{
	"id": "6ae1517d-3e7b-4d76-b91d-39e18ad824b1",
	"created_at": "2026-04-06T00:10:58.127493Z",
	"updated_at": "2026-04-10T13:12:53.569507Z",
	"deleted_at": null,
	"sha1_hash": "f16e1eb49419caa3e0ec99e4d0c12c0e20da950c",
	"title": "\"Qealler\" a new JAR-based Information Stealer | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3624518,
	"plain_text": "\"Qealler\" a new JAR-based Information Stealer | Zscaler\r\nBy Mohd Sadique\r\nPublished: 2019-02-06 · Archived: 2026-04-05 23:18:23 UTC\r\nRecently, the Zscaler ThreatLabZ team came across a new type of malware called Qealler, which is written in Java and designed to silently steal sensitive information from an infected machine.\r\nQealler is a highly obfuscated Java loader that deploys a Python credential harvester.\r\nWe first saw this payload hit Zscaler Cloud Sandbox on Jan 21, 2019, and below is a screenshot of the detonation report.\r\nFig. 1: Zscaler Cloud Sandbox report\r\nThis threat relies on social engineering to initiate the infection, as the malicious JAR file has to be executed by the user. The malicious JAR files are portrayed as invoice-related files, so that the user double-clicks the file to open it.\r\nWe have been monitoring this campaign for the past two weeks, and the malware has been quite active, spiking this week.\r\nFig. 2: Hits of Qealler in a week\r\nThe malicious JAR file we analyzed (named Remittance.jar) was being downloaded from a compromised site (hiexsgroup.co[.]uk). It is heavily obfuscated with the ProGuard Java obfuscator. After deobfuscation and decompilation, we saw encrypted URLs that are accessed by a key, as shown in the figure below.\r\nFig. 3: Accessing encrypted URLs\r\nhttps://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer\r\nPage 1 of 9\r\nThe sample has a “synchronized” file that contains key-value pairs.\r\nFig. 4: Key-value pairs of encrypted URLs\r\nOn execution, the sample first derives two file paths under %USERPROFILE% from the CRC32 checksums of hardcoded strings.\r\nFig. 5: File path creation\r\nFile path 1:\r\n%USERPROFILE%\\\\CRC32(“2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”)\\\\CRC32(“qealler”)\\\\CRC32(“lib”)\\\\CRC32(\r\nEquivalent to:\r\n%USERPROFILE%\\\\a60fcc00\\\\bda431f8\\\\a90f3bcc\\\\83e7cdf9\r\nFile path 2:\r\n%USERPROFILE%\\\\CRC32(“2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”)\\\\CRC32(“qealler”)\\\\CRC32(“lib”)\\\\CRC32(\r\nEquivalent to:\r\n%USERPROFILE%\\\\a60fcc00\\\\bda431f8\\\\a90f3bcc\\\\db2bf213\r\nIf these two files don’t exist, the malicious file decrypts the URLs, downloads the two files, and stores them at those paths.\r\nFig. 6: Encrypts and drops the downloaded module\r\nThe value of LIB_7Z_URL in the synchronized file is “xVQR4PWAw91AhkgaMsQVAVV1igV7HSOV1dqWgFN23eQtkNRd23RzTnPVGB9/iVYA”, which is Base64-decoded and then decrypted with AES-ECB using the hardcoded key “bbb6fec5ebef0d93”.\r\nThe final URL after decryption is hxxp://82.196.11[.]96:55326/lib/7z\r\nThe value of LIB_QEALLER_URL in the synchronized file is “xVQR4PWAw91AhkgaMsQVAaWhGxVQIpMxX60ZE+OpV3KjNnWvOARi0rccZaVSvle8”; it is decrypted by the same algorithm with the same key.\r\nThe final URL is hxxp://82.196.11[.]96:54869/lib/qealler\r\nThe sample downloads the data from these URLs and encrypts it with AES, using a key generated by SecureRandom() seeded with the hardcoded value “2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”.\r\nAES key: 39 3e df 7e fc 58 be 20 60 e4 78 bb 4a 91 38 72\r\nAfter encryption, it stores both files at the locations below so that they do not have to be downloaded again on the next run:\r\n%USERPROFILE%\\\\a60fcc00\\\\bda431f8\\\\a90f3bcc\\\\83e7cdf9 (/lib/7z)\r\n%USERPROFILE%\\\\a60fcc00\\\\bda431f8\\\\a90f3bcc\\\\db2bf213 (/lib/qealler)\r\nFig. 7: Created path and dropped files\r\nAlong with these two files, the malware creates another file path with the following algorithm and stores an encrypted unique machine ID in it. The ID is generated from a random number derived from the system nanoTime.\r\nMachine ID path:\r\n%USERPROFILE%\\\\CRC32(“2a890bc98aaf6c96f2054bb1eadc9848eb17633039e9e9ffd833104ce553fe9b”)\\\\CRC32(“qealler”)\\\\CRC32(“machine”)\\\\CR\r\nEquivalent to:\r\n%USERPROFILE%\\\\a60fcc00\\\\bda431f8\\\\1505df84\\\\bf396750\\\\98dd4acc\\\\99de3ada\r\nAfter the download and decryption steps are completed, the sample stores decrypted copies of 83e7cdf9 and db2bf213 in the %TEMP% directory under names of the form “_.tmp”:\r\n_502560701855008616300501457487639.tmp\r\n_502562165489004300569223733573535.tmp\r\n_502560701855008616300501457487639.tmp (/lib/7z) is again a JAR file that contains no Java code but holds three PE files inside its libraries, as shown in Fig. 8.\r\nFig. 8: Content of _502560701855008616300501457487639.tmp (/lib/7z)\r\n7za.exe is a repackaged version of 7-Zip, bundled to ensure the malware executes successfully even if the user does not have 7-Zip installed.\r\nThe 7-Zip executable (7za.exe) and its modules (7za.dll, 7zxa.dll) are extracted from 7z.jar by the main sample and saved in the %TEMP% directory under names of the form “7z_.exe” and “7z_.dll”:\r\n7z_502574395484008643130462441900754.exe\r\n7z_502567545558005642490654395727502.dll\r\n7z_502579570140002751296504101539829.dll\r\nAfter extraction, the 7-Zip executable is invoked by the main sample with the following command-line options:\r\n%TEMP%\\\\7z_502574395484008643130462441900754.exe x %TEMP%\\\\_502562165489004300569223733573535.tmp -o%TEMP% -p”bbb6fec5ebef0d936db0b031b7ab19b6” -mmt -aoa -y\r\nThe downloaded Qealler module _502562165489004300569223733573535.tmp (/lib/qealler) is a password-protected 7-Zip archive.\r\nThe above command extracts the Qealler module into the %TEMP% directory using the password bbb6fec5ebef0d936db0b031b7ab19b6. The remaining options mean:\r\n-mmt: use multithreading mode\r\n-aoa: overwrite all existing files without prompting\r\n-y: assume yes for all prompts\r\nThe Qealler module is the key component of this malware.\r\nThe extracted Qealler module bundles Python 2.7.12 with the required packages installed, so that the malware executes even if the user does not have Python installed.\r\nThe Qealler module also has a directory named QaZaqne. It is a custom version of the open source project LaZagne, which retrieves a wide range of passwords stored on a local computer. QaZaqne has the same functionality: it finds and steals credentials of the most commonly used software from the local machine.\r\nFig. 9: Content of extracted _502562165489004300569223733573535.tmp (/lib/qealler)\r\nAfter extraction, the main sample (Remittance.jar) executes the QaZaqne Python script (main.py) with the following option and captures its JSON output:\r\n%TEMP%\\\\qealler\\\\python\\\\python.exe %TEMP%\\qealler\\qazaqne\\main.py all\r\nFig. 10: Stealer functions in the QaZaqne module\r\nThis collects the credentials of all the software shown in the figure below:\r\nFig. 11: Qealler steals credentials of the software in this table\r\nThe output of QaZaqne on an infected Windows machine is shown in Fig. 12. It is in JSON format and contains the credentials of CoreFTP and the Windows Credential Manager. It always starts with #fs# and ends with #ff#.\r\nFig. 12: JSON output of the QaZaqne module\r\nThe main sample parses this output, collects the system information listed below, and encrypts it with AES-ECB using the key “bbb6fec5ebef0d93”.\r\nFig. 13: Fetch and encrypt system info\r\nThe final information scraped from the infected machine before encryption is shown below.\r\nFig. 14: Scraped data from an infected machine\r\nHere, machine_id is the unique ID generated from the system nanoTime, and uuid is stored encrypted in the synchronized file.\r\nThis output is encrypted, Base64-encoded and sent to the command-and-control (C2) server, whose URL is the encrypted value stored under the key “d7c363a2019dac744cf076e11433547a47907e2c2f781e2d1c8f59a40c57dd03” in the synchronized file.\r\nC2 URL: hxxp://82.196.11[.]96:56636/qealler-reloaded/ping\r\nFig. 15: Data sent to C2\r\nIn the POST headers, q-qealler-id is the encrypted machine ID and q-qealler-stub-id is the encrypted hash of the machine ID and system time.\r\nThe request body contains the encrypted and encoded system information and stolen credentials.\r\nIf the C2 server is active and the data is successfully sent, it responds with an encrypted status, which looks like the following after decryption:\r\n{\"status\":\"2000\",\"message\":\"success\",\"extended\":[],\"time\":1548096059}\r\nIOCs:\r\nSource: https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer"
	],
	"report_names": [
		"qealler-new-jar-based-information-stealer"
	],
	"threat_actors": [
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434258,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f16e1eb49419caa3e0ec99e4d0c12c0e20da950c.pdf",
		"text": "https://archive.orkl.eu/f16e1eb49419caa3e0ec99e4d0c12c0e20da950c.txt",
		"img": "https://archive.orkl.eu/f16e1eb49419caa3e0ec99e4d0c12c0e20da950c.jpg"
	}
}