Reversing QakBot [TLP: White]

Malware family: Banking Trojan / Spyware


Recently we have been reversing a sample of QakBot that was shared by JAMESWT_MHT.

Source: The Hackers News

Static and Dynamic Analysis

Static Analysis: Basic


Hashes of the QakBot sample.


Strings present in the QakBot sample.


Imports present in the QakBot sample.

Static Analysis: Advanced

We missed the capabilities of our beloved Ghidra while analyzing this sample, so we deployed our other favourites, Cutter and IDA Pro.

First things first: reversing the main .dll with Cutter.

The main .dll contains only a few functions, around 13 in total.

Entry function:

Code of entry function.
Graph of Entry Function.

open_reg_key function:

Opens the registry key for modification.

Code of open_reg_key function.
Graph of open_reg_key.

fetch_module_rtrn_large_val function:

This function fetches the module handle if the address is mapped into memory and returns a large integer value.

Code of fetch_module_rtrn_large_val.
Graph of fetch_module_rtrn_large_val function.

allocate_vrtl_mem_rtrn_large_val function:

Code of allocate_vrtl_mem_rtrn_large_val function.
Graph of allocate_vrtl_mem_rtrn_large_val function.

fetch_stock_object_rtrn_null function:

Code of fetch_stock_object_rtrn_null function.
Graph of fetch_stock_object_rtrn_null function.

rtrn_null_load_icons_scramble_It_up function:

Code of rtrn_null_load_icons_scramble_It_up function.
Graph of rtrn_null_load_icons_scramble_It_up function.

Dynamic Analysis: Basic

VT Detection:

VirusTotal detection of Qakbot.

Registry Key Set:

These are the registry keys set by the QakBot .dll.

Registry Key Deleted:

These are the registry keys deleted by the QakBot .dll.

DLLs imported by this .dll:

These are the 4 .dlls imported by the QakBot .dll.

Process Terminated:

These are the processes terminated by the QakBot .dll.

Dynamic Analysis: Advanced

Debugging the .dll showed that it creates three other .dlls. The name of one of them differs every time the main .dll is opened in the debugger. Going through the code of these 3 .dlls in IDA Pro, it struck me that all 3 of them contain the same code.

Static analysis of one of the 3 .dlls:

main_app function:

Code of main_app function.
Graph of main_app function.

system_info_fetcher function:

Code of system_info_fetcher function.
Graph of system_info_fetcher function.

somewhat_main_loader_of_exploit function:

Code of somewhat_main_loader_of_exploit function.
Graph of somewhat_main_loader_of_exploit function.

This .dll also uses an anti-debug technique, as it imports RtlUnwind from KERNEL32.dll. Note that RtlUnwind is also used by ordinary structured exception handling, so the import by itself is a weak indicator and should be read together with the behaviour seen in the debugger.

YARA Signature:

YARA signature for QakBot detection.

C2 server:


C2 server scan on VT.

That’s all for today.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.
