2018-11-15: Gozi ISFB v2.17

MD5 (2018-11-15.isfbv217.loader.decoded.vk.exe) = 3eada298cbfe1398de64a3d2516c8e31

Bot                     ['2.17']
Build                   ['39']
Botnet/Group ID         ['3114’, '3115']
DGA TLDs                ['com', 'ru', 'org']
Server                  [’12’]
Encryption key          ['10291029JSJUYNHG']
DGA CRC                 ['0x4eb7d2ca']
DGA Base URL            ['constitution.org/usdeclar.txt']
Domains                 ['cjwefomatt.com', 'ticrerfgiff.com', 'dubbergergbb.com']
Path:                   ['/images/']

2nd Stage Payload:

zatewitsuk.com/YER/pelim.php?l=ulof[1-10].wos
ninasukash.com/YER/pelim.php?l=ulof[1-10].wos