From VT: A new key of Murofet V2?

Question

From VT: A new key of Murofet V2?

suqitian opened this issue 8 years ago · comments

MD5
6d0f3196e91f8ae640791d5bb0d466b7
Some domains generated on Sep 09, 2016
enlwmlrnnrwghtzo.info
fjshqslnctjjih.com
fjshqslnctjjih.net
fnqpwtpnqjrelr.com
fnqpwtpnqjrelr.info
fokilqnsjounrky.net
fokilqnsjounrky.org
fwiwunhysiobknow.com
fwiwunhysiobknow.org
gbrykvuhjyswps.com
gbrykvuhjyswps.org
gdsyglrssgouivot.com
gdsyglrssgouivot.info
ggmvhppkztszqus.biz
ggmvhppkztszqus.info
gresqpvwthsrcoho.biz
gresqpvwthsrcoho.com
gwkokphtoqkpphnt.com
gwkokphtoqkpphnt.net
gxnxtrdljnhvpb.com
gxnxtrdljnhvpb.org
hlmgmsjpckypfto.net
hlmgmsjpckypfto.org
hnrkreqknieipzs.com
hnrkreqknieipzs.info
hoqunoctsxlirmt.info
hoqunoctsxlirmt.org
hpgyloqmkfgieltk.info
hpgyloqmkfgieltk.org
htuntitiwlxjtn.biz
htuntitiwlxjtn.com
hvekvijjuprlscl.net
hvekvijjuprlscl.org
jolgbxtlovrtmnrq.biz
jolgbxtlovrtmnrq.info
jpxhnfzphfqvpooj.com

suqitian · Answer 1 · Mon Sep 26 2016 15:14:07 GMT+0800 (China Standard Time)

Domains which generated on Sep 26, 2016.
fdovspiopzsit.com
fdovspiopzsit.info
fwkqjnztmuqnk.com
fwkqjnztmuqnk.info
gmiuslcetzrtoi.com
gmiuslcetzrtoi.net
mphyzqfqgxftiq.biz
mphyzqfqgxftiq.org
nujwkktgxnhkskfi.biz
nujwkktgxnhkskfi.net
qxvksgicitkrnpp.biz
qxvksgicitkrnpp.com
uvslklkqqzuoppre.com
uvslklkqqzuoppre.org

suqitian · Answer 2 · Tue Oct 11 2016 17:49:21 GMT+0800 (China Standard Time)

Seed:
0x8811eea2

Test:

$ python dga.py -d 2016-09-26 -k 0x8811eea2
mduqmsnykuhinnnw.biz
mduqmsnykuhinnnw.com
qmvyspsgtrxypqon.net
...
fdovspiopzsit.info
fdovspiopzsit.com
uvslklkqqzuoppre.org
...
fwkqjnztmuqnk.info
fwkqjnztmuqnk.com
nujwkktgxnhkskfi.net
...

dga.py is here

suqitian · Answer 3 · Tue Oct 11 2016 18:13:59 GMT+0800 (China Standard Time)

In fact, the malware sample only generated 800 domains per day.
But for covering all possibilities, 1020 domains per day was needed.