Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0650: QakBot

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[1][2][3][4]

EnterpriseS0650MalwareObject v1.3 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

QakBot matters because ATT&CK describes it as a long-running, modular Windows banking trojan that evolved into a delivery agent for ransomware, including ProLock and Egregor. For leaders, the key decision value is not just “malware prevention”; it is whether the organization can quickly recognize a Windows endpoint moving from infection into discovery, credential collection, persistence, command-and-control, and potential ransomware staging behavior.

Executive priority

Prioritize QakBot as a resilience and incident-readiness test case for Windows environments. The supplied relationships connect it to financially motivated activity, email-based distribution context through TA551, initial access broker context through TA577, and ransomware-linked ecosystem context through Storm-1811. Executives should ask whether SOC, identity, endpoint, email/web, and incident response teams can prove coverage for the behaviors ATT&CK associates with this malware: obfuscation, WMI execution, scheduled tasks, process injection, discovery, keylogging, local data collection, and exfiltration over C2.

Technical view

ATT&CK lists QakBot for Windows and provides no official detection text, so defenders should validate behavior-based coverage from the related techniques rather than rely on the malware name alone. Focus testing and hunts on Windows execution and persistence via WMI and Scheduled Task, stealth via obfuscated files, packing, binary padding, masqueraded file types, command obfuscation, fileless storage, and process injection/process hollowing. Discovery coverage should include application windows, user context, network configuration, internet connectivity, remote systems, and network connections. Collection and credential-risk coverage should include local data access and keylogging indicators, with network analytics for exfiltration over an existing C2 channel.

Likely telemetry

  • Windows endpoint process creation, parent/child process, command-line, and script execution telemetry
  • WMI activity and remote/local WMI execution records
  • Windows Scheduled Task creation, modification, and execution events
  • Endpoint file metadata, file writes, suspicious extensions or file-type mismatches, packed or padded binaries, and obfuscation indicators
  • Memory and EDR telemetry relevant to process injection or process hollowing

Detection direction

  • Do not depend on static QakBot indicators alone; ATT&CK relationships show multiple obfuscation and evasion behaviors that can change file appearance and weaken hash-based controls.
  • Validate Windows behavior detections for WMI execution, scheduled task abuse, suspicious process injection or hollowing, and command obfuscation.
  • Correlate discovery behaviors that may be individually noisy: user discovery, network configuration discovery, internet connectivity checks, remote system discovery, application window discovery, and network connection enumeration.
  • Tune detections around legitimate administration activity, especially WMI, scheduled tasks, and network discovery commands, by using baselines for expected administrative accounts, hosts, and maintenance windows.
  • Confirm visibility into collection and credential-risk behaviors such as local data access and keylogging-related signals; absence of this telemetry should be documented as a response limitation.

Mitigation priorities

  • Harden and monitor Windows execution paths most relevant to the supplied relationships: WMI, Scheduled Task, script/command execution, and suspicious child-process chains.
  • Reduce delivery and evasion risk with layered email/web controls, attachment and HTML handling policies, and endpoint controls that inspect behavior rather than only file hashes.
  • Limit blast radius through least privilege, administrative account separation, and controls that reduce the value of captured credentials or keystrokes.
  • Improve endpoint resilience with EDR coverage capable of observing process injection, process hollowing, fileless storage, and suspicious persistence activity.
  • Segment critical systems and monitor internal discovery so a compromised Windows host cannot easily map or reach high-value systems.
Analyst notes and limits

This take is based on ATT&CK S0650 QakBot version 1.3 and the supplied relationships. The most decision-relevant point is QakBot’s evolution from banking trojan to ransomware delivery agent and its mapped behaviors across discovery, stealth, execution, persistence, collection, credential access, and exfiltration. Because ATT&CK provides no official detection section for this object, coverage should be proven with local telemetry and behavior validation.

The supplied object lists Windows as the QakBot platform but does not specify tactics on the malware object itself and provides no official detection guidance. Related techniques include platforms beyond Windows, but those broader platforms should not be assumed for QakBot without additional evidence. This summary does not establish current activity, customer exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

QakBot

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[1][2][3][4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

71 rows
Domain ID Name Relationship / procedure
Enterprise T1218.010 Regsvr32 Sub-technique

QakBot can use Regsvr32 to execute malicious DLLs.[2]CitationCyberint Qakbot May 2021[4]CitationTrend Micro Black Basta October 2022CitationNCC Group Black Basta June 2022CitationDeep Instinct Black Basta August 2022
Enterprise T1564.001 Hidden Files and Directories Sub-technique

QakBot has placed its payload in hidden subdirectories.CitationTrend Micro Black Basta October 2022
Enterprise T1497.001 System Checks Sub-technique

QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.CitationTrend Micro Qakbot May 2020[4]
Enterprise T1018 Remote System Discovery

QakBot can identify remote systems through the net view command.CitationCrowdstrike Qakbot October 2020[3]CitationTrend Micro Black Basta October 2022
Enterprise T1005 Data from Local System

QakBot can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated.[2][3]
Enterprise T1090.002 External Proxy Sub-technique

QakBot has a module that can proxy C2 communications.[3]
Enterprise T1059.001 PowerShell Sub-technique

QakBot can use PowerShell to download and execute payloads.CitationGroup IB Ransomware September 2020
Enterprise T1059.003 Windows Command Shell Sub-technique

QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.CitationCrowdstrike Qakbot October 2020[4][3]CitationTrend Micro Black Basta October 2022
Enterprise T1518.001 Security Software Discovery Sub-technique

QakBot can identify the installed antivirus product on a targeted system.CitationCrowdstrike Qakbot October 2020[4][4][3]
Enterprise T1106 Native API

QakBot can use GetProcAddress to help delete malicious strings from memory.[4]
Enterprise T1027.001 Binary Padding Sub-technique

QakBot can use large file sizes to evade detection.CitationTrend Micro Qakbot May 2020CitationGroup IB Ransomware September 2020
Enterprise T1543.003 Windows Service Sub-technique

QakBot can remotely create a temporary service on a target host.CitationNCC Group Black Basta June 2022
Enterprise T1568.002 Domain Generation Algorithms Sub-technique

QakBot can use domain generation algorithms in C2 communication.CitationTrend Micro Qakbot May 2020
Enterprise T1685 Disable or Modify Tools

QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.CitationGroup IB Ransomware September 2020
Enterprise T1083 File and Directory Discovery

QakBot can identify whether it has been run previously on a host by checking for a specified folder.[4]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

QakBot can maintain persistence by creating an auto-run Registry key.CitationTrend Micro Qakbot May 2020CitationCrowdstrike Qakbot October 2020[1]CitationGroup IB Ransomware September 2020
Enterprise T1027.011 Fileless Storage Sub-technique

QakBot can store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.[2]CitationGroup IB Ransomware September 2020
Enterprise T1036.008 Masquerade File Type Sub-technique

The QakBot payload has been disguised as a PNG file and hidden within LNK files using a Microsoft File Explorer icon.CitationGroup IB Ransomware September 2020CitationTrend Micro Black Basta October 2022
Enterprise T1135 Network Share Discovery

QakBot can use net share to identify network shares for use in lateral movement.CitationTrend Micro Qakbot May 2020[3]
Enterprise T1055.012 Process Hollowing Sub-technique

QakBot can use process hollowing to execute its main payload.[4]
Enterprise T1059.007 JavaScript Sub-technique

The QakBot web inject module can inject Java Script into web banking pages visited by the victim.[3]CitationTrend Micro Black Basta October 2022
Enterprise T1218.007 Msiexec Sub-technique

QakBot can use MSIExec to spawn multiple cmd.exe processes.CitationCrowdstrike Qakbot October 2020
Enterprise T1140 Deobfuscate/Decode Files or Information

QakBot can deobfuscate and re-assemble code strings for execution.CitationCyberint Qakbot May 2021[4][3]
Enterprise T1114.001 Local Email Collection Sub-technique

QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.CitationKroll Qakbot June 2020[1][3]
Enterprise T1204.001 Malicious Link Sub-technique

QakBot has gained execution through users opening malicious links.CitationTrend Micro Qakbot May 2020CitationKroll Qakbot June 2020[1][4][3]CitationGroup IB Ransomware September 2020CitationTrend Micro Black Basta October 2022
Enterprise T1124 System Time Discovery

QakBot can identify the system time on a targeted host.[3]
Enterprise T1204.002 Malicious File Sub-technique

QakBot has gained execution through users opening malicious attachments.CitationTrend Micro Qakbot May 2020CitationKroll Qakbot June 2020CitationCrowdstrike Qakbot October 2020[1]CitationCyberint Qakbot May 2021[4][3]CitationGroup IB Ransomware September 2020CitationDeep Instinct Black Basta August 2022CitationMicrosoft Ransomware as a Service
Enterprise T1041 Exfiltration Over C2 Channel

QakBot can send stolen information to C2 nodes including passwords, accounts, and emails.[3]
Enterprise T1033 System Owner/User Discovery

QakBot can identify the user name on a compromised system.[3]CitationTrend Micro Black Basta October 2022
Enterprise T1027.006 HTML Smuggling Sub-technique

QakBot has been delivered in ZIP files via HTML smuggling.CitationTrend Micro Black Basta October 2022CitationDeep Instinct Black Basta August 2022
Enterprise T1016.001 Internet Connection Discovery Sub-technique

QakBot can measure the download speed on a targeted host.[3]
Enterprise T1573.001 Symmetric Cryptography Sub-technique

QakBot can RC4 encrypt strings in C2 communication.[3]
Enterprise T1027.010 Command Obfuscation Sub-technique

QakBot can use obfuscated and encoded scripts.CitationCyberint Qakbot May 2021CitationTrend Micro Black Basta October 2022
Enterprise T1071.001 Web Protocols Sub-technique

QakBot has the ability to use HTTP and HTTPS in communication with C2 servers.CitationTrend Micro Qakbot May 2020CitationCrowdstrike Qakbot October 2020[3]
Enterprise T1553.002 Code Signing Sub-technique

QakBot can use signed loaders to evade detection.[4]CitationDeep Instinct Black Basta August 2022
Enterprise T1027 Obfuscated Files or Information

QakBot has hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.CitationCyberint Qakbot May 2021
Enterprise T1210 Exploitation of Remote Services

QakBot can move laterally using worm-like functionality through exploitation of SMB.CitationCrowdstrike Qakbot October 2020
Enterprise T1057 Process Discovery

QakBot has the ability to check running processes.[4]
Enterprise T1069.001 Local Groups Sub-technique

QakBot can use net localgroup to enable discovery of local groups.[3]CitationTrend Micro Black Basta October 2022
Enterprise T1574.001 DLL Sub-technique

QakBot has the ability to use DLL side-loading for execution.CitationDeep Instinct Black Basta August 2022
Enterprise T1016 System Network Configuration Discovery

QakBot can use net config workstation, arp -a, `nslookup`, and ipconfig /all to gather network configuration information.CitationCrowdstrike Qakbot October 2020[3]CitationGroup IB Ransomware September 2020CitationTrend Micro Black Basta October 2022CitationMicrosoft Ransomware as a Service
Enterprise T1539 Steal Web Session Cookie

QakBot has the ability to capture web session cookies.CitationKroll Qakbot June 2020[3]
Enterprise T1055 Process Injection

QakBot can inject itself into processes including explore.exe, Iexplore.exe, Mobsync.exe., and wermgr.exe.CitationTrend Micro Qakbot May 2020CitationKroll Qakbot June 2020[1][3]CitationTrend Micro Black Basta October 2022
Enterprise T1482 Domain Trust Discovery

QakBot can run nltest /domain_trusts /all_trusts for domain trust discovery.[3]
Enterprise T1074.001 Local Data Staging Sub-technique

QakBot has stored stolen emails and other data into new folders prior to exfiltration.CitationKroll Qakbot June 2020
Enterprise T1110 Brute Force

QakBot can conduct brute force attacks to capture credentials.CitationKroll Qakbot June 2020CitationCrowdstrike Qakbot October 2020[3]
Enterprise T1553.005 Mark-of-the-Web Bypass Sub-technique

QakBot has been packaged in ISO files in order to bypass Mark of the Web (MOTW) security measures.CitationTrend Micro Black Basta October 2022
Enterprise T1185 Browser Session Hijacking

QakBot can use advanced web injects to steal web banking credentials.CitationCyberint Qakbot May 2021[3]
Enterprise T1497.003 Time Based Checks Sub-technique

The QakBot dropper can delay dropping the payload to evade detection.CitationCyberint Qakbot May 2021[3]
Enterprise T1105 Ingress Tool Transfer

QakBot has the ability to download additional components and malware.CitationTrend Micro Qakbot May 2020CitationCrowdstrike Qakbot October 2020[1]CitationCyberint Qakbot May 2021[3]CitationGroup IB Ransomware September 2020
Enterprise T1120 Peripheral Device Discovery

QakBot can identify peripheral devices on targeted systems.CitationTrend Micro Qakbot May 2020
Enterprise T1095 Non-Application Layer Protocol

QakBot has the ability use TCP to send or receive C2 packets.[3]
Enterprise T1566.002 Spearphishing Link Sub-technique

QakBot has spread through emails with malicious links.CitationTrend Micro Qakbot May 2020CitationKroll Qakbot June 2020[1][4][3]CitationGroup IB Ransomware September 2020CitationTrend Micro Black Basta October 2022
Enterprise T1027.005 Indicator Removal from Tools Sub-technique

QakBot can make small changes to itself in order to change its checksum and hash value.CitationCrowdstrike Qakbot October 2020CitationCyberint Qakbot May 2021
Enterprise T1112 Modify Registry

QakBot can modify the Registry to store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.[2]CitationGroup IB Ransomware September 2020
Enterprise T1566.001 Spearphishing Attachment Sub-technique

QakBot has spread through emails with malicious attachments.CitationTrend Micro Qakbot May 2020CitationKroll Qakbot June 2020[1]CitationCyberint Qakbot May 2021[4][3]CitationGroup IB Ransomware September 2020CitationDeep Instinct Black Basta August 2022CitationMicrosoft Ransomware as a Service
Enterprise T1056.001 Keylogging Sub-technique

QakBot can capture keystrokes on a compromised host.CitationKroll Qakbot June 2020[1][3]
Enterprise T1091 Replication Through Removable Media

QakBot has the ability to use removable drives to spread through compromised networks.CitationTrend Micro Qakbot May 2020
Enterprise T1132.001 Standard Encoding Sub-technique

QakBot can Base64 encode system information sent to C2.CitationCrowdstrike Qakbot October 2020[3]
Enterprise T1059.005 Visual Basic Sub-technique

QakBot can use VBS to download and execute malicious files.CitationTrend Micro Qakbot May 2020 CitationKroll Qakbot June 2020CitationCrowdstrike Qakbot October 2020[1]CitationCyberint Qakbot May 2021CitationGroup IB Ransomware September 2020CitationTrend Micro Black Basta October 2022
Enterprise T1082 System Information Discovery

QakBot can collect system information including the OS version and domain on a compromised host.CitationCrowdstrike Qakbot October 2020[4]CitationGroup IB Ransomware September 2020CitationMicrosoft Ransomware as a Service
Enterprise T1047 Windows Management Instrumentation

QakBot can execute WMI queries to gather information.[3]
Enterprise T1010 Application Window Discovery

QakBot has the ability to enumerate windows on a compromised host.[4]
Enterprise T1518 Software Discovery

QakBot can enumerate a list of installed programs.CitationGroup IB Ransomware September 2020
Enterprise T1049 System Network Connections Discovery

QakBot can use netstat to enumerate current network connections.[3]CitationTrend Micro Black Basta October 2022
Enterprise T1053.005 Scheduled Task Sub-technique

QakBot has the ability to create scheduled tasks for persistence.CitationTrend Micro Qakbot May 2020CitationKroll Qakbot June 2020CitationCrowdstrike Qakbot October 2020[1][2]CitationCyberint Qakbot May 2021[3]CitationGroup IB Ransomware September 2020
Enterprise T1218.011 Rundll32 Sub-technique

QakBot has used Rundll32.exe to drop malicious DLLs including Brute Ratel C4 and to enable C2 communication.CitationCrowdstrike Qakbot October 2020[2]CitationCyberint Qakbot May 2021[4]CitationTrend Micro Black Basta October 2022
Enterprise T1572 Protocol Tunneling

The QakBot proxy module can encapsulate SOCKS5 protocol within its own proxy protocol.[3]
Enterprise T1555.003 Credentials from Web Browsers Sub-technique

QakBot has collected usernames and passwords from Firefox and Chrome.[3]
Enterprise T1027.002 Software Packing Sub-technique

QakBot can encrypt and pack malicious payloads.CitationCyberint Qakbot May 2021
Enterprise T1070.004 File Deletion Sub-technique

QakBot can delete folders and files including overwriting its executable with legitimate programs.CitationKroll Qakbot June 2020CitationCrowdstrike Qakbot October 2020[4]CitationGroup IB Ransomware September 2020
Associated objects

Groups, software, and campaigns

Group Enterprise

G0127: TA551

TA551 is a financially-motivated threat group that has been active since at least 2018. [1] The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. [2]

Group Enterprise

G1046: Storm-1811

Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.[1][2][3][4]

Relationship explorer

All related ATT&CK context

uses · Technique T1218.010: Regsvr32 Enterprise uses · Technique T1564.001: Hidden Files and Directories Enterprise uses · Technique T1497.001: System Checks Enterprise uses · Technique T1018: Remote System Discovery Enterprise uses · Group G0127: TA551 Enterprise uses · Technique T1005: Data from Local System Enterprise uses · Technique T1090.002: External Proxy Enterprise uses · Technique T1059.001: PowerShell Enterprise uses · Technique T1059.003: Windows Command Shell Enterprise uses · Technique T1518.001: Security Software Discovery Enterprise uses · Technique T1106: Native API Enterprise uses · Group G1037: TA577 Enterprise uses · Technique T1027.001: Binary Padding Enterprise uses · Technique T1543.003: Windows Service Enterprise uses · Technique T1568.002: Domain Generation Algorithms Enterprise uses · Technique T1685: Disable or Modify Tools Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1547.001: Registry Run Keys / Startup Folder Enterprise uses · Technique T1027.011: Fileless Storage Enterprise uses · Technique T1036.008: Masquerade File Type Enterprise uses · Technique T1135: Network Share Discovery Enterprise uses · Technique T1055.012: Process Hollowing Enterprise uses · Technique T1059.007: JavaScript Enterprise uses · Technique T1218.007: Msiexec Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.3
Created
Modified
Raw hash
dba2548fa18345cb...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.3 Current bundle dba2548fa183…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Trend Micro Qakbot December 2020

    Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved November 17, 2024.

    Open source URL
  2. [2]
    Red Canary Qbot

    Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.

    Open source URL
  3. [3]
    Kaspersky QakBot September 2021

    Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.

    Open source URL
  4. [4]
    ATT QakBot April 2021

    Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.

    Open source URL
  5. [5]
    Pinkslipbot

    (Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021)

  6. [6]
    QBot

    (Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021)

  7. [7]
    QuackBot

    (Citation: Kaspersky QakBot September 2021)

  8. [8]
    mitre-attack S0650
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use