Procmon malware analysis
12/20/2023

QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems. QBot can be delivered in various different ways, including malspam (malicious spam), or it can be dropped by other malware families like Emotet.

The infection flow for this campaign is as follows:

First, the victim receives a phishing email with a link to a malicious zip file. The zip file contains a heavily obfuscated VBS file which downloads and launches the QBot executable. The VBS file tries to download QBot from different places:

Notice the misleading URL: it looks like it is downloading a PNG image, but the raw data says something else.

QBot is packed with a custom packer, but the unpacking process is really simple. It allocates memory for the unpacked code using VirtualAlloc() and changes the memory protection using VirtualProtect(). So we just need two breakpoints, at VirtualAlloc() and VirtualProtect().

Most of QBot's strings are encrypted (stored in a continuous blob) and they are decrypted on demand. The decryption routine accepts one argument, the index of the string in the blob, then XORs the bytes from that index with a hardcoded byte array until it encounters a null byte. We can use IDAPython to decrypt the strings and add them as comments.

The last check is done using the CPUID instruction. First it is executed with EAX=0 to get the CPU vendor, which is compared with GenuineIntel (Intel processor). Then it is executed with EAX=1 to get the processor's features. On a physical machine the last bit will be equal to 0; on a guest VM it will be equal to 1.

After the anti-analysis checks, QBot drops a copy of itself along with a configuration file at "%APPDATA%\Microsoft\". Finally, QBot starts the dropped copy in a new process and overwrites itself with a legitimate executable, here "calc.exe".

Command 21: Collecting Installed Applications.