{
	"id": "5cf84e46-9057-413d-8de1-80e836774730",
	"created_at": "2026-04-06T00:19:01.157455Z",
	"updated_at": "2026-04-10T03:21:18.296533Z",
	"deleted_at": null,
	"sha1_hash": "f6acc2c49f1c2931acd6feb174bb03d20ab1533f",
	"title": "Qakbot Series: String Obfuscation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 264018,
	"plain_text": "Qakbot Series: String Obfuscation\r\nPublished: 2022-04-10 · Archived: 2026-04-05 14:23:34 UTC\r\nIn late March 2022, I was requested to analyze a software artifact. It was an instance of Qakbot, a modular information stealer known since 2007. Unlike other analyses I do as part of my daily job, in this particular case I can disclose wide parts of it with you readers. I’m addressing them in a post series. Here, I’ll discuss the string obfuscation technique based on this specific sample.\r\nLooking at the strings embedded in a software artifact is one of the first approaches an analyst may attempt during the triage stage. For those of you who don’t know what I’m talking about, strings are sequences of bytes that, once interpreted as characters, form meaningful words. During the process that starts with a program’s source code and ends with that program being compiled and ready to run, strings are usually preserved. What does that mean? It means that if you have a string in the source code, e.g. a path or a function name, then that string will lie in the object code after the compilation of the sources. Strings may be a useful source of information to quickly understand the capabilities of a piece of software and immediately focus on specific areas of the artifact deserving a closer look. Strings can be statically extracted, i.e. you don’t need to execute the software to obtain them.\r\nNaturally, malware developers know the importance of strings during the analysis process. Therefore, they tend to hide this source of information in their products. One easy and cheap technique to hide strings like variable names and function names is to strip them from the binary. This is achievable simply by compiling the source with particular flags. Another technique aimed at hiding the most valuable strings is called string obfuscation. String obfuscation consists in storing the strings in encrypted or obfuscated form so that they cannot be recognized and extracted from the artifact. Those strings are decrypted at runtime and consumed by the software when they are needed. The Qakbot sample I analyzed implements a string obfuscation technique.\r\nIndeed, the string analysis of the sample under analysis wasn’t really fruitful when I tried it. There were not many meaningful strings overall, and most of them were unreferenced or, in general, not providing any insight. There was only one exception: the presence of 18 very long and apparently meaningless strings. We postpone a discussion about their purpose to another post since it regards another anti-analysis technique. The reason why the string analysis wasn’t so effective is that the vast majority of the strings are obfuscated to hide evidence of the malware capabilities.\r\nhttps://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/\r\nPage 1 of 3\r\nFigure 1 - Qakbot string deobfuscation function\r\nAll the meaningful and relevant strings are stored in obfuscated form in two contiguous blobs. The first blob is located at 0xb542b8 and the second blob is located at 0xb551f8. A string is de-obfuscated by xor-ing the specific part of the blob with a key stored as a contiguous sequence of bytes. Each blob is xor-ed with a different key. There are two instances of the function implementing the string de-obfuscation: one starts at 0xb302c6 and the other starts at 0xb227a1. As you may notice from Figure 1, showing the decompiled code for one of those instances, it expects four arguments: the blob where the string is contained, the size of the blob, the xoring key, and the starting offset of the obfuscated string within the blob.\r\ndef deobfuscate_string(blob1: bytes, p1: int, blob2: bytes, p3: int) -\u003e bytes:\r\n    # blob1: obfuscated blob, p1: size of the blob,\r\n    # blob2: xor key (indexed modulo 0x5a, i.e. a 90-byte key), p3: offset of the string in the blob\r\n    l8 = 0\r\n    i = p3\r\n    # Find the string length: the string ends at the first position where the\r\n    # key byte equals the blob byte, i.e. where the xor would yield a NUL terminator.\r\n    if p3 \u003c= p1:\r\n        while i \u003c= p1:\r\n            if blob2[i % 0x5a] == blob1[i]:\r\n                l8 = i - p3\r\n                break\r\n            i += 1\r\n    lc = bytearray([0] * (l8))\r\n    i = 0\r\n    # Xor the l8 bytes starting at offset p3 with the key, wrapping the key every 0x5a bytes.\r\n    if l8 \u003e 0:\r\n        while i \u003c l8:\r\n            lc[i] = blob2[(p3 + i) % 0x5a] ^ blob1[p3:][i]\r\n            i += 1\r\n    return bytes(lc)\r\nListing 1 - Python translation of the string deobfuscation function\r\nListing 1 shows a Python 3 translation of the Qakbot string deobfuscation function. I had to code it since the offset of many strings in the sample code is computed at runtime instead of being hardcoded. That function replicates the algorithm implemented in the sample. Here you will find a complete list of the de-obfuscated strings produced by our script. For each string I mention the containing blob and the starting offset within the blob. In that list you’ll find a lot of potentially interesting elements regarding the malware capabilities. I’ll discuss some of them in the coming blog posts.\r\nAs always, if you want to share comments or feedback (rigorously in broken Italian or broken English) do not hesitate to drop me a message at admin[@]malwarology.com.\r\nSource: https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/"
	],
	"report_names": [
		"qakbot-series-string-obfuscation"
	],
	"threat_actors": [],
	"ts_created_at": 1775434741,
	"ts_updated_at": 1775791278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6acc2c49f1c2931acd6feb174bb03d20ab1533f.pdf",
		"text": "https://archive.orkl.eu/f6acc2c49f1c2931acd6feb174bb03d20ab1533f.txt",
		"img": "https://archive.orkl.eu/f6acc2c49f1c2931acd6feb174bb03d20ab1533f.jpg"
	}
}