{
	"id": "bb61c0fd-c514-41ae-b7ed-10036583e301",
	"created_at": "2026-04-06T00:06:58.243818Z",
	"updated_at": "2026-04-10T03:21:37.897905Z",
	"deleted_at": null,
	"sha1_hash": "aeffe1728b20e45192a50fe08c95ccbef592403a",
	"title": "Hatching - Automated malware analysis solutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 673855,
	"plain_text": "Hatching - Automated malware analysis solutions\r\nWritten by Markel Picado (d00rt)\r\nPublished: 2019-11-12 · Archived: 2026-04-05 19:38:35 UTC\r\nSummary\r\nQbot or Qakbot is a sophisticated worm with banking capabilities. This malware family has been infecting\r\ncomputers since 2009, utilizing a number of techniques (some of them quite advanced) which make it difficult to\r\ndetect. It has a packing layer, anti-VM techniques, anti-debug techniques, and anti-sandbox techniques which\r\nmake the analysis of this threat difficult. Qakbot is capable of updating itself, and this also makes this threat more\r\ncomplex to detect since it is constantly changing on disk.\r\nUsing Triage we analyzed the most recent variant of this malware, and we added a new module to support the\r\ndetection and configuration extraction of Qakbot samples as shown in the image below. A tool to deobfuscate the\r\nQakbot payload, qakbuscator.py, is also included.\r\nhttps://hatching.io/blog/reversing-qakbot\r\nPage 1 of 16\n\nQakbot family detection in Hatching Triage\r\nQakbot config extraction in Hatching Triage\r\nUnpacking process\r\nQakbot has a custom packer. There are probably other versions of Qakbot in the wild with different packers, but\r\nthis section is based on analysis of the packer for the sample:\r\ne736cf964b998e582fd2c191a0c9865814b632a315435f80798dd2a239a5e5f5.\r\nIn summary, the unpacking process is as follows:\r\nThe unpacking process\r\nThe packer allocates memory and then drops an encrypted buffer there (Step 1-2).\r\nThe dropped buffer is decrypted and the decrypted data contains a PE file (Step 3). This PE file is not at the\r\nbeginning of the buffer but starts at offset 0x427. 
The buffer from its beginning to the PE file offset is filled with 0x00\r\nbytes.\r\nOffset is filled with `0x00` bytes\r\nThis could be a trick to make analysts think that this function is “freeing memory” or that it’s a memset-like\r\nfunction.\r\nThe PE header is modified - this can also confuse analysts or memory dumping tools that look for PE file\r\nsignatures, since they can’t find the “MZ” magic number. This is shown in the image below.\r\nModified PE header\r\nThe decrypted PE file image size is calculated to allocate memory for it. The PE file is copied (mapped as the\r\nWindows loader would do) from the decrypted buffer to the newly allocated memory (Step 3-4).\r\nThe PE is copied over\r\nMapping file to Allocated Memory\r\nOnce the file is mapped to the newly allocated memory, the header is fixed as shown in the following image. Once\r\nthe PE file is mapped, its entry point is called (Step 4).\r\nCalling the entry point\r\nThis PE then reads the rest of the previously decrypted buffer, since it still contains some encrypted data. Once the\r\ndata is decrypted a new PE file can be found (Step 4-5).\r\nThe new PE file\r\nThis time the header is also modified and is fixed before mapping it (Step 5-6).\r\nNew PE file with new header\r\nThe decrypted PE is Qakbot itself. 
In this case the PE header doesn’t have the well-known string “This program\r\ncannot be run in DOS mode”, because the DOS stub was deleted.\r\nThis PE file is the final payload of Qakbot, so it is mapped to the ImageBaseAddress of the\r\noriginal file (Step 6).\r\nThe original image loaded at address 0x400000 is wiped.\r\nThe address 0x400000 is wiped\r\nThe newly unpacked PE (Qakbot) is copied to the original image base address 0x400000.\r\nQakbot copied over to 0x400000\r\nSo, after mapping the Qakbot binary, the execution flow goes to the EntryPoint of this file (Step 7).\r\nThe unpacked sample hash of the file we ran in Triage:\r\n850ff92b7f3badda4bd4eca0a54fbdea410667db1ea27db8069337bf451078d1\r\nOverview\r\nObfuscation\r\nOnce the sample is unpacked, Qakbot itself also implements an obfuscation layer in its code. This obfuscation\r\nmakes the analysis a bit harder. The flow graph of the main function is the following:\r\nQakbot's obfuscation\r\nThe obfuscation basically consists of adding unused loops with an empty body, like the following:\r\nUnused loops\r\nAs is shown in the image above, it does a “XOR EAX, EAX” operation and then decides whether to loop depending\r\non the Z flag, which is set by the previous instruction (so the loop will never happen). The goal of these small\r\nloops is to make the flow graph less comprehensible and to make the analysis harder. 
There are more than 600 loops\r\nlike this throughout the code.\r\nAt Hatching, we implemented a tool, qakbuscator.py, to deobfuscate the code and make the analysis much easier.\r\nThis tool is provided with this analysis to allow all researchers to use it.\r\nQakbot's deobfuscated code\r\nThe DLLs that are in the Qakbot resources also have this obfuscation layer - you can use the script to deobfuscate\r\nthem.\r\nBehavioral analysis\r\nThe sample used to perform the behavioral analysis is the sample deobfuscated using our deobfuscator tool,\r\nexplained in the previous section.\r\nSAMPLE: 3bd468d29868bb3f198530ef2426668efe30a8330bf3835a4f3a941d534ef2df\r\nThis is what a process tree of a Qakbot infection looks like:\r\nProcess tree after Qakbot infection\r\nRegardless of the input vector, the first time Qakbot runs it tries to install itself.\r\nAnti-VM/Anti-analysis tricks\r\nFirst of all, it checks whether it is running in a virtualized environment. Qakbot executes itself with the option\r\n\"/C\". 
Qakbot accepts parameters; in this case the \"/C\" parameter makes it perform anti-VM and anti-sandbox checks\r\nlike the following ones:\r\nReading from the virtual port in order to detect VMware\r\nVMware detection\r\nCheck the CPUID\r\nCPUID check\r\nThere are also other techniques used by Qakbot to know if it is running in an emulated environment, like checking\r\nthe sample name to see if it is set to some default name like “sample.exe” or “malware.exe”, or checking\r\nrunning processes in order to detect any related to virtual environments, anti-virus, debuggers, etc.\r\nAmong the different options that Qakbot accepts we can find the following:\r\nAccepted parameters Description\r\n/C Anti-VM checks\r\n/I [name] Disable Windows SpyNet and delete scheduled task [name]\r\n/P[file] Decrypt [file] and load it\r\n/Q Set exit status to 0x6F\r\n/T Sync related stuff\r\n/V Debug/Testing option\r\n/W Debug/Testing option\r\n/i [name] Install itself and delete scheduled task [name]\r\n/s Create service\r\n/t Send Window Message\r\n/A [1] [2] Unknown\r\nInstallation\r\nIf a VM is detected it exits. Otherwise, it copies itself into %APPDATA% under a randomly generated folder with a\r\nrandomly generated name. Those names are unique for each infected machine since they are created using some\r\ncharacteristics of the infected host.\r\nCopying to %APPDATA%\r\nIt also creates the following registry key in order to be run when the system reboots:\r\n“HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run”.\r\nRun on system boot\r\nAlso, it drops a .dat file that has configuration information, like botnet name, timestamp, etc. This file contains\r\nencrypted data which is decrypted in memory at run time. 
Once this file is decrypted it looks as shown in\r\nthe image below.\r\nDecrypted file\r\nThe following table, from a blog post by the security researcher Vitaly Kremez (link), shows the meanings of\r\nsome of these config values:\r\nQakbot Config\r\n11 = 2 (number of hardcoded C2)\r\n1 = date of qbot install in HH:MM:ss-dd/mm/yyyy\r\n2 = victim qbot install\r\n45 = C2 IP\r\n46 = C2 Port\r\n39 = victim external IP\r\n38 = last victim call to C2 (time in Unix)\r\n43 = time of record (time in Unix)\r\n5 = victim network shares\r\nFinally, the copied file is executed and the original file is overwritten with calc.exe. Some malware deletes the\r\nfile directly, but Qakbot has decided to overwrite it with a legitimate binary. This way it doesn’t leave traces.\r\nOverwriting with legitimate binary\r\nOnce Qakbot is installed, its behavior is different. In this case, it creates an instance of the\r\nexplorer.exe process in order to inject itself into it.\r\nOnce injected into explorer, the main .dll is loaded. At this point, different things could happen since the\r\ncommunication with the control panel begins. As shown in the process tree above, the explorer process executes\r\nan update of Qakbot downloaded directly from the C\u0026C. 
Also, it can exfiltrate data, or infect browsers in order to\r\nget banking information from the victim system.\r\nQakbot update sample: https://tria.ge/reports/191104-athqk1tjxn/task2\r\nTriage\r\nIn Triage we’ve just added support for this family, meaning you can detect Qakbot as well as get its configuration\r\ndirectly after the analysis.\r\nQakbot in Triage\r\nSamples\r\nThe Triage report for the sample that was used for this blog can be found (here).\r\nSample state SHA256\r\nPacked Qakbot e736cf964b998e582fd2c191a0c9865814b632a315435f80798dd2a239a5e5f5\r\nQakbot 850ff92b7f3badda4bd4eca0a54fbdea410667db1ea27db8069337bf451078d1\r\nDeobfuscated Qakbot 3bd468d29868bb3f198530ef2426668efe30a8330bf3835a4f3a941d534ef2df\r\nQakbot resource 1 (main.dll) 83273809a35ba26c2fb30cba58ba437004483ae754babad63c5d168113efa430\r\nDeobfuscated Qakbot resource 1 (main.dll) 74f8907acfd070d2590895523433a8c85b5ef87f4e1a5ef7ccd356f5562b7a6b\r\nQakbot resource 2 (injects dll x86) b7d9a462bd105193e998b6324f3343b84f11ceb21ab24e60e2580a26d95e4494\r\nQakbot resource 3 (injects dll x64) 8c7a43002ee6105fc37fcdfc00a192239639f7c08bf28e06ca1432551fe21b3f\r\nHere is a list of related samples and their corresponding Triage reports.\r\nSHA256 Triage Report\r\nf614a06748251107a34fa7e44c7652fd88e61fd958df724455e14ec88040abf9 1.bin https://tria.ge/reports/191111-ypg95xvrwj_\r\n7d4d207fb5258f504d3f9ef60d431332d1e7320d5849c0b0acf624612b01c8f0 2.bin https://tria.ge/reports/191111-mgrgp545yx_\r\n357b4979324e2065adc8e6bd11cd7161f830250cae30f50fb13edd70fd2b506b 3.bin https://tria.ge/reports/191111-sbsq7xbqea_\r\n29754f0caa9576eba6b9c351d20549e7e19216c6e72c2963da33450719a51277 4.bin https://tria.ge/reports/191111-57yf3bdh4j_\r\n304a01a339d86ccbba7b1f671839624d446e6ea86474912bf976837df779bad2 5.bin 
https://tria.ge/reports/191111-38qmrk62q2_\r\nd2f8a61e8cfc9a6c983fc40d2b7ac33e2a686872d0136dce2f66466c044f246c 6.bin https://tria.ge/reports/191111-p6cqne7cwn_\r\n2b9ef4a9f47402d171eec28acadf3753cbb33c9bc6ec26d99aa060127a470e95 7.bin https://tria.ge/reports/191111-zl9l5y6lp2_\r\neb17935cf972d90be92c9b39fff8b3d760ecda78a6f602cb2b8bbaf3d87e6b61 8.bin https://tria.ge/reports/191111-7tn19rbh9x_\r\n6b88260f4c4da4651a82bb62761cd23ee9ad6662a2a0abbec017e7193668397b 9.bin https://tria.ge/reports/191111-hb6qpeaars_\r\n256967605423fea1e00368078eea1cdb52d391aa0091e0798db797ab337d1567 10.bin https://tria.ge/reports/191111-m8tm8zqbrs_\r\n13c2f4b6fb80500884a4ea9d2fe80774124f46ebfd80de3e1dfcfb9e167aee08 11.bin https://tria.ge/reports/191111-7cpggrpxts_\r\nReferences\r\nhttps://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-qakbot-in-detail-11-en.pdf\r\nhttps://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html\r\nhttps://cofense.com/closer-look-qakbot-malware-dangerous/\r\nhttps://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html\r\nSource: https://hatching.io/blog/reversing-qakbot",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hatching.io/blog/reversing-qakbot"
	],
	"report_names": [
		"reversing-qakbot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434018,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aeffe1728b20e45192a50fe08c95ccbef592403a.pdf",
		"text": "https://archive.orkl.eu/aeffe1728b20e45192a50fe08c95ccbef592403a.txt",
		"img": "https://archive.orkl.eu/aeffe1728b20e45192a50fe08c95ccbef592403a.jpg"
	}
}