import binascii | |
import pefile | |
import ipaddress | |
from Crypto.Cipher import ARC4 | |
from Crypto.Hash import SHA1 | |
# Fixed string that data_decryptor() hashes with SHA-1 to derive the RC4 key.
# Reproduced exactly as found, including the digit "1" in place of "l" in
# "Shel1"/"powershel1" — do not "correct" it or the key changes.
key = rb'\System32\WindowsPowerShel1\v1.0\powershel1.exe'
#2fbafdc0451de65322a9aee65f28be319ad9574e
# NOTE(review): the hex above is the author's own annotation; presumably the
# analysed sample's SHA-1 — not verifiable from this file.
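def extract_resource(file_name, res_name):
    """Return the raw bytes of the named PE resource, or None if absent.

    Walks the resource directory of *file_name* (type -> name -> language)
    and returns the data of the first language entry under the name-level
    entry whose string name equals *res_name*.

    Args:
        file_name: path of the PE file to parse.
        res_name: resource name as a str; compared against the decoded
            name string of the name-level directory entry.

    Returns:
        The resource payload as bytes, or None when the file has no
        resource directory or no entry with that name.

    Raises:
        pefile.PEFormatError: if *file_name* is not a parseable PE.
    """
    pe = pefile.PE(file_name)
    try:
        if not hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
            return None
        for resource_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:
            if not hasattr(resource_type, 'directory'):
                continue
            for resource_id in resource_type.directory.entries:
                if not hasattr(resource_id, 'directory'):
                    continue
                # Resources addressed by numeric ID carry no name; the
                # original dereferenced `name.string` unconditionally and
                # raised AttributeError on such entries.
                if resource_id.name is None:
                    continue
                if resource_id.name.string.decode() != res_name:
                    continue
                lang_entries = resource_id.directory.entries
                if not lang_entries:
                    continue
                data_struct = lang_entries[0].data.struct
                return pe.get_data(data_struct.OffsetToData, data_struct.Size)
        return None
    finally:
        # pefile keeps the file mapped until close(); release it even when
        # the walk raises.
        pe.close()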
def data_decryptor(key_data, data):
    """Decrypt *data* with RC4, keyed by the SHA-1 digest of *key_data*.

    Args:
        key_data: bytes hashed with SHA-1 to produce the 20-byte RC4 key.
        data: ciphertext bytes.

    Returns:
        The RC4 plaintext as bytes.
    """
    rc4_key = SHA1.SHA1Hash(key_data).digest()
    cipher = ARC4.ARC4Cipher(rc4_key)
    return cipher.decrypt(data)
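def _verify_payload(decrypted_data):
    """Return the payload of a decrypted resource, or None on checksum mismatch.

    The decrypted blob is laid out as a 20-byte SHA-1 digest followed by
    the payload; the digest must equal SHA-1(payload).
    """
    payload = decrypted_data[20:]
    if decrypted_data[:20] != SHA1.SHA1Hash(payload).digest():
        return None
    return payload


def _load_resource(file_name, res_name):
    """Extract, decrypt and verify one resource; print why when it fails.

    Returns the verified payload bytes, or None if the resource is missing
    or its embedded SHA-1 does not match (e.g. wrong resource name or key).
    """
    resource_data = extract_resource(file_name, res_name)
    if resource_data is None:
        # The original passed None straight into the cipher and crashed.
        print("[-] resource {} not found in {}".format(res_name, file_name))
        return None
    payload = _verify_payload(data_decryptor(key, resource_data))
    if payload is None:
        print("[-] SHA-1 check failed for resource {}".format(res_name))
    return payload


def _print_campaign_id(camp_data):
    """Print the campaign ID payload as latin-1 text."""
    print("[+] Qbot campaign ID")
    print("=" * 30)
    print(camp_data.decode('latin1'))
    print("=" * 30)


def _print_c2_list(ip_data):
    """Print the C2 list as IP:port lines.

    After a leading byte that is skipped, the payload is a sequence of
    7-byte records: 4 bytes IPv4 address, 2 bytes big-endian port, and one
    byte this script does not interpret.
    """
    print("[+] Qbot C2")
    print("=" * 30)
    entries = ip_data[1:]
    for offset in range(0, len(entries), 7):
        record = entries[offset:offset + 7]
        if len(record) < 6:
            # A short tail would make IPv4Address() raise in the original.
            print("[!] ignoring {} trailing byte(s)".format(len(record)))
            break
        ip_addr = ipaddress.IPv4Address(record[:4])
        port = int.from_bytes(record[4:6], 'big')
        print("IP: {}:{}".format(ip_addr, port))
    print("=" * 30)


def main(file_name=r"Qbot.dll", campaign_res='89210AF9', c2_res='3C91E639'):
    """Extract and print the campaign ID and C2 list from a Qbot DLL.

    Args:
        file_name: path of the sample; defaults to "Qbot.dll" in the
            working directory.
        campaign_res: name of the resource holding the campaign ID. The
            name is sample-specific and must be changed per sample.
        c2_res: name of the resource holding the C2 list; likewise
            sample-specific.
    """
    camp_data = _load_resource(file_name, campaign_res)
    if camp_data is not None:
        _print_campaign_id(camp_data)
    ip_data = _load_resource(file_name, c2_res)
    if ip_data is not None:
        _print_c2_list(ip_data)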
# Script entry point.
if __name__ == '__main__':
    main()