4Sbox_value1_) \u0026 0x000000FF]\r\n        tmp5 = (tmp3 + tmp4) \u0026 0x000000FF\r\n        tmp6 = rc4Sbox[(counter2 + rc4Sbox_value2) \u0026 0x000000FF]\r\n        # The keystream byte is tmp5 ^ tmp6; XOR it with the ciphertext byte\r\n        decrypted.append(data[idx] ^ (tmp5 ^ tmp6))\r\n\r\n        counter1 += 1\r\n        j = counter1\r\n        idx += 1\r\n\r\n    return bytes(decrypted)\r\n# def unicode_strings(buf, n=4):\r\n# This function causes problems when I upload it to GitHub, so you need to get it from OALABS.\r\n# Get the unicode_strings function from https://research.openanalysis.net/warzone/malware/config/2021/05/31/warzone_\r\nimport pefile\r\nimport struct\r\n# Load the PE file using pefile\r\npe = pefile.PE(r\"\") # Put your file path\r\n# Initialize variable to store .bss section data\r\nbss_section_data = None\r\n# Iterate through sections to find the .bss section\r\nfor section in pe.sections:\r\n    section_name = section.Name\r\n    if section_name.startswith(b'.bss'):\r\n        bss_section_data = section.get_data()\r\n# Extract the key size and key from the .bss section\r\nkey_size = struct.unpack('\u003cI', bss_section_data[:4])[0]\r\nkey = bss_section_data[4:4 + key_size]\r\n# Because the key buffer is 250 bytes: we extracted 50 bytes from the .bss section and fill the rest with zeros\r\nkey = key + b'\\x00' * (250 - len(key))\r\n# Extract encrypted data from the .bss section (it ends at the first run of eight null bytes)\r\nenc_data = bss_section_data[4 + key_size:]\r\nenc_data = enc_data.split(b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00')[0]\r\n# Decrypt the encrypted data using the custom RC4 decryptor\r\ndec_data = rc4_customized_decryptor(enc_data, key)\r\n# Extract C2 host length and host string (UTF-16LE)\r\nhost_len = struct.unpack('\u003cI', dec_data[:4])[0]\r\nhost_wide = dec_data[4:host_len + 4]\r\nc2_host = unicode_strings(host_wide)[0]\r\n# Extract C2 port (16-bit little-endian, right after the host string)\r\nc2_port = struct.unpack('\u003cH', dec_data[host_len + 4:host_len + 4 + 2])[0]\r\n# Print the extracted C2 host and port\r\nprint(\"C2 host: %s, port: %d\" % (c2_host, c2_port))\r\nThe C2 host is 89.117.76.41 and the port is 4422 .\r\nYara\r\nrule warzonerat_aveaariarat {\r\n    meta:\r\n        description = \"Detects warzonerat/aveaariarat malware\"\r\n        author = \"muha2xmad\"\r\n        date = \"2023-08-24\"\r\n        hash1 = \"f65a8af1100b56f2ebe014caeaa5bb2fbbca2da76cb99f3142354e31fbba5c8c\"\r\n\r\n    strings:\r\n        
$browser_str001 = \"\\\\Google\\\\Cache\\\\\" fullword ascii wide\r\n        $browser_str002 = \"\\\\Google\\\\Chrome\\\\User Data\\\\Local State\" fullword ascii wide\r\n        $browser_str003 = \"\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Network\\\\Cookies\" fullword ascii wide\r\n        $browser_str004 = \"\\\\Microsoft\\\\Edge\\\\User Data\\\\Default\\\\Network\\\\Cookies\" fullword ascii wide\r\n        $browser_str005 = \"\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\History\" fullword ascii wide\r\n        $browser_str006 = \"\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data\" fullword ascii wide\r\n        $browser_str007 = \"\\\\Google\\\\Chrome Beta\\\\User Data\\\\Default\\\\Login Data\" fullword ascii wide\r\n        $browser_str008 = \"\\\\Microsoft\\\\Edge\\\\User Data\\\\Default\\\\Login Data\" fullword ascii wide\r\n        $browser_str009 = \"\\\\logins.json\" fullword ascii wide\r\n        $browser_str010 = \"\\\\Tencent\\\\QQBrowser\\\\User Data\\\\Local State\" fullword ascii wide\r\n        $browser_str011 = \"\\\\UCBrowser\\\\User Data_i18n\\\\Default\\\\UC Login Data.17\" fullword ascii wide\r\n        $browser_str012 = \"\\\\Google\\\\Media\\\\\" fullword ascii wide\r\n        $browser_str013 = \"\\\\Google\\\\Cache\\\\\" fullword ascii wide\r\n        $browser_str014 = \"\\\\Google\\\\Cache\\\\\" fullword ascii wide\r\n        $reg_str001 = \"Software\\\\Microsoft\\\\Office\\\\15.0Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A\r\n        $reg_str002 = \"software\\\\Aerofox\\\\FoxmailPreview\" fullword wide\r\n        $reg_str003 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList\" ful\r\n        $reg_str004 = \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\TermService\\\\Parameters\" fullword wide\r\n        $reg_str005 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\" fullword wide\r\n        $reg_str006 = \"SYSTEM\\\\CurrentControlSet\\\\ControlTerminal Server\\\\AddIns\\\\Clip Redirector\" fullword wide\r\n        $reg_str007 = \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\TermService\" fullword wide\r\n        $str001 = \"QAaR$43!QAFff\" fullword wide\r\n        $str002 = \"?lst@@YAXHJ@Z\" fullword wide\r\n        $str003 = \"RDPClip\" fullword wide\r\n        $str004 = \"AllowMultipleTSSessions\" fullword wide\r\n        $str005 = \"fDenyTSConnections\" fullword wide\r\n        $str006 = \"svchost.exe -k\" fullword wide\r\n        $str007 = \"#Window Name: \" fullword wide\r\n        $str008 = \"profiles.ini\" fullword wide\r\n        $str009 = \"-Clipboard Grabbed-\" fullword wide\r\n        $str010 = \"#Window Name: \" fullword wide\r\n        $str011 = \".zip\" fullword wide\r\n        $str012 = \"SeDebugPrivilege\" fullword wide\r\n        $str013 = \"rudp\" fullword wide\r\n        $str014 = \"rpdp\" fullword wide\r\n        $APIs_str001 = \"SHGetKnownFolderPath\" fullword ascii\r\n        $APIs_str002 = \"SHGetSpecialFolderPathW\" fullword ascii\r\n        $APIs_str003 = \"SHCreateDirectoryExW\" fullword ascii\r\n        $APIs_str004 = \"SHGetFolderPathW\" fullword ascii\r\n        $APIs_str005 = \"Wow64DisableWow64FsRedirection\" fullword ascii\r\n        $command001 = \"powershell Add-MpPreference -ExclusionPath \" fullword wide\r\n        $command002 = \"powerShell.exe -windowstyle hidden -Command \\\"Compress-Archive -Path ' \" fullword wide\r\n        $command003 = \"shutdown.exe /r /t 00\" fullword wide\r\n        $command004 = \"cmd.exe /C ping 1.2.3.4 -n 4 -w 1000 \u003e Nul \u0026 cmd.exe /C \" fullword wide\r\n        $command005 = \"powershell Add-MpPreference -ExclusionPath \" fullword wide\r\n        $command006 = \"%SystemRoot%\\\\System32\\\\termsrv.dll\" fullword wide\r\n\r\n    condition:\r\n        uint16(0) == 0x5a4d and (10 of ($browser_str0*) or 5 of ($reg_str0*) or 10 of ($str0*) or 5 of ($APIs_st\r\n}\r\nCommands\r\nHex command Description\r\n0xC Terminate a process\r\n0xE start remote shell\r\n2 enumerate processes\r\n4 enumerate disks\r\n6 enumerate files\r\n8 or 0x4A send file to c2\r\n0x22 download and 
execute\r\n0x1A uninstall the RAT from device\r\n0x1C execute dropped file\r\n0x20 password recovery\r\n0x24 start keylogger\r\n0x26 terminate keylogger\r\n0x28 setup and start RDP\r\n0x4E start RDP\r\n0x3A execute a specific file\r\n0x48 create cmd process inject shellcode\r\n0x4C restart, cleanup, and delete\r\n0x5C take screenshot\r\n0x5E terminate taking screenshot\r\n0x60 compress directory/directories\r\n0x5A terminate recording audio\r\n0x54 record audio\r\nIoCs\r\nSample sha256 hash: f65a8af1100b56f2ebe014caeaa5bb2fbbca2da76cb99f3142354e31fbba5c8c\r\nC2: 89.117.76.41:4422\r\nMITRE ATT\u0026CK\r\nI used the pestudio PRO tool to help draw the MITRE ATT\u0026CK matrix.\r\nFigure MITRE ATT\u0026CK\r\nQuote\r\nThe mirage was not to blame; it was the bewilderment of the thirsty.\r\nCompleted by the grace and guidance of God, not by any knowledge or work of mine.\r\nReferences\r\n[QuickNote] 
Decrypting the C2 configuration of Warzone RAT\r\nWarZone RAT OALABS\r\nSecuronix Threat Labs Security Advisory\r\nPhishing Campaign Delivering Three Fileless Malware: AveMariaRAT\r\nWARZONE: BEHIND THE ENEMY LINES\r\nhttps://muha2xmad.github.io/malware-analysis/warzonerat/\r\nPage 26 of 27\n\nSource: https://muha2xmad.github.io/malware-analysis/warzonerat/\r\nhttps://muha2xmad.github.io/malware-analysis/warzonerat/\r\nPage 27 of 27",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://muha2xmad.github.io/malware-analysis/warzonerat/"
	],
	"report_names": [
		"warzonerat"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"CHROMIUM",
				"Charcoal Typhoon",
				"Earth Lusca",
				"FISHMONGER",
				"Red Dev 10",
				"Red Scylla",
				"RedHotel",
				"Tag-22"
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434187,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd8d675d1528cf60c20d21218674d81f53866106.pdf",
		"text": "https://archive.orkl.eu/fd8d675d1528cf60c20d21218674d81f53866106.txt",
		"img": "https://archive.orkl.eu/fd8d675d1528cf60c20d21218674d81f53866106.jpg"
	}
}