Qealler+QaZaqne ● Part 2

LYLC | Spear and Shield
Oct 22, 2018

Qealler loader would follow the LIB_QEALLER_URL value in the config to download a 7z file (https://www.virustotal.com/#/file/a31497597cd9419dde7fc724b7e25a465f7d95ff7bd52cf3be59928499983608/details) and then use the 7z program to decompress it. The folder structure showed that the Python program was bundled so that it could be executed.

The “qazaqne” folder included a “main.py” file, which appeared to be QaZaqne. The analysis revealed that QaZaqne was a password stealer, which could use the following modules to extract passwords from multiple places, such as browsers, Credential Manager and the Windows system itself (logon credentials and Wi-Fi credentials).

ApacheDirectoryStudio()
Autologon()
Dbvisualizer()
Chrome()
CocCoc()
CoreFTP()
Cyberduck()
Filezilla()
FtpNavigator()
GitForWindows()
IE()
Jitsi()
MavenRepositories()
Mozilla()
Composer()
Credman()
OpenSSHForWindows()
Opera()
Outlook()
Pidgin()
Puttycm()
RDPManager()
Robomongo()
Tortoise()
Skype()
SQLDeveloper()
Squirrel()
Unattended()
Vault()
Wifi()
WinSCP()
Cachedump()
Hashdump()
LSASecrets()

QaZaqne seemed to be based on LaZagne (https://github.com/AlessandroZ/LaZagne) version 2.3. Its help output is shown below.

Qealler loader would run the following command to execute QaZaqne.

python.exe [path]\qazaqne\main.py all

According to LaZagne’s website, its output function could write the data into a file in JSON format.

However, instead of saving the data into a file, QaZaqne’s output function, shown below, would display the gathered credentials in JSON format and add #fs# and #ff# around the JSON data.

An example is provided below.

This structure could allow Qealler loader to process the result, shown below, and then send it to hxxp://159.65.84[.]42:9489/qealler-reloaded/ping, which was defined by the “REPORT_URL” value in the config.
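To make that reporting format concrete from the defender’s side, here is an added Python helper (not code from this post, nor from QaZaqne or LaZagne) that pulls wrapped JSON blocks out of captured process output or network data for triage; the marker order (#fs# opening, #ff# closing), the sample text and its field names are assumptions.

```python
import json
import re
from typing import Any, List

# Delimiters the post reports around QaZaqne's JSON output.
# Order (#fs# before the JSON, #ff# after it) is assumed from the text.
START_MARK = "#fs#"
END_MARK = "#ff#"

# Non-greedy: everything between one opening marker and the next closing one.
_BLOCK_RE = re.compile(re.escape(START_MARK) + r"(.*?)" + re.escape(END_MARK), re.DOTALL)


def extract_reports(blob: str) -> List[Any]:
    """Return every parseable JSON document wrapped in #fs#...#ff# found in blob.

    Malformed or truncated blocks are skipped rather than raising, because a
    packet capture or stdout dump will often contain partial data.
    """
    reports = []
    for match in _BLOCK_RE.finditer(blob):
        body = match.group(1).strip()
        try:
            reports.append(json.loads(body))
        except json.JSONDecodeError:
            continue  # not JSON: leave it for manual review
    return reports


def looks_like_qazaqne_output(blob: str) -> bool:
    """Cheap triage check: True if at least one well-formed wrapped JSON block exists."""
    return bool(extract_reports(blob))


# Constructed sample resembling what the loader would see on stdout; the
# category and field names are invented for illustration, not taken from the tool.
SAMPLE = (
    "some noise before\n"
    '#fs#{"Wifi": [{"SSID": "corp-guest", "Password": "p@ss"}], "Chrome": []}#ff#\n'
    "#fs#{not json at all#ff#\n"
    '#fs#{"Credman": [{"URL": "https://example.test", "Login": "alice"}]}#ff#'
)

if __name__ == "__main__":
    for report in extract_reports(SAMPLE):
        print(sorted(report.keys()))
```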

Judging by the open source intelligence, this version of QaZaqne was very likely released around 26th August 2018. While Qealler was modified after that date, it continued to use this version of QaZaqne in the campaigns since then.

Originally published at https://www.tumblr.com on October 22, 2018.
