Configuration extraction tool for QBOT malware
Build the image from the repository root:

docker build . -t qbot-config-extractor
Then run the container with the -v flag to bind-mount a host directory (here ./data) into the container at /data, and point the tool at that container path:

docker run -ti --rm -v "$(pwd)/data":/data qbot-config-extractor:latest -d /data/
You can either specify a single sample with the -f option or a directory of samples with -d.
$ docker run -ti --rm -v "$(pwd)/data":/data qbot-config-extractor:latest -f data/c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a
=== Strings ===
# Blob address: 0x100840a0
# Key address: 0x10084040
[0x0]: ProgramData
[0xc]: /t4
[0x10]: EBBA
[0x15]: netstat -nao
[0x22]: jHxastDcds)oMc=jvh7wdUhxcsdt2
[0x40]: schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
...truncated...
=== RESOURCE 1 ===
Key: b'\\System32\\WindowsPowerShel1\\v1.0\\powershel1.exe'
Type: DataType.DOMAINS
18.104.22.168:443
22.214.171.124:995
126.96.36.199:443
188.8.131.52:443
184.108.40.206:443
220.127.116.11:443
18.104.22.168:443
...truncated...
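The tool prints its results as plain text, so getting the C2 list into a blocklist or IOC feed means parsing that output. The script below is an added example, not part of the qbot-config-extractor project: it parses the section layout shown above (the `=== Strings ===` block of `[offset]: value` lines, then `=== RESOURCE N ===` blocks with `Key:`, `Type:` and one `host:port` per line) into a structured report and returns the unique endpoints. It assumes the real output has exactly that shape; other sections or data types are not handled. The embedded input is a constructed, cut-down copy of the excerpt above.

```python
"""Parse qbot-config-extractor text output into structured IOCs.

Added example, not code from the qbot-config-extractor project. It assumes only
the layout visible in the README excerpt: a "=== Strings ===" block of
"[0xOFFSET]: value" lines, then "=== RESOURCE N ===" blocks with "Key:",
"Type:" and "host:port" lines. Other sections or data types are not covered.
"""
import ast
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SECTION_RE = re.compile(r"^=== (.+?) ===$")
STRING_RE = re.compile(r"^\[(0x[0-9a-fA-F]+)\]: (.*)$")
ENDPOINT_RE = re.compile(r"^([0-9.]+):(\d{1,5})$")


@dataclass
class Resource:
    name: str                                  # e.g. "RESOURCE 1"
    key: Optional[str] = None                  # key string as printed by the tool
    type: Optional[str] = None                 # e.g. "DataType.DOMAINS"
    endpoints: List[Tuple[str, int]] = field(default_factory=list)


@dataclass
class Report:
    strings: Dict[int, str] = field(default_factory=dict)   # offset -> decrypted string
    resources: List[Resource] = field(default_factory=list)


def _decode_key(raw: str) -> str:
    """Keys are printed as a Python bytes repr (b'..'); recover the plain text."""
    if raw.startswith(("b'", 'b"')):
        try:
            return ast.literal_eval(raw).decode("latin-1")
        except (ValueError, SyntaxError):
            pass
    return raw


def parse_endpoint(line: str) -> Optional[Tuple[str, int]]:
    """(ip, port) for a well-formed IPv4 host:port line, else None."""
    m = ENDPOINT_RE.match(line)
    if not m or not 0 < int(m.group(2)) < 65536:
        return None
    try:
        return (str(ipaddress.IPv4Address(m.group(1))), int(m.group(2)))
    except ValueError:                          # e.g. an octet above 255
        return None


def parse_report(text: str) -> Report:
    report = Report()
    section = None                              # "Strings", or the Resource being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...truncated...":
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1)
            if name.upper().startswith("RESOURCE"):
                section = Resource(name=name)
                report.resources.append(section)
            else:
                section = name
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                report.strings[int(m.group(1), 16)] = m.group(2)
        elif isinstance(section, Resource):
            if line.startswith("Key: "):
                section.key = _decode_key(line[5:])
            elif line.startswith("Type: "):
                section.type = line[6:]
            else:
                ep = parse_endpoint(line)
                if ep and ep not in section.endpoints:  # C2 lists repeat entries
                    section.endpoints.append(ep)
    return report


def c2_endpoints(report: Report) -> List[str]:
    """Unique host:port strings across all resources, sorted for IOC export."""
    return sorted({f"{ip}:{port}" for r in report.resources for ip, port in r.endpoints})


# Constructed sample: the README excerpt above, cut down to a few lines.
SAMPLE_OUTPUT = r"""
=== Strings ===
# Blob address: 0x100840a0
[0x0]: ProgramData
[0x15]: netstat -nao
...truncated...
=== RESOURCE 1 ===
Key: b'\\System32\\WindowsPowerShel1\\v1.0\\powershel1.exe'
Type: DataType.DOMAINS
18.104.22.168:443
22.214.171.124:995
126.96.36.199:443
188.8.131.52:443
18.104.22.168:443
...truncated...
"""
```

In practice you would feed the tool's stdout to `parse_report(sys.stdin.read())` and write `c2_endpoints(...)` to your blocklist. The deduplication step matters because the C2 list in the excerpt repeats 18.104.22.168:443, and the IPv4 validation drops any garbled line before it reaches a feed. Note that `_decode_key` keeps the key text verbatim rather than normalising it, since the printed key mimics the PowerShell path with the letter l replaced by the digit 1 (WindowsPowerShel1, powershel1.exe), and that spelling is itself worth preserving as an indicator.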
As mentioned above, Docker is the recommended way to run this project, but you can also run it locally. The project uses Poetry to manage dependencies, testing, and metadata. If you already have Poetry installed, run the following commands from this directory. They set up a virtual environment, install the dependencies, activate the virtual environment, and run the console script:
poetry lock
poetry install
poetry shell
qbot-config-extractor -h
Once that works, the -f and -d options behave exactly as described in the Docker instructions above.