
The Reverser's Draft

The Abuse of Exception Handlers

The Definition

Everyone interested in programming has probably run into the all-too-familiar "try-catch" construct. It is nothing new, and it is what we will talk about today. I have always said that it is good to understand what happens behind the scenes. Speaking of try-catch, there is nothing mysterious about it; it is fairly easy and simple to understand. But most of the time we only talk about the surface of it and do not dig into the details.

Qakbot Analysis

The Qakbot Malware Family

QBot is a modular information stealer also known as Oakboat, Pinkslipbot, Qbot or Quakbot. It has been active since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses C2 servers to target and download further payloads.

Loader

When I got this sample, the first things that caught my eye were the lack of strings and the number of sections and their names, which is not normal for a binary.
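A triage script for exactly that first look, added here as an example (it is not the author's tooling and nothing in it comes from the Qakbot sample): it walks the PE section table, scores each section's byte entropy, and counts printable strings, then flags an image whose sections have unusual names, look encrypted, or carry almost no strings. The two PE images are constructed inline (parseable, not loadable); the "common section names" set and the thresholds are my own heuristic assumptions.

```python
import hashlib
import math
import struct

# Assumption: section names a stock MSVC/MinGW build normally carries.
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata",
                        ".edata", ".rsrc", ".reloc", ".tls", ".pdata"}
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(buf):
    """Bits per byte: close to 8.0 for packed/encrypted data, low for code or text."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def ascii_strings(data, min_len=5):
    """Printable-ASCII runs of at least min_len bytes (like `strings -n`)."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def parse_sections(data):
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]    # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size  # signature (4) + COFF header (20) + optional header
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HDR, data, table + 40 * i)
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rsize, "raw_offset": rptr,
                         "characteristics": flags, "entropy": shannon_entropy(raw)})
    return sections


def triage(data, min_strings=10, entropy_threshold=7.0):
    """Flag odd section names, encrypted-looking sections and a string-starved image."""
    sections = parse_sections(data)
    strings = ascii_strings(data)
    unusual = [s["name"] for s in sections if s["name"] not in COMMON_SECTION_NAMES]
    dense = [s["name"] for s in sections if s["entropy"] > entropy_threshold]
    return {"section_count": len(sections),
            "section_names": [s["name"] for s in sections],
            "unusual_names": unusual,
            "high_entropy_sections": dense,
            "string_count": len(strings),
            "suspicious": bool(unusual or dense or len(strings) < min_strings)}


def build_pe(sections):
    """Constructed minimal PE32: DOS stub, COFF header, zeroed optional header,
    section table, raw data. Test input only; it will not run."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    hdrs, blobs = b"", b""
    for i, (name, raw) in enumerate(sections):
        hdrs += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\x00"), len(raw),
                            0x1000 * (i + 1), len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        blobs += raw
    return dos + b"PE\x00\x00" + coff + opt + hdrs + blobs


def pseudo_random(seed, size):
    """Deterministic high-entropy filler standing in for a packed payload."""
    out = b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest()
                   for i in range(size // 32 + 1))
    return out[:size]


# Constructed sample 1: ordinary layout with readable import names in .rdata.
BENIGN_PE = build_pe([
    (".text", b"\x55\x8b\xec\x83\xec\x10\x90\x90" * 32 + b"\xc3"),
    (".rdata", b"\x00".join([b"kernel32.dll", b"CreateFileW", b"WriteFile",
                             b"ReadFile", b"CloseHandle", b"user32.dll",
                             b"MessageBoxW", b"Hello from a normal build"]) + b"\x00"),
    (".rsrc", b"\x00" * 128)])

# Constructed sample 2: meaningless section names, every section looks encrypted.
SUSPICIOUS_PE = build_pe([(n, pseudo_random(n, 1024))
                          for n in (".a1b2", "qwer", ".s3c", ".zz9")])

if __name__ == "__main__":
    for label, image in (("benign", BENIGN_PE), ("suspicious", SUSPICIOUS_PE)):
        print(label, triage(image))
```

Run it against a real file with `triage(open(path, "rb").read())`; a loader whose sections are all near 8.0 bits per byte and whose visible strings are only section names is the picture described above, and the next step is to find the routine that decrypts or decompresses those sections at runtime.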

Zero 2 Auto Custom sample - Part 2

Binary Ninja Plugin

To start this second part of the custom sample analysis, I would like to add the script created using Binary Ninja. You can find the doc here. The script is not complex (if you have any suggestions to improve it, please share them with me :)), and it is probably not the fanciest code you have seen, but it is something that works, lol. It can be found on my GitHub page.

Zero 2 Auto Custom sample - Part 1

The IR Case

Hi there, During an ongoing investigation, one of our IR team members managed to locate an unknown sample on an infected machine belonging to one of our clients. We cannot pass that sample onto you currently as we are still analyzing it to determine what data was exfiltrated. However, one of our backend analysts developed a YARA rule based on the malware packer, and we were able to locate a similar binary that seemed to be an earlier version of the sample we’re dealing with.