{
	"id": "01d5ba7d-2a4f-4ef9-9acb-f0e528084bd2",
	"created_at": "2026-04-06T00:09:56.024011Z",
	"updated_at": "2026-04-10T13:11:22.349332Z",
	"deleted_at": null,
	"sha1_hash": "9d0947318fda612eecbdb05ec35b0fd65da621b7",
	"title": "Researchers Decrypted Qakbot Banking Trojan’s Encrypted Registry Keys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 278003,
	"plain_text": "Researchers Decrypted Qakbot Banking Trojan’s Encrypted Registry Keys\r\nBy The Hacker News\r\nPublished: 2022-01-13 · Archived: 2026-04-05 13:00:26 UTC\r\nCybersecurity researchers have decoded the mechanism by which the versatile Qakbot banking trojan handles the insertion of encrypted configuration data into the Windows Registry.\r\nQakbot, also known as QBot, QuackBot and Pinkslipbot, has been observed in the wild since 2007. Although mainly fashioned as an information-stealing malware, Qakbot has since shifted its goals and acquired new functionality to deliver post-compromise attack platforms such as Cobalt Strike Beacon, with the final objective of loading ransomware on infected machines.\r\n\"It has been continually developed, with new capabilities introduced such as lateral movement, the ability to exfiltrate email and browser data, and to install additional malware,\" Trustwave researchers Lloyd Macrohon and Rodel Mendrez said in a report shared with The Hacker News.\r\nIn recent months, phishing campaigns have culminated in the distribution of a new loader called SQUIRRELWAFFLE, which acts as a channel to retrieve final-stage payloads such as Cobalt Strike and QBot.\r\nNewer versions of Qakbot have also gained the ability to hijack email and browser data as well as insert encrypted configuration information pertaining to the malware into the registry as opposed to writing it to a file on disk, as part of its attempts to leave no trace of the infection.\r\n\"While QakBot is not going fully fileless, its new tactics will surely lower its detection,\" Hornetsecurity researchers pointed out in December 2020.\r\nTrustwave's analysis of the malware aims to reverse engineer this process and decrypt the configuration stored in the registry key, with the cybersecurity company noting that the key used to encrypt the registry key value data is derived from a combination of computer name, volume serial number, and the user account name, which is then hashed and salted along with a one-byte identifier (ID).\r\n\"The SHA1 hash result will be used as a derived key to decrypt the registry key value data respective to the ID using the RC4 algorithm,\" the researchers said, in addition to making available a Python-based decryptor utility that can be used to extract the configuration from the registry.\r\nSource: https://thehackernews.com/2022/01/researchers-decrypted-qakbot-banking.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2022/01/researchers-decrypted-qakbot-banking.html"
	],
	"report_names": [
		"researchers-decrypted-qakbot-banking.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434196,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d0947318fda612eecbdb05ec35b0fd65da621b7.pdf",
		"text": "https://archive.orkl.eu/9d0947318fda612eecbdb05ec35b0fd65da621b7.txt",
		"img": "https://archive.orkl.eu/9d0947318fda612eecbdb05ec35b0fd65da621b7.jpg"
	}
}