10-30-2018: Gozi ISFB

MD5 (10-30-2018.isfb.loader.decoded.vk.exe) = 15305122f52d3347e3c7f459ad063c7b


Bot                     ['2.17']
Build                   ['39']
Botnet/Group ID         ['3096’, '3097']
DGA TLDs                ['com', 'ru', 'org']
Server                  [’12’]
Encryption key          ['10291029JSJUYNHG']
DGA CRC                 ['0x4eb7d2ca']
DGA Base URL            ['constitution.org/usdeclar.txt']
Domains                 ['qibrandiat.com ', 'dhsiwyqdlskwsqo.com', 'hq92lmdlcdnandwuq.com']
Path:                   ['/images/']

ISFB 2nd Stage Domains:

wolthorifi.com/TYJ/wwnox.php?l=juxe[1-10].xap
yaticaterm.com/TYJ/wwnox.php?l=juxe[1-10].xap