Good Man Gate Leads to RIG EK, Drops ZeusVM (KINS)



  • – – Good Man gate
  • – – RIG exploit kit
  • – – GET /smk/config.jpg – ZeusVM config URL
  • – – POST /smk/gate.php – ZeusVM dropzone URL
  • – – Connectivity check

File System:

  • o32.tmp is dropped and executed in %TEMP% (self-deletes)
  • The payload q2tlgu9t.exe is dropped and executed in %TEMP% (self-deletes)
  • Folder created in %TEMP% using the pattern [a-zA-Z0-9]{6,7}.tmp contains System.dll
  • The payload copies itself to %APPDATA% in randomly named folders


  • Entries created in HKCUSoftwareMicrosoft
  • Each folder has numerous REG_BINARY values


SHA256: 1b9bf35a6662775e538f01738c1f6c94a35481192b63d2229030526d8c3f39f9
File name: Flash Exploit.swf

SHA256: b7e2ac891a8e524668261b149515ccb0105655f1bcb5c8ad72a3fb78de2d02d3
File name: o32.tmp

SHA256: 035a56f1bfa148bf58d48971aa9b71d8cbd78dd5a54055d4caf0a8b4d8c14de6
File name: qwjh89ks.exe
Hybrid-Analysis Report

SHA256: ec93953304bda318b4f6e2f0fae9d619bcb60679a874d977721d033ec3649398
File name: Archimedes.dll

SHA256: 2b57b0cfa09d86f2e7da17998c4890e5ab8069178211fddf304b53c7f1e6cb1e
File name: uloxg.exe
Hybrid-Analysis Report

Infection Chain

The infection chain starts off with visiting a Good Man gate. In this infection chain I used the Good Man gate hurtmehard[.]net. For those of you that don’t know I discovered gates being used to redirect users to various exploit kits on January 20th, 2017. I called them Good Man gates because the registrant name and email had “good man” in them.

They have added 3 more domains since my last post on Good Man:

Good Man Domains Registrant Email Registered Expires 3/31/2017 3/31/2018 3/29/2017 3/29/2018 3/24/2017 3/24/2018

There is already evidence that these domains are being used for malicious purposes. You can read more about the Good Man gates HERE.

Below is the infection chain captured by Wireshark:


Hurtmehard[.]net auto refreshed 3 times. That is why you’re seeing 3 different infection chains. This is also why you’ll see multiple files created by the three same payloads later on in this post.

Injected in hurtmehard[.]net is the following script:

Goodman iframe

Inside the script is an iframe containing the URL for the RIG exploit kit landing page.

The host is then redirected to the landing page and is eventually sent the malware payload. The payload is dropped into %TEMP% and executed:


You’ll notice that the only one payload in %TEMP% is q2tlgu9t.exe; however, I only kept one sample out of the many that I got. The multiple malware payloads caused the numerous .tmp folders to be created in %TEMP%.

The malware copies itself to %APPDATA%:


Again, there are multiple files created in %APPDATA% because of the multiple payloads I received as a result of the gate refreshing numerous times. Here are some of the files:

And here are some entries found in HKCUSoftwareMicrosoft:

Registry 1Reigstry 2Registry 3

We then see a connectivity check using, followed by the ZeusVM C&C activity:

ZeuS C&C:
Malware: VMZeuS
IP address:
Host status: online
Uptime: 01:24:05
Hostname: n/a
SBL: SBL338948
AS number: 200651
Country: - Romania (RO)
Level: 4 (Unknown / not categorized)
Sponsoring registrar: n/a
Nameserver(s): n/a
Date added: 2017-04-03
Last checked: 2017-04-03
Last updated: never
BL status: This host is being published on the ZeuS Blocklist!

ZeuS ConfigURLs on this C&C:

Date added ConfigURL Status V Filesize MD5 hash HTTP Status File download
2017-04-03 online 2 179’337 31ac27b2e7cc24f506953febcb6e4098 200 - ZeuS_config

ZeuS DropURLs (Dropzones) on this C&C:

Date added DropURL Status HTTP Status
2017-04-03 online 200

ZeusVM uses steganography (the practice of concealing a file, message, image, or video within another file, message, image, or video) to hide the configuration code which is embedded in the JPG file:


We then see POST requests to /smk/gate.php. The C&C domain is being hosted at Here is the login panel for the C&C domain:

ZuesVM login

The Whois information for is shown below:

WHOIS Server www[.]eranet[.]com
Registrar Eranet International Limited
Name john alex
Organization NA
Phone 00380662963886

I found only 2 domains using that registrant email:

Domain Registrant Email Registered Expires 3/26/2017 3/26/2018 3/26/2017 3/26/2018

Download the Artifacts (password is infected):


Until next time!

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: