- Gozi Ursnif IoCs for 12/5/18:
  - *From Trusted Source and not 100% my direct work*
  - MD5 (2018-12-05.isfbv215.loader.decoded.vk.exe) = 271bfe3c03e0a31db8efd0adf1f99505
  - Bot ['2.15']
  - Build ['165']
  - Botnet/Group ID ['3140', '3141']
  - DGA TLDs ['com', 'ru', 'org']
  - Server ['12']
  - Encryption key ['10291029JSJUYNHG']
  - DGA CRC ['0x4eb7d2ca']
  - DGA Base URL ['constitution.org/usdeclar.txt']
  - Domains ['isatawatag.com', 'bosototsuy.com', 'atamekihok.com']
  - Path: ['/images/']
  - C2s:
    - 213.183.63.153
    - 91.201.65.52
  - Payload Domains:
    - hayaushiru.com/KHZ/diuyz.php?l=boon[1-14].tkn
    - tazukasash.com/KHZ/diuyz.php?l=gymk[1-14].tkn
    - dewirasute.com/KHZ/diuyz.php?l=pryc[1-14].tkn
  - Document Hashes Seen:
    - For hayaushiru.com:
      - 8aab8d790fa9bc277cb9352c518ac6fbf462e6de508327c3ef76782d85af03ea
      - 33937d2b9934c0aae5ee82084baaafede430caf89bb6e6058e05217fdfd71a03
    - For tazukasash.com:
      - 3b4a5f1cc9a219254f7719ccfa582ffa1b56b2988fade21167242d74527e6554
      - 0e91dc19009a073131c12e992f52651e16122d09051c26ef191528938c0c32c1
      - e0618388021577b6d483a202b1309ce4ac35c8d850a5a5b57c099daac63aede3
      - 2fd01b47c714f24a6b595de6af0730c67160dbdb5e41b3b3f19afcd951de4889
      - e4c4b1f1fcdbad0a5bdda27a4124efd52b01327a845b73f526de070ee3599bf1
    - For dewirasute.com:
      - 556102033fddd244609e5bf91e5999a7a162c81333d8089ce1b27d7e0c58dffd
      - d5459190f99abe7eba7287e8e177061fbffcb71aa962cc2b622fc1d722b5705f
      - 0ddb09a8701652b9a58009551534417e0abce2df875d9e3e29c496c4f979b718
      - a20f4009e792468235da242e66ebe6ce8d601f176ed7e84d9a5296b439c5a2cc
      - 99b3b504f3c4ddf1da82be5f32dcb6cc6c18aa9e7063539096e22600977239f4
      - d1b45104a76ed8352b45b1473e54fcd923a9a742a41d4934c83b53b1464eed48
      - 9c980a5e98e3ce42c6138f545cb72f5062c58476e7a27755b308ec0ae3f77c85