{
	"id": "c41ee29d-7296-41ed-af58-223f16b02696",
	"created_at": "2026-04-06T00:08:18.979075Z",
	"updated_at": "2026-04-10T13:12:37.545899Z",
	"deleted_at": null,
	"sha1_hash": "41f454ba6a0231e51eea933242c53b15f1b87951",
	"title": "QakBOT v5 Deep Malware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1061618,
	"plain_text": "QakBOT v5 Deep Malware Analysis\r\nBy Mohamed Ezzat\r\nPublished: 2024-05-26 · Archived: 2026-04-05 15:06:49 UTC\r\n17 minute read\r\nMeet Qakbot\r\nQakBot, also recognized as QBot, QuackBot, and Pinkslipbot, has been operational for years, initially as a financial malware targeting governments and businesses for financial fraud by pilfering user credentials and keystrokes.\r\nOver time, it has evolved into a malware dropper that spreads to other systems on the network and exfiltrates sensitive information. The threat group has updated its code-base to support 64-bit versions of Windows, enhanced its encryption algorithms, and added further obfuscation techniques. With the release of Qakbot version 5.0, the string encryption algorithm underwent a significant change. While strings are still encrypted using a simple XOR key, the key is no longer hard-coded in the data section. Instead, it is encrypted with AES.\r\nTechnical Points\r\n1. Qakbot uses API hashing to hide its imports. It uses CRC32 hashing, along with another layer of XORing with a hard-coded key. It parses the DLLs loaded in memory and reads their export tables. As a result, Qakbot can resolve imported APIs and build its IAT.\r\n2. Qakbot comes with encrypted strings inside the .data section. These strings are encrypted using an XOR key, and that key is itself encrypted using the AES algorithm.\r\n3. Environment Detection: Qakbot includes checks to detect whether it is running in a virtual machine or sandbox environment, which are commonly used for malware analysis. If such conditions are detected, Qakbot may change its behavior or terminate itself to avoid detection.\r\n4. Configuration Extraction: Qakbot comes with an AES-encrypted configuration. This configuration contains details related to the malicious campaign and the C2 servers the malware will communicate with for further commands.\r\n5. 
C2 Communication: After extracting its C2 list, Qakbot establishes a connection with its C2 servers to receive commands for downloading and executing additional modules, updating configuration values, and exfiltrating gathered information from the infected system.\r\n6. Qakbot gathers comprehensive information about the compromised host to send to its C2 server and create a unique victim fingerprint. This includes OS version, domain trusts, computer name, username, screen resolution, system time, system uptime, and bot uptime. It mainly relies on Windows Management Instrumentation (WMI) to collect details such as hardware ID, installed languages, and installed programs.\r\nSample Basic Information\r\nhttps://zw01f.github.io/malware%20analysis/qakbot/\r\nPage 1 of 22\n\nSHA-256: af6a9b7e7aefeb903c76417ed2b8399b73657440ad5f8b48a25cfe5e97ff868f\r\nFile type: Win DLL\r\nTarget Machine: x64\r\nCreation Time: 2024-01-29 13:43:37 UTC\r\nFirst Seen In The Wild: 2024-02-07 10:12:50 UTC\r\nFigure(1): sample on VirusTotal\r\nAnti Analysis\r\nAPI Resolution\r\nQakBot uses Windows API hashing (dynamic API resolution) to evade signature-based anti-malware scanners and make static analysis harder.\r\nFigure(2): API hashes\r\nWe can tell from the algorithm constants that Qakbot uses the CRC32 hash algorithm, with another layer of XORing on top. Here are the steps in some detail:\r\nThe DLL name is decrypted by XORing with the hard-coded key 0xA235CB91. After decryption, a handle to the DLL is obtained. This handle is then passed to a function that iterates over the DLL’s exported functions. 
A function resolves the addresses of the exports by iterating over the export table of the module, hashing the name of each export using CRC32, and comparing the result with a hard-coded CRC32 hash to determine whether it has found the correct address.\r\nFigure(3): API resolving steps\r\nWith knowledge of the algorithm name and XOR key, we can use the awesome HashDB plugin from OALabs, which performs string hash lookups against a remote database.\r\nFigure(4): HashDB result\r\nOnce the HashDB plugin resolves all API names, we create structures to store the API lists from each DLL. This simplifies our workflow and makes analysis easier.\r\nFigure(5): populated IAT\r\nDefeating encrypted Strings\r\nQakbot strings are obfuscated, making analysis more difficult, so the next step is to decrypt them.\r\nDecryption routine\r\nThis version decrypts the strings with an XOR key just like the earlier versions, but this XOR key is itself encrypted using the AES algorithm.\r\nIt first calculates a SHA-256 hash of aes_key_ref and uses the calculated hash as the AES key, then decrypts the enc_xor_key blob using AES in CBC mode to obtain dec_xor_key.\r\nFigure(6): The XOR key decryption process\r\nThe final step is to use dec_xor_key to decrypt the string array.\r\nFigure(7): String decryption process\r\nWriting a decryption script\r\nWe can now write an IDAPython script to decrypt the strings and add them as comments to the code, making analysis easier. Here are some notes before the script:\r\nThe first 16 bytes of enc_xor_key are used as the AES IV.\r\nThere are two encrypted string tables used.\r\nThere are two decryption functions with 4 wrappers.\r\nThe wrapper function decrypts the string array and selects the string based on an index 
[the only argument].\r\nFigure(8): Index pattern used in script\r\n#--------------- imports --------------------#\r\nimport hashlib\r\nfrom Crypto.Cipher import AES\r\nfrom Crypto.Util.Padding import unpad\r\nimport idautils\r\nimport idc\r\n#------------- helper ------------------------#\r\ndef hex_to_int(x):\r\n    # IDA prints immediates either as plain decimals ('5') or as hex with an 'h' suffix ('0Ah')\r\n    if type(x) == int:\r\n        return x\r\n    if x.endswith('h'):\r\n        return int(x[:-1], 16)\r\n    return int(x, 0)\r\ndef search_by_index(table, ind):\r\n    # the index is a byte offset into the decrypted table; the string runs up to the next NUL\r\n    return table[ind:].split('\\x00')[0]\r\n#------------- IDA py ------------------------#\r\ndef read_data_ida(address, size):\r\n    data = idc.get_bytes(address, size)\r\n    return data\r\ndef set_comment(address, text):\r\n    idc.set_cmt(address, text, 0)\r\n#------------ Decryption ---------------------#\r\ndef calculate_sha256(input_data):\r\n    sha256_hash = hashlib.sha256()\r\n    sha256_hash.update(input_data)\r\n    hash_hex = sha256_hash.digest()\r\n    return hash_hex\r\ndef aes_decrypt(ciphertext, key, iv):\r\n    cipher = AES.new(key, AES.MODE_CBC, iv)\r\n    plaintext = cipher.decrypt(ciphertext)\r\n    unpadded_plaintext = unpad(plaintext, AES.block_size)\r\n    return unpadded_plaintext\r\ndef xor_decrypt(data, key):\r\n    dec_data = ''\r\n    for i in range(len(data)):\r\n        dec_data += chr(data[i] ^ key[i % len(key)])\r\n    return dec_data\r\ndef full_dec(enc_str, enc_xor_key, aes_key_init):\r\n    # SHA-256 of the key reference is the AES key; the first 16 bytes of the blob are the IV\r\n    aes_key = calculate_sha256(aes_key_init)\r\n    dec_xor_key = aes_decrypt(enc_xor_key[16:], aes_key, enc_xor_key[:16])\r\n    dec_str = xor_decrypt(enc_str, dec_xor_key)\r\n    return dec_str\r\n#----------- Decrypt enc str tbl 1 -------------#\r\nenc_str_1 , enc_xor_key_1 , aes_key_init_1 = read_data_ida(0x1800297A0 , 0x1836) , read_data_ida(0x18002AFE0,0xA\r\ntbl_1 = full_dec(enc_str_1,enc_xor_key_1,aes_key_init_1)\r\n#----------- Decrypt enc str tbl 2 -------------#\r\nenc_str_2 , enc_xor_key_2 , aes_key_init_2 = read_data_ida(0x1800282A0 , 0x5AD) , read_data_ida(0x1800281C0,0xD0\r\ntbl_2 = 
full_dec(enc_str_2,enc_xor_key_2,aes_key_init_2)\r\n#--\u003e pattern used: mov ecx , immediate_val\r\ndef do_magic(table, references):\r\n    for ref in references:\r\n        # walk back up to three instructions from the call looking for the 'mov ecx, <index>' pattern\r\n        prev_instruction_address = idc.prev_head(ref)\r\n        found = False\r\n        for _ in range(3):\r\n            if (idc.print_insn_mnem(prev_instruction_address) == 'mov' and\r\n                    idc.print_operand(prev_instruction_address, 0) == 'ecx'):\r\n                ind = idc.print_operand(prev_instruction_address, 1)\r\n                set_comment(ref, search_by_index(table, hex_to_int(ind)))\r\n                found = True\r\n                break\r\n            prev_instruction_address = idc.prev_head(prev_instruction_address)\r\n        if not found:\r\n            print('not working', hex(ref))\r\nreference_1 = list(idautils.CodeRefsTo(idc.get_name_ea_simple(\"wrap_mw_decrpyion_fun_1\"), 0))  #codeRefs-to need\r\nreference_1 = reference_1 + list(idautils.CodeRefsTo(idc.get_name_ea_simple('wrap_2_mw_decrpyion_fun_1'), 0))\r\nreference_2 = list(idautils.CodeRefsTo(idc.get_name_ea_simple('wrap_2_mw_decrpyion_fun_2'), 0))\r\nreference_2 = reference_2 + list(idautils.CodeRefsTo(idc.get_name_ea_simple('wrap_mw_decrpyion_fun_2'), 0))\r\ndef main():\r\n    do_magic(tbl_1, reference_1)\r\n    do_magic(tbl_2, reference_2)\r\nif __name__ == '__main__':\r\n    main()\r\nFigure(9): IDA python script result\r\nYou can get the full decrypted strings list from here\r\nEmulation Check\r\nQakbot uses the GetFileAttributesW function to check for the folder \"C:\\INTERNAL__empty\". If this directory exists, it suggests that the environment might be used for 
analysis, such as Microsoft Defender emulation or a sandbox, and the process will then terminate itself.\r\nFigure(10): emulation check\r\nChecking Processes\r\nQakbot loops through the running processes on the system and compares their executable names against well-known static and dynamic malware analysis tools.\r\nFigure(11): Qakbot searches for analysis tool processes\r\nProcess list (excerpt):\r\n  wireshark.exe\r\n  filemon.exe\r\n  procmon.exe\r\n  idaq64.exe\r\n  tcpview.exe\r\nAnti VM\r\nQakbot uses Windows Management Instrumentation (WMI), a system management technology used to administer remote systems and provide comprehensive data about the operating system, hardware, and installed software on a computer.\r\nIt uses WMI queries to gather system information, including details about virtualization. It queries classes such as Win32_ComputerSystem, Win32_Bios, Win32_DiskDrive, or Win32_PhysicalMemory, then checks the results for patterns indicative of virtualized environments. These patterns include known manufacturer or model strings associated with virtualization platforms.\r\nBelow are the classes and their corresponding checked values:\r\nClass: Checked Values\r\nWin32_ComputerSystem: MS_VM_CERT, VMware, Virtual Machine\r\nWin32_Bios: VRTUAL, VMware, VMW, Xen\r\nWin32_DiskDrive: VMware, PROD_VIRTUAL_DISK, VIRTUAL-DISK, XENSRC, 20202020\r\nWin32_PhysicalMemory: VMware, VMW, QEMU\r\nWin32_PnPEntity: QEMU, VMware Pointing, VMware Accelerated, VMware SCSI, ...\r\nQakbot also searches for ‘vmnat’, a process initiated by VMware upon startup. 
‘vmnat’ manages communication in the Network Address Translation (NAT) network set up with the guest machine.\r\nQakbot’s C2 Functionality\r\nMalware needs to connect to C2 servers to execute remote commands, update its code, and exfiltrate stolen data. Before doing so, it needs to extract its C2 list from an encrypted configuration.\r\nQakbot, in this version, contains an embedded AES-encrypted configuration within its .data section.\r\nFigure(12): Encrypted configuration\r\nThe AES decryption method used is the same as the one we’ve seen for decrypting strings. The key is SHA-256 hashed before attempting the decryption, and the first 16 bytes of the encrypted blob are used as the IV. The resulting key is then used to decrypt the rest of the encrypted data.\r\nFigure(13): Decrypt the campaign INFO\r\nWith the same method and key, Qakbot decrypts its C2 list.\r\nFigure(14): Decrypt the C2 list\r\nWith this information, we can reuse our string decryption script with some edits to recover the configuration. Notice that:\r\nThe first 32 bytes of the decrypted data are a SHA-256 hash used for integrity verification: it lets the malware confirm that the configuration data that follows is authentic and has not been altered.\r\nWe can see the output of the script (configuration).\r\nFigure(15): the decrypted configuration the malware uses\r\nC2 communication\r\nQakBot mainly uses HTTP for C2 communication. 
The malware communicates with its C2 servers using AES-encrypted payloads, which are then Base64-encoded.\r\nFigure(16): C2 communication function\r\nFigure(17): AES encryption and the key used during C2 communication\r\nGather system INFO\r\nPart of QakBOT’s communication with its command and control is sending information about the computer. QakBot gathers computer information using a combination of Windows API calls, shell commands, and Windows Management Instrumentation (WMI) queries. This approach allows it to collect various details about the system, including hardware, software, and configuration data. By using these methods together, QakBot obtains a comprehensive overview of the target computer’s setup and specifications.\r\nWMI Queries Used\r\nQakbot builds each WMI query by concatenating strings, then executes the queries to retrieve critical data and obtain a comprehensive overview of the system’s configuration and installed security measures.\r\nFigure(18): Qakbot creates WMI queries\r\nHere are the WMI classes targeted, the properties queried, and the information they retrieve:\r\nClass (Properties): Result\r\nWin32_OperatingSystem (Caption): OS info [name and version]\r\nAntiVirusProduct (*): Information about antivirus products installed on the system\r\nWin32_Processor (*): Information about the processor\r\nWin32_ComputerSystem (*): Information about the computer system, including its hardware configuration, such as the manufacturer, model, system type, number of processors, and memory\r\nWin32_Bios (*): Details about the computer’s BIOS, like its version, manufacturer, and release date\r\nWin32_DiskDrive (*): Information about the disk drives installed on the computer, including their model, 
manufacturer, interface type, capacity\r\nWin32_PhysicalMemory (*): Details about the physical memory modules in use, including their capacity, speed, and manufacturer\r\nWin32_Product (Caption, Description, Vendor, Version, InstallDate, InstallSource, PackageName): Information about installed software, including its name, description, vendor, version, installation date, installation source, and package name\r\nWin32_PnPEntity (Caption, Description, DeviceID, Manufacturer, Name, PNPDeviceID, Service, Status): Details about Plug and Play devices, such as their name, description, device ID, manufacturer, PnP device ID, service, and status\r\nWindows command line\r\nQakbot creates anonymous pipes to execute various built-in command-line tools as child processes, enabling it to retrieve information about the compromised system’s environment.\r\nFigure(19): execute command-line tools\r\nHere is the list of commands that can be used to gather information about the system:\r\nWindows Command: Output\r\nipconfig /all: Displays detailed configuration information about all network interfaces.\r\nwhoami /all: Displays user, group, and privileges information for the current user.\r\nnltest /domain_trusts /all_trusts: Lists all domain trusts established with the current domain.\r\nqwinsta: Lists information about all Remote Desktop sessions on the local system.\r\nnslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s: Performs a DNS lookup for LDAP service records for the specified domain controller.\r\nnet share: Lists information about shared resources on the local system.\r\nnet localgroup: Lists information about local groups on the local system.\r\nnetstat -nao: Lists active network connections and associated processes.\r\nnet view: Lists information about shared resources on 
remote systems.\r\nroute print: Displays the IP routing table for the local system.\r\narp -a: Displays the ARP cache, which contains mappings of IP addresses to MAC addresses.\r\nAdditionally, it uses Windows API calls to get other system details such as the computer name, screen size, AD domain info, user name, processor details, whether it is a 32-bit or 64-bit Windows, and the operating system version, along with the respective full paths.\r\nCollect Antivirus Information\r\nQakbot checks for specific antivirus programs like Kaspersky, Avast, Norton, etc. to see whether any antivirus software is active on the system. It does this by scanning running programs and looking for related processes from these vendors.\r\nThis list shows which antivirus vendor is associated with each process:\r\nProcesses: Related Vendor\r\nccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe: Norton Security\r\navgcsrvx.exe;avgsvcx.exe;avgcsrva.exe: AVG Antivirus\r\nMsMpEng.exe: Microsoft Defender Antivirus\r\navp.exe;kavtray.exe: Kaspersky Antivirus\r\ncoreServiceShell.exe;PccNTMon.exe;NTRTScan.exe: Trend Micro Antivirus\r\nfshoster32.exe: F-Secure Antivirus\r\nfmon.exe: FortiClient Antivirus\r\negui.exe;ekrn.exe: ESET\r\nbdagent.exe;vsserv.exe;vsservppl.exe: Bitdefender\r\nAvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe: Avast\r\nSophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe: Sophos\r\nWRSA.exe: Webroot SecureAnywhere\r\nvkise.exe;isesrv.exe;cmdagent.exe: Kaspersky\r\nByteFence.exe: ByteFence\r\nMBAMService.exe;mbamgui.exe: Malwarebytes\r\nmcshield.exe: McAfee\r\ndwengine.exe;dwarkdaemon.exe;dwwatcher.exe: Datawatch\r\nSentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;…: SentinelOne\r\nSonicWallClientProtectionService.exe;SWDash.exe: 
SonicWall\r\nCynetEPS.exe;CynetMS.exe;CynetConsole.exe: Cynet\r\nCSFalconService.exe;CSFalconContainer.exe: CrowdStrike Falcon\r\nExecuting C2 Commands\r\nAfter establishing communication, the C2 server sends commands to be executed. These commands are represented as integer values or indexes.\r\nFigure(20): The list of the C2 commands used by Qakbot\r\nProcess Hollowing\r\nQakBot selects a system process for process hollowing based on the machine’s architecture (32-bit or 64-bit) and the installed antivirus software.\r\nThe list includes the following system processes (excerpt):\r\n  %SystemRoot%\\SysWOW64\\AtBroker.exe\r\n  %SystemRoot%\\System32\\AtBroker.exe\r\n  %SystemRoot%\\SysWOW64\\xwizard.exe\r\n  %SystemRoot%\\System32\\xwizard.exe\r\n  %SystemRoot%\\SysWOW64\\explorer.exe\r\nIt first calls the CreateProcessW() API with the CREATE_SUSPENDED flag to start a new process in a suspended state.\r\nFigure(21): create a suspended process\r\nThen it allocates virtual memory in the target process, writes data into the allocated region, and modifies the memory protection to allow execution.\r\nNext, it retrieves the context of the thread and modifies it to set the instruction pointer (EIP/RIP register) to the entry point of the injected code.\r\nIt finally calls the ResumeThread() API to resume the new process.\r\nPersistence\r\nQakBot sets itself to run on system reboot through a registry entry or a Scheduled Task.\r\nFigure(22): Persistence function\r\nConclusion\r\nQakbot is an advanced malware with regular updates and strong anti-analysis measures, ensuring it remains a persistent threat with a wide range of capabilities and techniques.\r\nYARA 
Rule\r\nrule detect_Qakbot_v5\r\n{\r\n    meta:\r\n        description = \"just a rule for Qakbot v5\"\r\n        author = \"Mohamed Ezzat (@ZW01f)\"\r\n        hash1 = \"af6a9b7e7aefeb903c76417ed2b8399b73657440ad5f8b48a25cfe5e97ff868f\"\r\n        hash2 = \"59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35\"\r\n    strings:\r\n        $s1 = \"\\\\u%04X\\\\u%04X\" ascii wide\r\n        $s2 = \"%u;%u;%u\" ascii wide\r\n        $s3 = \"CfGetPlatformInfo\" ascii wide\r\n        $p1 = {45 33 C0 E8 ?? ?? ?? ?? 35 91 CB 35 A2 41 3B C7}\r\n        $p2 = { 0F B6 01 48 FF C1 44 33 C0 41 8B C0 41 C1 E8 04 83 E0 0F 44 33 04 82 41 8B C0 41 C1 E8 04 83 E0\r\n    condition:\r\n        uint16(0) == 0x5A4D and all of ($p*) and (2 of ($s*)) and filesize \u003c 500KB\r\n}\r\nThis Python script is used to extract the configuration of the Qakbot malware:\r\nOpen the binary file.\r\nGet the .data section.\r\nExtract the key and the encrypted configuration data.\r\nSHA-256 hash the extracted key to get the final key.\r\nUse the key to decrypt the configuration.\r\nParse the decrypted configuration to extract useful information.\r\n#--------------- imports --------------------#\r\nimport hashlib\r\nfrom Crypto.Cipher import AES\r\nfrom Crypto.Util.Padding import unpad\r\nimport socket\r\nfrom datetime import datetime\r\nimport pytz\r\n#------------- helper ------------------------#\r\ndef extract_data(filename):  # returns the raw content of the \".data\" section
\r\n    import pefile\r\n    pe = pefile.PE(filename)\r\n    for section in pe.sections:\r\n        if '.data' in section.Name.decode(encoding='utf-8').rstrip('\\x00'):\r\n            return section.get_data(section.VirtualAddress, section.SizeOfRawData)\r\ndef tohex(data):\r\n    import binascii\r\n    if type(data) == str:\r\n        return binascii.hexlify(data.encode('utf-8'))\r\n    else:\r\n        return binascii.hexlify(data)\r\ndef get_ip(ip_binary):\r\n    # Convert the 4-byte network-order address to a dotted-quad string\r\n    ip_str = socket.inet_ntoa(ip_binary)\r\n    return ip_str\r\n#------------ Decryption ---------------------#\r\ndef calculate_sha256(input_data):\r\n    sha256_hash = hashlib.sha256()\r\n    sha256_hash.update(input_data)\r\n    hash_hex = sha256_hash.digest()\r\n    return hash_hex\r\ndef aes_decrypt(ciphertext, key, iv):\r\n    cipher = AES.new(key, AES.MODE_CBC, iv)\r\n    plaintext = cipher.decrypt(ciphertext)\r\n    unpadded_plaintext = unpad(plaintext, AES.block_size)\r\n    return unpadded_plaintext\r\ndef full_dec(enc_str, aes_key_init):\r\n    # SHA-256 of the embedded key is the AES key; bytes 1..16 of the blob are the IV, the rest is ciphertext\r\n    aes_key = calculate_sha256(aes_key_init)\r\n    dec_str = aes_decrypt(enc_str[17:], aes_key, enc_str[1:17])\r\n    return dec_str\r\ndef parse_camp(input_str):\r\n    # campaign info is a CRLF-separated list of key=value lines\r\n    lines = input_str.strip().split(b'\\r\\n')\r\n    parsed_data = {}\r\n    for line in lines:\r\n        key, value = line.split(b'=', 1)\r\n        parsed_data[key] = value\r\n    timestamp = int(parsed_data[b'3'])\r\n    dt_obj = pytz.utc.localize(datetime.utcfromtimestamp(timestamp))\r\n    print(f\"Botnet ID : {parsed_data[b'10'].decode()}\")\r\n    print(f\"b'40' : {parsed_data[b'40'].decode()}\")\r\n    print(f\"Campaign Timestamp : {dt_obj}\")\r\ndef parse_c2(dec_ips):\r\n    # entries are 8 bytes apart: skip the first byte, then a 4-byte IPv4 address and a 2-byte big-endian port\r\n    splitted_data = [dec_ips[i:i+7] for i in range(1, len(dec_ips), 8)]\r\n    for i, data in enumerate(splitted_data):\r\n        ip = get_ip(data[:4])\r\n        port = int(tohex(data[4:6]), 16)\r\n        print('IP[{0}] = {1}:{2}'.format(i, ip, port))\r\ndef main():\r\n    file_name = input(\"enter the file path: \")\r\n    # The config data 
begins at these offsets inside the .data section\r\n    enc_ips_rva = 0x852 ; size_rva = 0x850 ; enc_config_rva = 0x1022\r\n    data_section = extract_data(file_name)  # read the .data section\r\n    size = ord(data_section[size_rva:size_rva+1])\r\n    enc_config_ips = data_section[enc_ips_rva:enc_ips_rva+size]\r\n    enc_config = data_section[enc_config_rva:enc_config_rva+size]\r\n    init_key = b'T2X!wWMVH1UkMHD7SBdbgfgXrNBd(5dmRNbBI9'\r\n    campaign_info = full_dec(enc_config, init_key)\r\n    dec_c2 = full_dec(enc_config_ips, init_key)\r\n    print('##------------------- Campaign Info -------------------##')\r\n    print('sha256 :', tohex(campaign_info[:32]))\r\n    print('#--------------------------------------#')\r\n    parse_camp(campaign_info[32:])\r\n    print('##------------------- Qakbot c2 -------------------##')\r\n    print('sha256 :', tohex(dec_c2[:32]))\r\n    print('#--------------------------------------#')\r\n    parse_c2(dec_c2[32:])\r\n\r\nif __name__ == '__main__':\r\n    main()\r\nSource: https://zw01f.github.io/malware%20analysis/qakbot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://zw01f.github.io/malware%20analysis/qakbot/"
	],
	"report_names": [
		"qakbot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434098,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41f454ba6a0231e51eea933242c53b15f1b87951.pdf",
		"text": "https://archive.orkl.eu/41f454ba6a0231e51eea933242c53b15f1b87951.txt",
		"img": "https://archive.orkl.eu/41f454ba6a0231e51eea933242c53b15f1b87951.jpg"
	}
}