[QuickNote] Qakbot 5.0 – Decrypt strings and configuration

kienmanowar.wordpress.com · m4n0w4r and Tran Trung Kien · 1 year ago · research
Posted: April 24, 2024 in My Tutorials
Tags: cybersecurity, encryption, IDA, Idapython, Malware Analysis, Qakbot, Qbot, ReverseEngineering, Security, technology

1. Sample overview

Hash: af6a9b7e7aefeb903c76417ed2b8399b73657440ad5f8b48a25cfe5e97ff868f

In this new sample, the threat actor has updated Qakbot's codebase to support 64-bit versions of Windows.

2. Decrypt strings

Here is the pseudocode for the string decryption functions in the 64-bit and 32-bit versions:

As the screenshots show, the decryption process in the 64-bit version is similar to the previous version: a string index selects an offset into an encrypted string table, and the bytes are XORed with a key blob until a NUL terminator is reached. The difference is that the xor_key_blob in this new version is itself encrypted. Therefore, before decrypting a string, the routine first calls the qbot_decrypt_xor_key_blob function (0x180011504), circled in red above, to recover the original xor_key_blob.
The qbot_decrypt_xor_key_blob function performs the following main tasks:

(1) Calculates the SHA-256 hash of the key-material blob at 0x180029700 (0x9F bytes) and of the one at 0x180028150 (0x63 bytes) and uses each digest as the AES key. A SHA-256 digest is 32 bytes, so this is AES-256.

(2) Uses the first 16 bytes of the enc_xor_key_blob at 0x18002AFE0 (0xA0 bytes) and of the one at 0x1800281C0 (0xD0 bytes) as the AES IV. There is one key-material/encrypted-blob pair per string table, listed here in the same order.

(3) Decrypts the remaining blob data (everything after the 16-byte IV) with AES in CBC mode. The result is the xor_key_blob used to decrypt the strings.

Because both the key material and the IV are static bytes inside the image, the whole scheme can be reproduced offline from the file, with no runtime state required. The entire decryption process is reproduced in CyberChef as follows:

With the decrypted xor_key_blob, we can write an IDAPython script that decrypts the strings and adds each decrypted string as a comment at its call site, which makes analysing the Qakbot code much easier. Here is my IDAPython script (don't blame my code if you don't want your eyes to bleed :), I just wanted to share it in case someone needs it for reference).
```python
import idautils, idc, idaapi, ida_bytes

# String table 1: two wrapper routines share one encrypted table and one XOR key blob
decrypt_routine1 = 0x18000DE90
decrypt_routine2 = 0x18000DE50
enc_strings_blob1 = 0x1800297A0
index_bound1 = 0x1836
xor_bytes_array = b'\xc3\x4c\x4a\xd8\x7e\x10\xf2\xe9\x05\xe6\xe2\x8e\xaf\xfb\x6b\x32\xc3\x55\xb7\xbe\x9c\x8b\xd9\xc7\xf3\xd3\xa1\x87\xf7\xa7\xb8\x76\xb4\xc8\x2c\x74\x56\xbd\x03\xbc\xa9\x71\xfb\x4b\x89\x52\x95\x2c\x76\xd4\x94\xbf\x64\x23\xfa\x0a\x26\x46\x5e\xa9\x74\xd8\x1c\x2e\x47\x40\x98\x05\x3e\xde\x71\x65\x60\x3b\x03\x0a\x37\x8a\x29\x0e\xaa\x93\xcf\xc7\x35\x3e\x08\x6a\x2c\xab\x22\x6c\xd0\xef\x19\x37\xf3\xe2\x38\xfc\x34\x1b\x84\x61\x84\x0f\xa0\x78\xd1\xdd\x19\x5b\xc0\xcd\xb1\xc0\xb5\x9f\x00\x65\x04\xfa\x89\x39\xa5\xa3\x33\x60\xbf\x75\x5f\x10\xa6'

# String table 2
decrypt_routine3 = 0x180002AB8
decrypt_routine4 = 0x180002A78
enc_strings_blob2 = 0x1800282A0
index_bound2 = 0x5AD
xor_bytes_array2 = b'\xa8\x34\xed\x43\x82\x7d\x35\x98\x52\x5b\x04\x43\x01\x49\xc8\x9e\xbb\x30\xd5\x98\x2e\xf5\x9a\x03\x7b\x02\x46\x13\x1f\x9b\x32\x9e\x1b\x77\xc3\xf9\xe0\xc8\x83\x4b\x94\xa5\x64\xa0\xf3\x04\x45\xe3\xa0\x8f\xda\xc0\x3a\xac\xb7\xa1\x7d\x0c\x2f\x45\x0d\x05\x32\x5b\xd3\x19\xb3\x62\xef\x5d\xa1\x26\x2f\xb5\xfc\x4a\xb3\xc3\xa5\x41\x93\x18\xb4\x41\xa5\xd5\x83\xa5\x7d\x26\x34\x9f\xcd\x7f\x1b\x3e\xe8\x73\x22\xeb\x1b\x3c\x27\xa2\xb3\x00\x3c\x93\xdc\xd2\xae\xf1\x02\x2e\x3e\x8b\xbe\xd1\x11\xd1\x42\x01\x39\xc0\x32\x6c\x78\x98\x9b\xf8\x2c\x81\xeb\x56\x5c\x29\xc1\x1e\x8a\xd5\xea\x8a\xcf\xb3\x4d\x01\x7a\x4e\x7b\xa1\xc9\x19\x01\x61\xef\x05\x3c\x76\x13\xc6\x93\x4a\x7e\x4e\x66\x71\xb9\xb7\xfc\x42\xb2\x36\x33\xaf\xca\xa8\x74\xd1\xeb\xf3\x90\xa5\xf8\xd3\xce\x94\x55\x4c\xe1\x96\x35\xa8\x34\xed\x43\x82\x7d\x35\x98\x52\x5b\x04\x43\x01\x49\xc8\x9e\xbb\x30\xd5\x98\x2e\xf5\x9a\x03\x7b\x02\x46\x13\x1f\x9b\x32\x9e\x1b\x77\xc3\xf9\xe0\xc8\x83\x4b\x94\xa5\x64\xa0\xf3\x04\x45\xe3\xa0\x8f\xda\xc0\x3a\xac\xb7\xa1\x7d\x0c\x2f\x45\x0d\x05\x32\x5b\xd3\x19\xb3\x62\xef\x5d\xa1\x26\x2f\xb5\xfc\x4a\xb3\xc3\xa5\x41\x93\x18\xb4\x41\xa5\xd5\x83\xa5\x7d\x26\x34\x9f\xcd\x7f\x1b\x3e\xe8\x73\x22\xeb\x1b\x3c\x27\xa2\xb3\x00\x3c\x93\xdc\xd2\xae\xf1\x02\x2e\x3e\x8b\xbe\xd1\x11\xd1\x42\x01\x39\xc0\x32\x6c\x78\x98\x9b\xf8\x2c\x81\xeb\x56\x5c\x29\xc1\x1e\x8a\xd5\xea\x8a\xcf\xb3\x4d\x01\x7a\x4e\x7b\xa1\xc9\x19\x01\x61\xef\x05\x3c\x76\x13\xc6\x93\x4a\x7e\x4e\x66\x71\xb9\xb7\xfc\x42\xb2\x36\x33\xaf\xca\xa8\x74\xd1\xeb\xf3\x90\xa5\xf8\xd3\xce\x94\x55\x4c\xe1\x96\x35'

# call sites that are not genuine string lookups and must not be commented
black_list_xref_addr = [0x180014173, 0x180014106]


def decrypt(idx, blob_ea, xor_key, bound):
    """Decrypt the NUL-terminated string at offset idx of the encrypted table at blob_ea."""
    if idx >= bound:
        return ""  # out-of-bounds index: nothing to decrypt
    output = ""
    while idx < bound:
        c = idc.get_wide_byte(blob_ea + idx) ^ xor_key[idx % len(xor_key)]
        if c == 0:
            break
        output += chr(c)
        idx += 1
    return output


def get_str_index(xref_addr):
    """Recover the string index passed as the first argument at a call site, or None."""
    arg_addrs = idaapi.get_arg_addrs(xref_addr)
    if not arg_addrs:
        return None
    str_idx_arg_ea = arg_addrs[0]
    mnem = idc.print_insn_mnem(str_idx_arg_ea)
    if mnem == "pop":
        # push imm / pop reg idiom: the value is the operand of the preceding push
        return idc.get_operand_value(idc.prev_head(str_idx_arg_ea), 0)
    if mnem == "push":
        return idc.get_operand_value(str_idx_arg_ea, 0)
    # mov reg, imm
    return idc.get_operand_value(str_idx_arg_ea, 1)


def decrypt_strings(func_addr, blob_ea, xor_key, bound):
    """Comment every code xref to func_addr with the string its index argument resolves to."""
    for x in idautils.XrefsTo(func_addr, 0):
        xref_addr = x.frm
        if xref_addr in black_list_xref_addr or not ida_bytes.is_code(ida_bytes.get_full_flags(xref_addr)):
            continue
        str_idx_value = get_str_index(xref_addr)
        if str_idx_value is not None and 0 <= str_idx_value < 0xFFFF:
            idc.set_cmt(xref_addr, decrypt(str_idx_value, blob_ea, xor_key, bound), 0)


def dump_all(blob_ea, xor_key, bound):
    """Walk the whole table: each string starts right after the previous one's NUL."""
    lines = ['[+] Decrypt all strings with index boundary is {}'.format(hex(bound))]
    idx = 0
    while idx < bound:
        dec_str = decrypt(idx, blob_ea, xor_key, bound)
        lines.append("index: %s, decrypted string: %s" % (hex(idx), dec_str))
        idx += len(dec_str) + 1
    return lines


def main():
    decrypt_strings(decrypt_routine1, enc_strings_blob1, xor_bytes_array, index_bound1)
    decrypt_strings(decrypt_routine2, enc_strings_blob1, xor_bytes_array, index_bound1)
    decrypt_strings(decrypt_routine3, enc_strings_blob2, xor_bytes_array2, index_bound2)
    decrypt_strings(decrypt_routine4, enc_strings_blob2, xor_bytes_array2, index_bound2)

    lines = dump_all(enc_strings_blob1, xor_bytes_array, index_bound1)
    lines += [""] + dump_all(enc_strings_blob2, xor_bytes_array2, index_bound2)
    for line in lines:
        print(line)
    with open("all_decrypted_strings_with_index.txt", "w") as output:
        output.write("\n".join(lines) + "\n")


if __name__ == '__main__':
    main()
```

Here are my results, the full list of all decrypted strings:

```text
[+] Decrypt all strings with index boundary is 0x1836
index: 0x0, decrypted string: %SystemRoot%\SysWOW64\xwizard.exe
index: 0x22, decrypted string: .dat
index: 0x27, decrypted string: kernelbase.dll
index: 0x36, decrypted string: WBJ_IGNORE
index: 0x41, decrypted string: mpr.dll
index: 0x49, decrypted string: %SystemRoot%\explorer.exe
index: 0x63, decrypted string: %SystemRoot%\System32\CertEnrollCtrl.exe
index: 0x8c, decrypted string: https
index: 0x92, decrypted string: SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
index: 0x104, decrypted string: open
index: 0x109, decrypted string: root\SecurityCenter2
index: 0x11e, decrypted string: %SystemRoot%\SysWOW64\SndVol.exe
index: 0x13f, decrypted string: %u.%u.%u.%u.%u.%u.%04x
index: 0x156, decrypted string: 1234567890
index: 0x161, decrypted string: %SystemRoot%\System32\Utilman.exe
index: 0x183, decrypted string: snxhk_border_mywnd
index: 0x196, decrypted string: %SystemRoot%\SysWOW64\wextract.exe
index: 0x1b9, decrypted string: avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
index: 0x1df, decrypted string: Win32_PhysicalMemory
index: 0x1f4, decrypted string: Caption
index: 0x1fc, decrypted string: ByteFence.exe
index: 0x20a, decrypted string: aswhooka.dll
index: 0x217, decrypted string: dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
index: 0x242, decrypted string: %SystemRoot%\SysWOW64\grpconv.exe
index: 0x264, decrypted string: VRTUAL;VMware;VMW;Xen
index: 0x27a, decrypted string: SELECT * FROM AntiVirusProduct
index: 0x299, decrypted string: %s\%08X.dll
index: 0x2a5, decrypted string: wininet.dll
index: 0x2b1, decrypted string: avp.exe;kavtray.exe
index: 0x2c5, decrypted string: rundll32.exe
index: 0x2d3, decrypted string: Create
index: 0x2da, decrypted string: WQL
index: 0x2de, decrypted string: %SystemRoot%\System32\sethc.exe
index: 0x2fe, decrypted string: AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
index: 0x351, decrypted string: Software\Classes
index: 0x362, decrypted string: vkise.exe;isesrv.exe;cmdagent.exe
index: 0x384, decrypted string: LastBootUpTime
index: 0x393, decrypted string: MS_VM_CERT;VMware;Virtual Machine
index: 0x3b5, decrypted string: Winsta0
index: 0x3bd, decrypted string: .dll
index: 0x3c2, decrypted string: Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
index: 0x40c, decrypted string: SonicWallClientProtectionService.exe;SWDash.exe
index: 0x43c, decrypted string: t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
index: 0x464, decrypted string: SystemRoot
index: 0x46f, decrypted string: CommandLine
index: 0x47b, decrypted string: %SystemRoot%\SysWOW64\explorer.exe
index: 0x49e, decrypted string: SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
index: 0x4d0, decrypted string: %s\system32\
index: 0x4dd, decrypted string: SELECT * FROM Win32_OperatingSystem
index: 0x501, decrypted string: wbj.go
index: 0x508, decrypted string: System32
index: 0x511, decrypted string: CynetEPS.exe;CynetMS.exe;CynetConsole.exe
index: 0x53b, decrypted string: C:\INTERNAL\__empty
index: 0x54f, decrypted string: cmd.exe
index: 0x557, decrypted string: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
index: 0x585, decrypted string: */*
index: 0x589, decrypted string: MsMpEng.exe
index: 0x595, decrypted string: image/pjpeg
index: 0x5a1, decrypted string: {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
index: 0x5e8, decrypted string: urlmon.dll
index: 0x5f3, decrypted string: type=0x%04X
index: 0x5ff, decrypted string: TRUE
index: 0x604, decrypted string: Win32_ComputerSystem
index: 0x619, decrypted string: %SystemRoot%\System32\backgroundTaskHost.exe
index: 0x646, decrypted string: ALLUSERSPROFILE
index: 0x656, decrypted string: .exe
index: 0x65b, decrypted string: \\.\pipe\
index: 0x665, decrypted string: advapi32.dll
index: 0x672, decrypted string: application/x-shockwave-flash
index: 0x690, decrypted string: %ProgramFiles%\Windows Media Player\wmplayer.exe
index: 0x6c1, decrypted string: ntdll.dll
index: 0x6cb, decrypted string: %SystemRoot%\SysWOW64\Utilman.exe
index: 0x6ed, decrypted string: CfGetPlatformInfo
index: 0x6ff, decrypted string: userenv.dll
index: 0x70b, decrypted string: LocalLow
index: 0x714, decrypted string: FALSE
index: 0x71a, decrypted string: coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
index: 0x749, decrypted string: Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
index: 0x787, decrypted string: image/jpeg
index: 0x792, decrypted string: image/gif
index: 0x79c, decrypted string: displayName
index: 0x7a8, decrypted string: Name
index: 0x7ad, decrypted string: Win32_PnPEntity
index: 0x7bd, decrypted string: .cfg
index: 0x7c2, decrypted string: APPDATA
index: 0x7ca, decrypted string: winsta0\default
index: 0x7da, decrypted string: %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
index: 0x803, decrypted string: %SystemRoot%\SysWOW64\backgroundTaskHost.exe
index: 0x830, decrypted string: pstorec.dll
index: 0x83c, decrypted string: RepUx.exe
index: 0x846, decrypted string: aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
index: 0x86d, decrypted string: \sf2.dll
index: 0x876, decrypted string: %SystemRoot%\System32\dxdiag.exe
index: 0x897, decrypted string: CSFalconService.exe;CSFalconContainer.exe
index: 0x8c1, decrypted string: vbs
index: 0x8c5, decrypted string: WRSA.exe
index: 0x8ce, decrypted string: crypt32.dll
index: 0x8da, decrypted string: setupapi.dll
index: 0x8e7, decrypted string: c:\saurufdifsdudqat.sys
index: 0x8ff, decrypted string: %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
index: 0x935, decrypted string: netapi32.dll
index: 0x942, decrypted string: SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
index: 0x97c, decrypted string: VMware;PROD_VIRTUAL_DISK;VIRTUAL-DISK;XENSRC;20202020
index: 0x9b2, decrypted string: %SystemRoot%\System32\grpconv.exe
index: 0x9d4, decrypted string: SpyNetReporting
index: 0x9e4, decrypted string: wtsapi32.dll
index: 0x9f1, decrypted string: wpcap.dll
index: 0x9fb, decrypted string: Packages
index: 0xa04, decrypted string: %SystemRoot%\explorer.exe
index: 0xa1e, decrypted string: regsvr32.exe
index: 0xa2c, decrypted string: aswhookx.dll
index: 0xa39, decrypted string: Content-Type: application/x-www-form-urlencoded
index: 0xa69, decrypted string: %SystemRoot%\SysWOW64\SearchIndexer.exe
index: 0xa91, decrypted string: %SystemRoot%\SysWOW64\AtBroker.exe
index: 0xab4, decrypted string: %SystemRoot%\System32\WerFault.exe
index: 0xad7, decrypted string: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
index: 0xb0c, decrypted string: vmnat.exe
index: 0xb16, decrypted string: SubmitSamplesConsent
index: 0xb2b, decrypted string: SysWOW64
index: 0xb34, decrypted string: shell32.dll
index: 0xb40, decrypted string: wmic process call create 'expand "%S" "%S"'
index: 0xb6d, decrypted string: ROOT\CIMV2
index: 0xb78, decrypted string: Win32_Product
index: 0xb86, decrypted string: LOCALAPPDATA
index: 0xb93, decrypted string: %SystemRoot%\SysWOW64\mobsync.exe
index: 0xbb5, decrypted string: ws2_32.dll
index: 0xbc0, decrypted string: WScript.Sleep %u Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul) WSCript.Sleep 2000 Set fso = CreateObject("Scripting.FileSystemObject") fso.DeleteFile("%s")
index: 0xd02, decrypted string: bcrypt.dll
index: 0xd0d, decrypted string: SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
index: 0xd44, decrypted string: abcdefghijklmnopqrstuvwxyz
index: 0xd5f, decrypted string: fshoster32.exe
index: 0xd6e, decrypted string: %SystemRoot%\System32\SearchIndexer.exe
index: 0xd96, decrypted string: reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
index: 0xdc5, decrypted string: Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process") errReturn = objProcess.Create("%s", null, nul, nul)
index: 0xe99, decrypted string: gdi32.dll
index: 0xea3, decrypted string: Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2") Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'") For Each objFile in colFiles objFile.Copy("%s") Next
index: 0xf8f, decrypted string: Win32_Process
index: 0xf9d, decrypted string: SELECT * FROM Win32_Processor
index: 0xfbb, decrypted string: user32.dll
index: 0xfc6, decrypted string: Win32_Bios
index: 0xfd1, decrypted string: %SystemRoot%\SysWOW64\explorer.exe
index: 0xff4, decrypted string: MBAMService.exe;mbamgui.exe
index: 0x1010, decrypted string: %SystemRoot%\SysWOW64\mspaint.exe
index: 0x1032, decrypted string: frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe;dumper64.exe;user_imitator.exe;Velociraptor.exe
index: 0x12f8, decrypted string: %SystemRoot%\System32\wextract.exe
index: 0x131b, decrypted string: egui.exe;ekrn.exe
index: 0x132d, decrypted string: select
index: 0x1335, decrypted string: %SystemRoot%\System32\wermgr.exe
index: 0x1356, decrypted string: iphlpapi.dll
index: 0x1363, decrypted string: SOFTWARE\Microsoft\Windows Defender\SpyNet
index: 0x138e, decrypted string: %SystemRoot%\SysWOW64\dxdiag.exe
index: 0x13af, decrypted string: %SystemRoot%\SysWOW64\WerFault.exe
index: 0x13d2, decrypted
```
string: %SystemRoot%\System32\AtBroker.exe index: 0x13f5, decrypted string: %SystemRoot%\SysWOW64\sethc.exe index: 0x1415, decrypted string: %S.%06d index: 0x141d, decrypted string: c:\\ index: 0x1422, decrypted string: S:(ML;;NW;;;LW) index: 0x1432, decrypted string: fmon.exe index: 0x143b, decrypted string: %SystemRoot%\System32\xwizard.exe index: 0x145d, decrypted string: cscript.exe index: 0x1469, decrypted string: Initializing database... index: 0x1482, decrypted string: xagtnotif.exe;AppUIMonitor.exe index: 0x14a1, decrypted string: %ProgramFiles%\Internet Explorer\iexplore.exe index: 0x14cf, decrypted string: Win32_DiskDrive index: 0x14df, decrypted string: aabcdeefghiijklmnoopqrstuuvwxyyz index: 0x1500, decrypted string: %SystemRoot%\System32\mobsync.exe index: 0x1522, decrypted string: %SystemRoot%\SysWOW64\wermgr.exe index: 0x1543, decrypted string: kernel32.dll index: 0x1550, decrypted string: %SystemRoot%\System32\mspaint.exe index: 0x1572, decrypted string: bdagent.exe;vsserv.exe;vsservppl.exe index: 0x1597, decrypted string: SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet index: 0x15c7, decrypted string: Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName index: 0x1610, decrypted string: NTUSER.DAT index: 0x161b, decrypted string: ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe index: 0x1648, decrypted string: from index: 0x164f, decrypted string: mcshield.exe index: 0x165c, decrypted string: %SystemRoot%\System32\SndVol.exe index: 0x167d, decrypted string: VMware;VMW;QEMU index: 0x168d, decrypted string: QEMU;VMware Pointing;VMware Accelerated;VMware SCSI;VMware SVGA;VMware Replay;VMware server memory;VirtualBox;CWSandbox;Virtual HD;QEMU;VirtIO;srootkit;vSockets;VBoxVideo;vmxnet;vmscsi;VMAUDIO;vmdebug;vm3dmp;vmrawdsk;vmx_svga;ansfltr;sbtisht;XENVIF;XENBUS;XENSRC;XENCLASS index: 0x179d, decrypted string: shlwapi.dll index: 0x17a9, decrypted string: csc_ui.exe index: 0x17b4, decrypted string: CrAmTray.exe index: 0x17c1, decrypted 
string: Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0 index: 0x1803, decrypted string: %ProgramFiles(x86)%\Internet Explorer\iexplore.exe [+] Decrypt all strings with index boundary is 0x5ad index: 0x0, decrypted string: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList index: 0x39, decrypted string: ProgramData index: 0x45, decrypted string: netstat -nao index: 0x52, decrypted string: %s "$%s = \"%s\"; & $%s" index: 0x6b, decrypted string: net localgroup index: 0x7a, decrypted string: powershell.exe index: 0x89, decrypted string: route print index: 0x95, decrypted string: "%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s index: 0x10a, decrypted string: Component_08 index: 0x117, decrypted string: ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER index: 0x160, decrypted string: net view index: 0x169, decrypted string: ipconfig /all index: 0x177, decrypted string: Self check index: 0x182, decrypted string: T2X!wWMVH1UkMHD7SBdbgfgXrNBd(5dmRNbBI9 index: 0x1a9, decrypted string: 4Lm7DW&yMF*ELN4D8oNp0CtKUf*C2LAstORIBV index: 0x1d0, decrypted string: Start screenshot index: 0x1e1, decrypted string: %s.%u index: 0x1e7, decrypted string: adrclient.dll index: 0x1f5, decrypted string: net share index: 0x1ff, decrypted string: qwinsta index: 0x207, decrypted string: \System32\WindowsPowerShell\v1.0\powershell.exe index: 0x237, decrypted string: at.exe %u:%u "%s" /I index: 0x24c, decrypted string: Self test FAILED!!! 
index: 0x260, decrypted string: Component_07 index: 0x26d, decrypted string: whoami /all index: 0x279, decrypted string: /c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s" index: 0x2bb, decrypted string: error res='%s' err=%d len=%u index: 0x2d8, decrypted string: nltest /domain_trusts /all_trusts index: 0x2fa, decrypted string: .lnk index: 0x2ff, decrypted string: cmd index: 0x303, decrypted string: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F index: 0x355, decrypted string: %s \"$%s = \\\"%s\\\\; & $%s\" index: 0x374, decrypted string: ERROR: GetModuleFileNameW() failed with error: %u index: 0x3a6, decrypted string: schtasks.exe /Delete /F /TN %u index: 0x3c5, decrypted string: arp -a index: 0x3cc, decrypted string: Self check ok! index: 0x3db, decrypted string: cmd.exe /c set index: 0x3ea, decrypted string: %s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d index: 0x443, decrypted string: Microsoft index: 0x44d, decrypted string: powershell.exe -encodedCommand %S index: 0x46f, decrypted string: SELF_TEST_1 index: 0x47b, decrypted string: microsoft.com,google.com,kernel.org,www.wikipedia.org,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com index: 0x501, decrypted string: c:\ProgramData index: 0x510, decrypted string: nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s index: 0x54c, decrypted string: %u;%u;%u; index: 0x556, decrypted string: powershell.exe -encodedCommand index: 0x576, decrypted string: runas index: 0x57c, decrypted string: /teorema505 index: 0x588, decrypted string: Self test OK. index: 0x596, decrypted string: ProfileImagePath index: 0x5a7, decrypted string: p%08x 3. 
Decrypt configuration Based on the list of decrypted strings above, after analyzing the code and comparing it to the old idb of the 32-bit version, I found a string at offset 0x182 that is used for the decoding process of Campaign and C2 addresses of Qakbot: 0x182: “T2X!wWMVH1UkMHD7SBdbgfgXrNBd(5dmRNbBI9” The decryption process in this new version has some changes compared to the old version that I described here : Configuration data is stored in the .data section instead of the resource as in the old version. AES is used for decryption instead of RC4. 3.1. Decrypt the Campaign Info Campaign decryption process as pseudo-code: Encrypted campaign info stored at section .data : The function qbot_aes_decrypt_and_check_sha256_wrap (0x180015D14) makes a call to the function qbot_aes_decrypt_and_check_sha256 . Based on the pseudocode above, the encrypted data is declared as a struct as follows: The code in function qbot_aes_decrypt_and_check_sha256 (0x1800163E8) reuses the qbot_decrypt_xor_key_blob function (0x180011504) that I described above to perform data decryption. Specifically: AES Key : SHA256("T2X!wWMVH1UkMHD7SBdbgfgXrNBd(5dmRNbBI9") AES IV : The first 16 bytes of pbEncData The decrypted data includes the first 32 bytes (0x20) as the sha256 checksum , which is used to verify the integrity of the decrypted configuration. The entire pseudocode for the function is shown below: With the help of CyberChef, we can perform decryption as follows: 3.2. Decrypt Qabkot C2 addresses The method of decrypting C2 address list follows the same procedure as described above. A Python script can be rewritten to automate the entire process of decoding Campaign and C2 addresses. The results obtained are: # QakBot Config ---- ID : b'tchk08' b'40' : b'1' Timestamp : 21:22:34 31-01-2024 ---- # QakBot C2 address ``` 31.210.173.10:443 185.156.172.62:443 185.113.8.123:443 4. 
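The decryption and checksum scheme from 3.1 (which 3.2 reuses for the C2 list) carried out end to end, as an added example that is not the author's script and uses only the Go standard library. CBC mode with an unpadded body is an assumption of this example (the post says only "AES"); EncryptQbotConfig and the 16-byte sample config are constructed so the example runs offline, and the real field layout of the decrypted config is not shown on the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Key string found at string-table offset 0x182 in the decrypted strings above.
const QbotKeyString = "T2X!wWMVH1UkMHD7SBdbgfgXrNBd(5dmRNbBI9"
// DecryptQbotConfig follows the post: AES-256 key = SHA256(key string), IV = first 16 bytes
// of the blob, plaintext = 32-byte SHA256 checksum + config. CBC with no padding is assumed.
func DecryptQbotConfig(blob []byte, keyString string) ([]byte, error) {
	key := sha256.Sum256([]byte(keyString))
	block, err := aes.NewCipher(key[:])
	if err != nil || len(blob) < aes.BlockSize+sha256.Size || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or not block aligned")
	}
	plain := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, blob[:aes.BlockSize]).CryptBlocks(plain, blob[aes.BlockSize:])
	want, data := plain[:sha256.Size], plain[sha256.Size:]
	if got := sha256.Sum256(data); !bytes.Equal(want, got[:]) {
		return nil, errors.New("sha256 check failed: wrong key string or damaged blob")
	}
	return data, nil
}

// EncryptQbotConfig is the inverse, added only so this example can build a sample blob
// offline; the malware itself ships its blob already encrypted in .data.
func EncryptQbotConfig(iv, config []byte, keyString string) ([]byte, error) {
	key := sha256.Sum256([]byte(keyString))
	block, err := aes.NewCipher(key[:])
	if err != nil || len(iv) != aes.BlockSize || (sha256.Size+len(config))%aes.BlockSize != 0 {
		return nil, errors.New("bad IV length or hash+config not block aligned")
	}
	sum := sha256.Sum256(config)
	plain := append(sum[:], config...) // checksum first, then the config, as the post describes
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(plain, plain)
	return append(append([]byte{}, iv...), plain...), nil
}
func main() {
	sample := []byte("campaign=tchk08\n") // constructed 16-byte config, not the real field layout
	blob, _ := EncryptQbotConfig(bytes.Repeat([]byte{0x41}, aes.BlockSize), sample, QbotKeyString)
	cfg, err := DecryptQbotConfig(blob, QbotKeyString)
	_, bad := DecryptQbotConfig(blob, "wrong-key") // the checksum exposes a wrong key string
	fmt.Printf("config=%q err=%v wrongKey=%v\n", cfg, err, bad)
}
```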