{
	"id": "013beb57-c52b-4f30-a33c-579d982bc019",
	"created_at": "2026-04-06T00:22:15.924213Z",
	"updated_at": "2026-04-10T03:21:57.863211Z",
	"deleted_at": null,
	"sha1_hash": "98db7d0740ab2c47befc6ae8f53ea3119dfdd1cb",
	"title": "Qakbot Series: Configuration Extraction",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 718225,
	"plain_text": "Qakbot Series: Configuration Extraction\r\nPublished: 2022-04-13 · Archived: 2026-04-05 21:22:20 UTC\r\nIn late March 2022, I was requested to analyze a software artifact. It was an instance of Qakbot, a modular information stealer known since 2007. Unlike other analyses I do as part of my daily job, in this particular case I can disclose wide parts of it with you readers. I’m addressing them in a post series. Here, I’ll discuss the configuration extraction based on this specific sample.\r\nThe configuration of recent Qakbot samples is often stored in two distinct resources of the unpacked payload. Each resource contains a different part of the configuration. A first resource, usually the shorter one in size, contains general settings such as the botnet identifier and the campaign timestamp. A second resource, usually bigger in size, contains the list of command and control IP addresses and ports. Both resources are encrypted, and this post is all about discussing how Qakbot decrypts its configuration.\r\nFigure 1 - Qakbot resources storing the malware configuration\r\nAs you may notice from Figure 1, our sample contains two encrypted resources. The smaller in size is labelled “524” and the bigger in size is labelled “118”. Those two resource labels aren’t new to the malware research community, since the existence of other Qakbot samples sharing the same resource labels is documented (see, as an example, Tavares - 2021). Both resources are encrypted with a custom implementation of the RC4 algorithm. The RC4 key-scheduling algorithm is implemented in the function starting at 0xb339f9. The RC4 pseudo-random generation algorithm is implemented in the function starting at 0xb33924. The key used to decrypt the resources is the SHA1 of the string:\r\n\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nhttps://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/\r\nPage 1 of 4\r\nNotice that you won’t find that string in the sample because it is obfuscated. If you are interested in the Qakbot string obfuscation technique, I discuss it in this post.\r\nFigure 2 - Decompiled listing of the Qakbot general configuration extraction\r\nQakbot contains a custom implementation of the SHA1 algorithm. The implementing function is located at 0xb3745c. Figure 2 shows the listing of the function, located at 0xb234bb, responsible for the configuration extraction from the resource “524”. As you may notice, the resource label and the key string are obfuscated, and we added their de-obfuscated counterparts as comments. Moreover, you may notice an example of a junk API call (BitBlt) placed into the code just to distract the analyst. I’ll postpone a general discussion about junk code injection and other Qakbot anti-analysis techniques to a dedicated post.\r\nFigure 3 - Decompiled listing of the Qakbot resource decryption and validation\r\nThe actual decryption and validation is accomplished by the function located at 0xb2f7ac and shown in Figure 3. From that listing you may notice that the sample decrypts the resource by calling the RC4 functions. The decrypted resource is composed of two fields: a first field of 20 bytes containing the expected SHA1 of the content, and a second field consisting of the actual content of the resource. The validation is accomplished by computing the SHA1 of the content field and then comparing it with the expected SHA1 in the first field. If the validation succeeds, the just-decrypted content is placed in a buffer.\r\nFigure 4 - Decrypted content of resource \"524\"\r\nAs already mentioned, the two resources contain different aspects of the Qakbot configuration. The content of resource “524” is structured in key-value pairs where each pair represents a configuration field. The key component is an integer identifier of the field. The value is unstructured, since it may contain strings, integers, or even timestamps. As you may notice from Figure 4, showing the decrypted content of resource “524”, the configuration contains just two fields: field 10, containing the botnet identifier, and field 3, containing what is often referred to as the campaign identifier. Actually, field 3 is a Unix timestamp, probably indicating the creation date of the campaign. Older Qakbot samples used to contain a richer configuration (Kremez - 2018).\r\nFigure 5 - Structure of the network configuration resource (decrypted)\r\nResource “118” contains the network configuration of the sample. It is structured in records separated by the byte 0x01. Each record is composed of four bytes, each one representing an IP address octet, and two additional bytes representing the port. The network configuration for the sample under analysis contains 150 command and control IP addresses and ports. Figure 5 shows the format of the unencrypted network configuration resource. You may find all the C2 addresses here.\r\nAs always, if you want to share comments or feedback (rigorously in broken Italian or broken English) do not hesitate to drop me a message at admin[@]malwarology.com.\r\nSource: https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/"
	],
	"report_names": [
		"qakbot-series-configuration-extraction"
	],
	"threat_actors": [],
	"ts_created_at": 1775434935,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98db7d0740ab2c47befc6ae8f53ea3119dfdd1cb.pdf",
		"text": "https://archive.orkl.eu/98db7d0740ab2c47befc6ae8f53ea3119dfdd1cb.txt",
		"img": "https://archive.orkl.eu/98db7d0740ab2c47befc6ae8f53ea3119dfdd1cb.jpg"
	}
}