Tag: KINS
Update on GoodMan
I discovered the GoodMan campaign on January 20th, 2017. You can read a detailed report on GoodMan HERE. Since March, 2017, I’ve seen more domains being registered by “goodmandilaltain@gmail.com” and I’ve recorded GoodMan delivering Sage 2.2 ransomware, ZeusVM, something with a file description of “Neighbur Readiness Ransomware,” and now what looks like LatentBot. Below is a list of some recent domains being ...
Good Man Gate Leads to RIG EK, Drops ZeusVM (KINS)
IOCs Network: 188.215.92.104 – hurtmehard.net – Good Man gate 86.106.131.120 – bestdoosales.club – RIG exploit kit 185.100.87.161 – badlywantyou.top – GET /smk/config.jpg – ZeusVM config URL 185.100.87.161 – badlywantyou.top – POST /smk/gate.php – ZeusVM dropzone URL 77.88.55.88 – yandex.ru – Connectivity check File System: o32.tmp is dropped and executed in %TEMP% (self-deletes) The payload q2tlgu9t.exe is dropped ...
Malware breakdown 