How to remove Qulab stealer from the system?

Also Known As: Qulab data stealer
Type: Trojan
Distribution: Moderate
Damage level: Severe

Qulab virus removal guide

What is Qulab?

Qulab is high-risk malware written in the AutoIt scripting language. Its purpose is to steal various personal details. The presence of such malware can cause a variety of problems, including serious privacy issues, financial losses, and so forth.


This malware targets a wide variety of data types. To start with, Qulab is categorized as a clipper, which means that it continually monitors the system clipboard and replaces certain data. Qulab mostly searches for copied cryptowallet addresses and replaces them, so that the user unknowingly pastes a wrong address (one that belongs to the cyber criminals). This may cause two issues: 1) victims who use cryptomining applications may insert the criminals' wallet address, so that all generated revenue (mined currency) goes to the criminals; or 2) users may end up accidentally transferring cryptocurrency to cyber criminals. Qulab also has a grabbing feature that allows it to steal various files. Unlike other high-end infections, however, Qulab targets only three file formats (.txt, .maFile and wallet.dat) and checks only the victim's desktop. As with most data-stealing trojans, Qulab targets tens of web browsers and records various information, including cookies, web data, saved account credentials, and so on. Qulab steals the chat logs of the Discord application and targets the Steam/Steam Desktop Authenticator applications to steal account credentials and other sensitive data (e.g., trade links). Lastly, Qulab steals various FTP credentials. What is interesting is that, unlike most data-stealing infections, Qulab does not use a Command & Control (C&C) server to transfer stolen data. Instead, all recorded information is sent to cyber criminals via Telegram, which is rather odd. One way or another, cyber criminals aim to generate as much revenue as possible. Therefore, they are more than likely to misuse stolen data in various ways (e.g., money transfers, online purchases, etc.). Hence, having data-stealing malware like Qulab installed on your computer might eventually lead to serious privacy issues, significant financial losses and even identity theft.

We should also mention that the developers sell Qulab for ~$30 on hacker forums. Moreover, the AutoIt scripting language is rather simple (compared to other high-end programming languages) and requires far less knowledge. Therefore, any wannabe cyber criminal can purchase and start distributing this malware. The more people spread the malware, the higher the risk of infection. If you think that your computer is infected with Qulab, you should immediately perform a full system scan and eliminate all detected threats.

Threat Summary:
Name: Qulab data stealer
Threat Type: Trojan, Password stealing virus, Banking malware, Spyware
Detection Names: Avast (Win32:Trojan-gen), BitDefender (Trojan.GenericKD.41446035), ESET-NOD32 (A Variant Of Win32/Packed.AutoIt.NQ), Kaspersky (Trojan.Win32.Stealer.qz), Full List (VirusTotal)
Symptoms: Trojans are designed to stealthily infiltrate the victim's computer and remain silent, thus no particular symptoms are clearly visible on an infected machine.
Distribution methods: Infected email attachments, malicious online advertisements, social engineering, software cracks.
Damage: Stolen banking information, passwords, identity theft, victim's computer added to a botnet.
Removal: To eliminate Qulab data stealer our malware researchers recommend scanning your computer with Spyhunter.

There are dozens of data stealers that share similarities with Qulab, for example Osiris, Proton Bot Loader, Ave Maria, and PsiXBot. Some of these infections are even more advanced: they allow cyber criminals to remotely control the system, download/install additional malware, and so forth. At the end of the day, however, infections like Qulab have one purpose: to generate revenue for the developers. They pose a huge threat to the user's privacy and computer safety.

How did Qulab infiltrate my computer?

It is known that crooks promote Qulab by presenting it as a rather inappropriate application called DeepNude. This application is designed to scan photos of women and use various algorithms to replace clothing with the body parts it covers. In other words, the app simply allowed users to "undress" women. Although the application supposedly wasn't developed with malicious intentions, many people started misusing it to create fake naked pictures, which can be misused in various ways (e.g., to blackmail women). The application was shut down in late June (the developers removed all download links, shut down their website, and deleted all entries on GitHub). However, there are a lot of people who still want to get this application and cyber criminals took advantage of this. There are many download links (especially in the descriptions of various YouTube videos) that present malicious executables as the DeepNude application. The link usually leads to a Pastebin page which contains another link leading to either the Mega or Mediafire file sharing website. Users simply end up downloading and installing Qulab manually. However, proliferating malware via unofficial software download sources is not the only popular method used by cyber criminals. Such trojans are also likely to be distributed using email spam campaigns (malicious attachments), fake software updaters/cracks and other trojans (chain infections). In any case, the main reasons for computer infections are poor knowledge and reckless behavior.

How to avoid installation of malware?

To begin with, download programs only from official sources, using direct download links. Third-party downloaders/installers are likely to include rogue applications, which is why such tools shouldn't be used. Moreover, keep installed applications and the operating system up to date at all times. To achieve this, however, use only implemented functions or tools provided by the official developer. We should mention that software piracy is considered a cyber crime and, since most cracking tools are fake, the risk of infection is extremely high. For this reason, you should never attempt to crack any installed applications. Always handle email attachments with care. Files/links received from suspicious/unrecognizable email addresses shouldn't be opened. The same goes for attachments that are irrelevant and do not concern you. Moreover, keep in mind that anti-virus/anti-spyware suites are more than likely to detect and eliminate malware before the system is harmed. For this reason, we highly recommend having one of these tools installed and running at all times. The key to computer safety is caution. If you believe that your computer is already infected, we recommend running a scan with Spyhunter for Windows to automatically eliminate infiltrated malware.

List of browser data targeted by Qulab stealer:

  • .maFile
  • Cookies
  • Login Data
  • Web Data
  • cookies.sqlite
  • formhistory.sqlite
  • wallet.dat
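
For triage after a suspected infection, the added example below (not part of the original guide) lists the files on a machine that match the targets named above and pairs each with a follow-up action. The function names, the follow-up wording and the default folder locations are assumptions of this example; subfolders of the Desktop are included because the guide does not say whether Qulab searches them.

```python
from pathlib import Path

# Desktop targets named in the guide -> follow-up (wording is this example's own).
DESKTOP_TARGETS = {
    ".txt": "read it; change any password, seed or key written inside",
    ".mafile": "Steam Desktop Authenticator data; remove and re-add the authenticator",
    "wallet.dat": "wallet file; move funds to a wallet created on a clean machine",
}
# Browser stores from the guide's list -> follow-up (wording is this example's own).
BROWSER_TARGETS = {
    "Login Data": "saved logins; change every password stored in this profile",
    "Cookies": "session cookies; sign out of all sessions on each site",
    "Web Data": "autofill data; review saved addresses and payment cards",
    "cookies.sqlite": "session cookies; sign out of all sessions on each site",
    "formhistory.sqlite": "form history; review what was typed into web forms",
}

def _files(root):
    """All regular files below root, in a stable order."""
    return sorted(p for p in Path(root).rglob("*") if p.is_file())

def desktop_exposure(desktop):
    """(path, action) for Desktop files with a targeted extension or name."""
    hits = []
    for path in _files(desktop):
        name = path.name.lower()
        key = name if name == "wallet.dat" else path.suffix.lower()
        if key in DESKTOP_TARGETS:
            hits.append((path, DESKTOP_TARGETS[key]))
    return hits

def browser_exposure(profile_root):
    """(path, action) for targeted browser stores anywhere below profile_root."""
    return [(p, BROWSER_TARGETS[p.name]) for p in _files(profile_root)
            if p.name in BROWSER_TARGETS]

if __name__ == "__main__":
    home = Path.home()
    # Assumed default Windows locations; adjust for redirected folders.
    findings = desktop_exposure(home / "Desktop")
    for root in (home / "AppData" / "Local", home / "AppData" / "Roaming"):
        findings += browser_exposure(root)
    for path, action in findings:
        print(f"{path}\n    -> {action}")
```

Run it only after the malware has been removed, and treat every listed item as already copied by the attacker.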

List of web browsers targeted by Qulab Stealer:

  • 360 Browser
  • AVAST Browser
  • Amigo
  • Blisk
  • Breaker Browser
  • Chromium
  • Chromodo
  • CocCoc
  • CometNetwork Browser
  • Comodo Dragon
  • CyberFox
  • Flock Browser
  • Ghost Browser
  • Google Chrome
  • IceCat
  • IceDragon
  • K-Meleon Browser
  • Mozilla Firefox
  • NETGATE Browser
  • Opera
  • Orbitum Browser
  • Pale Moon
  • QIP Surf
  • SeaMonkey
  • Torch
  • UCBrowser
  • Vivaldi
  • Waterfox
  • Yandex Browser
  • uCOZ Media

[Screenshot: Qulab stealer promoted as the DeepNude application in YouTube videos]

[Screenshot: Pastebin page containing download links for the fake DeepNude application (which is actually the Qulab stealer)]


How to remove malware manually?

Manual malware removal is a complicated task; usually it is better to let antivirus or anti-malware programs do it automatically. To remove this malware we recommend using Spyhunter for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove.

[Screenshot: sample of a malicious process running on a user's computer]

If you checked the list of programs running on your computer (for example, using Task Manager) and identified a program that looks suspicious, you should continue with these steps:

Step 1: Download a program called Autoruns. This program shows auto-start applications, Registry and file system locations.

Step 2: Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Options menu, and then select Safe Mode with Networking from the list.

Windows 8 users: Start Windows 8 in Safe Mode with Networking. Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options and, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced options screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.


Step 3: Extract the downloaded archive and run the Autoruns.exe file.

Step 4: In the Autoruns application, click "Options" at the top and uncheck the "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Step 5: Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides its process names under legitimate Windows process names. At this stage it is very important to avoid removing system files. After you locate the suspicious program you want to remove, right-click its name and choose "Delete".

After removing the malware through the Autoruns application (this ensures that the malware won't run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the malware's file, be sure to remove it.

Reboot your computer in normal mode. Following these steps should help remove any malware from your computer. Note that manual threat removal requires advanced computer skills; it is recommended to leave malware removal to antivirus and anti-malware programs. These steps might not work with advanced malware infections. As always, it is better to avoid getting infected than to try to remove malware afterwards. To keep your computer safe, be sure to install the latest operating system updates and use antivirus software.

To be sure your computer is free of malware infections we recommend scanning it with Spyhunter for Windows.

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have over 10 years of experience working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats.

The PCrisk security portal is brought to you by the company RCS LT. The joined forces of security researchers help educate computer users about the latest online security threats.
