[QuickNote] Decrypting the C2 configuration of Warzone RAT
Posted: March 25, 2023 in My Tutorials
Tags: IDA, Malware Analysis, RAT, ReverseEngineering, WarzoneRAT

1. Introduction

Warzone RAT is a remote access trojan that infiltrates a victim's computer and gives attackers remote access to and control over the system. The malware has gained notoriety for its advanced capabilities and its ability to evade detection, which makes it a serious threat to computer security. Warzone RAT is typically spread through phishing emails or other social engineering techniques, where attackers trick victims into downloading and installing the malware on their systems. Once installed, it can perform a variety of malicious actions, including stealing passwords, taking screenshots, and logging keystrokes. It can also download and execute additional malware, giving attackers even more control over the victim's system. One of the key features of Warzone RAT is that it encrypts its configuration data, which makes it harder for analysts to understand how the malware operates.
Currently, there are two variants of the malware in circulation, each using a different method to decode its configuration. The first variant uses standard RC4, while the second uses a modified version of RC4. This modification makes it more challenging to decrypt and analyze the malware's configuration data.

2. Analysis

Sample 1: 00930cccd81e184577b1ffeebf08ee6a32dd0ef416435f551c64d2bcb61d46cf (uses standard RC4)
Sample 2: 61f8bf26e80b6d6a7126d6732b072223dfc94203bb7ae07f493aad93de5fa342 (uses modified RC4)

In Warzone RAT, the configuration is stored in the .bss section of the PE file. The .bss section is normally used for uninitialized data. The configuration has the following layout: [Key length] [RC4 key] [Encrypted data]. Below is an illustration of the configuration stored in the .bss section of both samples.

The steps for locating the configuration and copying it from the .bss section into memory are the same in both samples. The pseudocode is shown below:

The pseudocode of function wzr_decrypt_config is identical in both samples: it extracts the RC4 key and the encrypted data, then uses RC4 to decrypt the configuration. The difference lies in function wzr_perform_rc4.

In sample 1, wzr_perform_rc4 uses standard RC4 to decrypt the configuration. Its pseudocode is shown below:

Thus, we can easily use CyberChef to decode the configuration, or write a Python script to automate this for similar samples.

The pseudocode of wzr_perform_rc4 in sample 2 is shown below. Prior to decryption, it allocates a 250-byte array filled with zeros and copies the extracted rc4_key into it. It then calls the wzr_rc4_crypt function, which uses the modified RC4 algorithm to decrypt the configuration.
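As an added example (not code from the original post or from the malware), the following parses the [Key length] [RC4 key] [Encrypted data] layout described above and decrypts the sample 1 variant with standard RC4. The 4-byte little-endian width of the key-length field is an assumption, and the key and configuration text used below are constructed for the example.

```python
"""Parse a Warzone RAT-style .bss config blob and decrypt it with standard RC4.

Added example, not the original post's code. Layout follows the post:
[Key length][RC4 key][Encrypted data]. Assumption: the key-length field is a
4-byte little-endian DWORD. All sample data below is constructed.
"""
import struct


def rc4_standard(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA), the algorithm the sample 1 variant uses."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm: swap-based permutation
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_bss_config(blob: bytes):
    """Split raw .bss bytes into (rc4_key, encrypted_config).

    Assumption: a 4-byte little-endian key length precedes the key. The
    bounds checks make a truncated or mis-located dump fail loudly instead
    of silently yielding an empty key or ciphertext.
    """
    if len(blob) < 4:
        raise ValueError("blob too short for key-length field")
    (key_len,) = struct.unpack_from("<I", blob, 0)
    if key_len == 0 or 4 + key_len > len(blob):
        raise ValueError(f"implausible key length {key_len}")
    key = blob[4:4 + key_len]
    encrypted = blob[4 + key_len:]
    return key, encrypted


def decrypt_bss_config(blob: bytes) -> bytes:
    """Parse the blob and decrypt the configuration (sample 1 variant)."""
    key, encrypted = parse_bss_config(blob)
    return rc4_standard(key, encrypted)


def build_bss_config(key: bytes, plaintext: bytes) -> bytes:
    """Build a blob in the same layout; RC4 is symmetric, so this is for testing."""
    return struct.pack("<I", len(key)) + key + rc4_standard(key, plaintext)


# Constructed test data: key and configuration text are made up for this example.
CONSTRUCTED_KEY = b"example-rc4-key-0123456789abcdef"
CONSTRUCTED_CONFIG = b"c2.example.invalid:5200\x00"
CONSTRUCTED_BLOB = build_bss_config(CONSTRUCTED_KEY, CONSTRUCTED_CONFIG)

if __name__ == "__main__":
    print(decrypt_bss_config(CONSTRUCTED_BLOB))
```

For a real sample, feed the bytes of the .bss section to decrypt_bss_config; for the sample 2 variant, swap rc4_standard for the modified routine.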
The complete pseudocode of the wzr_rc4_crypt function is as follows:

```c
// Hex-Rays pseudocode of wzr_rc4_crypt (sample 2). The key schedule uses
// XOR-based swaps over a 250-byte key buffer, and the keystream combines
// several S-box lookups with the constant 0xAA.
void __thiscall wzr_rc4_crypt(wzr_rc4_data *rc4_info, _BYTE *data)
{
  idx = 0;
  if ( rc4_info->rc4Sbox )
  {
    if ( rc4_info->rc4_key_250b )
    {
      // Identity S-box: S[i] = i
      rc4_info->counter2 = 0;
      LOBYTE(i) = 0;
      rc4_info->counter1 = 0;
      do
      {
        rc4_info->rc4Sbox[i] = rc4_info->counter1;
        i = rc4_info->counter1 + 1;
        rc4_info->counter1 = i;
      }
      while ( i < 256 );
      rc4_info->counter1 = 0;
      // Key schedule (non-standard): key indexed modulo 250, XOR swap
      for ( i = 0; i < 256; rc4_info->counter1 = i )
      {
        rc4Sbox = rc4_info->rc4Sbox;
        rc4_info->counter2 += rc4Sbox[i] + rc4_info->rc4_key_250b[i % 250];
        rc4Sbox[i] ^= rc4Sbox[rc4_info->counter2];
        // swap values
        rc4_info->rc4Sbox[LOBYTE(rc4_info->counter2)] ^= rc4_info->rc4Sbox[LOBYTE(rc4_info->counter1)];
        rc4_info->rc4Sbox[LOBYTE(rc4_info->counter1)] ^= rc4_info->rc4Sbox[LOBYTE(rc4_info->counter2)];
        i = rc4_info->counter1 + 1;
      }
      rc4_info->counter1 = 0;
      rc4_info->counter2 = 0;
      // Decrypt data
      if ( rc4_info->data_length )
      {
        j = 0;
        do
        {
          rc4_info->counter1 = j + 1;
          rc4Sbox = rc4_info->rc4Sbox;
          k = (j + 1);
          rc4Sbox_value1 = rc4Sbox[k];
          rc4_info->counter2 += rc4Sbox_value1;
          rc4Sbox_value1_ = rc4Sbox_value1;
          rc4Sbox_value2 = rc4Sbox[rc4_info->counter2];
          rc4Sbox[k] = rc4Sbox_value2;
          rc4_info->rc4Sbox[LOBYTE(rc4_info->counter2)] = rc4Sbox_value1;
          rc4Sbox_ = rc4_info->rc4Sbox;
          // Keystream byte: several S-box lookups combined, one index XORed with 0xAA
          data[idx] ^= rc4Sbox_[(rc4_info->counter2 + rc4Sbox_value2)]
                     ^ (rc4Sbox_[(rc4Sbox_value2 + rc4Sbox_value1_)]
                        + rc4Sbox_[(rc4Sbox_[((0x20 * rc4_info->counter2) ^ (rc4_info->counter1 >> 3))]
                                    + rc4Sbox_[((0x20 * rc4_info->counter1) ^ (rc4_info->counter2 >> 3))]) ^ 0xAA]);
          j = ++rc4_info->counter1;
          ++idx;
        }
        while ( idx < rc4_info->data_length );
      }
    }
  }
}
```

With the pseudocode above, we can rewrite the decryption routine in Python as follows. This is the code I wrote; you can write it your own way as long as it performs the task correctly.
```python
# Refs: https://stackoverflow.com/questions/9433541/movsx-in-python
def SIGNEXT(x, b):
    # Sign-extend the b-bit value x: the decompiled code treats S-box bytes as signed.
    m = (1 << (b - 1))
    x = x & ((1 << b) - 1)
    return ((x ^ m) - m)


# This routine is responsible for decrypting the stored C2.
def rc4_customized_decryptor(data, key):
    # The malware copies the extracted key into a 250-byte zero-filled array,
    # so pad the key the same way (the key schedule below indexes it modulo 250).
    key = bytes(key).ljust(250, b"\x00")
    idx = 0
    counter1 = 0
    counter2 = 0
    # Initialize RC4 S-box
    rc4Sbox = list(range(256))
    # Modify RC4 S-box (non-standard key schedule with XOR-based swaps)
    for i in range(256):
        counter2 += (rc4Sbox[i] + key[i % 250])
        counter2 = counter2 & 0x000000FF
        rc4Sbox[i] ^= rc4Sbox[counter2]
        rc4Sbox[counter2 & 0xFF] ^= rc4Sbox[counter1 & 0xFF]
        rc4Sbox[counter1 & 0xFF] ^= rc4Sbox[counter2 & 0xFF]
        counter1 = i + 1
    # Decrypt data
    counter1 = 0
    counter2 = 0
    j = 0
    decrypted = []
    while idx < len(data):
        counter1 = j + 1
        # counter1 is truncated to a byte when used as an S-box index (LOBYTE in the
        # pseudocode); without the mask this would go out of range on data > 255 bytes.
        k = (j + 1) & 0xFF
        rc4Sbox_value1 = rc4Sbox[k]
        counter2 += (SIGNEXT(rc4Sbox_value1, 8) & 0xFFFFFFFF)
        rc4Sbox_value1_ = (SIGNEXT(rc4Sbox_value1, 8) & 0xFFFFFFFF)
        rc4Sbox_value2 = rc4Sbox[counter2 & 0x000000FF]
        rc4Sbox[k] = rc4Sbox_value2
        rc4Sbox[(counter2 & 0x000000FF)] = rc4Sbox_value1
        tmp1 = rc4Sbox[((0x20 * counter1) ^ (counter2 >> 3)) & 0x000000FF]
        tmp2 = rc4Sbox[((0x20 * counter2) ^ (counter1 >> 3)) & 0x000000FF]
        tmp3 = rc4Sbox[((tmp1 + tmp2) & 0x000000FF) ^ 0xAA]
        tmp4 = rc4Sbox[(rc4Sbox_value2 + rc4Sbox_value1_) & 0x000000FF]
        tmp5 = (tmp3 + tmp4) & 0x000000FF
        tmp6 = rc4Sbox[(counter2 + rc4Sbox_value2) & 0x000000FF]
        decrypted.append(data[idx] ^ (tmp5 ^ tmp6))
        counter1 += 1
        j = counter1
        idx += 1
    return bytes(decrypted)
```

Below are the results of using the Python script to extract the configuration of Warzone RAT from the samples used in this article.

3. End

The article concludes here. I hope it provides useful information when you analyze the Warzone RAT malware. To protect against Warzone RAT and other types of malware, users should take precautions such as being cautious when opening email attachments, using strong passwords, and keeping their software up to date. It is also important to use antivirus software and to keep it updated regularly.
By taking these steps, users can help protect themselves against the threat of Warzone RAT and other types of malware.

4. Refs

https://research.openanalysis.net/warzone/malware/config/2021/05/31/warzone_rat_config.html
https://exploitreversing.files.wordpress.com/2022/11/mas_6-1.pdf