{
  "description": "Enterprise techniques used by QakBot, ATT&CK software S0650 (v1.3)",
  "name": "QakBot (S0650)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has the ability to use HTTP and HTTPS in communication with C2 servers.(Citation: Trend Micro Qakbot May 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1010", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has the ability to enumerate windows on a compromised host.(Citation: ATT QakBot April 2021)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can maintain persistence by creating an auto-run Registry key.(Citation: Trend Micro Qakbot May 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Group IB Ransomware September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1185", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use advanced web injects to steal web banking credentials.(Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1110", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can conduct brute force attacks to capture credentials.(Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use PowerShell to download and execute payloads.(Citation: Group IB Ransomware September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use cmd.exe to launch itself and to execute multiple C2 commands.(Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use VBS to download and execute malicious files.(Citation: Trend Micro Qakbot May 2020)\n(Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Cyberint Qakbot May 2021)(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.007", "comment": "The [QakBot](https://attack.mitre.org/software/S0650) web inject module can inject JavaScript into web banking pages visited by the victim.(Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can remotely create a temporary service on a target host.(Citation: NCC Group Black Basta June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has collected usernames and passwords from Firefox and Chrome.(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can Base64 encode system information sent to C2.(Citation: Crowdstrike Qakbot October 2020)(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated.(Citation: Red Canary Qbot)(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has stored stolen emails and other data into new folders prior to exfiltration.(Citation: Kroll Qakbot June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can deobfuscate and re-assemble code strings for execution.(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1482", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can run nltest /domain_trusts /all_trusts for domain trust discovery.(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1568", "showSubtechniques": true},
    {"techniqueID": "T1568.002", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use domain generation algorithms in C2 communication.(Citation: Trend Micro Qakbot May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1114", "showSubtechniques": true},
    {"techniqueID": "T1114.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can target and steal locally stored emails to support thread hijacking phishing campaigns.(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can RC4 encrypt strings in C2 communication.(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can send stolen information to C2 nodes including passwords, accounts, and emails.(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1210", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can move laterally using worm-like functionality through exploitation of SMB.(Citation: Crowdstrike Qakbot October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can identify whether it has been run previously on a host by checking for a specified folder.(Citation: ATT QakBot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has placed its payload in hidden subdirectories.(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1574", "showSubtechniques": true},
    {"techniqueID": "T1574.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has the ability to use DLL side-loading for execution.(Citation: Deep Instinct Black Basta August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.(Citation: Group IB Ransomware September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can delete folders and files including overwriting its executable with legitimate programs.(Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Group IB Ransomware September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has the ability to download additional components and malware.(Citation: Trend Micro Qakbot May 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can capture keystrokes on a compromised host.(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.008", "comment": "The [QakBot](https://attack.mitre.org/software/S0650) payload has been disguised as a PNG file and hidden within LNK files using a Microsoft File Explorer icon.(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can modify the Registry to store its configuration information in a randomly named subkey under HKCU\\Software\\Microsoft.(Citation: Red Canary Qbot)(Citation: Group IB Ransomware September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use GetProcAddress to help delete malicious strings from memory.(Citation: ATT QakBot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use net share to identify network shares for use in lateral movement.(Citation: Trend Micro Qakbot May 2020)(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1095", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has the ability to use TCP to send or receive C2 packets.(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.(Citation: Cyberint Qakbot May 2021)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1027.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use large file sizes to evade detection.(Citation: Trend Micro Qakbot May 2020)(Citation: Group IB Ransomware September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can encrypt and pack malicious payloads.(Citation: Cyberint Qakbot May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.005", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can make small changes to itself in order to change its checksum and hash value.(Citation: Crowdstrike Qakbot October 2020)(Citation: Cyberint Qakbot May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.006", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has been delivered in ZIP files via HTML smuggling.(Citation: Trend Micro Black Basta October 2022)(Citation: Deep Instinct Black Basta August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.010", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use obfuscated and encoded scripts.(Citation: Cyberint Qakbot May 2021)(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.011", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can store its configuration information in a randomly named subkey under HKCU\\Software\\Microsoft.(Citation: Red Canary Qbot)(Citation: Group IB Ransomware September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1120", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can identify peripheral devices on targeted systems.(Citation: Trend Micro Qakbot May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1069", "showSubtechniques": true},
    {"techniqueID": "T1069.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use net localgroup to enable discovery of local groups.(Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has spread through emails with malicious attachments.(Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)(Citation: Deep Instinct Black Basta August 2022)(Citation: Microsoft Ransomware as a Service)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566.002", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has spread through emails with malicious links.(Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has the ability to check running processes.(Citation: ATT QakBot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can inject itself into processes including explorer.exe, Iexplore.exe, Mobsync.exe, and wermgr.exe.(Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1055.012", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use process hollowing to execute its main payload.(Citation: ATT QakBot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1572", "comment": "The [QakBot](https://attack.mitre.org/software/S0650) proxy module can encapsulate SOCKS5 protocol within its own proxy protocol.(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1090", "showSubtechniques": true},
    {"techniqueID": "T1090.002", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has a module that can proxy C2 communications.(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1018", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can identify remote systems through the net view command.(Citation: Crowdstrike Qakbot October 2020)(Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1091", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has the ability to use removable drives to spread through compromised networks.(Citation: Trend Micro Qakbot May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has the ability to create scheduled tasks for persistence.(Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1518", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can enumerate a list of installed programs.(Citation: Group IB Ransomware September 2020)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can identify the installed antivirus product on a targeted system.(Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1539", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has the ability to capture web session cookies.(Citation: Kroll Qakbot June 2020)(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1553", "showSubtechniques": true},
    {"techniqueID": "T1553.002", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use signed loaders to evade detection.(Citation: ATT QakBot April 2021)(Citation: Deep Instinct Black Basta August 2022)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1553.005", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has been packaged in ISO files in order to bypass Mark of the Web (MOTW) security measures.(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.007", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use MSIExec to spawn multiple cmd.exe processes.(Citation: Crowdstrike Qakbot October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218.010", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use Regsvr32 to execute malicious DLLs.(Citation: Red Canary Qbot)(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Trend Micro Black Basta October 2022)(Citation: NCC Group Black Basta June 2022)(Citation: Deep Instinct Black Basta August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has used Rundll32.exe to drop malicious DLLs including [Brute Ratel C4](https://attack.mitre.org/software/S1063) and to enable C2 communication.(Citation: Crowdstrike Qakbot October 2020)(Citation: Red Canary Qbot)(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can collect system information including the OS version and domain on a compromised host.(Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Group IB Ransomware September 2020)(Citation: Microsoft Ransomware as a Service)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use net config workstation, arp -a, nslookup, and ipconfig /all to gather network configuration information.(Citation: Crowdstrike Qakbot October 2020)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022)(Citation: Microsoft Ransomware as a Service)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1016.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can measure the download speed on a targeted host.(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1049", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can use netstat to enumerate current network connections.(Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can identify the user name on a compromised system.(Citation: Kaspersky QakBot September 2021)(Citation: Trend Micro Black Basta October 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1124", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can identify the system time on a targeted host.(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has gained execution through users opening malicious links.(Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[QakBot](https://attack.mitre.org/software/S0650) has gained execution through users opening malicious attachments.(Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)(Citation: Deep Instinct Black Basta August 2022)(Citation: Microsoft Ransomware as a Service)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.001", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.(Citation: Trend Micro Qakbot May 2020)(Citation: ATT QakBot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497.003", "comment": "The [QakBot](https://attack.mitre.org/software/S0650) dropper can delay dropping the payload to evade detection.(Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "[QakBot](https://attack.mitre.org/software/S0650) can execute WMI queries to gather information.(Citation: Kaspersky QakBot September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by QakBot", "color": "#66b1ff"}]
}