{
	"id": "9d3e0986-9764-47f9-adb7-e64f180e24c6",
	"created_at": "2026-04-06T01:29:46.476534Z",
	"updated_at": "2026-04-10T03:28:20.57934Z",
	"deleted_at": null,
	"sha1_hash": "cdabcf7453193e3a0a2f19bd7199ab67d33213db",
	"title": "Similarity between Qealler/Pyrogenic variants -Part 0x3",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66374,
	"plain_text": "Similarity between Qealler/Pyrogenic variants -Part 0x3\r\nBy Ayush Anand\r\nPublished: 2020-02-04 · Archived: 2026-04-06 00:58:10 UTC\r\nFebruary 4, 2020\r\nJune 2018\r\nFirst Old Qealler sample [4] (MD5: 65ab1ef8e9cef5c489d4b01cbb8a2a22) found on ANY.RUN\r\nAug-Sep 2018\r\nThe tweet [1] by @James_inthe_box first mentioned the Old Qealler. @jeFF0Falltrades posted the Qealler Unloaded deep dive analysis [2].\r\nJan-Feb 2019\r\nMultiple cyber security companies posted articles [3] about the Qealler variant using the Qazagne Python credential harvester.\r\nApril 2019\r\nBased on ANY.RUN submissions, the Old Qealler variant using Qazagne stopped around April 2019.\r\nAug 2019 – Now\r\nBased on ANY.RUN submissions, Qealler-tagged samples started around Aug 2019 and continue until now, Aug 2020.\r\nNote: When this post mentions Old Qealler, it means the variant that was using the Qazagne Python credential harvester.\r\nSimilarity between Qealler variants\r\nFor easy/fast comparison, I have imported the unpacked code of both Qealler variants into the Eclipse IDE. I will compare this Old Qealler (MD5: 8D564A18B902461C19936CCB1F4E2F12) [5] and the new Pyrogenic/Qealler sample (MD5: F0E21C7789CD57EEBF8ECDB9FADAB26B) [6] used in the previous posts. I highly recommend reading through the existing analysis of Old Qealler, Qealler Unloaded [2] by @jeFF0Falltrades \u0026 the article [3] by Zscaler.\r\nBoth Qealler variants use the same Qrypter packer variant.\r\nhttps://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/\r\nPage 1 of 3\n\n1. AES Key bbb6fec5ebef0d93\r\nYou will find multiple references to bbb6fec5ebef0d93 as shown below. This is the AES key used in both variants.\r\n2. UUID Key 2a898bc98aaf6c96f2054bb1eadc9848eb77633039e9e9ffd833184ce553fe9b\r\nConfig is stored as key-value pairs, and the key for the UUID is present in both variants. This key is also present in the Old Qealler Unloaded [2] article, and the same string “Loaded:” is used in both variants.\r\n3. Systeminfo in JSON format\r\nIt collects the system info in JSON format before encrypting it and sending it to the command and control (CC) server. Both Qealler variants use the same keys, e.g. osName, osVersion, osArch, totalMemory, and the same code structure as shown below. The localIpAddress \u0026 globalIpAddress keys are added in the new Qealler version.\r\n4. ShutdownHook\r\nA shutdown hook is used to run code when the JVM is shutting down, and both variants use addShutdownHook() to delete the files.\r\n5. QeallerV4 string\r\nI found the string “obfuscated/META-INF/QeallerV4.kotlin_module” in memory in the new Qealler/Pyrogenic sample. Maybe this is version 4?\r\nConclusion\r\nIn this Java malware analysis series we started with static analysis, then moved to unpacking code using a Java agent, and in this last part we compared the Qealler variants. The similarities above are the most significant ones I could find based on code analysis. I can conclude that the malware author moved the credential stealing from Python to Java-based code. The malware authors are experienced coders, as they divided the source code into multiple sensible packages and gave proper names to functions, variables and classes.\r\nReferences\r\n1. Tweet by @James_inthe_box – (MD5: 65ab1ef8e9cef5c489d4b01cbb8a2a22) First Old Qealler tweet, Aug 2018\r\n2. Qealler Unloaded by @jeFF0Falltrades – Sep 2018\r\n3. Qealler – a new JAR-based information stealer – Feb 2019\r\n4. ANY.RUN – (MD5: 65ab1ef8e9cef5c489d4b01cbb8a2a22) Old Qealler, June 2018\r\n5. ANY.RUN – (MD5: 8D564A18B902461C19936CCB1F4E2F12) Old Qealler, Sep 2018\r\n6. ANY.RUN – (MD5: F0E21C7789CD57EEBF8ECDB9FADAB26B) New Qealler/Pyrogenic, Nov 2019\r\nThanks for reading. Feel free to connect with me on or LinkedIn for any suggestions or comments.\r\nFor more updates and exclusive content, subscribe to our newsletter. Stay sharp. Keep defending.😊\r\nSource: https://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/"
	],
	"report_names": [
		"similarity-between-qealler-pyrogenic-variants-part-0x3"
	],
	"threat_actors": [
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438986,
	"ts_updated_at": 1775791700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cdabcf7453193e3a0a2f19bd7199ab67d33213db.pdf",
		"text": "https://archive.orkl.eu/cdabcf7453193e3a0a2f19bd7199ab67d33213db.txt",
		"img": "https://archive.orkl.eu/cdabcf7453193e3a0a2f19bd7199ab67d33213db.jpg"
	}
}