Automate Qbot Malware String Decryption With Ghidra Script

2.2K views
Nov 13, 2021
38:09

View our malware analysis training: https://AGDCservices.com/training/

Follow me on Twitter for RE tips and resources: https://twitter.com/AGDCservices

View our malware analysis products to aid in your RE efforts (Ghidra / python scripts, tools, and individual analysis results): https://github.com/agdcservices

Get resources to help with learning malware analysis: https://agdcservices.com/blog/resources-for-learning-malware-analysis/

Qbot is a common banking malware that includes hundreds of encrypted strings throughout the binary. You need to decrypt the strings to quickly identify locations of interest and extract key IOCs. This video provides a Ghidra script that will decrypt all of the obfuscated strings, put a comment of the decrypted string at the location of use, and print a list of all the strings for easy review. The script will also be run on a second variant to demonstrate how to locate the key variables needed for the script's operation on any Qbot variant.

The Ghidra decryption script, f5ff6dbf_String_Decryption.py, is on GitHub for you to download and use to assist in your RE efforts: https://github.com/AGDCservices/Collection-Of-Individual-Malware-Analysis-Products

Download the malware samples at https://malshare.com to review in your own analysis lab:

Sample 1: f5ff6dbf5206cc2db098b41f5af14303f6dc43e36c5ec02604a50d5cfecf4790
Sample 2: da05722fd87989e188845773fce82c382b40d18e48130afa1f985cac6f63ca0f

#ReverseEngineering #MalwareAnalysis #SRE #RE #Ghidra #QBot #Quakbot #Malware #Crypto