{
	"id": "6e0f404c-6a5c-4534-961e-94be2ba5ecfb",
	"created_at": "2026-04-06T00:10:09.8686Z",
	"updated_at": "2026-04-10T03:22:06.769162Z",
	"deleted_at": null,
	"sha1_hash": "e38836076d78b9354875c51cd245adbd9c011408",
	"title": "Automating Qakbot decode at scale :: Velociraptor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3861853,
	"plain_text": "Automating Qakbot decode at scale :: Velociraptor\r\nBy Matt Green - @mgreen27 2023-04-05\r\nArchived: 2026-04-05 16:38:44 UTC\r\nThis is a technical post covering a practical methodology to extract configuration data from recent Qakbot samples.\r\nIn this blog, I will provide some background on Qakbot, then walk through the decode themes in an easy-to-visualize\r\nmanner. I will then share a Velociraptor artifact to detect and automate the decode process at scale.\r\nhttps://docs.velociraptor.app/blog/2023/2023-04-05-qakbot/\r\nPage 1 of 11\n\nQak!\r\nQakbot, or QBot, is a modular malware first observed in 2007 that has historically been known as a banking\r\nTrojan. Qbot is used to steal credentials, financial, or other endpoint data, and in recent years has regularly been a loader\r\nfor other malware leading to hands-on-keyboard ransomware.\r\nTypical delivery includes malicious emails with a zipped attachment, LNK, JavaScript, documents, or an embedded\r\nexecutable. The example shown in this post was delivered by an email with an attached PDF file:\r\nAn example Qakbot infection chain\r\nQakbot has some notable defense evasion capabilities, including:\r\n1. Checking for the Windows Defender sandbox and terminating on discovery.\r\n2. Checking for the presence of running anti-virus or analysis tools, then modifying its later-stage behavior for\r\nevasion.\r\n3. Dynamic corruption of the payload on startup and rewriting it on system shutdown.\r\nDue to the commodity nature of the delivery, capabilities and end game, it is worth extracting the configuration from\r\nobserved samples to scope the impact of a given campaign. Hunting enterprise-wide and finding a previously\r\nmissed machine or discovering an ineffective control can be the difference in preventing a domain-wide\r\nransomware event, or a similar really bad day.\r\nConfiguration\r\nQakbot has an RC4-encoded configuration, located inside two resources of the unpacked payload binary. 
The\r\ndecryption process has not changed significantly in recent times, apart from some minor key changes. It uses the SHA1\r\nof a hard-coded key that can typically be extracted as an encoded string in the .data section of the payload binary.\r\nThis key often remains static across campaigns, which can speed up analysis by maintaining a list of recent keys.\r\nCurrent samples undergo two rounds of RC4 decryption with validation built in. The validation bytes are dropped\r\nfrom the data before the second round.\r\nAfter the first round:\r\nThe first 20 bytes (shown in hex) are the validation value and are compared with the SHA1 of the remaining decoded data\r\nBytes [20:40] are the key used for the second round of decoding\r\nThe data to decode is bytes [40:] onwards\r\nThe same validation process occurs for the second-round decoded data:\r\nVerification = data[:20]\r\nDecodedData = data[20:]\r\nFirst round of Qakbot decode and verification\r\nCampaign information is located inside the smaller resource, where, after this decoding and verification process,\r\nthe data is clear text.\r\nThe larger resource stores the Command and Control configuration. This is typically stored in netaddress format\r\nwith varying separators. A common technique for finding the correct method is searching for common ports and\r\nseparator patterns in the decoded data.\r\nEasy to spot C2 patterns: port 443\r\nEncoded strings\r\nQakbot stores blobs of XOR-encoded strings inside the .data section of its payload binary. The current methodology\r\nis to extract blobs of key and data from the referenced key offset, which similarly is reused across samples.\r\nCurrent samples start at offset 0x50, with an XOR key, followed by a separator of 0x0000 before the encoded data. 
In\r\nrecent samples I have observed more than one string blob, and these have occurred in the same format after the\r\nseparator.\r\nEncoded strings .data\r\nThe next steps are splitting on separators, decoding the expected blob pairs and dropping any non-printable characters. Results are fairly\r\nobvious when decoding is successful, as Qakbot produces clean strings. I have typically seen two well-defined\r\ngroups with strings aligning to Qakbot capabilities.\r\nDecoded strings: RC4 key highlighted\r\nPayload\r\nQakbot samples are typically packed and need execution or manual unpacking to retrieve the payload for analysis.\r\nIt’s very difficult to obtain this payload remotely at scale; in practice the easiest way is to execute the sample in a\r\nVM or sandbox that enables extracting the payload with correct PE offsets.\r\nWhen executing locally, Qakbot typically injects its payload into a Windows process, and can be detected with\r\nYARA targeting the process for an unbacked section with PAGE_EXECUTE_READWRITE protections.\r\nBelow is an example of running the PE-Sieve / Hollows Hunter tool from Hasherezade. This helpful tool enables\r\ndetection of several types of process injection, and the dumping of injected sections with appropriately aligned\r\nheaders. In this case, the injected process is wermgr.exe, but it’s worth noting that, depending on variant and process\r\nfootprint, your injected process may vary.\r\nDumping Qakbot payload using pe-sieve\r\nDoing it at scale\r\nNow that I have explained the decode process, it is time to enable both detection and decode automation in Velociraptor.\r\nI have recently released Windows.Carving.Qakbot, which leverages a PE dump capability in Velociraptor 0.6.8 to\r\nenable live memory analysis. 
The goal of the artifact was to automate my decoding workflow into a generic Qakbot\r\nparser and save time on a common analysis. I also wanted an easy-to-update parser so that additional keys or\r\ndecode nuances can be added when changes are discovered.\r\nWindows.Carving.Qakbot: parameters\r\nThis artifact uses YARA to detect an injected Qakbot payload, then attempts to parse the payload configuration and\r\nstrings. Some of the features in the artifact cover changes observed in the past in the decryption process, to allow a\r\nsimplified extraction workflow:\r\nAutomatic PE extraction and offset alignment for memory detections.\r\nStringOffset: the offset of the string XOR key and encoded strings is reused regularly.\r\nPE resource type: the RC4-encoded configuration is typically inside 2 resources; I’ve observed BITMAP\r\nand RCDATA.\r\nUnescaped key string: this field is typically reused over samples.\r\nType of encoding: single or double, double being the more recent.\r\nHidden TargetBytes parameter to enable piping a payload in for analysis.\r\nWorker threads: for bulk analysis / research use cases.\r\nWindows.Carving.Qakbot: live decode\r\nResearch\r\nThe Qakbot parser can also be leveraged for research and bulk analysis. One caveat is that the content requires\r\npayload files that have been dumped with offsets intact. 
This typically requires some post-collection filtering or\r\nPE offset realignment, but enables the Velociraptor notebook to manipulate the post-processed data.\r\nSome techniques I have used to bulk collect samples:\r\nSandbox with PE dumping features: API-based collection\r\nVirusTotal search: crowdsourced_yara_rule:0083a00b09|win_qakbot_auto AND tag:pedll AND NOT\r\ntag:corrupt (note: this will collect some broken payloads)\r\nBulk collection: IPs seen across multiple campaign names and ports\r\nSome findings from a small data set of ~60 samples:\r\nNamed campaigns are typically short and not longer than a few samples over a few days.\r\nIP addresses are regularly reused and shared across campaigns.\r\nThe most prevalent campaigns are BB and obama prefixed.\r\nMinor campaigns observed: azd, tok and rds, with only one or two observed payload samples each.\r\nStrings analysis can also provide insights into sample behavior over time to assist analysis. A great example is the\r\nadditions to the process name list used for anti-analysis checks.\r\nBulk collection: Strings highlighting anti-analysis check additions over time\r\nConclusion\r\nDuring this post I have explained the Qakbot decoding process and introduced an exciting new feature in\r\nVelociraptor. PE dumping is a useful capability and enables advanced analysis at enterprise scale, not even\r\navailable in expensive paid tools. For widespread threats like Qakbot, this kind of content can significantly\r\nimprove response for the blue team, or even provide insights into threats when analyzed in bulk. 
In the coming\r\nmonths the Velociraptor team will be publishing a series of similar blog posts, offering a sneak peek at some of the\r\ntypes of memory analysis enabled by Velociraptor and incorporated into our training courses.\r\nI would also like to thank some of Rapid7’s great analysts, Jakob Denlinger and James Dunne, for bouncing around\r\nsome ideas when writing this post.\r\nReferences\r\n1. Malpedia, Qakbot\r\n2. Elastic, QBOT Malware Analysis\r\n3. Hasherezade, Hollows Hunter\r\n4. Windows.Carving.Qakbot\r\nSource: https://docs.velociraptor.app/blog/2023/2023-04-05-qakbot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://docs.velociraptor.app/blog/2023/2023-04-05-qakbot/"
	],
	"report_names": [
		"2023-04-05-qakbot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434209,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e38836076d78b9354875c51cd245adbd9c011408.pdf",
		"text": "https://archive.orkl.eu/e38836076d78b9354875c51cd245adbd9c011408.txt",
		"img": "https://archive.orkl.eu/e38836076d78b9354875c51cd245adbd9c011408.jpg"
	}
}