{
	"id": "fca30e0b-e5fe-488a-abc4-5cfd2e5dd232",
	"created_at": "2026-04-06T00:11:40.243994Z",
	"updated_at": "2026-04-10T13:12:54.539302Z",
	"deleted_at": null,
	"sha1_hash": "43147f2681f1bdcba0550c665faaad6d57d1a1e0",
	"title": "[QuickNote] Qakbot 5.0 – Decrypt strings and configuration",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84612,
	"plain_text": "[QuickNote] Qakbot 5.0 – Decrypt strings and configuration\r\nPublished: 2024-04-24 · Archived: 2026-04-05 15:50:14 UTC\r\nIn this new sample, the threat actor has updated Qakbot’s codebase to support 64-bit versions of Windows.\r\nHere is the pseudocode for the string decryption functions in the 64-bit and 32-bit versions:\r\nAs the pictures show, the decryption process in the 64-bit version is similar to the previous version. However, the\r\ndifference is that the xor_key_blob in this new version has been encrypted. Therefore, before performing the\r\ndecryption of the original string, it will call the qbot_decrypt_xor_key_blob function (0x180011504), which I\r\nhave circled in red above, to decrypt the original xor_key_blob.\r\n(1) Calculates the SHA256 hash for the blob data at addresses 0x180029700 (0x9F bytes) and 0x180028150\r\n(0x63 bytes) and uses the calculated hash values as the AES key.\r\n(2) The first 16 bytes of the enc_xor_key_blob at addresses 0x18002AFE0 (0xA0 bytes) and 0x1800281C0\r\n(0xD0 bytes) are used as the AES IV:\r\n(3) Decrypts the encrypted blob data (except for the first 16 bytes used as the AES IV) using AES in CBC mode.\r\nThe result is the xor_key_blob used to decrypt the strings.\r\nWith the decrypted xor_key_blob above, we can write a complete IDAPython script to decrypt the strings and\r\nadd comments related to the decrypted strings to facilitate the analysis of Qakbot code.\r\nHere is my IDAPython script (Don’t blame my code if you don’t want your eyes to bleed :), just wanted to share it in\r\ncase someone needs to use it for reference.)\r\n[+] Decrypt all strings with index boundary is 0x1836\r\nindex: 0x0, decrypted string: %SystemRoot%\\SysWOW64\\xwizard.exe\r\nindex: 0x22, decrypted string: .dat\r\nindex: 0x27, decrypted string: kernelbase.dll\r\nindex: 0x36, decrypted string: WBJ_IGNORE\r\nindex: 0x41, decrypted string: mpr.dll\r\nindex: 0x49, decrypted string: %SystemRoot%\\explorer.exe\r\nindex: 0x63, 
decrypted string: %SystemRoot%\\System32\\CertEnrollCtrl.exe\r\nindex: 0x8c, decrypted string: https\r\nindex: 0x92, decrypted string: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;Sen\r\nindex: 0x104, decrypted string: open\r\nindex: 0x109, decrypted string: root\\SecurityCenter2\r\nindex: 0x11e, decrypted string: %SystemRoot%\\SysWOW64\\SndVol.exe\r\nindex: 0x13f, decrypted string: %u.%u.%u.%u.%u.%u.%04x\r\nindex: 0x156, decrypted string: 1234567890\r\nindex: 0x161, decrypted string: %SystemRoot%\\System32\\Utilman.exe\r\nindex: 0x183, decrypted string: snxhk_border_mywnd\r\nhttps://kienmanowar.wordpress.com/2024/04/24/quicknote-qakbot-5-0-decrypt-strings-and-configuration/\r\nPage 1 of 7\n\nindex: 0x196, decrypted string: %SystemRoot%\\SysWOW64\\wextract.exe\r\nindex: 0x1b9, decrypted string: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe\r\nindex: 0x1df, decrypted string: Win32_PhysicalMemory\r\nindex: 0x1f4, decrypted string: Caption\r\nindex: 0x1fc, decrypted string: ByteFence.exe\r\nindex: 0x20a, decrypted string: aswhooka.dll\r\nindex: 0x217, decrypted string: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe\r\nindex: 0x242, decrypted string: %SystemRoot%\\SysWOW64\\grpconv.exe\r\nindex: 0x264, decrypted string: VRTUAL;VMware;VMW;Xen\r\nindex: 0x27a, decrypted string: SELECT * FROM AntiVirusProduct\r\nindex: 0x299, decrypted string: %s\\%08X.dll\r\nindex: 0x2a5, decrypted string: wininet.dll\r\nindex: 0x2b1, decrypted string: avp.exe;kavtray.exe\r\nindex: 0x2c5, decrypted string: rundll32.exe\r\nindex: 0x2d3, decrypted string: Create\r\nindex: 0x2da, decrypted string: WQL\r\nindex: 0x2de, decrypted string: %SystemRoot%\\System32\\sethc.exe\r\nindex: 0x2fe, decrypted string: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.ex\r\nindex: 0x351, decrypted string: Software\\Classes\r\nindex: 0x362, decrypted string: vkise.exe;isesrv.exe;cmdagent.exe\r\nindex: 0x384, decrypted string: LastBootUpTime\r\nindex: 0x393, decrypted string: 
MS_VM_CERT;VMware;Virtual Machine\r\nindex: 0x3b5, decrypted string: Winsta0\r\nindex: 0x3bd, decrypted string: .dll\r\nindex: 0x3c2, decrypted string: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,St\r\nindex: 0x40c, decrypted string: SonicWallClientProtectionService.exe;SWDash.exe\r\nindex: 0x43c, decrypted string: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]\r\nindex: 0x464, decrypted string: SystemRoot\r\nindex: 0x46f, decrypted string: CommandLine\r\nindex: 0x47b, decrypted string: %SystemRoot%\\SysWOW64\\explorer.exe\r\nindex: 0x49e, decrypted string: SOFTWARE\\Wow6432Node\\Microsoft AntiMalware\\SpyNet\r\nindex: 0x4d0, decrypted string: %s\\system32\\\r\nindex: 0x4dd, decrypted string: SELECT * FROM Win32_OperatingSystem\r\nindex: 0x501, decrypted string: wbj.go\r\nindex: 0x508, decrypted string: System32\r\nindex: 0x511, decrypted string: CynetEPS.exe;CynetMS.exe;CynetConsole.exe\r\nindex: 0x53b, decrypted string: C:\\INTERNAL\\__empty\r\nindex: 0x54f, decrypted string: cmd.exe\r\nindex: 0x557, decrypted string: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nindex: 0x585, decrypted string: */*\r\nindex: 0x589, decrypted string: MsMpEng.exe\r\nindex: 0x595, decrypted string: image/pjpeg\r\nindex: 0x5a1, decrypted string: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X\r\nindex: 0x5e8, decrypted string: urlmon.dll\r\nindex: 0x5f3, decrypted string: type=0x%04X\r\nindex: 0x5ff, decrypted string: TRUE\r\nindex: 0x604, decrypted string: Win32_ComputerSystem\r\nhttps://kienmanowar.wordpress.com/2024/04/24/quicknote-qakbot-5-0-decrypt-strings-and-configuration/\r\nPage 2 of 7\n\nindex: 0x619, decrypted string: %SystemRoot%\\System32\\backgroundTaskHost.exe\r\nindex: 0x646, decrypted string: ALLUSERSPROFILE\r\nindex: 0x656, decrypted string: .exe\r\nindex: 0x65b, decrypted string: \\\\.\\pipe\\\r\nindex: 0x665, decrypted string: advapi32.dll\r\nindex: 0x672, decrypted string: application/x-shockwave-flash\r\nindex: 0x690, 
decrypted string: %ProgramFiles%\\Windows Media Player\\wmplayer.exe\r\nindex: 0x6c1, decrypted string: ntdll.dll\r\nindex: 0x6cb, decrypted string: %SystemRoot%\\SysWOW64\\Utilman.exe\r\nindex: 0x6ed, decrypted string: CfGetPlatformInfo\r\nindex: 0x6ff, decrypted string: userenv.dll\r\nindex: 0x70b, decrypted string: LocalLow\r\nindex: 0x714, decrypted string: FALSE\r\nindex: 0x71a, decrypted string: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe\r\nindex: 0x749, decrypted string: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe\r\nindex: 0x787, decrypted string: image/jpeg\r\nindex: 0x792, decrypted string: image/gif\r\nindex: 0x79c, decrypted string: displayName\r\nindex: 0x7a8, decrypted string: Name\r\nindex: 0x7ad, decrypted string: Win32_PnPEntity\r\nindex: 0x7bd, decrypted string: .cfg\r\nindex: 0x7c2, decrypted string: APPDATA\r\nindex: 0x7ca, decrypted string: winsta0\\default\r\nindex: 0x7da, decrypted string: %SystemRoot%\\SysWOW64\\CertEnrollCtrl.exe\r\nindex: 0x803, decrypted string: %SystemRoot%\\SysWOW64\\backgroundTaskHost.exe\r\nindex: 0x830, decrypted string: pstorec.dll\r\nindex: 0x83c, decrypted string: RepUx.exe\r\nindex: 0x846, decrypted string: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz\r\nindex: 0x86d, decrypted string: \\sf2.dll\r\nindex: 0x876, decrypted string: %SystemRoot%\\System32\\dxdiag.exe\r\nindex: 0x897, decrypted string: CSFalconService.exe;CSFalconContainer.exe\r\nindex: 0x8c1, decrypted string: vbs\r\nindex: 0x8c5, decrypted string: WRSA.exe\r\nindex: 0x8ce, decrypted string: crypt32.dll\r\nindex: 0x8da, decrypted string: setupapi.dll\r\nindex: 0x8e7, decrypted string: c:\\saurufdifsdudqat.sys\r\nindex: 0x8ff, decrypted string: %ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\r\nindex: 0x935, decrypted string: netapi32.dll\r\nindex: 0x942, decrypted string: SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths\r\nindex: 0x97c, decrypted string: 
VMware;PROD_VIRTUAL_DISK;VIRTUAL-DISK;XENSRC;20202020\r\nindex: 0x9b2, decrypted string: %SystemRoot%\\System32\\grpconv.exe\r\nindex: 0x9d4, decrypted string: SpyNetReporting\r\nindex: 0x9e4, decrypted string: wtsapi32.dll\r\nindex: 0x9f1, decrypted string: wpcap.dll\r\nindex: 0x9fb, decrypted string: Packages\r\nindex: 0xa04, decrypted string: %SystemRoot%\\explorer.exe\r\nindex: 0xa1e, decrypted string: regsvr32.exe\r\nhttps://kienmanowar.wordpress.com/2024/04/24/quicknote-qakbot-5-0-decrypt-strings-and-configuration/\r\nPage 3 of 7\n\nindex: 0xa2c, decrypted string: aswhookx.dll\r\nindex: 0xa39, decrypted string: Content-Type: application/x-www-form-urlencoded\r\nindex: 0xa69, decrypted string: %SystemRoot%\\SysWOW64\\SearchIndexer.exe\r\nindex: 0xa91, decrypted string: %SystemRoot%\\SysWOW64\\AtBroker.exe\r\nindex: 0xab4, decrypted string: %SystemRoot%\\System32\\WerFault.exe\r\nindex: 0xad7, decrypted string: SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\r\nindex: 0xb0c, decrypted string: vmnat.exe\r\nindex: 0xb16, decrypted string: SubmitSamplesConsent\r\nindex: 0xb2b, decrypted string: SysWOW64\r\nindex: 0xb34, decrypted string: shell32.dll\r\nindex: 0xb40, decrypted string: wmic process call create 'expand \"%S\" \"%S\"'\r\n \r\nindex: 0xb6d, decrypted string: ROOT\\CIMV2\r\nindex: 0xb78, decrypted string: Win32_Product\r\nindex: 0xb86, decrypted string: LOCALAPPDATA\r\nindex: 0xb93, decrypted string: %SystemRoot%\\SysWOW64\\mobsync.exe\r\nindex: 0xbb5, decrypted string: ws2_32.dll\r\nindex: 0xbc0, decrypted string: WScript.Sleep %u\r\nSet objWMIService = GetObject(\"winmgmts:\" \u0026 \"{impersonationLevel=impersonate}!\\\\.\\%coot\\cimv2\")\r\nSet objProcess = GetObject(\"winmgmts:root\\cimv2:Win32_Process\")\r\nerrReturn = objProcess.Create(\"%s\", null, nul, nul)\r\nWSCript.Sleep 2000\r\nSet fso = CreateObject(\"Scripting.FileSystemObject\")\r\nfso.DeleteFile(\"%s\")\r\nindex: 0xd02, decrypted string: bcrypt.dll\r\nindex: 0xd0d, decrypted 
string: SOFTWARE\\Wow6432Node\\Microsoft\\Windows Defender\\Spynet\r\nindex: 0xd44, decrypted string: abcdefghijklmnopqrstuvwxyz\r\nindex: 0xd5f, decrypted string: fshoster32.exe\r\nindex: 0xd6e, decrypted string: %SystemRoot%\\System32\\SearchIndexer.exe\r\nindex: 0xd96, decrypted string: reg.exe ADD \"HKLM\\%s\" /f /t %s /v \"%s\" /d \"%s\"\r\nindex: 0xdc5, decrypted string: Set objWMIService = GetObject(\"winmgmts:\" \u0026 \"{impersonationLevel=impe\r\nSet objProcess = GetObject(\"winmgmts:root\\cimv2:Win32_Process\")\r\nerrReturn = objProcess.Create(\"%s\", null, nul, nul)\r\nindex: 0xe99, decrypted string: gdi32.dll\r\nindex: 0xea3, decrypted string: Set objWMIService = GetObject(\"winmgmts:\" \u0026 \"{impersonationLevel=impe\r\nSet colFiles = objWMIService.ExecQuery(\"Select * From CIM_DataFile Where Name = '%s'\")\r\nFor Each objFile in colFiles\r\nobjFile.Copy(\"%s\")\r\nNext\r\nindex: 0xf8f, decrypted string: Win32_Process\r\nindex: 0xf9d, decrypted string: SELECT * FROM Win32_Processor\r\nindex: 0xfbb, decrypted string: user32.dll\r\nindex: 0xfc6, decrypted string: Win32_Bios\r\nindex: 0xfd1, decrypted string: %SystemRoot%\\SysWOW64\\explorer.exe\r\nindex: 0xff4, decrypted string: MBAMService.exe;mbamgui.exe\r\nindex: 0x1010, decrypted string: %SystemRoot%\\SysWOW64\\mspaint.exe\r\nindex: 0x1032, decrypted string: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump\r\nhttps://kienmanowar.wordpress.com/2024/04/24/quicknote-qakbot-5-0-decrypt-strings-and-configuration/\r\nPage 4 of 7\n\nindex: 0x12f8, decrypted string: %SystemRoot%\\System32\\wextract.exe\r\nindex: 0x131b, decrypted string: egui.exe;ekrn.exe\r\nindex: 0x132d, decrypted string: select\r\nindex: 0x1335, decrypted string: %SystemRoot%\\System32\\wermgr.exe\r\nindex: 0x1356, decrypted string: iphlpapi.dll\r\nindex: 0x1363, decrypted string: SOFTWARE\\Microsoft\\Windows Defender\\SpyNet\r\nindex: 0x138e, decrypted string: %SystemRoot%\\SysWOW64\\dxdiag.exe\r\nindex: 0x13af, 
decrypted string: %SystemRoot%\\SysWOW64\\WerFault.exe\r\nindex: 0x13d2, decrypted string: %SystemRoot%\\System32\\AtBroker.exe\r\nindex: 0x13f5, decrypted string: %SystemRoot%\\SysWOW64\\sethc.exe\r\nindex: 0x1415, decrypted string: %S.%06d\r\nindex: 0x141d, decrypted string: c:\\\\\r\nindex: 0x1422, decrypted string: S:(ML;;NW;;;LW)\r\nindex: 0x1432, decrypted string: fmon.exe\r\nindex: 0x143b, decrypted string: %SystemRoot%\\System32\\xwizard.exe\r\nindex: 0x145d, decrypted string: cscript.exe\r\nindex: 0x1469, decrypted string: Initializing database...\r\nindex: 0x1482, decrypted string: xagtnotif.exe;AppUIMonitor.exe\r\nindex: 0x14a1, decrypted string: %ProgramFiles%\\Internet Explorer\\iexplore.exe\r\nindex: 0x14cf, decrypted string: Win32_DiskDrive\r\nindex: 0x14df, decrypted string: aabcdeefghiijklmnoopqrstuuvwxyyz\r\nindex: 0x1500, decrypted string: %SystemRoot%\\System32\\mobsync.exe\r\nindex: 0x1522, decrypted string: %SystemRoot%\\SysWOW64\\wermgr.exe\r\nindex: 0x1543, decrypted string: kernel32.dll\r\nindex: 0x1550, decrypted string: %SystemRoot%\\System32\\mspaint.exe\r\nindex: 0x1572, decrypted string: bdagent.exe;vsserv.exe;vsservppl.exe\r\nindex: 0x1597, decrypted string: SOFTWARE\\Microsoft\\Microsoft AntiMalware\\SpyNet\r\nindex: 0x15c7, decrypted string: Caption,Description,Vendor,Version,InstallDate,InstallSource,Package\r\nindex: 0x1610, decrypted string: NTUSER.DAT\r\nindex: 0x161b, decrypted string: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe\r\nindex: 0x1648, decrypted string: from\r\nindex: 0x164f, decrypted string: mcshield.exe\r\nindex: 0x165c, decrypted string: %SystemRoot%\\System32\\SndVol.exe\r\nindex: 0x167d, decrypted string: VMware;VMW;QEMU\r\nindex: 0x168d, decrypted string: QEMU;VMware Pointing;VMware Accelerated;VMware SCSI;VMware SVGA;VMwa\r\nindex: 0x179d, decrypted string: shlwapi.dll\r\nindex: 0x17a9, decrypted string: csc_ui.exe\r\nindex: 0x17b4, decrypted string: CrAmTray.exe\r\nindex: 0x17c1, decrypted string: 
Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0\r\nindex: 0x1803, decrypted string: %ProgramFiles(x86)%\\Internet Explorer\\iexplore.exe\r\n[+] Decrypt all strings with index boundary is 0x5ad\r\nindex: 0x0, decrypted string: SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\r\nindex: 0x39, decrypted string: ProgramData\r\nindex: 0x45, decrypted string: netstat -nao\r\nindex: 0x52, decrypted string: %s \"$%s = \\\"%s\\\"; \u0026 $%s\"\r\nindex: 0x6b, decrypted string: net localgroup\r\nhttps://kienmanowar.wordpress.com/2024/04/24/quicknote-qakbot-5-0-decrypt-strings-and-configuration/\r\nPage 5 of 7\n\nindex: 0x7a, decrypted string: powershell.exe\r\nindex: 0x89, decrypted string: route print\r\nindex: 0x95, decrypted string: \"%s\\system32\\schtasks.exe\" /Create /ST %02u:%02u /RU \"NT AUTHORITY\\SYS\r\nindex: 0x10a, decrypted string: Component_08\r\nindex: 0x117, decrypted string: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUF\r\nindex: 0x160, decrypted string: net view\r\nindex: 0x169, decrypted string: ipconfig /all\r\nindex: 0x177, decrypted string: Self check\r\nindex: 0x182, decrypted string: T2X!wWMVH1UkMHD7SBdbgfgXrNBd(5dmRNbBI9\r\nindex: 0x1a9, decrypted string: 4Lm7DW\u0026yMF*ELN4D8oNp0CtKUf*C2LAstORIBV\r\nindex: 0x1d0, decrypted string: Start screenshot\r\nindex: 0x1e1, decrypted string: %s.%u\r\nindex: 0x1e7, decrypted string: adrclient.dll\r\nindex: 0x1f5, decrypted string: net share\r\nindex: 0x1ff, decrypted string: qwinsta\r\nindex: 0x207, decrypted string: \\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nindex: 0x237, decrypted string: at.exe %u:%u \"%s\" /I\r\nindex: 0x24c, decrypted string: Self test FAILED!!!\r\nindex: 0x260, decrypted string: Component_07\r\nindex: 0x26d, decrypted string: whoami /all\r\nindex: 0x279, decrypted string: /c ping.exe -n 6 127.0.0.1 \u0026 type \"%s\\System32\\calc.exe\" \u003e \"%s\"\r\nindex: 0x2bb, decrypted string: error res='%s' err=%d 
len=%u\r\nindex: 0x2d8, decrypted string: nltest /domain_trusts /all_trusts\r\nindex: 0x2fa, decrypted string: .lnk\r\nindex: 0x2ff, decrypted string: cmd\r\nindex: 0x303, decrypted string: schtasks.exe /Create /RU \"NT AUTHORITY\\SYSTEM\" /SC ONSTART /TN %u /TR\r\nindex: 0x355, decrypted string: %s \\\"$%s = \\\\\\\"%s\\\\\\\\; \u0026 $%s\\\"\r\nindex: 0x374, decrypted string: ERROR: GetModuleFileNameW() failed with error: %u\r\nindex: 0x3a6, decrypted string: schtasks.exe /Delete /F /TN %u\r\nindex: 0x3c5, decrypted string: arp -a\r\nindex: 0x3cc, decrypted string: Self check ok!\r\nindex: 0x3db, decrypted string: cmd.exe /c set\r\nindex: 0x3ea, decrypted string: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %\r\nindex: 0x443, decrypted string: Microsoft\r\nindex: 0x44d, decrypted string: powershell.exe -encodedCommand %S\r\nindex: 0x46f, decrypted string: SELF_TEST_1\r\nindex: 0x47b, decrypted string: microsoft.com,google.com,kernel.org,www.wikipedia.org,oracle.com,veri\r\nindex: 0x501, decrypted string: c:\\ProgramData\r\nindex: 0x510, decrypted string: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s\r\nindex: 0x54c, decrypted string: %u;%u;%u;\r\nindex: 0x556, decrypted string: powershell.exe -encodedCommand\r\nindex: 0x576, decrypted string: runas\r\nindex: 0x57c, decrypted string: /teorema505\r\nindex: 0x588, decrypted string: Self test OK.\r\nindex: 0x596, decrypted string: ProfileImagePath\r\nhttps://kienmanowar.wordpress.com/2024/04/24/quicknote-qakbot-5-0-decrypt-strings-and-configuration/\r\nPage 6 of 7\n\nindex: 0x5a7, decrypted string: p%08x\r\nBased on the list of decrypted strings above, after analyzing the code and comparing it to the old idb of the 32-bit\r\nversion, I found a string at offset 0x182 that is used for the decoding process of Campaign and C2 addresses of\r\nQakbot:\r\nThe decryption process in this new version has some changes compared to the old version that I described here:\r\nThe function 
qbot_aes_decrypt_and_check_sha256_wrap (0x180015D14) makes a call to the function\r\nqbot_aes_decrypt_and_check_sha256.\r\nBased on the pseudocode above, the encrypted data is declared as a struct as follows:\r\nThe code in function qbot_aes_decrypt_and_check_sha256 (0x1800163E8) reuses the\r\nqbot_decrypt_xor_key_blob function (0x180011504) that I described above to perform data decryption.\r\nSpecifically:\r\nThe decrypted data includes the first 32 bytes (0x20) as the SHA256 checksum, which is used to verify the\r\nintegrity of the decrypted configuration. The entire pseudocode for the function is shown below:\r\nThe method of decrypting the C2 address list follows the same procedure as described above.\r\nA Python script can be rewritten to automate the entire process of decoding the Campaign and C2 addresses. The\r\nresults obtained are:\r\n# QakBot Config\r\n----\r\n ID : b'tchk08'\r\n b'40' : b'1'\r\n Timestamp : 21:22:34 31-01-2024\r\n----\r\n# QakBot C2 address\r\n31.210.173.10:443\r\n185.156.172.62:443\r\n185.113.8.123:443\r\nSource: https://kienmanowar.wordpress.com/2024/04/24/quicknote-qakbot-5-0-decrypt-strings-and-configuration/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2024/04/24/quicknote-qakbot-5-0-decrypt-strings-and-configuration/"
	],
	"report_names": [
		"quicknote-qakbot-5-0-decrypt-strings-and-configuration"
	],
	"threat_actors": [],
	"ts_created_at": 1775434300,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43147f2681f1bdcba0550c665faaad6d57d1a1e0.pdf",
		"text": "https://archive.orkl.eu/43147f2681f1bdcba0550c665faaad6d57d1a1e0.txt",
		"img": "https://archive.orkl.eu/43147f2681f1bdcba0550c665faaad6d57d1a1e0.jpg"
	}
}