{
	"id": "ca9217ae-d69e-4541-b28f-7dd971cfed59",
	"created_at": "2026-04-06T00:09:06.114533Z",
	"updated_at": "2026-04-10T13:11:48.117992Z",
	"deleted_at": null,
	"sha1_hash": "d22736409149b6edcb7acb94d3dc1bb535959094",
	"title": "QAKBOT BB Configuration and C2 IPs List",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1173618,
	"plain_text": "QAKBOT BB Configuration and C2 IPs List\r\nBy Raffaele Sabato\r\nPublished: 2022-10-12 · Archived: 2026-04-05 19:33:46 UTC\r\nOctober 13, 2022\r\nThis is my first malware blog post; I hope it will be useful to someone. I will not go deep into the malware internals, because there are plenty of detailed reports on QAKBOT. I will describe how the malware changed its resource decryption mechanism and report some IoCs.\r\nOn September 30, 2022, a friend of mine received a phishing email pretending to be sent by one of his customers. The email contained a URL, a password and a legitimate old message.\r\nFigure 1 - Phishing Email\r\nVisiting the URL https://lynxus[.]com/usq/refeidpisnretse with a Windows user agent returns a working zip named Card654141047.zip; if the user agent is not the expected one, the server responds with a fake zip file that doesn’t work, so the real payload is only handed to what looks like a Windows victim.\r\nhttps://syrion.me/qakbot-bb-extractor/\r\nPage 1 of 10\r\nFigure 2 - Malicious URL message containing the zip password\r\nUsing the provided password “U492”, it is possible to extract an ISO file from the zip. The ISO file contains an LNK file and a hidden folder (assaulting) with the following files:\r\nexpeditionPresides.js\r\nredressingLamentations.cmd\r\nregressing.txt\r\nrougher.gif\r\ntiddler.dat\r\nFigure 3 - Lnk File and hidden folder\r\nFigure 4 - Hidden folder content\r\nThe LNK file is a link to expeditionPresides.js, which contains the following JScript:\r\n// observablyCleaned\r\nvar undisruptedPuzzles = \"rund DllRegis\";\r\n// ShellExecute\r\nvar bridgeheadsLibels = new ActiveXObject(\"shell.application\").shellexecute(\"assaulting\\\\redressingLamentations.\r\nIt runs redressingLamentations.cmd, passing it the two parameters “rund DllRegis”. The content of redressingLamentations.cmd follows:\r\n@echo off\r\nset a=ll\r\nset e=32\r\n:: tankageLicentiously\r\n%1%a%%e% assaulting\\tiddler.dat,%2terServer\r\nexit\r\nWith those parameters, %1%a%%e% expands to rundll32 and %2terServer to DllRegisterServer, so the batch file uses rundll32 to execute the DllRegisterServer export of tiddler.dat; splitting the strings between the JScript and the batch file keeps neither “rundll32” nor “DllRegisterServer” in a single file. Some details of the DLL follow.\r\nFigure 5 - tiddler.dat details\r\ntiddler.dat is the first-stage DLL that unpacks the actual malware in memory; by setting a breakpoint on NtAllocateVirtualMemory it is easy to find the unpacked version, so I will not describe how to get it.\r\nAfter unpacking the DLL we can analyse it; the details are in the image below.\r\nFigure 6 - Unpacked DLL details\r\nAfter some analysis we can confirm that the malware is QAKBOT. The sample is similar to the ones reported in several blog posts, but the bot configuration and the C2 IP list are encrypted in a different way, so I will only describe how to decrypt them instead of repeating what has already been reported very clearly by several blog posts:\r\nElastic\r\nHornetsecurity\r\nYou can find all the decrypted strings and the scripts in my GitHub.\r\nThe file has two resources, one containing the encrypted configuration and one containing the encrypted C2 IP list.\r\nFigure 7 - Resource 3C91E639 containing the C2 list\r\nFigure 8 - Resource 89210AF9 containing the bot configuration\r\nThe resources are encrypted in the same way, so let’s use the configuration resource as the example. Two layers (“steps”) of RC4 encryption are used; let’s walk through them in CyberChef to make it clearer.\r\nAs shown in the image below, in the first step the SHA1 hash of the string “Muhcu#YgcdXubYBu2@2ub4fbUhuiNhyVtcd” is calculated; the result, “CA 6A E9 55 26 F0 BC EB 6B A5 39 0E B6 14 81 9A 9B 4A F9 4E”, is the RC4 key (the string differs between QAKBOT samples; for example, in another sample I analysed it was “bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN”, so you have to figure out which string your sample uses).\r\nFigure 9 - SHA1 Hash of the string \"Muhcu#YgcdXubYBu2@2ub4fbUhuiNhyVtcd\"\r\nUsing the SHA1 digest as the key, we RC4-decrypt the resource. The output of the first RC4 decryption contains the following data:\r\nBytes 0 to 20: SHA1 hash of (New Key + Encrypted Configuration)\r\nBytes 20 to 40: New Key\r\nBytes 40 to end: Encrypted Configuration\r\nFigure 10 - Resource RC4 Decryption Step 1\r\nIn the image below we can see that the SHA1 hash of New Key + Encrypted Configuration matches the first 20 bytes of the decrypted data; this is a handy check that the right key string was used before going any further.\r\nFigure 11 - SHA1(Encrypted Configuration)\r\nIn the second step, RC4 is used with the New Key to decrypt the Encrypted Configuration.
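To make the two steps above concrete, here is an added, stand-alone Python implementation of the scheme; it is not the author’s script and not QAKBOT code. It implements RC4 inline so it needs no third-party module, verifies the SHA1 integrity check before the second step so that a wrong key string fails loudly instead of producing garbage, and parses both plaintexts: the configuration as ‘id=value’ lines and the C2 list as 7-byte records (one leading byte, four IPv4 bytes, a big-endian port), which is the record layout the author’s extractor script later in the post walks. Because real resources cannot be embedded here, the block also contains an encrypt_resource helper (the inverse of the decryption, written only to build test input) that constructs synthetic resources from the page’s key string, the two configuration values and two addresses from the page’s IoC list; the 20-byte inner key and the first 20 bytes of the second-step plaintext are constructed placeholders, since the decryptor discards those 20 bytes exactly as the author’s script does.

```python
import hashlib

CRLF = bytes([13, 10])


def rc4(key, data):
    # Plain RC4 (KSA + PRGA). RC4 is symmetric, so one routine both encrypts
    # and decrypts; implemented inline to avoid a third-party dependency.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_resource(resource, key_string):
    # Step 1: the outer RC4 key is SHA1(key string).
    outer = rc4(hashlib.sha1(key_string).digest(), resource)
    digest, inner_key, inner_ct = outer[:20], outer[20:40], outer[40:]
    # Bytes 0..20 must equal SHA1(new key + encrypted payload). Checking it
    # turns a wrong key string into an error instead of silent garbage.
    if hashlib.sha1(outer[20:]).digest() != digest:
        raise ValueError('integrity check failed: wrong key string or not a Qakbot resource')
    # Step 2: inner RC4 with the embedded 20-byte key; the first 20 bytes of
    # the result are skipped, as in the author's extractor.
    return rc4(inner_key, inner_ct)[20:]


def parse_config(payload):
    # Configuration is text, one 'id=value' per line, e.g. 10=BB and 3=<epoch>.
    cfg = {}
    for line in payload.decode('utf-8', 'replace').splitlines():
        if '=' in line:
            k, v = line.split('=', 1)
            cfg[k.strip()] = v.strip()
    return cfg


def parse_c2(payload):
    # 7-byte records: one leading byte, 4 IPv4 bytes, 2 port bytes (big-endian).
    c2s = []
    for off in range(0, len(payload) - 6, 7):
        rec = payload[off:off + 7]
        ip = '.'.join(str(b) for b in rec[1:5])
        c2s.append(f'{ip}:{(rec[5] << 8) | rec[6]}')
    return c2s


def encrypt_resource(payload, key_string, inner_key):
    # Inverse of decrypt_resource; used only to build synthetic test input.
    # The 20-byte prefix of the inner plaintext is a constructed placeholder.
    inner_pt = hashlib.sha1(payload).digest() + payload
    inner_ct = rc4(inner_key, inner_pt)
    outer_pt = hashlib.sha1(inner_key + inner_ct).digest() + inner_key + inner_ct
    return rc4(hashlib.sha1(key_string).digest(), outer_pt)


def build_samples():
    # Constructed sample data: key string and config values from the page,
    # two C2 entries from the page's IoC list, an arbitrary 20-byte inner key.
    key_string = b'Muhcu#YgcdXubYBu2@2ub4fbUhuiNhyVtcd'
    inner_key = bytes(range(20))
    config = b'10=BB' + CRLF + b'3=1664535088' + CRLF
    c2_list = bytes.fromhex('01 296b47c9 01bb') + bytes.fromhex('01 6965e610 01bb')
    return (key_string,
            encrypt_resource(config, key_string, inner_key),
            encrypt_resource(c2_list, key_string, inner_key))


def demo():
    key_string, cfg_res, c2_res = build_samples()
    cfg = parse_config(decrypt_resource(cfg_res, key_string))
    c2s = parse_c2(decrypt_resource(c2_res, key_string))
    return cfg, c2s


def wrong_key_rejected():
    # A wrong key string must be caught by the step-1 integrity check.
    key_string, cfg_res, _ = build_samples()
    try:
        decrypt_resource(cfg_res, key_string + b'X')
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    cfg, c2s = demo()
    print('Qakbot Configuration:', cfg)   # {'10': 'BB', '3': '1664535088'}
    print('Qakbot C2:', c2s)              # ['41.107.71.201:443', '105.101.230.16:443']
    print('wrong key rejected:', wrong_key_rejected())
```

On a real sample, replace build_samples with the bytes of the two resources and the key string recovered from that sample; if the ValueError fires, the key string is wrong for this build, which is exactly the situation the author warns about when the string changes between samples.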
The following image shows the result of the second-step decryption.\r\nFigure 12 - Resource RC4 Decryption Step 2\r\nThe QAKBOT campaign ID is “BB” and the timestamp 1664535088 corresponds to Fri Sep 30 2022 10:51:28 GMT+0000, the same day the phishing email was received.\r\nWhile I was writing this, a blog post by Trendmicro was published about this specific QAKBOT campaign.\r\nTo automatically extract the configuration and the C2 IPs, I wrote the following Python script.\r\nimport hashlib\r\nfrom arc4 import ARC4  # pip install arc4\r\n\r\nKEY_STRING = b\"Muhcu#YgcdXubYBu2@2ub4fbUhuiNhyVtcd\"  # change to the string your sample uses\r\n\r\nwith open(\"89210AF9.bin\", \"rb\") as f:  # resource with the Qakbot configuration\r\n    resource = f.read()\r\nkey = hashlib.sha1(KEY_STRING).digest()\r\nrc4 = ARC4(key)\r\ndata = rc4.decrypt(resource)  # step 1: bytes 0-20 hash, 20-40 new key, 40-end encrypted config\r\nkey = data[20:40]\r\nrc4 = ARC4(key)\r\ndecrypted_data = rc4.decrypt(data[40:])  # step 2\r\nprint(\"Qakbot Configuration:\")\r\nprint(decrypted_data[20:].decode(\"utf-8\"))  # the first 20 bytes are skipped\r\n\r\nwith open(\"3C91E639.bin\", \"rb\") as f:  # resource with the Qakbot C2 list\r\n    resource = f.read()\r\nkey = hashlib.sha1(KEY_STRING).digest()\r\nrc4 = ARC4(key)\r\ndata = rc4.decrypt(resource)\r\nkey = data[20:40]\r\nrc4 = ARC4(key)\r\ndecrypted_data = rc4.decrypt(data[40:])\r\nprint(\"Qakbot C2:\")\r\n# after the first 20 bytes: 7-byte records, one leading byte, then 4 IP bytes and a big-endian port\r\nfor i in range(21, len(decrypted_data), 7):\r\n    c2 = bytearray(decrypted_data[i:i+7])\r\n    print(\"%d.%d.%d.%d:%d\" % (c2[0], c2[1], c2[2], c2[3], (c2[4] \u003c\u003c 8) + c2[5]))\r\nI hope this first malware blog post can help someone analysing QAKBOT. You can find the samples at the following URLs:\r\nhttps://bazaar.abuse.ch/sample/5b54f57dbaa74fa589afb2d26d6c6b39e0c2930bd88fea3172556ce96b3eb959/\r\nhttps://bazaar.abuse.ch/sample/8b08c031d365a0b4d032c6e51bf773655e15795fe3eabcd3fa6487ffe9f3d6b3/\r\nhttps://bazaar.abuse.ch/sample/796ff26db045085ec8162d414cc2deafb2836d3f0bffd8c58af4595ebb4261e9/\r\nConfiguration:\r\n10=BB\r\n3=1664535088\r\nFile Hashes:\r\n5B54F57DBAA74FA589AFB2D26D6C6B39E0C2930BD88FEA3172556CE96B3EB959\r\n796FF26DB045085EC8162D414CC2DEAFB2836D3F0BFFD8C58AF4595EBB4261E9\r\nD5F09EBC9B1F3FB9781ACA09E3B9FA63F90B909CC7418FF7D2AFA462F400DCE3\r\n8B08C031D365A0B4D032C6E51BF773655E15795FE3EABCD3FA6487FFE9F3D6B3\r\n93104C4834A27E39C13AC9D4663C6FA622AE6ECC5491A67DDF9125E6633CF07B\r\n55AD915DCD65192548046ECBECDA5AD8AD6A92A11F07EC9A92744FCAC1599501\r\n757D3C81555FBF635B2B9FD1D5222E6FE046710753395545A29E3E1F0A78FBF1\r\nBD3A47E0E27523044FEB2C30879EB684CFD174EC329350BAF5E0824FFFF1A22F\r\nC2 IPs:\r\n41.107.71[.]201:443\r\n105.101.230[.]16:443\r\n105.108.239[.]60:443\r\n196.64.227[.]5:8443\r\n41.249.158[.]221:995\r\n134.35.14[.]5:443\r\n113.170.117[.]251:443\r\n187.193.219[.]248:443\r\n122.166.244[.]116:443\r\n154.237.129[.]123:995\r\n41.98.229[.]81:443\r\n186.48.199[.]243:995\r\n102.156.3[.]13:443\r\n41.97.190[.]189:443\r\n197.207.191[.]164:443\r\n105.184.14[.]132:995\r\n196.207.146[.]151:443\r\n105.158.113[.]15:443\r\n196.89.42[.]89:995\r\n86.98.156[.]229:993\r\n177.174.119[.]195:32101\r\n81.156.194[.]147:2078\r\n80.253.189[.]55:443\r\n197.49.175[.]67:995\r\n177.45.78[.]52:993\r\n89.187.169[.]77:443\r\n196.92.59[.]242:995\r\n41.13.200[.]19:443\r\n41.97.195[.]237:443\r\n92.191.56[.]11:2222\r\n154.70.53[.]202:443\r\n210.186.37[.]98:50002\r\nSource: https://syrion.me/qakbot-bb-extractor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://syrion.me/qakbot-bb-extractor/"
	],
	"report_names": [
		"qakbot-bb-extractor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434146,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d22736409149b6edcb7acb94d3dc1bb535959094.pdf",
		"text": "https://archive.orkl.eu/d22736409149b6edcb7acb94d3dc1bb535959094.txt",
		"img": "https://archive.orkl.eu/d22736409149b6edcb7acb94d3dc1bb535959094.jpg"
	}
}