From RSA article:
...the word “Prinimalka” appears as a folder name in every URL path given by the gang over the years to its crimeware servers.

Looking through Clean-mx, a previous operating base (May 2012) may have been serv177.org (98.142.240.30), plus 75.101.151.143, 93.115.241.114, and 213.155.29.152.

Gozi Prinimalka features virtually identical bot-server communication patterns and URL trigger list, but that its deployment on infected PCs is very different. Whereas Gozi writes a single DLL file to its bots upon deployment, Prinimalka creates two files: An EXE file and a DAT file, with the latter reporting to the server the machine’s details and all the software installed on it. In addition, the registry keys and values written by Prinimalka and Gozi are completely different.

Known Gozi Prinimalka MD5 Hashes provided by RSA:

I searched Google for these, but couldn't find anyone with samples. Anyone here have any?
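
As an added example (not part of the original post or the RSA article), here is one way a defender could hunt web proxy logs for the indicator quoted above, the "Prinimalka" folder name in URL paths. The log format, hostnames and sample lines are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

INDICATOR = "prinimalka"  # folder name quoted from the RSA article

# Constructed sample proxy log lines: "<timestamp> <client-ip> <method> <url>"
SAMPLE_LOG = """\
2012-10-05T10:01:02Z 10.0.0.15 POST http://c2.example.test/Prinimalka/gate.php
2012-10-05T10:01:09Z 10.0.0.15 GET http://c2.example.test/a/%50rinimalka/cfg.bin?id=7
2012-10-05T10:02:00Z 10.0.0.22 GET http://news.example.test/search?q=prinimalka
2012-10-05T10:02:30Z 10.0.0.22 GET http://blog.example.test/posts/prinimalka
2012-10-05T10:03:00Z 10.0.0.31 GET http://blog.example.test/prinimalka-analysis/index.html
malformed line
"""

def folder_segments(url):
    """Return the decoded, lower-cased directory segments of a URL path.

    The last segment is treated as the file name and the query string is
    ignored, so a search term or page title does not count as a folder.
    """
    path = urlsplit(url).path
    parts = path.split("/")[1:-1]  # drop leading "" and the trailing file name
    # Decode after splitting so an encoded "/" cannot create extra segments.
    return [unquote(p).lower() for p in parts if p]

def hunt(log_text):
    """Yield (timestamp, client_ip, url) for requests whose path has the folder."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the assumed format
        ts, client, _method, url = fields
        if INDICATOR in folder_segments(url):
            yield ts, client, url

def hits(log_text=SAMPLE_LOG):
    """Return all matching requests as a list."""
    return list(hunt(log_text))

if __name__ == "__main__":
    for ts, client, url in hits():
        print(ts, client, url)
```

Matching on whole, decoded folder segments keeps search queries, file names and look-alike directory names out of the results while still catching case changes and percent-encoding.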