ktwr-/Qbot_C2_extracter.py

## Qbot_C2_extracter.py
import binascii
import pefile
import ipaddress

from Crypto.Cipher import ARC4
from Crypto.Hash import SHA1

key = b'\\System32\\WindowsPowerShel1\\v1.0\\powershel1.exe'
#2fbafdc0451de65322a9aee65f28be319ad9574e

def extract_resource(file_name, res_name):
    pe = pefile.PE(file_name)

    if hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
        for resource_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:
            if hasattr(resource_type, 'directory'):
                for resource_id in resource_type.directory.entries:
                    if hasattr(resource_id, 'directory'):
                        if resource_id.name.string.decode() == res_name:
                            return pe.get_data(
                                resource_id.directory.entries[0].data.struct.OffsetToData,
                                resource_id.directory.entries[0].data.struct.Size
                            )


def data_decryptor(key_data, data):
    key= SHA1.SHA1Hash(key_data).digest()
    decrypted_config = ARC4.ARC4Cipher(key).decrypt(data)
    return decrypted_config

def main():
    # change file name.
    file_name = r"Qbot.dll"

    # You have to change resource name.
    resource_data = extract_resource(file_name, '89210AF9')
    decrypted_data = data_decryptor(key, resource_data)

    camp_data = decrypted_data[20:]
    if ( decrypted_data[:20] == SHA1.SHA1Hash(camp_data).digest()):
        print("[+] Qbot campaign ID")
        print("="*30)
        print(camp_data.decode('latin1'))
        print("="*30)
    # You have to change resource name.
    resource_data = extract_resource(file_name, '3C91E639')
    decrypted_data = data_decryptor(key, resource_data)
    ip_data = decrypted_data[20:]
    if( decrypted_data[:20] == SHA1.SHA1Hash(ip_data).digest()):
        print("[+] Qbot C2")
        print("="*30)
        k = 0
        ip_data = ip_data[1:]
        while(k < len(ip_data)):
            ip_item = ip_data[k:k+4]
            ip_port = ip_data[k+4:k+6]
            print("IP: {}".format(ipaddress.IPv4Address(ip_item)), end=':')
            print(int(binascii.hexlify(ip_port),16))
            k += 7
        print("="*30)

if __name__ == '__main__':
    main()
	import binascii
	import pefile
	import ipaddress

	from Crypto.Cipher import ARC4
	from Crypto.Hash import SHA1

	key = b'\\System32\\WindowsPowerShel1\\v1.0\\powershel1.exe'
	#2fbafdc0451de65322a9aee65f28be319ad9574e

	def extract_resource(file_name, res_name):
	pe = pefile.PE(file_name)

	if hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
	for resource_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:
	if hasattr(resource_type, 'directory'):
	for resource_id in resource_type.directory.entries:
	if hasattr(resource_id, 'directory'):
	if resource_id.name.string.decode() == res_name:
	return pe.get_data(
	resource_id.directory.entries[0].data.struct.OffsetToData,
	resource_id.directory.entries[0].data.struct.Size
	)


	def data_decryptor(key_data, data):
	key= SHA1.SHA1Hash(key_data).digest()
	decrypted_config = ARC4.ARC4Cipher(key).decrypt(data)
	return decrypted_config

	def main():
	# change file name.
	file_name = r"Qbot.dll"

	# You have to change resource name.
	resource_data = extract_resource(file_name, '89210AF9')
	decrypted_data = data_decryptor(key, resource_data)

	camp_data = decrypted_data[20:]
	if ( decrypted_data[:20] == SHA1.SHA1Hash(camp_data).digest()):
	print("[+] Qbot campaign ID")
	print("="*30)
	print(camp_data.decode('latin1'))
	print("="*30)
	# You have to change resource name.
	resource_data = extract_resource(file_name, '3C91E639')
	decrypted_data = data_decryptor(key, resource_data)
	ip_data = decrypted_data[20:]
	if( decrypted_data[:20] == SHA1.SHA1Hash(ip_data).digest()):
	print("[+] Qbot C2")
	print("="*30)
	k = 0
	ip_data = ip_data[1:]
	while(k < len(ip_data)):
	ip_item = ip_data[k:k+4]
	ip_port = ip_data[k+4:k+6]
	print("IP: {}".format(ipaddress.IPv4Address(ip_item)), end=':')
	print(int(binascii.hexlify(ip_port),16))
	k += 7
	print("="*30)

	if __name__ == '__main__':
	main()