{
	"id": "5cd06793-6aaf-4b90-8d59-59b01d4732ef",
	"created_at": "2026-04-06T00:19:01.390424Z",
	"updated_at": "2026-04-10T03:25:13.249632Z",
	"deleted_at": null,
	"sha1_hash": "2a82bb8d94a46f57b3ec1165a406682b5dc7500d",
	"title": "Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1790764,
	"plain_text": "Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves,\r\nPart 2\r\nBy The Falcon Complete Team\r\nArchived: 2026-04-05 17:54:05 UTC\r\nThis blog is Part 2 of a three-part blog series detailing the reemergence and evolution of QakBot in the spring and summer\r\nof 2020. In this installment we cover analysis of the QakBot ZIP-based delivery campaign, particularly one example that\r\nexhibited a tactical breakdown by the threat actor with a botched downloader. In addition, the CrowdStrike® Falcon\r\nComplete™ team will cover dynamic analysis of two experimental campaigns, one of which also includes an additional\r\nstage-two malware, Zloader.\r\nThreat Background and Context\r\nAs discussed in Part 1, QakBot is an eCrime banking trojan that has the potential to severely impact an organization’s ability\r\nto operate. QakBot has the ability to spread laterally throughout a network utilizing a worm-like functionality through brute\r\nforcing network shares, brute forcing Active Directory user group accounts or via server message block (SMB) exploitation.\r\nQakBot also employs a robust set of anti-analysis features to evade detection and frustrate analysis. Despite these\r\nprotections, the CrowdStrike Falcon® platform detects and prevents this malware from completing its execution chain.\r\nFigure 1. Timeline of QakBot Campaigns (click image to enlarge)\r\nFailed Campaigns with “Broken” Downloader — Late April\r\nIn early-to-mid-April 2020, Falcon Complete identified an attempted, unsuccessful QakBot campaign. This was possibly an\r\nexample of a failed development cycle during the threat actor’s retooling efforts. This campaign diverged from the tactics,\r\ntechniques and procedures (TTPs) observed in the prior, DOC-based campaign. 
Instead, the delivery tactic includes a .ZIP\r\nhttps://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/\r\nPage 1 of 8\n\nattachment containing a malicious Visual Basic Script (VBS) dropper; however, due to a failure in error handling within the\r\n.VBS, the actor was unable to download and write the payload to disk successfully.\r\nFigure 2. The portion of the dropper responsible for writing QakBot to disk (click image to enlarge)\r\nIn this instance, the VBS dropper would reach out to an array of sites, beginning with\r\nhxxp\u003c:\u003e//millionsawesomeproducts\u003c.\u003ecom, in an attempt to download 444444.png from the distribution server — which is\r\nactually a Windows PE file — and would subsequently be written to disk with the name PaintHelper.exe.\r\nFigure 3. The malware distribution sites associated with the failed campaign (click image to enlarge)\r\nIf a 404 error was returned, the script would move on to the next site in the array, and attempt to download the malware and\r\nplace it into the user’s %TEMP% directory. The script would then proceed along the kill chain with a persistence mechanism\r\nin the form of a scheduled task with a GUID-based naming convention. The site in question did not have a DNS record\r\npublished — and thus, no HTTP response was returned because no connection could be made. Due to an apparent failure in\r\nerror handling in the QakBot dropper, the script would fail to infect the host and write a zero-byte, innocuous\r\nPaintHelper.exe to %TEMP%. It was discovered that via spoofing a DNS response and the subsequent 404 from the site, the\r\nQakBot loader would move on to the next site and successfully write its payload — PaintHelper.exe. 
Additionally, the\r\ndropper would encode the antivirus product in use, the current OS version and other system information into a Base64\r\nstring, and utilize GET strings to inform the malware distribution servers of this information, as shown in Figure 4.\r\nFigure 4. Spoofing the DNS response and subsequent 404 to un-break the dropper; decoded Base64 sent as a GET parameter\r\nto the server (click image to enlarge)\r\nThis appears to be an implementation of hashbusting — a method of obfuscation in which a malware sample is subtly\r\nchanged on the fly so each sample has a different checksum. As a result, the SHA256 hash of each payload downloaded\r\nfrom the sites in question appeared to be unique. However, the SSDEEP fuzzy hash of this sample was as follows:\r\n6144:y2la96gEZbXtD/uY/HmJV8cc0em/wnXPKYGvZxYney3brNLFDPMTJYhr64Fgw:y2JvZbJYRwnXPKvZxYn7hLFPMdV4Fgw\r\nUnfortunately, the actors behind QakBot quickly recovered, and a new campaign was launched the week of May 25, 2020,\r\nwith no such mistakes and far more success. Despite this success, the operators continued development and experimentation\r\nwith additional delivery tactics as their campaigns persisted.\r\nQakBot Experiments with PicturesViewer.dll and Secondary Payloads\r\nThe following dynamic analysis was conducted on two iterations of QakBot observed and blocked within client\r\nenvironments. During mid-June, the actors behind the QakBot malware experimented with two disparate tactics that each\r\nonly lasted one day.\r\nThe first anomalous TTP payload was on June 11, 2020. 
QakBot would drop a Windows PE named\r\nPicturesViewer.dll, which differs from the PicturesViewer.exe seen in prior weeks and noted in the previous section.\r\nThe following day on June 12, QakBot downloaded and executed an additional Windows PE named senate.m4a.\r\nOnce executed, this binary would install additional malware from the ZeuS family known as Zloader, or Zbot.\r\nPlease Note: Some of the examples in the following scenario have CrowdStrike Falcon® configured with\r\nDETECTIONS ONLY and PREVENTIONS off for illustrative purposes. A properly configured Falcon instance as\r\nnoted above would prevent the activity presented here.\r\nDynamic Analysis of QakBot — June 11\r\nOn June 11, QakBot reemerged with new tactics. Beginning at approximately 13:47 UTC, Falcon Complete observed\r\nQakBot threat actors using a new .VBS payload. Once a user invokes this script, the process tree is as follows.\r\n1. Wscript makes subsequent DNS requests for a Stage Two payload\r\n2. ‘Rundll32.exe -\u003e PicturesViewer.dll, DllRegisterServer,’ allowing for C2 communication\r\n3. MSIExec, spawning multiple Cmd.exe processes and Explorer injection\r\n4. Commands run by the C2:\r\nCmd.exe /c net view /all /domain\r\nCmd.exe /c net view /all\r\nCmd.exe /c net config workstation\r\nCmd.exe /c ipconfig /all\r\nFigure 5. Process tree of QakBot as displayed in Falcon (click image to enlarge)\r\nIf we take a closer look at Wscript.exe, we can see the process reaches out to four suspicious-looking domains. 
Further\r\nanalysis of these four domains reveals an HTTP GET request for the following payloads.\r\nhxxp\u003c:\u003eameliasmoments\u003c.\u003ecom/wp-includes/js/thickbox/wifgyfro/8888888.jpg\r\nhxxp\u003c:\u003edigitalschoolfaridabad\u003c.\u003ein/courses/images/parallax/mjogqxakfxg/8888888.jpg\r\nhxxp\u003c:\u003eUniquehindunames\u003c.\u003ecom/wp-content/uploads/cnesco/8888888.jpg\r\nhxxp\u003c:\u003eSometechsense\u003c.\u003ecom/wp-includes/jtinymce/plugins/wptextpattern/tbpfdfelf/8888888.jpg\r\nFigure 6. Suspicious DNS requests as displayed in Falcon and Wireshark-captured GET request (click images to enlarge)\r\nFurther review of the dynamic behavior of MSIExec.exe shows process injection into Explorer, multiple files written to\r\ndisk, and multiple DNS requests, as shown below. Files written:\r\n%AppData%\\lwob\\esexydry.dll\r\n%AppData%\\PicturesViewer.dll\r\nFigure 7. Disk operations as displayed in Falcon (click image to enlarge)\r\nFigure 8. Further DNS requests as displayed in Falcon (click image to enlarge)\r\nDynamic Analysis of QakBot — June 12\r\nOn June 12, QakBot continued its evolution. The delivery method of a .ZIP file to malicious .VBS was the same, but this\r\ntime QakBot also dropped a Zloader payload on its victim. Beginning around 14:24 UTC, Falcon Complete observed\r\nQakBot threat actors using a new .VBS payload. Once the user invoked this script, the process tree is as follows.\r\n1. Wscript.exe\r\n2. WmiPrvSE.exe\r\n3. Rundll32 -\u003e %AppData%\\senate.m4a, DllRegisterServer\r\n4. MSIExec, spawning multiple Cmd.exe processes, DNS requests, and writing a few interesting files to disk\r\n5. 
Commands run by the C2:\r\nCmd.exe /c net view /all /domain\r\nCmd.exe /c net view /all\r\nCmd.exe /c net config workstation\r\nCmd.exe /c ipconfig /all\r\nFigure 9. Process tree as displayed in Falcon (click image to enlarge)\r\nWscript.exe does a number of things: It deletes the original QakBot.vbs and writes four files to disk in %APPDATA%:\r\ninduce.flac, pep.csv, rhythm.tex and senate.m4a. Senate.m4a is deleted after full process execution. Looking closer at\r\nRundll32.exe, we can see that it’s executing senate.m4a, DllRegisterServer. Further analysis shows senate.m4a is actually\r\na Zloader DLL. At the time of this writing, we are no longer seeing the senate.m4a Zloader being distributed by the QakBot\r\n.VBS delivery method. Continuing with the dynamic behavior of MSIExec.exe shows multiple files written to disk and\r\nmultiple DNS requests, as shown below. DNS requests:\r\nwithifceale\u003c.\u003etop/treusparq.php\r\nxeemoquo\u003c.\u003etop/treusparq.php\r\nleeephee\u003c.\u003etop/treusparq.php\r\ncccommercialcleaning\u003c.\u003ecom\u003c.\u003eau/wp-content/themes/twentyfifteen/1/spx139/dasfdsfsdf.exe\r\nFigure 10. DNS requests as displayed in Falcon (click image to enlarge)\r\nFiles written:\r\n%APPDATA%\\dasfdsfsdf.exe\r\n%APPDATA%\\Iwhoq\\pozypua.dll\r\n%APPDATA%\\IE\\GGYJG27Z\\dasfdsfs.df\u003c1\u003e.exe\r\nFigure 11. QakBot disk operations as displayed in Falcon (click image to enlarge)\r\nOnce the full QakBot and Zloader process execution is complete, persistence may be established through the following\r\nregistry key: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run. 
The name of the value will\r\neither be randomly chosen or a GUID, targeting a PE in the %APPDATA%\\Roaming\\Microsoft\\ folder.\r\nConclusion\r\nAs we have seen, QakBot employs a robust set of anti-analysis features and has recently surged in its operational volume\r\nwithin the threat landscape. This blog provided an in-depth analysis of a botched QakBot downloader along with dynamic\r\nanalysis of experimental payloads that include a secondary malware stage: Zloader. The threat actors behind QakBot,\r\ntracked as MALLARD SPIDER, have demonstrated the ability to rapidly retool, implement anti-analysis techniques and\r\ndevelop methods of advanced obfuscation in a short period. Part 3 of this series will outline the Falcon Complete team's\r\nstrategy for the remote remediation of a QakBot-infected host.\r\nAdditional Resources\r\nRead Part 1 of this blog series.\r\nFind out how CrowdStrike can help your organization answer its most important security questions: Visit the\r\nCrowdStrike Services webpage.\r\nLearn how any size organization can achieve optimal security with Falcon Complete by visiting the product\r\nwebpage.\r\nLearn more about CROWDSTRIKE FALCON® INTELLIGENCE™ threat intelligence by visiting the webpage.\r\nLearn about CrowdStrike’s comprehensive next-generation endpoint protection platform by visiting the Falcon\r\nproducts webpage.\r\nTest CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent™.\r\nSource: https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/"
	],
	"report_names": [
		"duck-hunting-with-falcon-complete-qakbot-zip-based-campaign"
	],
	"threat_actors": [
		{
			"id": "aa5b200f-a6c6-4d17-bc65-911d9a7bf4ef",
			"created_at": "2022-10-25T16:07:23.866039Z",
			"updated_at": "2026-04-10T02:00:04.765416Z",
			"deleted_at": null,
			"main_name": "Mallard Spider",
			"aliases": [
				"Gold Lagoon"
			],
			"source_name": "ETDA:Mallard Spider",
			"tools": [
				"Egregor",
				"Mimikatz",
				"Oakboat",
				"PinkSlip",
				"Pinkslipbot",
				"ProLock",
				"PwndLocker",
				"QakBot",
				"Qbot",
				"QuackBot",
				"QuakBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d5cb8d20-b5b9-4ec6-9660-3dded9bd3c89",
			"created_at": "2023-01-06T13:46:39.204681Z",
			"updated_at": "2026-04-10T02:00:03.245695Z",
			"deleted_at": null,
			"main_name": "MALLARD SPIDER",
			"aliases": [
				"GOLD LAGOON"
			],
			"source_name": "MISPGALAXY:MALLARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434741,
	"ts_updated_at": 1775791513,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a82bb8d94a46f57b3ec1165a406682b5dc7500d.pdf",
		"text": "https://archive.orkl.eu/2a82bb8d94a46f57b3ec1165a406682b5dc7500d.txt",
		"img": "https://archive.orkl.eu/2a82bb8d94a46f57b3ec1165a406682b5dc7500d.jpg"
	}
}