Our last grap post demonstrated how to use grap to create and find patterns within QakBot samples.
This post focuses on QakBot’s documented strings decryption feature:
- Create patterns to find the function where it is implemented
- Extract relevant variables (decryption key…)
- Automate decryption:
  - within IDA
  - as a standalone script using pefile and grap bindings

References
[1] - Reversing Qakbot - https://hatching.io/blog/reversing-qakbot/
[2] - Deep Analysis of QBot Banking Trojan - https://n1ght-w0lf.
Article Link: https://blog.quosec.net/posts/grap_qakbot_strings/