MD5 (2018-11-18.isfbv217.loader.decoded.vk.exe) = 7acfefd07ff16cdff9537b1d2c1de4f0
MD5 (2018-11-19.isfbv217.loader.decoded.vk.exe) = 8b21ce26ec246356da1b784421e8056f

Bot ['2.17']
Build ['39']
Botnet/Group ID ['3116', '3117']
DGA TLDs ['com', 'ru', 'org']
Server ['12']
Encryption key ['10291029JSJUYNHG']
DGA CRC ['0x4eb7d2ca']
DGA Base URL ['constitution.org/usdeclar.txt']
Domains ['azzoodijdhgdr.com', 'methodalapaisdd.com', 'fertikalossf.com']
Path: ['/images/']

Bot ['2.17']
Build ['39']
Botnet/Group ID ['3118', '3119']
DGA TLDs ['com', 'ru', 'org']
Server ['12']
Encryption key ['10291029JSJUYNHG']
DGA CRC ['0x4eb7d2ca']
DGA Base URL ['constitution.org/usdeclar.txt']
Domains ['ogdotighth.com', 'objecopoly.com', 'eastiggeno.com']
Path: ['/images/']

2nd Stage Payload:
kyllborena.com/LYW/quines.php?l=cion[1-10].bod
arsivollog.com/LYW/quines.php?l=cion[1-10].bod

2nd Stage Payload:
wassedfast.com/LYW/quines.php?l=klyc[1-14].bod
ptyptossen.com/LYW/quines.php?l=klyc[1-14].bod