{
	"id": "b0117efd-219d-40be-a0db-626927bb05e8",
	"created_at": "2026-04-06T00:07:42.244804Z",
	"updated_at": "2026-04-10T03:22:06.459344Z",
	"deleted_at": null,
	"sha1_hash": "4d071f6d7a0f255b58e89e1b53bc5bdf439c14f9",
	"title": "Duck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 929501,
	"plain_text": "Duck Hunting with Falcon Complete: Remediating a Fowl Banking Trojan, Part 3\r\nBy The Falcon Complete Team\r\nArchived: 2026-04-05 18:56:19 UTC\r\nThis blog is the last in a three-part series presenting the CrowdStrike® Falcon Complete™ team’s analysis of the recent QakBot campaigns observed in the wild and outlining a strategy for the remote identification of a QakBot-infected host. While Part 1 and Part 2 provided an analysis of techniques used by the threat actor to gain successful infections, Part 3 provides recommendations for countermeasures that can be deployed via the CrowdStrike Falcon® platform to prevent and contain infections before a widespread incident occurs. We also outline a strategy for how the team helps organizations recover from incidents via our remote remediation capabilities.\r\nQakBot is an eCrime banking trojan that is capable of spreading laterally throughout a network. Utilizing worm-like functionality, it spreads by brute-forcing network shares, brute-forcing Active Directory user group accounts or via SMB exploitation. QakBot also employs a robust set of anti-analysis features to evade detection and frustrate analysis. Despite these protections, the CrowdStrike Falcon® platform detects and prevents the malware from completing its execution chain.\r\nSolution: Prevention, Containment and Remediation\r\nThe Falcon Complete team’s approach to defeating the QakBot threat can be defined in several ways, depending on the tailored approach created for the customer. The best way to defend against QakBot is never allowing it to get a foothold in the first place, and the Falcon platform offers prevention policies that are effective in stopping QakBot in its tracks. 
For situations where prevention is not enabled, a strategy of containment and fast remote response allows our analysts to quickly remediate the infection via the Falcon Real Time Response (RTR) console, resulting in less downtime, less interference and more productivity.\r\nConfiguring Proper Prevention Policies\r\nPrevention policies are configured in the Falcon UI and allow organizations to customize how aggressive the Falcon sensor is with detections and preventions. Organizations can choose to configure these policies themselves or take advantage of the Falcon Complete team’s expertise to configure them and offer guidance on best practices for these configurations.\r\nhttps://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/\r\nPage 1 of 9\r\nFigure 1. Prevention policy settings as shown in the Falcon UI\r\nFalcon’s next-gen antivirus has the ability to block malware based on machine learning and behavioral pattern analysis. Being a non-signature-reliant platform, Falcon with the proper prevention policies in place reliably prevents known QakBot infections before any second-stage payloads are executed. With prevention policies configured like those depicted in Figure 1, we can see that the execution of a senate.m4a Zloader payload was blocked, and the detection details appear in the Falcon UI for analyst review (see Figure 2).\r\nFigure 2. Falcon blocking second-stage payload execution of senate.m4a\r\nHost Network Containment via the Falcon UI\r\nIn the event that prevention policies are not set to actively block the QakBot threat — as is sometimes the case in more sensitive environments — customers can take advantage of the 24/7/365 virtual security operations center (SOC) offered by Falcon Complete. In these cases, Falcon Complete will triage, stop lateral spread and remediate the QakBot banking trojan threat. 
In the instance of an unprevented QakBot infection, the Falcon Complete team receives a high-confidence alert for malicious files, triggered by Falcon’s machine-learning algorithms.\r\nFigure 3. Detection in the UI as shown by Falcon\r\nUpon expanding the alert, the analyst can recognize the QakBot threat by the tactics employed — many discovered during CrowdStrike’s tracking of this threat.\r\nFigure 4. Ability to network-contain hosts in emergency situations\r\nIf network containment is among the pre-approved countermeasures, the analyst can network-contain the host to prevent the lateral spread of the info-stealer within the environment. This limits business impact and productivity loss for users, and saves time and cleanup for your internal SOC team.\r\nRemediation with Falcon RTR\r\nQakBot malware is fairly simple in its functionality, but its capability to move laterally can be devastating in enterprise networks. Because of this worm-like spreading and its costly repercussions, the Falcon Complete team has classified the difficulty of the remediation process as “Hard.” The following is a brief illustration of the remote remediation process via Falcon Real Time Response (RTR).\r\nThe remediation of QakBot can be broken into three distinct steps:\r\n1. Killing the malicious processes (e.g., the injected explorer.exe)\r\n2. Removing the persistence mechanisms (e.g., scheduled task, registry run key)\r\n3. Removing disk artifacts (e.g., binaries and directories).\r\nPlease note: Some of the examples in the following scenario have CrowdStrike Falcon® configured with DETECTIONS ONLY and PREVENTIONS off for illustrative purposes. 
A properly configured Falcon instance, as noted previously, would prevent the activity presented here.\r\nSTEP 1. Finding and Killing the Malicious explorer.exe Process\r\nQakBot will create a new instance of the explorer.exe process and inject itself into the new process. It is possible for multiple instances of this process to occur, so responders must determine which instance is malicious. It may not be immediately clear which explorer.exe process is legitimate, but this can be determined by querying the process with the “-Module” parameter, as shown in Figure 5.\r\nFigure 5. Query for explorer.exe process injection\r\nIn the example in Figure 5, “gps” is a built-in alias for the “Get-Process” cmdlet, and the process ID was determined by an earlier query (not shown). The legitimate explorer process will have several modules associated with it, but the malicious instance will have very few — typically fewer than ten. In this case, Falcon had already prevented the injected process, but if a malicious instance were present, it could be killed with the following command: “kill ‘\u003cPID\u003e’”\r\nSTEP 2. Removing Persistence\r\nQakBot typically employs a scheduled task and a registry run key as persistence mechanisms on compromised hosts. Figure 6 shows a query for scheduled tasks on the affected host. The search can be assisted by the historical knowledge that the task will point to a binary in %AppData%, so this is used as a search string to quickly identify not only the malicious TaskName but also the full path to the main binary.\r\nFigure 6. Query to find the path for the scheduled task persistence mechanism\r\nThe parent directory of the QakBot binary is a key indicator of compromise (IOC) and can be used later in the manual remediation process and as an integral search string. 
In the query shown in Figure 6, the parameter “-context 10” shows the surrounding ten lines and will reveal the actual name of the task that is required for removal. This can simply be deleted with the built-in CMD program schtasks.exe, like so:\r\nFigure 7. Removing the scheduled task\r\nIn addition to scheduled tasks, QakBot will often create a registry run key to establish persistence. The modified value is placed under this key name: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run. Figure 8 shows the output of the query for this registry key.\r\nFigure 8. Registry query\r\nIn Figure 8, we obtain the value of the malicious run key and again encounter the path to the main QakBot binary location. Removal of the key is performed with the command shown in Figure 9.\r\nFigure 9. Removing the run key\r\nSTEP 3. Removing Remaining Artifacts\r\nQakBot leaves file system residue in a few specific locations on infected hosts. The first one is the randomly named alphabetical folder located in C:\\Users\\*\\AppData\\Roaming\\Microsoft, identified in the remediation steps above. The name of this directory is dynamic, but it will reliably contain QakBot’s core binary, .dat files and other resources. The initial download, along with the temporary location of the loader’s initial execution, may also require removal, as shown in Figure 10.\r\nFigure 10. Removal of residual file system artifacts\r\nThe steps outlined above are the general process for identifying QakBot artifacts and successfully remediating a host for the QakBot malware. This process is quite effective in singular instances, but in reality a single infected host is rarely the case due to QakBot’s lateral movement capabilities. 
A properly configured Falcon platform is a critical component of a successful defense strategy to defeat this threat.\r\nConclusion\r\nQakBot has undergone a resurgence in both its delivery volumes and technical evolution. The potential impact from a successful QakBot infection includes (but is certainly not limited to) widespread lateral infections, theft of confidential data, deployment of secondary payloads and loss of organizational prestige. Remediating these types of infections becomes more complicated with these variants’ ability to spread laterally to many hosts. Furthermore, with a transition to a more remote workforce, the capability to remotely remediate infections on hosts that are geographically distributed will become increasingly important as rebuilding systems becomes impractical. The Falcon Complete team will continue to track this threat and monitor our clients’ environments for any notable developments. Despite QakBot’s anti-analysis and evasive capabilities, the CrowdStrike Falcon® platform prevents this malware from completing its execution chain when it detects the VBScript execution. 
The Falcon Complete team deals with threats like this every day, providing our customers with the expertise required to remediate these infections and help organizations recover from potentially devastating incidents.\r\nAppendix\r\nTable 1 below contains a mapping of QakBot tactics to the MITRE ATT\u0026CK® framework.\r\nTactic | Technique | Sub-Technique | ID\r\nInitial Access | Phishing | Spear-Phishing Attachment | T1566.001\r\nExecution | User Execution | Malicious Link, Malicious File | T1204.001, T1204.002\r\nExecution | Command and Scripting Interpreter | PowerShell, CMD Shell, Visual Basic | T1059.001, T1059.003, T1059.005\r\nExecution | Signed Binary Proxy Execution | Msiexec, Rundll32 | T1218.007, T1218.011\r\nPersistence | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder | T1547.001\r\nPersistence | Scheduled Task/Job | Scheduled Task | T1053.005\r\nDefense Evasion | Obfuscated Files or Information | None | T1027\r\nDefense Evasion | Process Injection | Dynamic-link Library Injection | T1055.001\r\nDefense Evasion | Virtualization/Sandbox Evasion | System Checks | T1497.001\r\nDiscovery | Virtualization/Sandbox Evasion | User Activity Based Checks | T1497.002\r\nDiscovery | Network Share Discovery | None | T1135\r\nCredential Access | Brute Force | Password Guessing | T1110.001\r\nLateral Movement | Remote Services | SMB/Windows Admin Shares | T1021.002\r\nCommand and Control | Application Layer Protocol | Web Protocols | T1071.001\r\nTable 1. 
MITRE ATT\u0026CK mapping\r\nIOCs associated with QakBot analyses are available in Table 2.\r\nIndicator | Purpose\r\nPicturesViewer.dll, PicturesViewer.exe, PaintHelper.dll, PaintHelper.exe, file1.exe | QakBot binary names\r\n“\u003c0-9\u003e{6,9}\\.zip”, “NUM_\u003c0-9\u003e{4,6}\\.vbs” | Regular expression of the observed filename convention of zip archives containing the VBS that launches the QakBot downloader\r\n“dfPEZd”, “ezQVN”, “wCdZgXH” | Scheduled task names\r\n\"C:\\windows\\System32\\WScript.exe\" \"C:\\Users\\*\\AppData\\Local\\Temp\\Temp1_*.zip\\NUM_*.vbs\" | Command line example of initial execution\r\nC:\\Users\\*\\Downloads\\\u003c0-9\u003e{6,9}\\.zip | Initial QakBot download path, observed as an 8- or 9-character numeric name\r\nC:\\Users\\*\\AppData\\Local\\Temp\\Temp1_\u003c0-9\u003e{6,9}\\.zip\\NUM_\u003c0-9\u003e{4,6}\\.vbs | Execution path of the VB downloader script\r\n%AppData%\\lwob\\esexydry.dll, %AppData%\\PicturesViewer.dll, %APPDATA%\\dasfdsfsdf.exe, %APPDATA%\\Iwhoq\\pozypua.dll, %APPDATA%\\IE\\GGYJG27Z\\dasfdsfs.df\u003c1\u003e.exe, C:\\Users\\Public\\tmpdir | QakBot binary paths in home directories, observed as an alphabetical name under an alphabetical folder in %AppData%, or pre-named PicturesViewer, PaintHelper\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run | Registry run key persistence\r\nTable 2. 
IOCs associated with QakBot\r\nAdditional Resources\r\nRead “Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1” and “Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2” in this series.\r\nFind out how CrowdStrike can help your organization answer its most important security questions: Visit the CrowdStrike Services webpage.\r\nLearn how any size organization can achieve optimal security with Falcon Complete by visiting the product webpage.\r\nLearn more about CROWDSTRIKE FALCON® INTELLIGENCE™ threat intelligence by visiting the webpage.\r\nLearn about CrowdStrike’s comprehensive next-gen endpoint protection platform by visiting the Falcon products webpage.\r\nTest CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent™.\r\nSource: https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/"
	],
	"report_names": [
		"duck-hunting-with-falcon-complete-qakbot-countermeasures"
	],
	"threat_actors": [],
	"ts_created_at": 1775434062,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d071f6d7a0f255b58e89e1b53bc5bdf439c14f9.pdf",
		"text": "https://archive.orkl.eu/4d071f6d7a0f255b58e89e1b53bc5bdf439c14f9.txt",
		"img": "https://archive.orkl.eu/4d071f6d7a0f255b58e89e1b53bc5bdf439c14f9.jpg"
	}
}