Similarity between Qealler/Pyrogenic variants -Part 0x3

In this last part, we will compare Old Qealler with new Qealler/Pyrogenic variant. The previous posts Pyrogenic Infostealer static analysis – Part 0x1 & Unpacking Pyrogenic/Qealler using Java agent -Part 0x2  went through the latest Pyrogenic/Qealler [6] statically and dumping the unpacked code using Java agent.

CONTENTS
  1. Brief Timeline
  2. Similarity between Qealler variants
  3. Conclusion
  4. References

Brief Timeline

First Old Qealler sample [4] (MD5: 65ab1ef8e9cef5c489d4b01cbb8a2a22)  found on ANY.RUN

The tweet[1] by @James_inthe_box first mentioned the Old Qealler. @jeFF0Falltrades posted Qealler Unloaded deep dive analysis [2] .

Multiple cyber security company posted articles[3] about Qealler variant using the Qazagne Python credential harvester.

Based on ANY.RUN submissions, Old Qealler variant using the Qazagne stopped around April 2019  

Based on ANY.RUN submissions, Pyrogenic tagged sample started around Aug 2019 and continuing till now Feb 2020.

June 2018

First Old Qealler sample [4] (MD5: 65ab1ef8e9cef5c489d4b01cbb8a2a22)  found on ANY.RUN

Aug - Sep 2018

The tweet[1] by @James_inthe_box first mentioned the Old Qealler. @jeFF0Falltrades posted Qealler Unloaded deep dive analysis [2] .

Jan-Feb 2019

Multiple cyber security company posted articles[3] about Qealler variant using the Qazagne Python credential harvester.

Apr 2019

Based on ANY.RUN submissions, Old Qealler variant using the Qazagne stopped around April 2019  

Aug 2019 - Now

Based on ANY.RUN submissions, Pyrogenic tagged sample started around Aug 2019 and continuing till now Feb 2020.

grade

Note: When this post mention Old Qealler it means that the variant which was using the Qazagne Python credential harvester.

Similarity between Qealler variants

For easy/fast comparison, I have imported unpacked code of both Qealler variant in Eclipse IDE.  I will compare this Old Qealler (MD5: 8D564A18B902461C19936CCB1F4E2F12) [5] and new Pyrogenic/Qealler sample (MD5: F0E21C7789CD57EEBF8ECDB9FADAB26B) [6] used in the previous posts. Highly recommended to read through the existing analysis of Old Qealler Unloaded[2] by @jeFF0Falltrades & article [3] by Zscaler.

Both Qealler variants using the same Qrypter packer variant.

1. AES Key bbb6fec5ebef0d93

You will find multiple reference to bbb6fec5ebef0d93 as shown below.  This is the AES key used in both variant.

2. UUID Key 2a898bc98aaf6c96f2054bb1eadc9848eb77633039e9e9ffd833184ce553fe9b

Config is stored in key value pair and key for UUID present in both variant. This key is also present in Old Qealler Unloaded[2]  article and the same string “Loaded:” is used in both variant.

3. Systeminfo in JSON format

It collect the system info in JSON format before encrypting and sending it to CC.  Both Qealler variant uses the same key e.g osName, osVersion, osArch, totalMemory and code structure as shown below.  localIpAddress & globalIpAddress key are added to new Qealler version. 

4. ShutdownHook

It is used when we want to run some code when JVM is shutting down and both variant uses the addShutdownHook()  to delete the files.

5. QeallerV4 string

Found this string “obfuscated/META-INF/QeallerV4.kotlin_module” in memory in the new Qealler/Pyrogenic sample. May be this is version 4 ?

Conclusion

In this Java malware analysis series we started with static analysis, then moved to Unpacking code using Java agent and in this last part we compared the Qealler variant. These above similarity is the most significant which I can find based on code analysis. I can conclude that the Malware author moved the Credential stealing from Python to Java based code.  Malware authors are experienced coder 🙂 as they divided the source code in multiple sensible packages and gave proper name to functions, variables and classes. Hope you enjoyed this last post in this series, please comment with your suggestions/feedbacks or DM me on Twitter, Happy Reversing 🙂.

References

  1. Tweet by @James_inthe_box – (MD5: 65ab1ef8e9cef5c489d4b01cbb8a2a22) First Old Qealler tweet Aug 2018
  2. Qealler Unloaded by @jeFF0Falltrades – Sep 2018
  3. Qealler – a new JAR-based information stealer – Feb 2019
  4. ANY.RUN – (MD5: 65ab1ef8e9cef5c489d4b01cbb8a2a22) Old Qealler June 2018
  5. ANY.RUN – (MD5: 8D564A18B902461C19936CCB1F4E2F12) Old Qealler Sep 2018
  6. ANY.RUN – (MD5: F0E21C7789CD57EEBF8ECDB9FADAB26B) New Qealler/Pyrogenic Nov 2019

Related Posts

2 Comments. Leave new

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Menu