{
	"id": "28d26908-eec1-4a44-96cf-d0a54412f2f9",
	"created_at": "2026-04-06T00:16:33.853427Z",
	"updated_at": "2026-04-10T13:12:38.616778Z",
	"deleted_at": null,
	"sha1_hash": "5b33b6c1229be6c7857ec5661748a1199a3025ff",
	"title": "Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1000201,
	"plain_text": "Duck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 1\r\nBy Dylan Barker - Quinten Bowen - Ryan Campbell\r\nArchived: 2026-04-05 18:32:14 UTC\r\nAdversaries constantly develop new tactics that enhance their capabilities to deploy malware across networked environments and monetize infected systems. This blog is Part 1 of a three-part series detailing research and observations by the CrowdStrike® Falcon Complete™ managed services team regarding one such malware variant, QakBot (aka QBot), and its behavior in recent campaigns. In this blog we provide an overview of a recent QakBot campaign observed in the wild. Part 2 will feature an in-depth analysis of the evolution of QakBot tactics, techniques and procedures (TTPs) through June 2020. We will culminate the series in Part 3 by outlining the Falcon Complete team's strategy for the remote remediation of a QakBot-infected host.\r\nThreat Background and Context\r\nQakBot is an eCrime banking trojan that has the potential to severely impact an organization’s ability to operate. QakBot can spread laterally throughout a network using worm-like functionality: it brute-forces network shares and Active Directory user group accounts, or exploits server message block (SMB). QakBot also employs a robust set of anti-analysis features to evade detection and frustrate analysis. Despite these evasion techniques, CrowdStrike Falcon® detects and prevents this malware from completing its execution chain. QakBot has been observed for nearly a decade, and historically it included the traditional features of banking trojans and information stealers. However, it has since evolved and expanded its capabilities. QakBot also shows no signs of slowing down — in fact, Falcon Complete observed a notable resurgence in its delivery volume, beginning in April 2020, with regular updates through the summer months. 
Recent campaigns have been delivered primarily via email, with attached ZIP archives containing a Visual Basic Script (VBS) downloader. There have also been several tactical outliers, such as Microsoft Word DOC-based deliveries, along with campaigns that included secondary malware payloads like Zloader. The following section covers static and dynamic analysis of the QakBot DOC-based delivery campaign. This analysis includes an overview of the techniques the threat actor uses to obfuscate, hinder and attempt to prevent analysis of the malicious documents delivered in QakBot campaigns, so as to ensure a successful infection of the victim.\r\nhttps://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/\r\nPage 1 of 9\n\nFigure 1. Timeline of QakBot Campaigns\r\nQakBot Introduces DOC-based Delivery\r\nAs QakBot surged in early April 2020, the operators leveraged a new tactic for delivery: a Microsoft Word document delivered via malspam that was weaponized with macros containing a malicious VB script. While operators shifted delivery tactics several times throughout the summer, the overall TTPs related to QakBot’s execution chain remained largely the same, and analysis of this DOC file provides useful insights into the capabilities of QakBot’s authors.\r\nStatic Analysis of Downloader DOC\r\nDocument Features\r\nIn early April, the team observed a document that was detected and blocked within a client environment.\r\nFilename: AGRMT_06052020_519.doc\r\nSHA256: b1e8b724380e6e041e3c2b4dfe5d4827fe0ae1bb0816b47d14d21d6f94194797\r\nThis was a typical phishing document that attempts to lure intended victims into enabling macros that execute malicious code.\r\nFigure 2. 
User Prompt\r\nThe malicious macro included in the document is locked — an example of the many anti-analysis and sandbox-evasion features included in these campaigns.\r\nFigure 3. Locked Macro Modules\r\nThe locked macros prevent sandboxes from inspecting the macro content and also impede manual analysis. Once this protection is bypassed, the contents of the Visual Basic for Applications (VBA) project become available.\r\nFigure 4. Macros Now Accessible\r\nThe macros are highly obfuscated and split between UserForm objects and modules containing more typical Functions and Subs. The UserForm objects are built from a variety of text boxes, buttons and label objects that do not execute code themselves, but hold string data in their tags that is read by Functions in the macro code.\r\nFigure 5. Modules and Objects\r\nMacro De-obfuscation\r\nThe macro contents are extracted to a text editor for continued static analysis and easier de-obfuscation. The macros are extensively obfuscated with a variety of anti-analysis techniques, including several lines of garbage code, confusing variable assignments, string reversals and an interesting string-encoding technique that leverages nested conversions. The two components of greatest interest are the functions that implement the encoding algorithm and a block of strings that contain the encoded URLs from which the code will attempt to download the next-stage payload.\r\nFigure 6. Encoding Algorithm\r\nThe encoding algorithm leverages the VBA Mid function to perform operations on URL strings. 
The Mid function takes the text block, a starting index within the text, and the number of characters to select (in this case, 1). It is wrapped in a For loop that instructs the Function to walk the length of the string in reverse order. Finally, a series of string conversions follows the loop operation: each character is converted to its ASCII value, 1 is subtracted, and the result is converted back into a character. The resulting string is actually Base64-encoded and must then be decoded to reveal the actual URL.\r\nFigure 7. Obfuscated URLs\r\nFor example, the URLs are decoded by taking the last character in each string, converting it to ASCII, subtracting 1 and then looping backward over the length of the string. Finally, the Base64 string is decoded. The first variable in Figure 9, “dkekr(1),” which holds the string “o6HdvhEP5hEP5h{M5iHdkS4Mu:3Zv1H\r\nFigure 8. Decoded URL\r\nThe VB code contains a total of six URLs that it will loop through until it receives a valid response to download the next-stage payload. It is necessary to break down this obfuscation to successfully identify all six of these indicators of compromise (IOCs). If only network log data or sandbox results are used, the infection chain may stop at the first valid response and never reach the remaining URLs. The complete list of IOCs may then be implemented in the appropriate network control, such as a web proxy or firewall. When executed, the final macro code, as interpreted by CMD, decodes into a classic PowerShell download cradle that fetches the initial QakBot payload. There is one last bit of obfuscation here, as the script contains two more encoded strings. 
One is the URL as seen above in Figure 8, and the other is the full path to which the payload will initially be written: “C:\\Users\\Public\\tmpdir\\file”.\r\nFigure 9. Download Cradle\r\nThe cradle appends “1.exe” to the file named “file” and eventually writes itself to “C:\\Users\\Public” before continuing with the remainder of the execution chain, provided the appropriate anti-analysis checks are met. The execution chain for this delivery style is shown below in Figure 10. Please note that the examples in the following scenarios have CrowdStrike Falcon® configured with DETECTIONS ONLY and PREVENTIONS OFF for illustrative purposes. A properly configured Falcon instance would prevent the activity presented here.\r\nFigure 10. Process Tree as Displayed in Falcon\r\nThe Falcon Complete team frequently responds to detections where Falcon has prevented a successful QakBot phishing attempt. In these cases, where preventions are properly implemented, the remediation simply consists of removing the original attachment written to disk and any associated residual script artifacts; Falcon interrupts the infection before binaries are executed or persistence is established.\r\nConclusion\r\nQakBot has the potential to severely impact an organization due to its capability for lateral movement and data theft. As we have seen, QakBot employs a robust set of anti-analysis features and has recently surged in its operational volume within the threat landscape. In this blog, we presented an analysis of a DOC-based QakBot downloader. 
The threat actors behind QakBot, tracked by CrowdStrike Intelligence as MALLARD SPIDER, have demonstrated the ability to rapidly re-tool, implement anti-analysis techniques and develop methods of advanced obfuscation in a short period. Stay tuned for Parts 2 and 3, where we delve deeper into our analysis and offer recommendations for improving your defenses against QakBot and similar threats. As QakBot evolves, so does the Falcon Complete team’s ability to adapt, react to and remediate this threat to protect our client environments. The team provides the expertise to identify and remediate infections to help organizations recover from potentially devastating incidents. The Falcon Complete team focuses on stopping breaches so CrowdStrike clients can focus on their business goals and operations.\r\nAppendix\r\nTable 1 below contains a mapping of QakBot tactics to the MITRE ATT\u0026CK® framework.\r\nTactic | Technique | Sub-Technique | ID\r\nInitial Access | Phishing | Spear-Phishing Attachment | T1566.001\r\nExecution | User Execution | Malicious Link, Malicious File | T1204.001, T1204.002\r\nExecution | Command and Scripting Interpreter | PowerShell, CMD Shell, Visual Basic | T1059.001, T1059.003, T1059.005\r\nExecution | Signed Binary Proxy Execution | Msiexec, Rundll32 | T1218.007, T1218.011\r\nPersistence | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder | T1547.001\r\nPersistence | Scheduled Task/Job | Scheduled Task | T1053.005\r\nDefense Evasion | Obfuscated Files or Information | None | T1027\r\nDefense Evasion | Process Injection | Dynamic-link Library Injection | T1055.001\r\nDefense Evasion | Virtualization/Sandbox Evasion | System Checks | T1497.001\r\nDiscovery | Virtualization/Sandbox Evasion | User Activity Based Checks | T1497.002\r\nDiscovery | Network Share 
Discovery | None | T1135\r\nCredential Access | Brute Force | Password Guessing | T1110.001\r\nLateral Movement | Remote Services | SMB/Windows Admin Shares | T1021.002\r\nCommand and Control | Application Layer Protocol | Web Protocols | T1071.001\r\nTable 1. MITRE ATT\u0026CK Mapping\r\nIOCs associated with QakBot analyses are shown in Table 2.\r\nIndicator | Purpose\r\nPicturesViewer.dll, PicturesViewer.exe, PaintHelper.dll, PaintHelper.exe, file1.exe | QakBot binary names\r\n“\u003c0-9\u003e{6,9}\\.zip”, “NUM_\u003c0-9\u003e{4,6}\\.vbs” | Regular expression of the observed filename convention of zip archives containing the vbs that launches the QakBot downloader\r\n“dfPEZd”, “ezQVN”, “wCdZgXH” | Scheduled Task tasknames\r\n\"\"\"C:\\windows\\System32\\WScript.exe\"\" \"\"C:\\Users\\*\\AppData\\Local\\Temp\\Temp1_*.zip\\NUM_*.vbs\"\" | Command line example of initial execution\r\nC:\\Users\\*\\Downloads\\“\u003c0-9\u003e{6,9}\\.zip\" | Initial QakBot download path. Observed as an 8- or 9-character numeric name.\r\nC:\\Users\\*\\AppData\\Local\\Temp\\Temp1_“\u003c0-9\u003e{6,9}\\.zip\\NUM_\u003c0-9\u003e{4,6}\\.vbs | Execution path of VB downloader script\r\n%AppData%\\lwob\\esexydry.dll, %AppData%\\PicturesViewer.dll, %APPDATA%\\dasfdsfsdf.exe, %APPDATA%\\Iwhoq\\pozypua.dll, %APPDATA%\\IE\\GGYJG27Z\\dasfdsfs.df\u003c1\u003e.exe, C:\\Users\\Public\\tmpdir | QakBot binary paths in home directories, observed as an alphabetical name under an alphabetical folder in %AppData%, or pre-named PicturesViewer, PaintHelper\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run | Registry run key persistence\r\nTable 2. 
IOCs Associated with QakBot\r\nAdditional Resources\r\nRead Part 2 and Part 3 of the Duck Hunting with Falcon Complete blog series.\r\nFind out how CrowdStrike can help your organization answer its most important security questions: Visit the CrowdStrike Services webpage.\r\nLearn how any size organization can achieve optimal security with Falcon Complete by visiting the product webpage.\r\nLearn more about CROWDSTRIKE FALCON® INTELLIGENCE™ threat intelligence by visiting the webpage.\r\nLearn about CrowdStrike’s comprehensive next-gen endpoint protection platform by visiting the Falcon products webpage.\r\nTest CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent™.\r\nSource: https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/"
	],
	"report_names": [
		"duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1"
	],
	"threat_actors": [
		{
			"id": "aa5b200f-a6c6-4d17-bc65-911d9a7bf4ef",
			"created_at": "2022-10-25T16:07:23.866039Z",
			"updated_at": "2026-04-10T02:00:04.765416Z",
			"deleted_at": null,
			"main_name": "Mallard Spider",
			"aliases": [
				"Gold Lagoon"
			],
			"source_name": "ETDA:Mallard Spider",
			"tools": [
				"Egregor",
				"Mimikatz",
				"Oakboat",
				"PinkSlip",
				"Pinkslipbot",
				"ProLock",
				"PwndLocker",
				"QakBot",
				"Qbot",
				"QuackBot",
				"QuakBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d5cb8d20-b5b9-4ec6-9660-3dded9bd3c89",
			"created_at": "2023-01-06T13:46:39.204681Z",
			"updated_at": "2026-04-10T02:00:03.245695Z",
			"deleted_at": null,
			"main_name": "MALLARD SPIDER",
			"aliases": [
				"GOLD LAGOON"
			],
			"source_name": "MISPGALAXY:MALLARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434593,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b33b6c1229be6c7857ec5661748a1199a3025ff.pdf",
		"text": "https://archive.orkl.eu/5b33b6c1229be6c7857ec5661748a1199a3025ff.txt",
		"img": "https://archive.orkl.eu/5b33b6c1229be6c7857ec5661748a1199a3025ff.jpg"
	}
}