{
	"id": "18122925-9acd-45f9-86cd-c08057fc1915",
	"created_at": "2026-04-10T03:20:50.548851Z",
	"updated_at": "2026-04-10T13:12:14.992003Z",
	"deleted_at": null,
	"sha1_hash": "0b15d8f2d9560bef8ffdf5dbcf7b7b8640bb5496",
	"title": "Qakbot levels up with new obfuscation techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 270547,
	"plain_text": "Qakbot levels up with new obfuscation techniques\r\nBy Ashlee Benge\r\nPublished: 2019-05-02 · Archived: 2026-04-10 03:05:13 UTC\r\nThursday, May 2, 2019 11:04\r\nExecutive summary\r\nQakbot, also known as Qbot, is a well-documented banking trojan that has been around since 2008. Recent\r\nQakbot campaigns, however, are utilizing an updated persistence mechanism that can make it harder for users to\r\ndetect and remove the trojan. Qakbot is known to target businesses with the hope of stealing their login credentials\r\nand eventually draining their bank accounts. Qakbot has long utilized scheduled tasks to maintain persistence. In\r\nthis blog post, we will detail an update to these schedule tasks that allows Qakbot to maintain persistence and\r\npotentially evade detection.\r\nInfection chain\r\nVictims of this malware are typically infected via a dropper. Once infected, a victim machine will create a\r\nscheduled task. This task will execute a JavaScript downloader that makes a request to one of several hijacked\r\ndomains.\r\nThe command line string that create this task is:\r\nC:\\Windows\\system32\\schtasks.exe /create /tn {guid} /tr cmd.exe /C \"start /MIN\r\nC:\\Windows\\system32\\cscript.exe /E:javascript \"C:\\Users\\USERNAME\\ymwoyf.wpl\" /sc WEEKLY /D\r\nTUE,WED,THU /ST 12:00:00 /F\r\nThis downloader is executed using the command:\r\ncmd.exe /C start /MIN C:\\Windows\\system32\\cscript.exe /E:javascript C:\\ProgramData\\\\puigje.wpl\"\r\nC:\\Windows\\system32\\cscript.exe /E:javascript C:\\ProgramData\\puigje.wpl\r\nCisco Talos first observed a spike in requests to these hijacked domains on April 2, 2019. This coincides with\r\nDNS changes made to these domains on March 19, 2019. Additionally, the comment string \"CHANGES 15.03.19\"\r\nis contained within the malicious JavaScript downloader, suggesting this actor updated the code on March 15.\r\nThis indicates that these changes to the Qbot persistence mechanism seem to coincide with the launch of a new\r\ncampaign.\r\nhttps://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html\r\nPage 1 of 7\n\nAn example downloader with dated comment line.\r\nThis downloader always requests the URI \"/datacollectionservice[.]php3.\" from these hijacked domains. The\r\ndomains used by the downloader for this request are XOR encrypted at the beginning of the JavaScript. The\r\nresponse to this request is obfuscated data that will be saved as (randalpha)_1.zzz and (randalpha)_2.zzz. The first\r\n1,000 bytes of data are saved to the first .zzz file, while the remainder goes to the second file. The data in these\r\nfiles is decrypted with the code contained in the JavaScript downloader.\r\nAn example of the JavaScript used to decode the obfuscated .zzz files.\r\nAdditionally, a scheduled task is created to execute a batch file.\r\nAn example of this batch file.\r\nThis code serves to reassemble the malicious Qakbot executable from the two .zzz files, using the type command.\r\nThe two .zzz files are then deleted after the reassembled executable is run. The functionality of the Qakbot\r\nmalware remains the same.\r\nConclusion\r\nhttps://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html\r\nPage 2 of 7\n\nThere has been a change in the infection chain of Qakbot that makes it more difficult for traditional anti-virus\r\nsoftware to detect. This may allow the download of the malware to go undetected, as the malware is obfuscated\r\nwhen it is downloaded and saved in two separate files. These files are then decrypted and reassembled using the\r\ntype command. Detection that is focused on seeing the full transfer of the malicious executable would likely miss\r\nthis updated version of Qakbot. Because of this update to persistence mechanisms, the transfer of the malicious\r\nQbot binary will be obfuscated to the point that some security products could miss it.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this\r\npost. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower\r\nManagement Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nhttps://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html\r\nPage 3 of 7\n\nIOCs\r\nC2 domains observed\r\nlg[.]prodigyprinting[.]com\r\nhp[.]prodigyprinting[.]com\r\nlayering[.]wyattspaintbody[.]net\r\npainting[.]duncan-plumbing[.]com\r\nQakbot hashes\r\n00e4f65b721b334c3aa40e0c0fdc63107965874981fbfef1fc6a3ebb9d6c8d1c\r\n042b8c8ae4525b7fd067c6960def5bb01817bf884db9db0db42c2a3cb10ff327\r\n0633c16d45f6fdc9fd6ba13c86572bfb571e2307ea051e2c119b59458000b51d\r\n0dbf3f0a6a6b77eddd6e63849f2cea98edb855847a51ec313e7b764c5a5a3a59\r\n104d491cd7c6e3f7930edb780bed08fc88012a0f7f77f01ef987f270c9169b49\r\n1430582ad86023fe4b75f4721158ab72c28bef13592ad4462ac30f7b0784cc37\r\n20e53f19fb58b36c93fff100d0e003ff6e88017d6ee6ae8e56d72ba3e1827250\r\n21898a62a58602b67b39ea4c5ce971be4d73c861a1abff22337d2531f7b18d29\r\n2f5b2a72e40226c54871113b18d4e62c76d4cd05eb50a84c02774ed13daee411\r\n33e97cb8c1508b7795748e54634ebcd9b04259f14ef1f5dce32bad765885649a\r\n386796dcf6f731d43182b57dcaf1f7a9db346f84fdde59ea4c40e574983dd4e3\r\n3bd16f8213ff33b7e6ad5ba0974c2674e9a8f5a4b2a914006dbe060cec57d56e\r\n3c5fe3251afef44143b119f6ca45503dda70b51e006b882e9b0666a380c99774\r\n3f1eb5d603074d6d56d99cad4a31fad015e45855e9dbf0ea3ae1969077358a25\r\n42f6a0b64b8dda86c3905a12c3921ead06fa3f24b1231d1bcac7762fb54437d2\r\n45cbe796d27e48e8983eba169a72c5c3da03053ffd9ea519173482bed8af666e\r\n47df7cecfaf49a99c3ac8ebd5b47e4afe46658428dfc4818d7a968e0d84d6e19\r\n482f9255b94f1a7813e3cf631ac4bd14c559694b6162fadc6888a83d5c8f18dd\r\n485dda6eb0574979a04ba831df8ca0588cf034b3005d17153fb56088d31fd487\r\n4ca4665d30d38df77d13ed756d2310faaabc42e3eb3a1b18c26e1698f3e073bd\r\n4efdd3448fbaaa164c0735891512ece65f78d9160ffef0f1983e9539b1c502d7\r\n507d93bc04f4a52e451ec8e212f52397ff25b93e4ea3c9ab54fdd24c2c200171\r\n523789702a134745c78a1430ccc1704650181b2f4f773862d44d45ccf139b93f\r\n52b9d903cf6e578f781af3b1f38263fb2d81282a188e25cacf765d723d3de563\r\n5ac4fbe00b773cbeb52c58234a5d2676f1cf0961385eb6b73934fccdf82a6605\r\n630ba9a1630e90bdbe3d1f63161dc07714818f5b3010f6f9af6e624746529975\r\n6372b115bd5eb33d586519ce478ce161420c53e3d92103f2d8b2bb0e6efedfb8\r\n63cb6cf78b6263ccb6308de73f8084debacf62b88315809473f5b7ffbf9fcbf8\r\n668e1c7275dd3000fd0f24f2a5f9004fc5fd5293c646ad44882122889a99f353\r\n68b9de2981e3d74fbc83b3e26a45eda5611fd1791362d775e12b6db5f1f5f646\r\n6d0f5953b6a2234e00e720b297cdfa12a4d9074a92b85e9e5c508938b5907a0a\r\n6e840301949f41830b927ef569e581d349820387a3ff45a90ef4ec8e4f6f0e86\r\nhttps://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html\r\nPage 4 of 7\n\n6f840523ce151950e40e24bfedc27e6ba17a9f65b2a4c3105b543b44e153037d\r\n7086dd6a001e339ae9f789301de2fda398964799094587d55a8860199cdcbcba\r\n72a45d06936294c83c321d4fb312bdaa9b3afdc089975021f4b80d1046f62623\r\n75822e46bf9e827346da33141b8b69bb6210a29f2996d246d565e9567f95e9fe\r\n7758f78992fe71389e36b63d0b22f174d67b8139a80c96df5ebdcef7f1eaa954\r\n7772c892e7a846a7c7d852b73237f2d5e3aea485d423ddccfd7b66262b2a0a7a\r\n77833ef35c69cee4d6c43b13330ef71f08db13290d3d079040ab5d0298a57ccf\r\n78b83e6f1612dd86338faadbccd2b05ecdbcdf221ab694daa6fe1ce0928e2d68\r\n78e917a47f28905498694ec901ae7619c46c71d5f57879ad0a43a451d107b8a1\r\n7e9e493e41fab952e0a5681782a54954447abc3df6ef1d1860e59e586ea6c990\r\n81788d067834ea0298b88cc251ac4b56820bbb85c77345b35886c9af1b139e1c\r\n82bf2bf053fc21efd2b09403bb489d1f32e30ff4523a50963f05394524264ac6\r\n83a60ac3d70283ff82eeacdb500a204170c5ffcc6f59cbc30c0e7a5410ecb293\r\n83c4d91f93f56abf7504faa83a01a84210eb55de991131240a55dd22cb3cb55a\r\n87bf71ceaeacb6a70d86e6ff96ba4e1d2232c2b84242e8cef7ba30b5de47b4a4\r\n89b01325e7a7a8e41d598d07efec7ade3b5da72a97d0a02054c8be8edf41ceb7\r\n8a8e093089e7d144e5cbef20b5010a27da9c29ac0d64a924bb311a3a50ea5b05\r\n8b88a48e14aec83e1c87fe6ca7a66ad718a82276766756f5741fb446bfc0db8f\r\n8bbb44176e94f4e65cc6862e62f3b1544617edc889105e9af07886c0a62942ac\r\n8fa303e89e0f25b4929d3a175c948e3b5a1b257a50911f3eeaaab7f3218077e3\r\n9430fe8f223db4b551ed77e61ac6d38efee348940018ae9e1c15827f53cc618d\r\n9548afeb0037077a1e98feabe952472b6882eccd4c8ef6e1d3a93370198fa6a5\r\n99005c7ebde6c9d72e84fbf246c7b8aacc8e3c39132834b846a5ed4d49b1dcd5\r\n9926bc84e414ad65947461955bf043fe1dd11358f5d517785f6d0571b9acf548\r\n996ebea3b2e4b269cc10051f8a5d90cb0e68dee16a6000ff35bac85cb17024d4\r\n9f2bf3c3efdd1e388f87a64bac0bfc4b756cc923b428e85ef9e67a86f79c0bc7\r\na0ea5b224ee2a85334cf434805edb9dd57b100975fd3c0a564b03d28a5203ee2\r\na4416996ae9e25b496a343f5a94366ea33ac8797eccd289a83402978b03d371f\r\naa11c00bc40f9bea2aff915d9cbf89e067aabdf764e52d664e7337545ffca04b\r\nabdcb3156ed4bcc5bce29f621ee8593fec625f74b3d1580cd1aa6e7557f822cf\r\nbd1190f7470b3219446024c9b85d1533d5ba56d24bcc618adfb05333c350ec8b\r\nbddac88644d3e23abba825283df777b76676b5348fd7225aa3dc3ead39ff7201\r\nbef299f5cff4b601adc6c8cde21d22465d19846f2f97d81fa8ea2439a4867864\r\nc075b937f4ad0b6077253ad1ebc8cf531c6f1ba167f90cd6ed77fc7a44684340\r\nc4f10d10da4598d970ada132f7a476f74902143567d45afd4858d4d9fa7210af\r\nc6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0\r\nc6ef40e940c92b8399792521eb677f5238e21ecf99834826990153efa41064ba\r\nc77ed215f5ca3eb4b5ab6926b32392c4d58bcaaa9ad1d585632372e7f059360f\r\nc97049d43b38577c01ef508c6ba5f6d15a3002728e5896b5d4982ee206a12a8b\r\ncd00617dd8eac1a70bff92d029861487197eb486deb0c4c66542af50309bc535\r\ncd9d8c6c3bc14559d5da15887c5c12be6ac6241b9c36d1fcc0063ad489d14bb5\r\ncdac2ca810ed43d4bd9bf7ade4b0a8dbc26fbeed3f11eee1aa5cb8334b6d6105\r\nhttps://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html\r\nPage 5 of 7\n\nd8b5067443c940864e972369e259a0826bb3774487c8605d6e5e870510d41504\r\nda823b80766ffc75ed32751ea6ded68e132976d28416fb78bddccd489372f069\r\ne30ddbd161e44cf7823b1850604d1cf87d4b9c9af8d0407bde05e7bb758a0559\r\ne3f9e76406739c68be2cd6a228131a63662e16fcf757c6251f5e4d0905ab3cd0\r\ne8f943454ab41dbd019434e0716d923fb87547cf73306b164ada93612d5f263f\r\ne8fff8ac794b44fade6bdf14f08104012bafff894e44003b84808a5bfd2cebbb\r\ne946b516013cb6cff31e21ee2ccabd1b8ce1e5ed5a4f9e36ffad07c4d880e417\r\nedf907d35b16877a6ff344bdb62852f0f1c418bc4f83072b518204e398e61365\r\nf9969aaab5276399d486a0619840e41e63340c1106f1e2652eb098052d8a2241\r\nfa3bc57c23c5f60050d5b6673681d8bc170d5c9417cfc4c231d3794800400315\r\nfe294978397abe1f23b88e47a94d516c977cd0c9cb368bcdc20f5f3899daf6bd\r\nJavascript hashes\r\ndd8c25c7483acb627935b3ec6de505aa7fdf95ee4db8108b89d0deb57510217c\r\n581fe44b3da62d2155452beeda2f20f63fa042271a97cd8e016b4f6f6f8b575f\r\n37f2b74550724859eb8b30fd60d8580c0e4eb6dc64d5d55e46774967fb0b9719\r\n9a849f42734c1bad3fa3c3b5cb5d8781c21e6241f8977636774384e6177756f2\r\n88b780e35400a63e5f2526e67287508865801f4c176b449c9bd9897a6f4d099e\r\nb853bf59cbfa95d5c76c76b5cf583d867929ffd164e248e33f55929ce0f65456\r\n84defbc371379f548cbfc7837128f33c35a2a95835d93e287c6c2f7f8428d910\r\nfa209beccf0fe4883b900462ecdf25f7a405adc962f393e116a556f4018773a3\r\nf7ea4652a096c007a233fb588d7a1b129a1b68829f78d58bb67b33c3582f032d\r\n16ea880880c3466e3ff95bc3df309242861b0d43600862b0e9f563bda90d00d3\r\n11447fbf6b64d137ab09ae7c861719169650a06ccc44abf0bcbbac8f5830343b\r\ne57062a03e0397ba7b5edba76b92f6e00e00a3f5f3126335a152803ba9dea5a9\r\nf3667a47b00bd70f06cefa19de31ccd818095638059f2fe237096741c6b47863\r\n86e07fcea780307b1ef2151b19a41170262947193b7b5b8998203ee0bb648c14\r\nd0fefd2af365336288bc8d7c9bb3d840e483cccf8c2afe493e3dc71e402a78c8\r\n3876816f0cc13e72c2ed64e857090c6a78106b9accc5f8d8fd90652a293890be\r\n170f58ca16e031ce31d117ba36a525189cfe4a08fece3fe1d65f18d293e2c7fe\r\ne64d432aac6c9209d84b9e9b9b77bae4148dba91f49e2871c6a14a2d0777e8e0\r\n8041bc11d40ef808f9a25a5b3d2104aa67e6ba5a696d1bd352ccdf8b3039df9b\r\n1333715b86d4009eb40b92675ed494dda786c275ccdcd59644ea3b0408df3d08\r\n59dbf5984c48109a16de20656a3305269f4afa66e8864276e69d900d6cfe92c0\r\n5468b140b70a7c6566cc7bc60e11e32d0165015df59fc448588fa9f7c68a5c94\r\n82a13c434e21f40bf5f1e7e2694784e2152834c3c5e7188026efd4d698d63d8d\r\n2ce2651e7ea2ece2b45cadbf7ef916a998d14bbf3830631cf1de6c4c28a97d80\r\nce65b98b78ee749c5db5cb678cb6a8f21f568446a9e7433f6cb3c2d648602512\r\nb76cc76001cb245697bab1d14b0b0a9c85dc0a034d70f70cc7b4a207124b932f\r\nc9ce209cbc4d3a733ed2dc6ff65318ab0d49506a9b406e8c11805b762c80d2b0\r\nhttps://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html\r\nPage 6 of 7\n\nSource: https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html\r\nhttps://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html"
	],
	"report_names": [
		"qakbot-levels-up-with-new-obfuscation.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791250,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b15d8f2d9560bef8ffdf5dbcf7b7b8640bb5496.pdf",
		"text": "https://archive.orkl.eu/0b15d8f2d9560bef8ffdf5dbcf7b7b8640bb5496.txt",
		"img": "https://archive.orkl.eu/0b15d8f2d9560bef8ffdf5dbcf7b7b8640bb5496.jpg"
	}
}