{
	"id": "45dacb92-2ed6-40af-9eaf-cc732113cd2b",
	"created_at": "2026-04-06T00:22:36.010544Z",
	"updated_at": "2026-04-10T03:20:40.996785Z",
	"deleted_at": null,
	"sha1_hash": "bcce64d94424ceea904abc455a090b11bba66a54",
	"title": "Qealler Infostealer static analysis - Part 0x1 - Securityinbits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57033,
	"plain_text": "Qealler Infostealer static analysis - Part 0x1 - Securityinbits\r\nBy Ayush Anand\r\nPublished: 2020-01-06 · Archived: 2026-04-05 20:29:01 UTC\r\nQealler is a heavily obfuscated Java-based infostealer which is quite active based on ANY.RUN submissions. This will be a three-part blog series: this post focuses on Qealler/Pyrogenic static analysis, in part 0x2 we learn unpacking using a Java agent, and in the last part 0x3 we find similarities between Qealler/Pyrogenic variants based on static code analysis. You may download BankPaymAdviceVend_LLCRep.jar from ANY.RUN (MD5: F0E21C7789CD57EEBF8ECDB9FADAB26B) and follow along, or download the latest Qealler sample from ANY.RUN submissions.\r\nCONTENTS\r\n1. Overview\r\n2. Quick dynamic analysis\r\n3. Packed Pyrogenic static analysis\r\n4. Conclusion\r\n5. References\r\nOverview\r\nIt is currently targeting different regions, e.g. Australian companies [1], Africa and the Middle East [2], based on the references. I will be using Bytecode Viewer to decompile the jar using the FernFlower Java decompiler. Let’s start with a quick dynamic analysis. Our main goal for the blog series is to unpack this jar so we can analyse its capabilities and compare it with Qealler.\r\nQuick Dynamic Analysis\r\nConnects to the C2 157.245.160[.]150 on port 80 and creates the process below.\r\ncmd.exe /c chcp 1252 \u003e NUL \u0026 powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command -\r\nDrops two clean files, sqlitejdbc.dll (MD5: a4e510d903f05892d77741c5f4d95b5d) and jnidispatch.dll (MD5: d2f0da769204b8c45c207d8f3d8fc37e), but deletes both files before exiting.\r\nConnects to bot.whatismyipaddress.com to get the public IP of the infected system.\r\nSteals credentials from different applications.\r\nPacked Pyrogenic static analysis\r\n1. Open the jar file in BCV (Bytecode Viewer); you will see multiple class files in different packages. The picture below shows the main entry point of the jar file.\r\nhttps://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/\r\n2. For this sample, I found that FernFlower decompiled the source code correctly. Select View -\u003e Pane 1 -\u003e FernFlower -\u003e Java in BCV as shown below.\r\n3. If you browse the different class files in BCV, you will find many encrypted class files which don’t translate to Java source code; one of them is shown below.\r\n4. Based on the encrypted class file above, you can guess that there should be some decryption algorithm used to decrypt those files.\r\n5. Decryption algorithms can be custom or well known, e.g. AES. Study this example Java code [3], which encrypts/decrypts using AES. Some of the keywords in that Java code, e.g. getInstance, can help us find the encryption algorithm, and doFinal can point to the final decryption result.\r\n6. Let’s search for AES references after importing the decompiled source code into the Eclipse IDE.\r\n7. Based on the images above, which show multiple references, we can confirm that this sample uses the algorithm “AES/ECB/PKCS5Padding” and that the key may be generated using “PBKDF2WithHmacSHA1”. So it is confirmed that it doesn’t use any custom decryption algorithm.\r\n8. We can add our own code to write the data to a file after the doFinal call and execute the sample in the IDE to get the dumped class file. Then we can decompile the class file using BCV and continue the analysis. But there can be multiple layers of obfuscation, which can make our analysis harder and slower.\r\nConclusion\r\nThe static analysis method above, finding the encryption routine and an interesting breakpoint (doFinal) for debugging, is very useful in Java malware analysis. Using this approach you will not miss any code path, but it requires more time and effort. So in the upcoming part 0x2, we will unpack this malware using a Java agent, which will speed up our analysis.\r\nThanks for reading. Feel free to connect with me on or LinkedIn for any suggestions or comments.\r\nSource: https://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/"
	],
	"report_names": [
		"pyrogenic-infostealer-static-analysis-part-0x1"
	],
	"threat_actors": [],
	"ts_created_at": 1775434956,
	"ts_updated_at": 1775791240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bcce64d94424ceea904abc455a090b11bba66a54.pdf",
		"text": "https://archive.orkl.eu/bcce64d94424ceea904abc455a090b11bba66a54.txt",
		"img": "https://archive.orkl.eu/bcce64d94424ceea904abc455a090b11bba66a54.jpg"
	}
}