Info stealers are nothing new, and Qulab is no exception. Designed to get in quick and get as much data as they can, these malicious programs steal all personal information about you from your computer. In particular, Qulab is know in its current iterations to steal information from browsers, including:
- login credentials and history
- file transfer protocol credentials
- Discord and telegram logs
- Steam information and accounts
It can copy any file that ends in .txt, .maFile, and wallet.dat—in case you have anything important lying around.
How it works
Qulab is built in a scripting language called AutoIT. Generally used to automate monotonous tasks done with a keyboard and mouse, AutoIT gives the hacker the same power as a programming language, while making it easier (in most cases) to program due to it being written in a simpler language. Once executed on your computer, Qulab sets up a few important settings, namely no tray icon, which prevents you from seeing it running. Then, Qulab starts to replace things like windows function calls and database queries with slightly modified code. By modifying these common functions to use custom versions, the malwares reduces its reliance on the computer it is infecting and allows it to cause more damage.
After running on the you computer, the malware quickly sets up persistence on the computer through well-know methods—such as running the program on computer startup—and a less well-known method that reruns the malware on any major computer change, such as:
- changing any computer settings
- network status changes
- connecting to or disconnecting from charger on a laptop
- being idle for a set period of time
The “clipper” functionality of Qulab revolves around watching what is in your clipboard (the place that stores data you copy) and changing it if it matches certain parameters. One of the most notable is that it will replace wallet IDs for cryptomining account so that the earned money proceeds to go into the hacker’s account rather than yours. If you do not have cryptomining on your computer then it won’t do anything but slow down your computer.
The “browser stealer” function checks to see which browsers you have installed and then immediately attempts to steal files with any important information. The most notable are wallet.dat, login data that is stored on the browser, and history.
Discord , a online chat service, saves messages and chat history on its local computer when installed. Qulab looks for these files and if it finds them it decrypts them and sends them off to the hacker.
Qulab also attempts to hijack steam sessions, and if the computer uses the Steam Desktop Authenticator, Qulab also attempts to steal a file that provides authentication details. This is becoming common for most information stealers.
After all this data as been extracted, Qulab sends it to the hacker and then continues to scan every couple of seconds to see if any new information has arrived.
Who is affected?
One of the scary things about Qulab is that it is very affordable on the dark web. Coming in at only $30 with support optional, it no longer takes a master hacker to obtain a powerful, flexible information stealer. It could be slipped into downloads from illegitimate sources or used in malspam campaigns.
Indicators of Compromise
- %PAYLOAD_NAME%.module.exe (7zip)
- %PAYLOAD_NAME%.sqlite.module.exe (sqlite3.dll)
- IP 220.127.116.11
What you can do
If you or someone you know is infected with Qulab malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Qulab from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech04 as the Tech ID. Click here: https://www.superantispyware.com/technician-download.html