Analytics Story: Qakbot

Description

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware (ref. MITRE ATT&CK).

Why it matters

QakBot notably made its way onto the CISA top malware list for 2021. QakBot has for years been under continuous improvement in initial access, injection and post-exploitation. Multiple adversaries use QakBot to gain initial access and persist, most notably TA551. The actor(s) behind QakBot possess a modular framework consisting of maldoc builders, signed loaders, and DLLs that produce low detection rates at the beginning of the attack, which creates opportunities to deliver additional malware such as Egregor and Cobalt Strike (ref. Cybersecurity ATT). The more recent campaigns use HTML smuggling to deliver an ISO container that holds an LNK and the QakBot payload. QakBot will either load via regsvr32.exe directly, or it will attempt to perform DLL sideloading.

Windows Common Abused Cmd Shell Risk Behavior

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count FROM datamodel=Risk.All_Risk
  WHERE source IN ("*Windows Cmdline Tool Execution From Non-Shell Process*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Windows Group Discovery Via Net*", "*Windows Create Local Administrator Account Via Net*", "*Windows User Discovery Via Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*")
  BY All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 4
| `windows_common_abused_cmd_shell_risk_behavior_filter`
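The search above is a risk-based correlation: it does not look at raw endpoint telemetry, it reads the Risk data model, groups the risk events that earlier detections wrote there, and raises a notable only when at least four distinct detections from its list have fired against the same risk object. The following Python re-implements that grouping and threshold over constructed risk events so the behaviour can be inspected offline. It is an added example, not Splunk's code; the detection names come from the search's WHERE clause, while the hosts, scores, timestamps and ATT&CK annotations are made up, and each event is assumed to carry a single tactic.

```python
# Added example (not Splunk's own code): offline re-implementation of the
# grouping and threshold used by "Windows Common Abused Cmd Shell Risk
# Behavior". Only the detection names are taken from the search; every event
# below is constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    """One simplified row of the Risk.All_Risk data model (constructed)."""
    time: int               # _time as epoch seconds
    risk_object: str        # host or user the risk is attributed to
    risk_object_type: str   # "system" or "user"
    source: str             # name of the detection that produced the risk
    score: int              # calculated_risk_score
    tactic: str             # annotations.mitre_attack.mitre_tactic (one per event here)
    tactic_id: str          # annotations.mitre_attack.mitre_tactic_id
    technique_id: str       # annotations.mitre_attack.mitre_technique_id


# The search's WHERE clause: source IN ("*name*", ...), i.e. substring matches.
CORRELATED_SOURCES = (
    "Windows Cmdline Tool Execution From Non-Shell Process",
    "Windows System Network Config Discovery Display DNS",
    "Local Account Discovery With Wmic",
    "Windows Group Discovery Via Net",
    "Windows Create Local Administrator Account Via Net",
    "Windows User Discovery Via Net",
    "Icacls Deny Command",
    "ICACLS Grant Command",
    "Windows Proxy Via Netsh",
    "Processes launching netsh",
    "Disabling Firewall with Netsh",
    "Windows System Network Connections Discovery Netsh",
    "Network Connection Discovery With Arp",
    "Windows System Discovery Using ldap Nslookup",
    "Windows System Shutdown CommandLine",
)


def source_matches(source: str) -> bool:
    """Emulate `source IN ("*X*", ...)`; treated as case-insensitive here (assumption)."""
    s = source.lower()
    return any(pat.lower() in s for pat in CORRELATED_SOURCES)


def correlate(events, min_sources: int = 4):
    """Group like the tstats BY clause and apply `where source_count >= 4`.

    The BY clause includes mitre_tactic, so the distinct-source count is
    computed per (risk_object, risk_object_type, tactic), not per host.
    """
    groups = defaultdict(list)
    for ev in events:
        if source_matches(ev.source):
            groups[(ev.risk_object, ev.risk_object_type, ev.tactic)].append(ev)

    notables = []
    for (obj, obj_type, tactic), evs in sorted(groups.items()):
        sources = sorted({e.source for e in evs})       # values(source)
        if len(sources) < min_sources:                  # dc(source) >= 4
            continue
        notables.append({
            "risk_object": obj,
            "risk_object_type": obj_type,
            "mitre_tactic": tactic,
            "firstTime": min(e.time for e in evs),
            "lastTime": max(e.time for e in evs),
            "risk_score": sum(e.score for e in evs),            # sum(calculated_risk_score)
            "risk_event_count": len(evs),                       # count(calculated_risk_score)
            "mitre_tactic_id": sorted({e.tactic_id for e in evs}),
            "mitre_technique_id": sorted({e.technique_id for e in evs}),
            "source": sources,
            "source_count": len(sources),
        })
    return notables


# Constructed sample risk events for three hosts; none of this is real telemetry.
SAMPLE_EVENTS = [
    # WS01: four different listed detections, all tagged Discovery -> one notable
    RiskEvent(1700000000, "WS01", "system", "Windows User Discovery Via Net", 10, "Discovery", "TA0007", "T1087.001"),
    RiskEvent(1700000060, "WS01", "system", "Windows Group Discovery Via Net", 10, "Discovery", "TA0007", "T1069.001"),
    RiskEvent(1700000120, "WS01", "system", "Network Connection Discovery With Arp", 15, "Discovery", "TA0007", "T1049"),
    RiskEvent(1700000180, "WS01", "system", "Windows System Discovery Using ldap Nslookup", 15, "Discovery", "TA0007", "T1033"),
    RiskEvent(1700000240, "WS01", "system", "Windows User Discovery Via Net", 10, "Discovery", "TA0007", "T1087.001"),
    # WS02: four different listed detections, but each under a different tactic -> no row reaches four
    RiskEvent(1700001000, "WS02", "system", "Windows Proxy Via Netsh", 25, "Command And Control", "TA0011", "T1090"),
    RiskEvent(1700001060, "WS02", "system", "Disabling Firewall with Netsh", 25, "Defense Evasion", "TA0005", "T1562.004"),
    RiskEvent(1700001120, "WS02", "system", "Windows System Shutdown CommandLine", 25, "Impact", "TA0040", "T1529"),
    RiskEvent(1700001180, "WS02", "system", "Windows User Discovery Via Net", 10, "Discovery", "TA0007", "T1087.001"),
    # WS03: two listed detections plus one that the search does not correlate
    RiskEvent(1700002000, "WS03", "system", "Icacls Deny Command", 20, "Defense Evasion", "TA0005", "T1222.001"),
    RiskEvent(1700002060, "WS03", "system", "ICACLS Grant Command", 20, "Defense Evasion", "TA0005", "T1222.001"),
    RiskEvent(1700002120, "WS03", "system", "Windows Service Created with Suspicious Service Name", 30, "Defense Evasion", "TA0005", "T1569.002"),
]


if __name__ == "__main__":
    for notable in correlate(SAMPLE_EVENTS):
        print(notable)
```

Running it produces a single notable, for WS01, with source_count 4 and five contributing events. WS02 gets nothing even though four distinct listed detections fired on it, because the tactic is part of the BY clause and each of its events sits in a different tactic group; if cross-tactic accumulation is wanted, the tactic has to move out of BY and into a values() aggregation. WS03 shows the other side of the threshold: a detection that is not in the WHERE list (here a service-creation anomaly) contributes nothing to source_count, however high its score.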

Detections

Name | Technique | Type
Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP
Windows Office Product Loading VBE7 DLL | Spearphishing Attachment | Anomaly
Wermgr Process Spawned CMD Or Powershell Process | Command and Scripting Interpreter | TTP
Windows Process Injection In Non-Service SearchIndexer | Process Injection | TTP
Suspicious Regsvr32 Register Suspicious Path | Regsvr32 | TTP
Suspicious Copy on System32 | Rename Legitimate Utilities | Anomaly
Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting
Create Remote Thread In Shell Application | Process Injection | TTP
Windows Masquerading Explorer As Child Process | DLL | TTP
Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting
Windows System Discovery Using Qwinsta | System Owner/User Discovery | Hunting
Windows DLL Search Order Hijacking Hunt with Sysmon | DLL | Hunting
Windows DLL Side-Loading In Calc | DLL | TTP
Network Connection Discovery With Arp | System Network Connections Discovery | Hunting
Windows Phishing Recent ISO Exec Registry | Spearphishing Attachment | Hunting
Windows Service Created with Suspicious Service Name | Service Execution | Anomaly
Disable Defender Spynet Reporting | Disable or Modify Tools | TTP
Process Creating LNK file in Suspicious Location | Spearphishing Link | Anomaly
NLTest Domain Trust Discovery | Domain Trust Discovery | TTP
Windows Modify Registry Qakbot Binary Data Registry | Modify Registry | Anomaly
Windows Defender Exclusion Registry Entry | Disable or Modify Tools | TTP
Recon Using WMI Class | PowerShell, Gather Victim Host Information | Anomaly
Windows Regsvr32 Renamed Binary | Regsvr32 | TTP
Windows Office Product Spawned Uncommon Process | Spearphishing Attachment | TTP
System Processes Run From Unexpected Locations | Rename Legitimate Utilities | Anomaly
Windows WMI Process Call Create | Windows Management Instrumentation | Hunting
Regsvr32 with Known Silent Switch Cmdline | Regsvr32 | Anomaly
Windows Schtasks Create Run As System | Scheduled Task | TTP
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
Network Discovery Using Route Windows App | Internet Connection Discovery | Hunting
Windows MsiExec HideWindow Rundll32 Execution | Msiexec | TTP
Windows Service Created with Suspicious Service Path | Service Execution | TTP
Windows System Discovery Using ldap Nslookup | System Owner/User Discovery | Anomaly
Windows WMI Impersonate Token | Windows Management Instrumentation | Anomaly
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Scheduled Task Deleted Or Created via CMD | Scheduled Task | Anomaly
Windows ISO LNK File Creation | Malicious Link, Spearphishing Attachment | Hunting
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Windows App Layer Protocol Wermgr Connect To NamedPipe | Application Layer Protocol | Anomaly
Windows Process Injection Of Wermgr to Known Browser | Dynamic-link Library Injection | TTP
Services LOLBAS Execution Process Spawn | Windows Service | TTP
Schtasks Run Task On Demand | Scheduled Task/Job | Anomaly
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Windows Process Injection Remote Thread | Portable Executable Injection | TTP
CMD Carry Out String Command Parameter | Windows Command Shell | Hunting
Windows App Layer Protocol Qakbot NamedPipe | Application Layer Protocol | Anomaly
Windows Cmdline Tool Execution From Non-Shell Process | JavaScript | Anomaly
Windows Process Execution in Temp Dir | Match Legitimate Resource Name or Location, Create or Modify System Process | Anomaly
Windows Process Injection Wermgr Child Process | Process Injection | Anomaly
WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting
Windows DLL Side-Loading Process Child Of Calc | DLL | Anomaly
Windows List ENV Variables Via SET Command From Uncommon Parent | Process Injection | Anomaly
System User Discovery With Whoami | System Owner/User Discovery | Hunting

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 10 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log TaskScheduler 201 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational

References


Source: GitHub | Version: 3