{
	"id": "7604aec5-476a-4a4f-8600-7a48bb278108",
	"created_at": "2026-04-06T00:22:35.390599Z",
	"updated_at": "2026-04-10T03:20:20.344137Z",
	"deleted_at": null,
	"sha1_hash": "8f0c3d078effb18a9e46b2c6c5eaf1b045bfa3ca",
	"title": "Malware-Traffic-Analysis.net - 2017-04-25 - \"Good Man\" campaign Rig EK sends Latentbot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2422196,
	"plain_text": "Malware-Traffic-Analysis.net - 2017-04-25 - \"Good Man\"\r\ncampaign Rig EK sends Latentbot\r\nArchived: 2026-04-05 20:11:20 UTC\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme.  For the new\r\npassword, see the \"about\" page of this website.\r\nASSOCIATED FILES:\r\n2017-04-25-Good-Man-campaign-Rig-EK-sends-Latentbot.pcap.zip   1.1 MB (1,074,308 bytes)\r\n2017-04-25-Good-Man-campaign-Rig-EK-sends-Latentbot.pcap   (1,145,861 bytes)\r\nZ2017-04-25-Good-Man-campaign-Rig-EK-and-Latentbot-malware-and-artifacts.zip   319.6 kB (319,550\r\nbytes)\r\n2017-04-25-Goodma-campaign-Rig-EK-payload-Latentbot.exe   (312,832 bytes)\r\n2017-04-25-Rig-EK-artifact-o32.tmp.txt   (1,141 bytes)\r\n2017-04-25-Rig-EK-flash-exploit.swf   (16,428 bytes)\r\n2017-04-25-Rig-EK-landing-page.txt   (117,853 bytes)\r\n2017-04-25-page-from-hurtmehard_net-with-injected-script-for-Rig-EK-landing-page.txt  \r\n(54,882 bytes)\r\nBACKGROUND ON THE \"GOOD MAN\" CAMPAIGN:\r\n\"Good Man\" domains used as gates in this campaign all have a registrant email of:\r\ngoodmandilaltain@gmail[.]com\r\nHurtmehard[.]net is one of the \"Good Man\" domains.\r\nBackground on this campaign was posted on 2017-03-10 on the Malware Breakdown site in an article\r\ntitled \"Finding A 'Good Man'\" (Internet Archive link).\r\nBACKGROUND ON LATENTBOT:\r\nAlthough post-infection traffic triggers alerts for the GrayBird Trojan on the EmergingThreats ruleset,\r\nmore recent variants have been dubbed \"Latentbot.\"\r\nFireEye published an analysis of Latentbot named \"LATENTBOT: Trace Me If You Can.\"\r\nhttp://malware-traffic-analysis.net/2017/04/25/index.html\r\nPage 1 of 5\n\nShown above:  Flowchart for this infection traffic.\r\nTRAFFIC\r\nShown above:  Injected script in a page from the \"Good Man\" domain.\r\nhttp://malware-traffic-analysis.net/2017/04/25/index.html\r\nPage 2 of 5\n\nShown above:  Pcap of the infection traffic filtered in Wireshark.\r\nASSOCIATED DOMAINS:\r\nhurtmehard[.]net - \"Good Man\" gate\r\n188.225.72[.]88 port 80 - end.chaggama[.]com - Rig EK\r\n37.72.175[.]221 port 80 - 37.72.175[.]221 - Latentbot post-infection traffic\r\nFILE HASHES\r\nFLASH EXPLOIT:\r\nSHA256 hash:  9d56d491f0fca9a16daeb0ce5ef6ba96206fea93b5b12f42c442aa10a0d487ea\r\nFile size:  16,428 bytes\r\nFile description:  Rig EK flash exploit seen on 2017-04-25\r\nPAYLOAD (LATENTBOT):\r\nSHA256 hash:  092fd4caf46ec36e07fdc9c8b156ce05cda0fb2abd7c49ba8dddfe8ac6cdbb67\r\nFile size:  312,832 bytes\r\nFile location:  C:\\Users\\[username]\\AppData\\Local\\Temp\\[various alphanumeric characters].exe\r\nFile location:  C:\\Users\\[username]\\AppData\\Local\\Microsoft\\Windows\\mxcyvqu.exe\r\nIMAGES\r\nhttp://malware-traffic-analysis.net/2017/04/25/index.html\r\nPage 3 of 5\n\nShown above:  Latentbot malware made persistent on the infected Windows host.\r\nShown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security\r\nOnion.\r\nhttp://malware-traffic-analysis.net/2017/04/25/index.html\r\nPage 4 of 5\n\nShown above:  Some alerts after reading the pcap with Snort 2.9.9.0 on Debian 7 using the Snort Subscription\r\nruleset.\r\nClick here to return to the main page.\r\nSource: http://malware-traffic-analysis.net/2017/04/25/index.html\r\nhttp://malware-traffic-analysis.net/2017/04/25/index.html\r\nPage 5 of 5\n\n  http://malware-traffic-analysis.net/2017/04/25/index.html  \nShown above: Flowchart for this infection traffic. \nTRAFFIC    \nShown above: Injected script in a page from the \"Good Man\" domain.\n   Page 2 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://malware-traffic-analysis.net/2017/04/25/index.html"
	],
	"report_names": [
		"index.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434955,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f0c3d078effb18a9e46b2c6c5eaf1b045bfa3ca.pdf",
		"text": "https://archive.orkl.eu/8f0c3d078effb18a9e46b2c6c5eaf1b045bfa3ca.txt",
		"img": "https://archive.orkl.eu/8f0c3d078effb18a9e46b2c6c5eaf1b045bfa3ca.jpg"
	}
}