Name | Description |
---|---|
Pinkslipbot | |
QuackBot | |
QBot |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
QakBot has the ability to use HTTP and HTTPS in communication with C2 servers.[5][6][3] |
Enterprise | T1010 | Application Window Discovery |
QakBot has the ability to enumerate windows on a compromised host.[4] |
|
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
QakBot can maintain persistence by creating an auto-run Registry key.[5][6][1][7] |
Enterprise | T1185 | Browser Session Hijacking |
QakBot can use advanced web injects to steal web banking credentials.[8][3] |
|
Enterprise | T1110 | Brute Force |
QakBot can conduct brute force attacks to capture credentials.[9][6][3] |
|
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
QakBot can use PowerShell to download and execute payloads.[7] |
.003 | Command and Scripting Interpreter: Windows Command Shell |
QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.[6][4][3] |
||
.005 | Command and Scripting Interpreter: Visual Basic |
QakBot can use VBS to download and execute malicious files.[5][9][6][1][8][7] |
||
.007 | Command and Scripting Interpreter: JavaScript |
The QakBot web inject module can inject Java Script into web banking pages visited by the victim.[3] |
||
Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
QakBot has collected usernames and passwords from Firefox and Chrome.[3] |
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
QakBot can Base64 encode system information sent to C2.[6][3] |
Enterprise | T1005 | Data from Local System |
QakBot can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated.[2][3] |
|
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
QakBot has stored stolen emails and other data into new folders prior to exfiltration.[9] |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
QakBot can deobfuscate and re-assemble code strings for execution.[8][4][3] |
|
Enterprise | T1482 | Domain Trust Discovery |
QakBot can run |
|
Enterprise | T1568 | .002 | Dynamic Resolution: Domain Generation Algorithms |
QakBot can use domain generation algorithms in C2 communication.[5] |
Enterprise | T1114 | .001 | Email Collection: Local Email Collection |
QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.[9][9][1][3] |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | |
Enterprise | T1041 | Exfiltration Over C2 Channel |
QakBot can send stolen information to C2 nodes including passwords, accounts, and emails.[3] |
|
Enterprise | T1210 | Exploitation of Remote Services |
QakBot can move laterally using worm-like functionality through exploitation of SMB.[6] |
|
Enterprise | T1083 | File and Directory Discovery |
QakBot can identify whether it has been run previously on a host by checking for a specified folder.[4] |
|
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.[7] |
Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
QakBot can delete folders and files including overwriting its executable with legitimate programs.[9][6][4][7] |
Enterprise | T1105 | Ingress Tool Transfer |
QakBot has the ability to download additional components and malware.[5][6][1][8][3][7] |
|
Enterprise | T1056 | .001 | Input Capture: Keylogging |
QakBot can capture keystrokes on a compromised host.[9][1][3] |
Enterprise | T1036 | Masquerading | ||
Enterprise | T1112 | Modify Registry |
QakBot can store its configuration information in a randomly named subkey under |
|
Enterprise | T1106 | Native API |
QakBot can use |
|
Enterprise | T1135 | Network Share Discovery |
QakBot can use |
|
Enterprise | T1095 | Non-Application Layer Protocol |
QakBot has the ability use TCP to send or receive C2 packets.[3] |
|
Enterprise | T1027 | Obfuscated Files or Information |
QakBot can use obfuscated and encoded scripts; it has also hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.[8] |
|
.001 | Binary Padding | |||
.002 | Software Packing | |||
.005 | Indicator Removal from Tools |
QakBot can make small changes to itself in order to change its checksum and hash value.[6][8] |
||
Enterprise | T1120 | Peripheral Device Discovery |
QakBot can identify peripheral devices on targeted systems.[5] |
|
Enterprise | T1069 | .001 | Permission Groups Discovery: Local Groups |
QakBot can use |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
QakBot has spread through emails with malicious attachments.[5][9][1][8][4][3][7] |
.002 | Phishing: Spearphishing Link |
QakBot has spread through emails with malicious links.[5][9][1][4][3][7] |
||
Enterprise | T1057 | Process Discovery | ||
Enterprise | T1055 | Process Injection |
QakBot can inject itself into processes including explore.exe, Iexplore.exe, and Mobsync.exe.[5][9][1][3] |
|
.012 | Process Hollowing |
QakBot can use process hollowing to execute its main payload.[4] |
||
Enterprise | T1572 | Protocol Tunneling |
The QakBot proxy module can encapsulate SOCKS5 protocol within its own proxy protocol.[3] |
|
Enterprise | T1090 | .002 | Proxy: External Proxy | |
Enterprise | T1018 | Remote System Discovery |
QakBot can identify remote systems through the |
|
Enterprise | T1091 | Replication Through Removable Media |
QakBot has the ability to use removable drives to spread through compromised networks.[5] |
|
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
QakBot has the ability to create scheduled tasks for persistence.[5][9][6][1][2][8][3][7] |
Enterprise | T1518 | Software Discovery | ||
.001 | Security Software Discovery |
QakBot can identify the installed antivirus product on a targeted system.[6][4][4][3] |
||
Enterprise | T1539 | Steal Web Session Cookie |
QakBot has the ability to capture web session cookies.[9][3] |
|
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing | |
Enterprise | T1218 | .007 | System Binary Proxy Execution: Msiexec |
QakBot can use MSIExec to spawn multiple cmd.exe processes.[6] |
.010 | System Binary Proxy Execution: Regsvr32 | |||
.011 | System Binary Proxy Execution: Rundll32 |
QakBot can use Rundll32.exe to enable C2 communication.[6][2][8][4] |
||
Enterprise | T1082 | System Information Discovery |
QakBot can collect system information including the OS version and domain on a compromised host.[6][4][7] |
|
Enterprise | T1016 | System Network Configuration Discovery |
QakBot can use |
|
.001 | Internet Connection Discovery |
QakBot can measure the download speed on a targeted host.[3] |
||
Enterprise | T1049 | System Network Connections Discovery |
QakBot can use |
|
Enterprise | T1033 | System Owner/User Discovery |
QakBot can identify the user name on a compromised system.[3] |
|
Enterprise | T1124 | System Time Discovery | ||
Enterprise | T1204 | .001 | User Execution: Malicious Link |
QakBot has gained execution through users opening malicious links.[5][9][1][4][3][7] |
.002 | User Execution: Malicious File |
QakBot has gained execution through users opening malicious attachments.[5][9][6][1][8][4][3][7] |
||
Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.[5][4] |
.003 | Virtualization/Sandbox Evasion: Time Based Evasion |
The QakBot dropper can delay dropping the payload to evade detection.[8][3] |
||
Enterprise | T1047 | Windows Management Instrumentation |
ID | Name | References |
---|---|---|
G0127 | TA551 |