Technical analysis of WarZoneRAT malware
By Muhammad Hasan Ali
Published: 2023-08-15 · Archived: 2026-04-05 19:36:41 UTC
بسم الله الرحمن الرحيم
FreePalestine
IntroductionPermalink
We will start analyzing Ave Maria known as WARZONE RAT. Ave Maria is a Remote Access Trojan (RAT)
which provides some capabilities, such as stealing Cookies stealing passwords, Keylogging (online and offline),
Windows Defender Bypass, and Remote WebCam.
We can take a look at what this threat actor provides to its customers from its site warzone[.]ws.
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 1 of 27

Figure Screenshot of the RAT capabilities from warzone[.]ws
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 2 of 27

Figure Screenshot of the RAT capabilities from warzone[.]ws
And special thanks for Abdallah Elshinbary for his continuous help and support.
Technical summaryPermalink
When the attaker wants to start a command, it will send to the RAT a hex number. Every hex number has a
specific action to be done.
Password and Cookies Recovery: When it comes to RATs, then it has something with browsers and Email
clients. The malware will harvist the cookies, passwords, history, and configurations of browsers. And steal
passords and configruations of Email clients.
Keylogging: Any RAT has the capability to log any keystrokes, but Warzone RAT has the two types of
Keylogging which are the live keylogger and the offline keylogger.
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 3 of 27

Recording audio: The RAT has the capability to record audio and save it to .wav file and send it to the C2
server.
HRDP: This allows the attacter to connect and control the victim’s device without knowing or alerting the
victim using Hidden RDP.
Enumerate processes, disks, and files: The malware can enumerate the currently running processes, disks
and their types, and files inside a specific directory.
File Manager: The RAT gives its customers the ability to download and upload files from the victim’s
computer, execute a file, and delete files. And compress any directory or folder inside the victim’s
computer using a command and send it to the C2 server.
Other features: The malware can terminate any process the attacker wants, uninstall itself by terminating its
thread and delete itself from registries, restart the device using commands and create a process to check
connectivity, and take screen shots from the victim’s device.
Password and Cookies RecoveryPermalink
Once the attacker sends the command to the RAT which will be 0x20 in hex, the malware will create a thread to
start Password Recovery action. The RAT will start stealing the saved passwords, configurations, cookies, and
history from browsers and extract profiles and passwords from some email services. Then encrypt the data and
send it to the C2 server then terminate the thread.
First, the malware will steal the Cookies from Chromium-based browsers such as Google chrome and Microsoft
edge by quering select host_key, path, name, encrypted_value, expires_utc, is_httponly, samesite,
is_secure from cookies from the cookies table in Cookies database and steal Cookies from Mozilla firefox
browser by quering SELECT host, path, name, value, expiry, isHttpOnly, isSecure FROM moz_cookies from
the moz_cookies table.
The w_query_get_chrome_based_cookies ( sub_40C5FA ) function uses SHGetSpecialFolderPathW to get the
AppData path, than append the the cookies path \Google\Chrome\User Data\Default\Network\Cookies to
Appdata path C:\Users\user\AppData\Local\ .It will be like this
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
The malware uses the same way to get the all sensitive databases that contain sensitive data such as Login Data ,
History of browsers.
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 4 of 27

Figure Steal Cookies from browsers - sub_40DC9D
Next, the malware will go after the History of the user’s browsers the same as stealing the cookies. For
Chromium-based, quering SELECT url, title, visit_count, last_visit_time FROM urls and Mozzilla
quering SELECT url, title, visit_count, last_visit_date FROM moz_places .
Figure Steal History from browsers - sub_40DC9D
In the next figure, the malware will steal the passwords and configurations of specific browsers. By quering
select signon_realm, origin_url, username_value, password_value from logins from logins table of
Login Data db.
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 5 of 27

Figure Steal password and configurations from browsers - sub_40DC9D
For Email serivices, the malware will go after outlook ( sub_4104A0 ), Foxmail ( sub_410981 ), Thunderbird
( sub_40FA23 ) Email clients.
As we can see in the next figure, the malware will steal the configurations and login data from Thunderbird email
client.
Figure Steal Configurations from Thunderbird - sub_40FA23
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 6 of 27

After stealing the sensitive data from browsers and Email clients, the malware will encrypt the stolen data using
customized RC4 encryption algorithm then send it to the C2 server. The malware uses nevergonnagiveyouup as
encryption key to customized RC4 algorithm. After encryption, the malware will send it using sockets.
Figure Customized RC4 encryption algorithm - sub_406244
The list of targeted browsers
Expand to see more
 Mozilla Firefox
 Google Chrome
 Epic Privacy Browser
 Microsoft Edge
The list of the targeted Email clients:
Outlook
Thunderbird
Foxmail
KeyloggingPermalink
The RAT has the two types of keylogging which are the live keylogger and the offline keylogger. The offline
keylogger is run when the victim is offline.
When the attaker sends the command 0x24 in hex, the RAT will start a thread of Live keylogger function.
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 7 of 27

Figure Live and offline keylogging - sub_40A78D
The malware will create a directory Microsoft Vision in the AppData directory then create a file with a
timestamp-based name. The malware will try to get the Keyboard input messages such as WM_KEYDOWN or
WM_KEYUP which are generated by the OS when the victim interacts with the keyboard by using GetMessageA
API.
Figure How keylogging is working - sub_40A86E
Inside the w_mw_get_clipboard_data_keyboard_in ( sub_40ADCA ) function, we will know that the malware will
try to grab the clipboard data inside the mw_get_clipboard_data ( sub_4174BA ). Then encrypte the data and
send to the C2 server if it’s the live keylogger or write the grabbed data to a file then encrypted it and send to the
C2 server if it’s offline keylogger.
Figure clipboard grabber - sub_40ADCA
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 8 of 27

Figure How malware grab clipboard data - sub_4174BA
After grabbing the clipboard data, the malware will start keylogging by getting the windows name and check the
keyboad input state using w_GetKeyboardState ( sub_40AAFD ) function and check if is Shift or Caps Lock
pushed. And if Shift or Caps Lock were pushed, the w_ToLowerCase ( sub_401098 ) function will convert the
uppercase to lowercase.
Then encrypte the logs and send to the C2 server if it’s the live keylogger or write the grabbed logs to a file then
encrypted it and send to the C2 server if it’s offline keylogger.
The logs are #Window Name: , is Shift or Caps Lock pushed, keystrokes.
Figure The RAT keylogging the victim - sub_40ADCA
When the malware receives the command 0x26 in hex, the malware terminate the thread which runs the
keylogging function.
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 9 of 27

Figure Terminate the thread which runs the keylogging function - sub_40528D
Recording AudioPermalink
The RAT has two functions for recording audio mw_record_audio ( sub_40B46F ) and mw_record_audio_0
( sub_040BB1C ). The command is 0x54 in hex to start one function in a thread.
Figure Two recording function - sub_40528D
Inside The first function mw_record_audio ( sub_40B46F ), we see that waveInOpen API Opens the audio input
device for recording with the configuration parameters from the pwfx structure. And save the record in a time-based .wav file. And even it can prepare for a new recording audio. This function only records audio and save
the .wav file.
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 10 of 27

Figure mw_record_audio function - sub_40B46F
And inside the second function mw_record_audio_0 ( sub_040BB1C ), it does what this mw_record_audio
function is doing. But after recording audio and save the .wav file, it encrypt and send it to the C2 server before
starting a new record.
Figure Sending the audio file to the C2 server - sub_040BB1C
waveInUnprepareHeader function is called after the audio was recorded and captured in the buffer which is a
cleanup process.
To terminate recording audio, the RAT get the command 0x5A in hex.
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 11 of 27

HRDPPermalink
The RAT provides a remote access to victim’s device using Hidden RDP ( HRDP ) to remotely connect to and
control the device without knowing or alerting the victim.
The malware first get value of ServiceDll registry inside the
SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters which will be the path
%SystemRoot%\System32\termsrv.dll to termsrv.dll .
termsrv.dll is The DLL which handles the functionality and settings of the Remote Desktop Protocol (RDP).
FigureGet the path to termsrv.dll - sub_412446
After that, the malware will add a new user account special properties or behaviors such as hiding the user account
from login screen.
First, the malware will create this key SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList and set the value of UserList registry to 0 to
hide the user account from login screen. inside the mw_add_user_account ( sub_41313D ), it adds a new user
account using NetUserAdd API and adds the user to a local group using NetLocalGroupAddMembers API.
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 12 of 27

Figure Hide the user acount from login screen - sub_411BC1
Then the malware will create a thread to start start_RDP ( sub_412003 ). This function open a registry key
SYSTEM\\CurrentControlSet\\Services\\TermService to get the entry value of ImagePath which is
%SystemRoot%\System32\svchost.exe -k NetworkService and get svchost.exe -k NetworkService which is
used to run an instance of svchost.exe under the context of the NetworkService . And get the entry value of
ServiceDll which is %SystemRoot%\System32\termsrv.dll .
This is because The malware will invoke an instance of svchost.exe using svchost.exe -k NetworkService
command and load the termsrv.dll DLL file into svchost.exe .
Figure Load termsrv.dll into svchost.exe - sub_41263D
Inside sub_412B16 function, the malware continues changing the registry values to enable RDP.
Change the registry fDenyTSConnections inside SYSTEM\\CurrentControlSet\\Control\\Terminal
Server and set to its value to false ( 0 ) to enable RDP connetions.
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 13 of 27

Change the registry EnableConcurrentSessions inside SYSTEM\\CurrentControlSet\\Control\\Terminal
Server\\Licensing Core and set to its value to false ( 0 ) to prevent opening two sessions at the same
time.
Change the registry AllowMultipleTSSessions inside SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Winlogon and set to its value to false ( 0 ) to prevent opening two sessions at the
same time.
Change the registry Name value to RDPClip and change Type registry its value to 3 inside
SYSTEM\\CurrentControlSet\\ControlTerminal Server\\AddIns\\Clip Redirector to enable copy and
paste from attacker device to victim device.
Figure Change some registry keys - sub_412B16
After the malware changed the settings needed, it uses RDP_check which connect to 127.0.0.1:3389 to check if
the it’s working and send the return to the C2 server.
Figure RDP check - sub_412510
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 14 of 27

Enumerate processes, disks, and filesPermalink
The RAT has the ability to get more information about victim’s device by enumerating processes, disks, and files
of the victim’s device. And send a spicific file to the C2 server.
Figure Enumerate processes, disks, and files - sub_40528D
The malware has the ability to enumerate currently running processes using CreateToolhelp32Snapshot API and
get the full path of the associated executable file using K32GetModuleFileNameExW API. The command is 2 .
Figure Get running processes and path of the associated executable file - sub_415C5D
When the malware get the command 4 , it starts enumerating logical disks of the victim’s device using
GetLogicalDriveStringsW API and gets its type if it’s removable , disk , or network drive by using
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 15 of 27

GetDriveTypeW API.
Figure Get list of logical disks and its type - sub_414E4E
The RAT can enumerate files inside a directory and collect info about each file then collect these info to be sent to
the C2 server.
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 16 of 27

Figure Enumerate files inside a directory - sub_414F8B
File ManagerPermalink
The RAT gives its customers the ability to download and upload files from the victim’s computer, execute a file,
and delete files. And even will try to compress any directory or folder inside the victim’s computer using a
command and send it to the C2 server.
The malware has the ability to send a file to the attacker. Inside the mw_send_file_to_c2 function, the malware
will create a thread to send a file to the C2 server.
Figure send a file to the attacker - sub_40929F
And download files from the attacker side to the victim’s machine and execute it.
Figure How the RAT Download and Execute a file - sub_40205E
And execute any dropped files on the victim’s computer. The dropped file will be in the temp directory.
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 17 of 27

Figure Find path of dropped file and execute it - sub_40205E
And execute any specific file on the victim’s computer.
Figure execute a file - sub_40528D
The malware will try to compress one directory or more than one directory using powershell to a .zip file
while hiding the PowerShell window using the command powershell.exe -windowstyle hidden -Command
"Compress-Archive -Path 'C:\Path\To\Your\Directory' -DestinationPath 'C:\Path\To\Your\Archive.zip'"
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 18 of 27

Figure Compress directories - sub_41731E
Other featuresPermalink
Terminate a processPermalink
The malware will get the currently running processes, and terminate any process the attacker wants.
Figure Terminate any process - sub_401BA7
Uninstall the RATPermalink
The malware has the ability to uninstall itself by terminating its thread and delete itself from registries.
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 19 of 27

Figure Terminate its thread and delete reg - sub_4166D0
Restart the system and check connectivityPermalink
The RAT can restart the device using commands and create a process to check connectivity.
there is two methods to restart the device:
1. using command shutdown.exe /r /t 00 to restart the computer or force the restart using shutdown.exe
/r /f /t 00 command while hiding the execution window using WinExec function.
2. The malware will attempt to elevate privileges to perform a hard system shutdown. It first loads
ntdll.dll , retrieves the function pointers for RtlAdjustPrivilege and NtRaiseHardError , adjusts the
privilege level, and then raises a hard system error with the status code STATUS_FLOAT_MULTIPLE_FAULTS .
Figure Restart the system - sub_4022D8
Take screenshotPermalink
The malware can start a thread and run the function to take screen shots. The malware checks for recent user
activity using GetLastInputInfo compares to 30 minutes. If there was recent activity, it captures the foreground
window’s content as a screenshot and saves it as a JPEG file with a time-based name.
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 20 of 27

Figure Taking screen shots - sub_413896
The malware encrypt its configuration with customized RC4 algorithm. The malware stores the configuration in
the .bss section and the The format of the configuration is: [Key length][RC4 key][Encrypted data] . So we
used m4n0w4r’s to decrypt the configuration.
You can see the code in the jupyter notebook in my github from here
# Refs: https://stackoverflow.com/questions/9433541/movsx-in-python
def SIGNEXT(x, b):
 m = (1 << (b -1))
 x = x & ((1 << b) -1)
 return ((x ^ m) - m)
 
# This routine is responsible for decrypting the stored C2.
def rc4_customized_decryptor(data, key):
 idx = 0
 counter1 = 0
 counter2 = 0
 
 # Initialize RC4 S-box
 rc4Sbox = list(range(256))
 
 # Modify RC4 S-box
 for i in range(256):
 counter2 += (rc4Sbox[i] + key[i%250])
 counter2 = counter2 & 0x000000FF
 rc4Sbox[i] ^= rc4Sbox[counter2]
 rc4Sbox[counter2 & 0xFF] ^= rc4Sbox[counter1 & 0xFF]
 rc4Sbox[counter1 & 0xFF] ^= rc4Sbox[counter2 & 0xFF]
 counter1 = i+1
 
 # Decrypt data
 counter1 = 0
 counter2 = 0
 j = 0
 decrypted = []
 while(idx < len(data)):
 counter1 = j + 1
 k = (j+1)
 rc4Sbox_value1 = rc4Sbox[k]
 counter2 += (SIGNEXT(rc4Sbox_value1, 8) & 0xFFFFFFFF)
 rc4Sbox_value1_ = (SIGNEXT(rc4Sbox_value1, 8) & 0xFFFFFFFF)
 rc4Sbox_value2 = rc4Sbox[counter2 & 0x000000FF]
 rc4Sbox[k] = rc4Sbox_value2
 rc4Sbox[(counter2 & 0x000000FF)] = rc4Sbox_value1
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 21 of 27

tmp1 = rc4Sbox[((0x20 * counter1) ^ (counter2 >> 3)) & 0x000000FF]
 tmp2 = rc4Sbox[((0x20 * counter2) ^ (counter1 >> 3)) & 0x000000FF]
 tmp3 = rc4Sbox[((tmp1 + tmp2) & 0x000000FF) ^ 0xAA]
 tmp4 = rc4Sbox[(rc4Sbox_value2 + rc4Sbox_value1_) & 0x000000FF]
 tmp5 = (tmp3 + tmp4) & 0x000000FF
 tmp6 = rc4Sbox[(counter2 + rc4Sbox_value2) & 0x000000FF]
 decrypted.append(data[idx] ^ (tmp5 ^ tmp6))
 
 counter1 += 1
 j = counter1
 idx += 1
 
 return bytes(decrypted)
# def unicode_strings(buf, n=4):
# This function makes problems when i upload it in github. So you need to got from OALABS
# Get unicode_strings function from https://research.openanalysis.net/warzone/malware/config/2021/05/31/warzone_
import pefile
import struct
# Load the PE file using pefile
pe = pefile.PE(r"") # Put your file path
# Initialize variable to store .bss section data
bss_section_data = None
# Iterate through sections to find the .bss section
for section in pe.sections:
 section_name = section.Name
 if section_name.startswith(b'.bss'):
 bss_section_data = section.get_data()
# Extract the key size and key from the .bss section
key_size = struct.unpack('<I', bss_section_data[:4])[0]
key = bss_section_data[4:4 + key_size]
# because the key is 250 bytes. We extracted 50 bytes from bss section and fill the rest with zeros
key = key + b'\x00' * (250 - len(key))
# Extract encrypted data from the .bss section
enc_data = bss_section_data[4 + key_size:]
enc_data = enc_data.split(b'\x00\x00\x00\x00\x00\x00\x00\x00')[0]
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 22 of 27

# Decrypt the encrypted data using a custom RC4 decryptor
dec_data = rc4_customized_decryptor(enc_data, key)
# Extract C2 host length and host string
host_len = struct.unpack('<I', dec_data[:4])[0]
host_wide = dec_data[4:host_len+4]
c2_host = unicode_strings(host_wide)[0]
# Extract C2 port
c2_port = struct.unpack('<H', dec_data[host_len+4:host_len+4+2])[0]
# Print the extracted C2 host and port
print("C2 host: %s, port: %d" % (c2_host, c2_port))
The C2 host is 89.117.76.41 and the port is 4422 .
YaraPermalink
rule warzonerat_aveaariarat {
 meta:
 description = "Detects warzonerat/aveaariarat malware"
 author = "muha2xmad"
 date = "2023-08-24"
 hash1 = "f65a8af1100b56f2ebe014caeaa5bb2fbbca2da76cb99f3142354e31fbba5c8c"
 
 strings:
 
 $browser_str001 = "\\Google\\Cache\\" fullword ascii wide
 $browser_str002 = "\\Google\\Chrome\\User Data\\Local State" fullword ascii wide
 $browser_str003 = "\\Google\\Chrome\\User Data\\Default\\Network\\Cookies" fullword ascii wide
 $browser_str004 = "\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies" fullword ascii wide
 $browser_str005 = "\\Google\\Chrome\\User Data\\Default\\History" fullword ascii wide
 $browser_str006 = "\\Google\\Chrome\\User Data\\Default\\Login Data" fullword ascii wide
 $browser_str007 = "\\Google\\Chrome Beta\\User Data\\Default\\Login Data" fullword ascii wide
 $browser_str008 = "\\Microsoft\\Edge\\User Data\\Default\\Login Data" fullword ascii wide
 $browser_str009 = "\\logins.json" fullword ascii wide
 $browser_str010 = "\\Tencent\\QQBrowser\\User Data\\Local State" fullword ascii wide
 $browser_str011 = "\\UCBrowser\\User Data_i18n\\Default\\UC Login Data.17" fullword ascii wide
 $browser_str012 = "\\Google\\Media\\" fullword ascii wide
 $browser_str013 = "\\Google\\Cache\\" fullword ascii wide
 $browser_str014 = "\\Google\\Cache\\" fullword ascii wide
 $reg_str001 = "Software\\Microsoft\\Office\\15.0Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 23 of 27

$reg_str002 = "software\\Aerofox\\FoxmailPreview" fullword wide
 $reg_str003 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" ful
 $reg_str004 = "SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters" fullword wide
 $reg_str005 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" fullword wide
 $reg_str006 = "SYSTEM\\CurrentControlSet\\ControlTerminal Server\\AddIns\\Clip Redirector" fullword wide
 $reg_str007 = "SYSTEM\\CurrentControlSet\\Services\\TermService" fullword wide
 $str001 = "QAaR$43!QAFff" fullword wide
 $str002 = "?lst@@YAXHJ@Z" fullword wide
 $str003 = "RDPClip" fullword wide
 $str004 = "AllowMultipleTSSessions" fullword wide
 $str005 = "fDenyTSConnections" fullword wide
 $str006 = "svchost.exe -k" fullword wide
 $str007 = "#Window Name: " fullword wide
 $str008 = "profiles.ini" fullword wide
 $str009 = "-Clipboard Grabbed-" fullword wide
 $str010 = "#Window Name: " fullword wide
 $str011 = ".zip" fullword wide
 $str012 = "SeDebugPrivilege" fullword wide
 $str013 = "rudp" fullword wide
 $str014 = "rpdp" fullword wide
 $APIs_str001= "SHGetKnownFolderPath" fullword ascii
 $APIs_str002= "SHGetSpecialFolderPathW" fullword ascii
 $APIs_str003= "SHCreateDirectoryExW" fullword ascii
 $APIs_str004= "SHGetFolderPathW" fullword ascii
 $APIs_str005= "Wow64DisableWow64FsRedirection" fullword ascii
 $command001 = "powershell Add-MpPreference -ExclusionPath " fullword wide
 $command002 = "powerShell.exe -windowstyle hidden -Command \"Compress-Archive -Path ' " fullword wide
 $command003 = "shutdown.exe /r /t 00" fullword wide
 $command004 = "cmd.exe /C ping 1.2.3.4 -n 4 -w 1000 > Nul & cmd.exe /C " fullword wide
 $command005 = "powershell Add-MpPreference -ExclusionPath " fullword wide
 $command006 = "%SystemRoot%\\System32\\termsrv.dll" fullword wide
 condition:
 uint16(0) == 0x5a4d and (10 of ($browser_str0*) or 5 of ($reg_str0*) or 10 of ($str0*) or 5 of ($APIs_st
}
CommandsPermalink
Hex command Description
0xC Terminate a process
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 24 of 27

Hex command Description
0xE start remote shell
2 enumerate processes
4 enumerate disks
6 enumerate files
8 or 0x4A send file to c2
0x22 download and execute
0x1A uninstall the RAT from device
0x1C execute dropped file
0x20 password recovery
0x24 start keylogger
0x26 terminate keylogger
0x28 setup and start RDP
0x4E start RDP
0x3A execute a specific file
0x48 create cmd process inject shellcode
0x4C restart, cleanup, and delete
0x5C take screenShot
0x5E terminate taking screenshot
0x60 compress directory/directories
0x5A terminate recording audio
0x54 record audio
IoCsPermalink
Sample sha256 hash: f65a8af1100b56f2ebe014caeaa5bb2fbbca2da76cb99f3142354e31fbba5c8c
C2: 89.117.76.41:4422
MITRE ATT&CKPermalink
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 25 of 27

I used pestudio PRO tool for helping to draw MITRE ATT&CK.
T1595: Active
Scanning
T1592:
Gather Victim
Host Information
T1589: Gather
Victim Identity
Information
T1590: Gather
Victim Network
Information
T1591:
Gather Victim
Org Information
T1598: Phishing
for Information
T1597: Search
Closed Sources
T1596: Search
Open Technical
Databases
T1593:
Search Open
Websites/Domains
T1594: Search
Victim-Owned
Websites
Reconnaissance
T1650:
Acquire Access
T1583: Acquire
Infrastructure
T1586: Compromise
Accounts
T1584: Compromise
Infrastructure
T1587: Develop
Capabilities
T1585: Establish
Accounts
T1588: Obtain
Capabilities
T1608: Stage
Capabilities
Resource
Development
T1189: Drive-by
Compromise
T1190: Exploit
Public-Facing
Application
T1133: External
Remote Services
T1200: Hardware
Additions
T1566:
Phishing
T1091: Replication
Through
Removable Media
T1195: Supply
Chain Compromise
T1199: Trusted
Relationship
T1078: Valid
Accounts
Initial
Access
T1651: Cloud
Administration
Command
T1059: Command
and Scripting
Interpreter
T1609: Container
Administration
Command
T1610: Deploy
Container
T1203:
Exploitation for
Client Execution
T1559:
Inter-Process
Communication
T1106:
Native API
T1053: Scheduled
Task/Job
T1648: Serverless
Execution
T1129: Shared
Modules
T1072: Software
Deployment Tools
T1569: System
Services
T1204: User
Execution
T1047: Windows
Management
Instrumentation
Execution
T1098: Account
Manipulation
T1197:
BITS Jobs
T1547: Boot or
Logon Autostart
Execution
T1037: Boot or
Logon Initialization
Scripts
T1176: Browser
Extensions
T1554:
Compromise Client
Software Binary
T1136: Create
Account
T1543:
Create or Modify
System Process
T1546:
Event Triggered
Execution
T1133: External
Remote Services
T1574: Hijack
Execution Flow
T1525: Implant
Internal Image
T1556: Modify
Authentication
Process
T1137: Office
Application
Startup
T1542:
Pre-OS Boot
T1053: Scheduled
Task/Job
T1505:
Server Software
Component
T1205: Traffic
Signaling
T1078: Valid
Accounts
Persistence
T1548:
Abuse Elevation
Control Mechanism
T1134:
Access Token
Manipulation
T1547: Boot or
Logon Autostart
Execution
T1037: Boot or
Logon Initialization
Scripts
T1543:
Create or Modify
System Process
T1484:
Domain Policy
Modification
T1611: Escape
to Host
T1546:
Event Triggered
Execution
T1068: Exploitation
for Privilege
Escalation
T1574: Hijack
Execution Flow
T1055: Process
Injection
T1053: Scheduled
Task/Job
T1078: Valid
Accounts
Privilege
Escalation
T1548:
Abuse Elevation
Control Mechanism
T1134:
Access Token
Manipulation
T1197:
BITS Jobs
T1612: Build
Image on Host
T1622: Debugger
Evasion
T1140:
Deobfuscate/Decode
Files or Information
T1610: Deploy
Container
T1006: Direct
Volume Access
T1484:
Domain Policy
Modification
T1480: Execution
Guardrails
T1211:
Exploitation for
Defense Evasion
T1222: File and
Directory Permissions
Modification
T1564: Hide
Artifacts
T1574: Hijack
Execution Flow
T1562: Impair
Defenses
T1070: Indicator
Removal
T1202: Indirect
Command Execution
T1036:
Masquerading
T1556: Modify
Authentication
Process
T1578: Modify
Cloud Compute
Infrastructure
T1112: Modify
Registry
T1601: Modify
System Image
T1599: Network
Boundary Bridging
T1027:
Obfuscated Files
or Information
T1647: Plist
File Modification
T1542:
Pre-OS Boot
T1055: Process
Injection
T1620: Reflective
Code Loading
T1207: Rogue
Domain Controller
T1014:
Rootkit
T1553: Subvert
Trust Controls
T1218:
System Binary
Proxy Execution
T1216:
System Script
Proxy Execution
T1221: Template
Injection
T1205: Traffic
Signaling
T1127: Trusted
Developer Utilities
Proxy Execution
T1535:
Unused/Unsupported
Cloud Regions
T1550: Use Alternate
Authentication
Material
T1078: Valid
Accounts
T1497:
Virtualization/Sandbox
Evasion
T1600: Weaken
Encryption
T1220: XSL
Script Processing
Defense
Evasion
T1557:
Adversary-in-the-Middle
T1110:
Brute Force
T1555:
Credentials from
Password Stores
T1212:
Exploitation for
Credential Access
T1187: Forced
Authentication
T1606: Forge
Web Credentials
T1056: Input
Capture
T1556: Modify
Authentication
Process
T1111: Multi-Factor
Authentication
Interception
T1621: Multi-Factor
Authentication
Request Generation
T1040: Network
Sniffing
T1003:
OS Credential
Dumping
T1528:
Steal Application
Access Token
T1649: Steal or
Forge Authentication
Certificates
T1558:
Steal or Forge
Kerberos Tickets
T1539: Steal Web
Session Cookie
T1552: Unsecured
Credentials
Credential
Access
T1087: Account
Discovery
T1010:
Application
Window Discovery
T1217: Browser
Information
Discovery
T1580: Cloud
Infrastructure
Discovery
T1538: Cloud
Service Dashboard
T1526: Cloud
Service Discovery
T1619:
Cloud Storage
Object Discovery
T1613: Container
and Resource
Discovery
T1622: Debugger
Evasion
T1652: Device
Driver Discovery
T1482: Domain
Trust Discovery
T1083: File
and Directory
Discovery
T1615: Group
Policy Discovery
T1046: Network
Service Discovery
T1135: Network
Share Discovery
T1040: Network
Sniffing
T1201: Password
Policy Discovery
T1120: Peripheral
Device Discovery
T1069: Permission
Groups Discovery
T1057: Process
Discovery
T1012: Query
Registry
T1018: Remote
System Discovery
T1518: Software
Discovery
T1082: System
Information
Discovery
T1614:
System Location
Discovery
T1016: System
Network Configuration
Discovery
T1049: System
Network Connections
Discovery
T1033:
System Owner/User
Discovery
T1007: System
Service Discovery
T1124: System
Time Discovery
T1497:
Virtualization/Sandbox
Evasion
Discovery
T1210:
Exploitation of
Remote Services
T1534: Internal
Spearphishing
T1570: Lateral
Tool Transfer
T1563:
Remote Service
Session Hijacking
T1021: Remote
Services
T1091: Replication
Through
Removable Media
T1072: Software
Deployment Tools
T1080: Taint
Shared Content
T1550: Use Alternate
Authentication
Material
Lateral
Movement
T1557:
Adversary-in-the-Middle
T1560: Archive
Collected Data
T1123: Audio
Capture
T1119: Automated
Collection
T1185: Browser
Session Hijacking
T1115:
Clipboard Data
T1530: Data from
Cloud Storage
T1602: Data from
Configuration
Repository
T1213: Data
from Information
Repositories
T1005: Data from
Local System
T1039:
Data from Network
Shared Drive
T1025: Data from
Removable Media
T1074:
Data Staged
T1114: Email
Collection
T1056: Input
Capture
T1113: Screen
Capture
T1125: Video
Capture
Collection
T1071:
Application
Layer Protocol
T1092: Communication
Through
Removable Media
T1132: Data
Encoding
T1001: Data
Obfuscation
T1568: Dynamic
Resolution
T1573: Encrypted
Channel
T1008: Fallback
Channels
T1105: Ingress
Tool Transfer
T1104:
Multi-Stage
Channels
T1095:
Non-Application
Layer Protocol
T1571:
Non-Standard Port
T1572: Protocol
Tunneling
T1090:
Proxy
T1219: Remote
Access Software
T1205: Traffic
Signaling
T1102:
Web Service
Command
and Control
T1020: Automated
Exfiltration
T1030:
Data Transfer
Size Limits
T1048: Exfiltration
Over Alternative
Protocol
T1041:
Exfiltration
Over C2 Channel
T1011: Exfiltration
Over Other
Network Medium
T1052:
Exfiltration Over
Physical Medium
T1567:
Exfiltration
Over Web Service
T1029: Scheduled
Transfer
T1537:
Transfer Data
to Cloud Account
Exfiltration
T1531: Account
Access Removal
T1485: Data
Destruction
T1486:
Data Encrypted
for Impact
T1565: Data
Manipulation
T1491:
Defacement
T1561:
Disk Wipe
T1499: Endpoint
Denial of Service
T1495: Firmware
Corruption
T1490: Inhibit
System Recovery
T1498: Network
Denial of Service
T1496: Resource
Hijacking
T1489:
Service Stop
T1529: System
Shutdown/Reboot
Impact
Figure MITRE ATT&CK
QuotePermalink
ما كان ذنب السراب إنما دهشة العطىش
مت بحمد الله وتوفيقه ال بعلم وال بعمل
ReferencesPermalink
[QuickNote] Decrypting the C2 configuration of Warzone RAT
WarZone RAT OALABS
Securonix Threat Labs Security Advisory
Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT
WARZONE: BEHIND THE ENEMY LINES
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 26 of 27

Source: https://muha2xmad.github.io/malware-analysis/warzonerat/
https://muha2xmad.github.io/malware-analysis/warzonerat/
Page 27 of 27