Skip to content

S0650 QakBot

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.4312

Item Value
ID S0650
Associated Names Pinkslipbot, QuackBot, QBot
Version 1.1
Created 27 September 2021
Last Modified 01 May 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Pinkslipbot 12
QuackBot 1
QBot 4312

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols QakBot has the ability to use HTTP and HTTPS in communication with C2 servers.571
enterprise T1010 Application Window Discovery QakBot has the ability to enumerate windows on a compromised host.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder QakBot can maintain persistence by creating an auto-run Registry key.5749
enterprise T1185 Browser Session Hijacking QakBot can use advanced web injects to steal web banking credentials.81
enterprise T1110 Brute Force QakBot can conduct brute force attacks to capture credentials.671
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell QakBot can use PowerShell to download and execute payloads.9
enterprise T1059.003 Windows Command Shell QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.72111
enterprise T1059.005 Visual Basic QakBot can use VBS to download and execute malicious files.5
enterprise T1059.007 JavaScript The QakBot web inject module can inject Java Script into web banking pages visited by the victim.111
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service QakBot can remotely create a temporary service on a target host.12
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers QakBot has collected usernames and passwords from Firefox and Chrome.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding QakBot can Base64 encode system information sent to C2.71
enterprise T1005 Data from Local System QakBot can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated.31
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging QakBot has stored stolen emails and other data into new folders prior to exfiltration.6
enterprise T1140 Deobfuscate/Decode Files or Information QakBot can deobfuscate and re-assemble code strings for execution.821
enterprise T1482 Domain Trust Discovery QakBot can run nltest /domain_trusts /all_trusts for domain trust discovery.1
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms QakBot can use domain generation algorithms in C2 communication.5
enterprise T1114 Email Collection -
enterprise T1114.001 Local Email Collection QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.6
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography QakBot can RC4 encrypt strings in C2 communication.1
enterprise T1041 Exfiltration Over C2 Channel QakBot can send stolen information to C2 nodes including passwords, accounts, and emails.1
enterprise T1210 Exploitation of Remote Services QakBot can move laterally using worm-like functionality through exploitation of SMB.7
enterprise T1083 File and Directory Discovery QakBot can identify whether it has been run previously on a host by checking for a specified folder.2
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories QakBot has placed its payload in hidden subdirectories.11
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading QakBot has the ability to use DLL side-loading for execution.10
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.9
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion QakBot can delete folders and files including overwriting its executable with legitimate programs.6729
enterprise T1105 Ingress Tool Transfer QakBot has the ability to download additional components and malware.574819
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging QakBot can capture keystrokes on a compromised host.641
enterprise T1036 Masquerading -
enterprise T1036.008 Masquerade File Type The QakBot payload has been disguised as a PNG file and hidden within LNK files using a Microsoft File Explorer icon.911
enterprise T1112 Modify Registry QakBot can modify the Registry to store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.39
enterprise T1106 Native API QakBot can use GetProcAddress to help delete malicious strings from memory.2
enterprise T1135 Network Share Discovery QakBot can use net share to identify network shares for use in lateral movement.51
enterprise T1095 Non-Application Layer Protocol QakBot has the ability use TCP to send or receive C2 packets.1
enterprise T1027 Obfuscated Files or Information QakBot has hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.8
enterprise T1027.001 Binary Padding QakBot can use large file sizes to evade detection.59
enterprise T1027.002 Software Packing QakBot can encrypt and pack malicious payloads.8
enterprise T1027.005 Indicator Removal from Tools QakBot can make small changes to itself in order to change its checksum and hash value.78
enterprise T1027.006 HTML Smuggling QakBot has been delivered in ZIP files via HTML smuggling.1110
enterprise T1027.010 Command Obfuscation QakBot can use obfuscated and encoded scripts.811
enterprise T1027.011 Fileless Storage QakBot can store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.39
enterprise T1120 Peripheral Device Discovery QakBot can identify peripheral devices on targeted systems.5
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups QakBot can use net localgroup to enable discovery of local groups.111
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment QakBot has spread through emails with malicious attachments.564821910
enterprise T1566.002 Spearphishing Link QakBot has spread through emails with malicious links.56421911
enterprise T1057 Process Discovery QakBot has the ability to check running processes.2
enterprise T1055 Process Injection QakBot can inject itself into processes including explore.exe, Iexplore.exe, Mobsync.exe., and wermgr.exe.564111
enterprise T1055.012 Process Hollowing QakBot can use process hollowing to execute its main payload.2
enterprise T1572 Protocol Tunneling The QakBot proxy module can encapsulate SOCKS5 protocol within its own proxy protocol.1
enterprise T1090 Proxy -
enterprise T1090.002 External Proxy QakBot has a module that can proxy C2 communications.1
enterprise T1018 Remote System Discovery QakBot can identify remote systems through the net view command.7111
enterprise T1091 Replication Through Removable Media QakBot has the ability to use removable drives to spread through compromised networks.5
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task QakBot has the ability to create scheduled tasks for persistence.56743819
enterprise T1518 Software Discovery QakBot can enumerate a list of installed programs.9
enterprise T1518.001 Security Software Discovery QakBot can identify the installed antivirus product on a targeted system.7221
enterprise T1539 Steal Web Session Cookie QakBot has the ability to capture web session cookies.61
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing QakBot can use signed loaders to evade detection.210
enterprise T1553.005 Mark-of-the-Web Bypass QakBot has been packaged in ISO files in order to bypass Mark of the Web (MOTW) security measures.11
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec QakBot can use MSIExec to spawn multiple cmd.exe processes.7
enterprise T1218.010 Regsvr32 QakBot can use Regsvr32 to execute malicious DLLs.382111210
enterprise T1218.011 Rundll32 QakBot has used Rundll32.exe to drop malicious DLLs including Brute Ratel C4 and to enable C2 communication.738211
enterprise T1082 System Information Discovery QakBot can collect system information including the OS version and domain on a compromised host.729
enterprise T1016 System Network Configuration Discovery QakBot can use net config workstation, arp -a, nslookup, and ipconfig /all to gather network configuration information.71911
enterprise T1016.001 Internet Connection Discovery QakBot can measure the download speed on a targeted host.1
enterprise T1049 System Network Connections Discovery QakBot can use netstat to enumerate current network connections.111
enterprise T1033 System Owner/User Discovery QakBot can identify the user name on a compromised system.111
enterprise T1124 System Time Discovery QakBot can identify the system time on a targeted host.1
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link QakBot has gained execution through users opening malicious links.56421911
enterprise T1204.002 Malicious File QakBot has gained execution through users opening malicious attachments.5674821910
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.52
enterprise T1497.003 Time Based Evasion The QakBot dropper can delay dropping the payload to evade detection.81
enterprise T1047 Windows Management Instrumentation QakBot can execute WMI queries to gather information.1

Groups That Use This Software

ID Name References
G0127 TA551 2


  1. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  2. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. 

  3. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021. 

  4. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. 

  5. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021. 

  6. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021. 

  7. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. 

  8. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. 

  9. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. 

  10. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023. 

  11. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. 

  12. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.