{
	"id": "35c3fd0b-5956-4b24-93f1-dffc715196fe",
	"created_at": "2026-04-06T00:07:24.865541Z",
	"updated_at": "2026-04-10T03:20:45.271448Z",
	"deleted_at": null,
	"sha1_hash": "9cfe933ef5bd99df5085eb3be41413688cef5d21",
	"title": "QBOT Configuration Extractor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45951,
	"plain_text": "QBOT Configuration Extractor\r\nBy Elastic Security Labs\r\nPublished: 2022-12-06 · Archived: 2026-04-05 21:54:39 UTC\r\nPython script to extract the configuration from QBOT samples.\r\nDownload qbot-config-extractor.tar.gz\r\nGetting Started\r\nThis tool provides a Python module and command line tool that will extract configurations from the QBOT\r\nmalware samples and dump the results to screen.\r\nFor information on the QBOT attack pattern and malware analysis, check out our blog posts detailing\r\nthis:\r\nExploring the QBOT Attack Pattern\r\nQBOT Malware Analysis\r\nDocker\r\nWe can easily run the extractor with Docker. First we need to build the image:\r\ndocker build . -t qbot-config-extractor\r\nThen we run the container with the -v flag to map a host directory to the docker container directory:\r\ndocker run -ti --rm -v \\\r\n\"$(pwd)/data\":/data qbot-config-extractor:latest -d /data/\r\nWe can either specify a single sample with the -f option or a directory of samples with -d.\r\n$ docker run -ti --rm -v $(pwd)/data:/data qbot-config-extractor:latest -f data/c2ba065654f13612ae63bca7f972ea9\r\n=== Strings ===\r\n# Blob address: 0x100840a0\r\n# Key address: 0x10084040\r\n[0x0]: ProgramData\r\n[0xc]: /t4\r\n[0x10]: EBBA\r\n[0x15]: netstat -nao\r\n[0x22]: jHxastDcds)oMc=jvh7wdUhxcsdt2\r\nhttps://www.elastic.co/security-labs/qbot-configuration-extractor\r\nPage 1 of 2\r\n[0x40]: schtasks.exe /Create /RU \"NT AUTHORITY\\SYSTEM\" /SC ONSTART /TN %u /TR \"%s\" /NP /F\r\n...truncated...\r\n=== RESOURCE 1 ===\r\nKey: b'\\\\System32\\\\WindowsPowerShel1\\\\v1.0\\\\powershel1.exe'\r\nType: DataType.DOMAINS\r\n41.228.22.180:443\r\n47.23.89.62:995\r\n176.67.56.94:443\r\n103.107.113.120:443\r\n148.64.96.100:443\r\n47.180.172.159:443\r\n181.118.183.98:443\r\n...truncated...\r\nRunning it Locally\r\nAs mentioned above, Docker is the recommended approach to running this project; however, you can also run this\r\nlocally.\r\nThis project uses Poetry to manage dependencies, testing, and metadata. If you have Poetry installed\r\nalready, from this directory, you can simply run the following commands to run the tool. This will set up a virtual\r\nenvironment, install the dependencies, activate the virtual environment, and run the console script.\r\npoetry lock\r\npoetry install\r\npoetry shell\r\nqbot-config-extractor -h\r\nOnce that works, you can do the same sort of things as mentioned in the Docker instructions above.\r\nSource: https://www.elastic.co/security-labs/qbot-configuration-extractor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/qbot-configuration-extractor"
	],
	"report_names": [
		"qbot-configuration-extractor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434044,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9cfe933ef5bd99df5085eb3be41413688cef5d21.pdf",
		"text": "https://archive.orkl.eu/9cfe933ef5bd99df5085eb3be41413688cef5d21.txt",
		"img": "https://archive.orkl.eu/9cfe933ef5bd99df5085eb3be41413688cef5d21.jpg"
	}
}