vk_intel

2018-12-17: Hancitor -> ISFB v2.17.50

Dec 18th, 2018
h/t https://twitter.com/James_inthe_box/status/1074688667858259968
Hancitor
-> Gozi ISFB v2

Hancitor Payload Domains:

// l -> Download and execute .EXE in separate thread (arg=1)
{l:http://mail.porterranchpetnanny.com/wp-includes/1|http://rescuereinvented.org/wp-content/plugins/woocommerce/1|http://synergify.com/wp-content/themes/ward/1}

// b -> Download and inject code into svchost.exe
{b:http://mail.porterranchpetnanny.com/wp-includes/2|http://rescuereinvented.org/wp-content/plugins/woocommerce/2|http://synergify.com/wp-content/themes/ward/2}

// r -> Download and execute .DLL or .EXE
{r:http://mail.porterranchpetnanny.com/wp-includes/3|http://rescuereinvented.org/wp-content/plugins/woocommerce/3|http://synergify.com/wp-content/themes/ward/3}
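As an added example (not part of the paste), a small parser for the Hancitor command format shown above: it splits each {letter:url|url|...} block into its command letter and payload URLs and collects the hostnames for blocklisting. The command meanings are taken from the comments above; the sample input is the three blocks from this paste joined together.

```python
import re
from urllib.parse import urlparse
from typing import Dict, List, Tuple

# Command letters as documented in the paste above.
COMMANDS: Dict[str, str] = {
    "l": "download and execute .EXE in a separate thread",
    "b": "download and inject code into svchost.exe",
    "r": "download and execute .DLL or .EXE",
}

# Each block is {<letter>:<url>|<url>|...}; the body never contains '}'.
BLOCK_RE = re.compile(r"\{([a-zA-Z]):([^}]*)\}")


def parse_hancitor_commands(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (letter, meaning, [urls]) for every command block in text.

    Unknown letters are kept with meaning 'unknown' so nothing is dropped silently.
    """
    result = []
    for letter, body in BLOCK_RE.findall(text):
        urls = [u.strip() for u in body.split("|") if u.strip()]
        result.append((letter, COMMANDS.get(letter, "unknown"), urls))
    return result


def payload_hosts(parsed: List[Tuple[str, str, List[str]]]) -> List[str]:
    """Sorted, de-duplicated hostnames from all payload URLs (for blocklists)."""
    hosts = {urlparse(u).hostname for _, _, urls in parsed for u in urls}
    return sorted(h for h in hosts if h)


# Constructed sample: the three blocks quoted in the paste, joined together
# the way they would appear in one decoded C2 response.
SAMPLE = (
    "{l:http://mail.porterranchpetnanny.com/wp-includes/1|"
    "http://rescuereinvented.org/wp-content/plugins/woocommerce/1|"
    "http://synergify.com/wp-content/themes/ward/1}"
    "{b:http://mail.porterranchpetnanny.com/wp-includes/2|"
    "http://rescuereinvented.org/wp-content/plugins/woocommerce/2|"
    "http://synergify.com/wp-content/themes/ward/2}"
    "{r:http://mail.porterranchpetnanny.com/wp-includes/3|"
    "http://rescuereinvented.org/wp-content/plugins/woocommerce/3|"
    "http://synergify.com/wp-content/themes/ward/3}"
)

if __name__ == "__main__":
    parsed = parse_hancitor_commands(SAMPLE)
    for letter, meaning, urls in parsed:
        print(f"{letter} ({meaning}): {len(urls)} payload URL(s)")
    print("hosts:", payload_hosts(parsed))
```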

MD5 (2018-12-18.isfbv217.loader.packed.vk.exe) = b1b342d6b895840e5118e5a346333e5f

Bot ['2.17']
Build ['050']
Botnet/Group ID ['2000']
DGA TLDs ['com', 'ru', 'org']
Server ['550']
Encryption key ['Gwe9HMygngWe8kPK']
DGA CRC ['0x4eb7d2ca']
DGA Base URL ['constitution.org/usdeclar.txt']
Domains: ['api2.doter.at/webstore', 'beetfeetlife.bit/webstore', 'in.extermas.at/webstore', 'sx.zaronif.at/webstore', 'g2.ex100p.at/webstore', 'gif.doter.at/webstore', 'extra.avareg.cn/webstore', 'foo.avaregio.at/webstore', 'op.iovbased.at/webstore', 'ws.doter.at/webstore', 'f1.cnboal.at/webstore', 'xxx.doolap.at/webstore', '51.255.48.78', '192.71.245.208', '178.17.170.179', '193.183.98.66', '207.148.83.241', '111.67.20.8', '103.236.162.119', '142.4.205.47', '213.136.85.253', '159.89.249.249', '82.196.9.45']
Path: ['/images/']