10-25-2018: Gozi ISFB & Dridex ID "3101"

MD5 (2018-10-24.isfb.loader.decoded.vk.exe) = 4854c062bd319303e7da1c5eb0e3461c
MD5 (2018-10-24.isfb.client.decoded.vk.dll) = e982180971db1e60b34b084a87f877af


Bot                     ['2.17']
Build                   ['39']
Botnet/Group ID         ['3090’, '3091']
DGA TLDs                ['com', 'ru', 'org']
Server                  [’12’]
Encryption key          ['10291029JSJUYNHG']
DGA CRC                 ['0x4eb7d2ca']
DGA Base URL            ['constitution.org/usdeclar.txt']
Domains                 ['eyedosprot.com ', 'dhsiwyqdlskwsqo.com', 'hq92lmdlcdnandwuq.com']
Path:                   ['/images/']

ISFB 2nd Stage Domains:

dealadynou.com/RUI/levond.php?l=pory[1-7].xap
fageingles.com/RUI/levond.php?l=pory[1-7].xap


Dridex Botnet ID "3101" Fist-Stage Config:

213.252.244.233:443
192.48.88.118:443
176.10.118.150:443