10-22-2018: #Gozi #ISFB #Banker: Version "2.18"

MD5 (decoded ISFB client): 2f14a20e5495d8b8df2853c727c93864
MD5 (decoded ISFB loader): 4d10ec332aa4a7001d8b46c1230f74de


Bot                     ['2.18']
Build                   ['01']
Botnet/Group ID         ['3008’, '3009']
DGA TLDs                ['com', 'ru', 'org']
Server                  [’12’]
Encryption key          ['10291029JSJUYNHG']
DGA CRC                 ['0x4eb7d2ca']
DGA Base URL            ['constitution.org/usdeclar.txt']
Domains                 ['kokeadriab.com ', 'dhsiwyqdlskwsqo.com', 'hq92lmdlcdnandwuq.com']
Path:                   ['/images/']

2nd Stage Domains:

ovellonist.com/RUI/levond.php?l=fewk[1-7].xap
frumiticur.com/RUI/levond.php?l=fewk[1-7].xap