jroosen

Ursnif/Gozi IoCs 12/5/18

Dec 5th, 2018
Gozi Ursnif IoCs for 12/5/18:
*From a trusted source and not 100% my direct work*

MD5 (2018-12-05.isfbv215.loader.decoded.vk.exe) = 271bfe3c03e0a31db8efd0adf1f99505

Bot ['2.15']
Build ['165']
Botnet/Group ID ['3140', '3141']
DGA TLDs ['com', 'ru', 'org']
Server ['12']
Encryption key ['10291029JSJUYNHG']
DGA CRC ['0x4eb7d2ca']
DGA Base URL ['constitution.org/usdeclar.txt']
Domains ['isatawatag.com', 'bosototsuy.com', 'atamekihok.com']
Path: ['/images/']

C2s:
213.183.63.153
91.201.65.52

Payload Domain:

hayaushiru.com/KHZ/diuyz.php?l=boon[1-14].tkn
tazukasash.com/KHZ/diuyz.php?l=gymk[1-14].tkn
dewirasute.com/KHZ/diuyz.php?l=pryc[1-14].tkn

Document Hashes Seen:
For hayaushiru.com:
8aab8d790fa9bc277cb9352c518ac6fbf462e6de508327c3ef76782d85af03ea
33937d2b9934c0aae5ee82084baaafede430caf89bb6e6058e05217fdfd71a03

For tazukasash.com:
3b4a5f1cc9a219254f7719ccfa582ffa1b56b2988fade21167242d74527e6554
0e91dc19009a073131c12e992f52651e16122d09051c26ef191528938c0c32c1
e0618388021577b6d483a202b1309ce4ac35c8d850a5a5b57c099daac63aede3
2fd01b47c714f24a6b595de6af0730c67160dbdb5e41b3b3f19afcd951de4889
e4c4b1f1fcdbad0a5bdda27a4124efd52b01327a845b73f526de070ee3599bf1

For dewirasute.com:
556102033fddd244609e5bf91e5999a7a162c81333d8089ce1b27d7e0c58dffd
d5459190f99abe7eba7287e8e177061fbffcb71aa962cc2b622fc1d722b5705f
0ddb09a8701652b9a58009551534417e0abce2df875d9e3e29c496c4f979b718
a20f4009e792468235da242e66ebe6ce8d601f176ed7e84d9a5296b439c5a2cc
99b3b504f3c4ddf1da82be5f32dcb6cc6c18aa9e7063539096e22600977239f4
d1b45104a76ed8352b45b1473e54fcd923a9a742a41d4934c83b53b1464eed48
9c980a5e98e3ce42c6138f545cb72f5062c58476e7a27755b308ec0ae3f77c85
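The indicators above turned into a matcher, as an added example that is not part of the original paste: it expands the bracketed payload-URL patterns into concrete URLs and checks proxy and endpoint log lines against the C2 IPs, the DGA domains, the payload URLs and the document hashes. Two assumptions of mine: "[1-14]" in a payload URL is read as the integers 1 to 14 inclusive, and the log line formats and sample lines are constructed for the example, not real traffic. The function names are mine as well.

```python
"""Match the Ursnif/Gozi IoCs from the paste above against log lines.

Added example, not part of the original paste. Assumptions of mine:
  * "[1-14]" in a payload URL means the integers 1..14 inclusive;
  * the proxy/EDR log formats below are constructed and simplified.
"""
import re
from urllib.parse import urlsplit

# IoCs copied verbatim from the paste above.
C2_IPS = {"213.183.63.153", "91.201.65.52"}
DGA_DOMAINS = {"isatawatag.com", "bosototsuy.com", "atamekihok.com"}
PAYLOAD_PATTERNS = [
    "hayaushiru.com/KHZ/diuyz.php?l=boon[1-14].tkn",
    "tazukasash.com/KHZ/diuyz.php?l=gymk[1-14].tkn",
    "dewirasute.com/KHZ/diuyz.php?l=pryc[1-14].tkn",
]
DOC_HASHES = {
    "8aab8d790fa9bc277cb9352c518ac6fbf462e6de508327c3ef76782d85af03ea",
    "33937d2b9934c0aae5ee82084baaafede430caf89bb6e6058e05217fdfd71a03",
    "3b4a5f1cc9a219254f7719ccfa582ffa1b56b2988fade21167242d74527e6554",
    "0e91dc19009a073131c12e992f52651e16122d09051c26ef191528938c0c32c1",
    "e0618388021577b6d483a202b1309ce4ac35c8d850a5a5b57c099daac63aede3",
    "2fd01b47c714f24a6b595de6af0730c67160dbdb5e41b3b3f19afcd951de4889",
    "e4c4b1f1fcdbad0a5bdda27a4124efd52b01327a845b73f526de070ee3599bf1",
    "556102033fddd244609e5bf91e5999a7a162c81333d8089ce1b27d7e0c58dffd",
    "d5459190f99abe7eba7287e8e177061fbffcb71aa962cc2b622fc1d722b5705f",
    "0ddb09a8701652b9a58009551534417e0abce2df875d9e3e29c496c4f979b718",
    "a20f4009e792468235da242e66ebe6ce8d601f176ed7e84d9a5296b439c5a2cc",
    "99b3b504f3c4ddf1da82be5f32dcb6cc6c18aa9e7063539096e22600977239f4",
    "d1b45104a76ed8352b45b1473e54fcd923a9a742a41d4934c83b53b1464eed48",
    "9c980a5e98e3ce42c6138f545cb72f5062c58476e7a27755b308ec0ae3f77c85",
}

_RANGE = re.compile(r"\[(\d+)-(\d+)\]")

def expand_pattern(pattern):
    """Expand one '[lo-hi]' range (assumed inclusive) into concrete URLs."""
    m = _RANGE.search(pattern)
    if not m:
        return [pattern]
    lo, hi = int(m.group(1)), int(m.group(2))
    return [pattern[:m.start()] + str(i) + pattern[m.end():] for i in range(lo, hi + 1)]

PAYLOAD_URLS = {u for p in PAYLOAD_PATTERNS for u in expand_pattern(p)}
PAYLOAD_HOSTS = {p.split("/", 1)[0] for p in PAYLOAD_PATTERNS}

def split_url(url):
    """Return (host, 'host/path?query') with scheme and port stripped, so a
    logged 'http://host:80/p?q' compares equal to the paste's 'host/p?q'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    query = "?" + parts.query if parts.query else ""
    return host, host + parts.path + query

def check_url(url):
    """Reasons a URL matches the IoC set; an empty list means no match."""
    host, norm = split_url(url)
    hits = []
    if host in C2_IPS:
        hits.append("c2_ip")
    if host in DGA_DOMAINS:
        hits.append("dga_domain")
    if norm in PAYLOAD_URLS:
        hits.append("payload_url")
    elif host in PAYLOAD_HOSTS:
        hits.append("payload_host")  # known host, unlisted path: still triage it
    return hits

# Constructed log formats: "<ts> <src> <METHOD> <url> <status>" for the proxy,
# and any line carrying "file_hash=<sha256>" for the endpoint agent.
PROXY_LINE = re.compile(r"^\S+ \S+ [A-Z]+ (?P<url>\S+) \d{3}$")
HASH_FIELD = re.compile(r"file_hash=(?P<sha256>[0-9a-fA-F]{64})")

def scan_lines(lines):
    """Return (1-based line number, reasons) for every line hitting an IoC."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons = []
        m = PROXY_LINE.match(line)
        if m:
            reasons += check_url(m.group("url"))
        h = HASH_FIELD.search(line)
        if h and h.group("sha256").lower() in DOC_HASHES:
            reasons.append("document_hash")
        if reasons:
            findings.append((n, reasons))
    return findings

# Constructed sample log, not real traffic; line 2 is a deliberate near miss
# (token number 15 lies outside the [1-14] range in the paste).
SAMPLE_LOG = [
    "2018-12-05T09:12:01Z 10.0.0.15 GET http://hayaushiru.com/KHZ/diuyz.php?l=boon7.tkn 200",
    "2018-12-05T09:12:03Z 10.0.0.15 GET http://tazukasash.com/KHZ/diuyz.php?l=gymk15.tkn 404",
    "2018-12-05T09:12:09Z 10.0.0.15 POST http://213.183.63.153/images/ 200",
    "2018-12-05T09:12:10Z 10.0.0.22 GET http://bosototsuy.com/images/ 200",
    "2018-12-05T09:13:00Z 10.0.0.22 GET https://www.example.org/ 200",
    "2018-12-05T09:13:05Z host-15 file_hash=8aab8d790fa9bc277cb9352c518ac6fbf462e6de508327c3ef76782d85af03ea",
]

if __name__ == "__main__":
    for n, reasons in scan_lines(SAMPLE_LOG):
        print("line %d: %s" % (n, ", ".join(reasons)))
```

The host-only "payload_host" reason is kept separate from an exact "payload_url" hit on purpose: a request to a listed payload host with a token outside the observed range is not a confirmed download, but it is the same infrastructure and belongs in the triage queue rather than being dropped as a non-match.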