S0650 QakBot

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[1][2][3][4]

| Item | Value |
|---|---|
| ID | S0650 |
| Associated Names | Pinkslipbot, QuackBot, QBot |
| Version | 1.0 |
| Created | 27 September 2021 |
| Last Modified | 15 October 2021 |

Associated Software Descriptions

| Name | Description |
|---|---|
| Pinkslipbot | [3][4] |
| QuackBot | [3] |
| QBot | [1][2][3][4] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | QakBot has the ability to use HTTP and HTTPS in communication with C2 servers.[5][6][3] |
| enterprise | T1010 | Application Window Discovery | QakBot has the ability to enumerate windows on a compromised host.[4] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | QakBot can maintain persistence by creating an auto-run Registry key.[5][6][1][7] |
| enterprise | T1185 | Browser Session Hijacking | QakBot can use advanced web injects to steal web banking credentials.[9][3] |
| enterprise | T1110 | Brute Force | QakBot can conduct brute force attacks to capture credentials.[8][6][3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | QakBot can use PowerShell to download and execute payloads.[7] |
| enterprise | T1059.003 | Windows Command Shell | QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.[6][4][3] |
| enterprise | T1059.005 | Visual Basic | QakBot can use VBS to download and execute malicious files.[5] |
| enterprise | T1059.007 | JavaScript | The QakBot web inject module can inject JavaScript into web banking pages visited by the victim.[3] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | QakBot has collected usernames and passwords from Firefox and Chrome.[3] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | QakBot can Base64 encode system information sent to C2.[6][3] |
| enterprise | T1005 | Data from Local System | QakBot can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated.[2][3] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | QakBot has stored stolen emails and other data into new folders prior to exfiltration.[8] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | QakBot can deobfuscate and re-assemble code strings for execution.[9][4][3] |
| enterprise | T1482 | Domain Trust Discovery | QakBot can run nltest /domain_trusts /all_trusts for domain trust discovery.[3] |
| enterprise | T1568 | Dynamic Resolution | - |
| enterprise | T1568.002 | Domain Generation Algorithms | QakBot can use domain generation algorithms in C2 communication.[5] |
| enterprise | T1114 | Email Collection | - |
| enterprise | T1114.001 | Local Email Collection | QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.[8] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | QakBot can RC4 encrypt strings in C2 communication.[3] |
| enterprise | T1041 | Exfiltration Over C2 Channel | QakBot can send stolen information to C2 nodes including passwords, accounts, and emails.[3] |
| enterprise | T1210 | Exploitation of Remote Services | QakBot can move laterally using worm-like functionality through exploitation of SMB.[6] |
| enterprise | T1083 | File and Directory Discovery | QakBot can identify whether it has been run previously on a host by checking for a specified folder.[4] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.[7] |
| enterprise | T1070 | Indicator Removal on Host | - |
| enterprise | T1070.004 | File Deletion | QakBot can delete folders and files, including overwriting its executable with legitimate programs.[8][6][4][7] |
| enterprise | T1105 | Ingress Tool Transfer | QakBot has the ability to download additional components and malware.[5][6][1][9][3][7] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | QakBot can capture keystrokes on a compromised host.[8][1][3] |
| enterprise | T1036 | Masquerading | The QakBot payload has been disguised as a PNG file.[7] |
| enterprise | T1112 | Modify Registry | QakBot can store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.[2][7] |
| enterprise | T1106 | Native API | QakBot can use GetProcAddress to help delete malicious strings from memory.[4] |
| enterprise | T1135 | Network Share Discovery | QakBot can use net share to identify network shares for use in lateral movement.[5][3] |
| enterprise | T1095 | Non-Application Layer Protocol | QakBot has the ability to use TCP to send or receive C2 packets.[3] |
| enterprise | T1027 | Obfuscated Files or Information | QakBot can use obfuscated and encoded scripts; it has also hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.[9] |
| enterprise | T1027.001 | Binary Padding | QakBot can use large file sizes to evade detection.[5][7] |
| enterprise | T1027.002 | Software Packing | QakBot can encrypt and pack malicious payloads.[9] |
| enterprise | T1027.005 | Indicator Removal from Tools | QakBot can make small changes to itself in order to change its checksum and hash value.[6][9] |
| enterprise | T1120 | Peripheral Device Discovery | QakBot can identify peripheral devices on targeted systems.[5] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.001 | Local Groups | QakBot can use net localgroup to enable discovery of local groups.[3] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | QakBot has spread through emails with malicious attachments.[5][8][1][9][4][3][7] |
| enterprise | T1566.002 | Spearphishing Link | QakBot has spread through emails with malicious links.[5][8][1][4][3][7] |
| enterprise | T1057 | Process Discovery | QakBot has the ability to check running processes.[4] |
| enterprise | T1055 | Process Injection | QakBot can inject itself into processes including explore.exe, Iexplore.exe, and Mobsync.exe.[5][8][1][3] |
| enterprise | T1055.012 | Process Hollowing | QakBot can use process hollowing to execute its main payload.[4] |
| enterprise | T1572 | Protocol Tunneling | The QakBot proxy module can encapsulate the SOCKS5 protocol within its own proxy protocol.[3] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.002 | External Proxy | QakBot has a module that can proxy C2 communications.[3] |
| enterprise | T1018 | Remote System Discovery | QakBot can identify remote systems through the net view command.[6][3] |
| enterprise | T1091 | Replication Through Removable Media | QakBot has the ability to use removable drives to spread through compromised networks.[5] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | QakBot has the ability to create scheduled tasks for persistence.[5][8][6][1][2][9][3][7] |
| enterprise | T1518 | Software Discovery | QakBot can enumerate a list of installed programs.[7] |
| enterprise | T1518.001 | Security Software Discovery | QakBot can identify the installed antivirus product on a targeted system.[6][4][4][3] |
| enterprise | T1539 | Steal Web Session Cookie | QakBot has the ability to capture web session cookies.[8][3] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | QakBot can use signed loaders to evade detection.[4] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.007 | Msiexec | QakBot can use MSIExec to spawn multiple cmd.exe processes.[6] |
| enterprise | T1218.010 | Regsvr32 | QakBot can use Regsvr32 to execute malicious DLLs.[2][9][4] |
| enterprise | T1218.011 | Rundll32 | QakBot can use Rundll32.exe to enable C2 communication.[6][2][9][4] |
| enterprise | T1082 | System Information Discovery | QakBot can collect system information including the OS version and domain on a compromised host.[6][4][7] |
| enterprise | T1016 | System Network Configuration Discovery | QakBot can use net config workstation, arp -a, and ipconfig /all to gather network configuration information.[6][3][7] |
| enterprise | T1016.001 | Internet Connection Discovery | QakBot can measure the download speed on a targeted host.[3] |
| enterprise | T1049 | System Network Connections Discovery | QakBot can use netstat to enumerate current network connections.[3] |
| enterprise | T1033 | System Owner/User Discovery | QakBot can identify the user name on a compromised system.[3] |
| enterprise | T1124 | System Time Discovery | QakBot can identify the system time on a targeted host.[3] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | QakBot has gained execution through users opening malicious links.[5][8][1][4][3][7] |
| enterprise | T1204.002 | Malicious File | QakBot has gained execution through users opening malicious attachments.[5][8][6][1][9][4][3][7] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.[5][4] |
| enterprise | T1497.003 | Time Based Evasion | The QakBot dropper can delay dropping the payload to evade detection.[9][3] |
| enterprise | T1047 | Windows Management Instrumentation | QakBot can execute WMI queries to gather information.[3] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0127 | TA551 | [4] |