d0x.me (botnet hosted in United States Crystal River Ispsystem At Nac)

Remote Host     Port Number
82.146.51.22    1338

PONG :BEBD508C
NICK qvdzl
JOIN #foxes
USER oivWsEmBCEZmpoAn0d2mosEhevNqtbdYEaV7QsQFjlGN8ZB * * :Q5RyK
NICK GUqSpR66
PONG :7B532196
USER pyN4tVLUw705CTxc2BAJuV * * :d3WvenjZK9mrMR1P

Registry Modifications

* The newly created Registry Value is:
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + System = "C:\P\pbn.exe"

so that pbn.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name    Process Filename    Main Module Size
pbn.exe         C:\P\pbn.exe        1,089,536 bytes

File System Modifications

* The following file was created in the system:

# 1
Filename(s): c:\P\pbn.exe [file and pathname of the sample #1]
File Size:   336,864 bytes
File Hash:   MD5: 0xDD551B963202A88DCE63DADB27618B1E
             SHA-1: 0x9B202CDA94D5BB3780603130ACFA91CADA755083
Alias:       packed with UPX [Kaspersky Lab]

* The following directories were created:
  o c:\Downloads
  o c:\P

Hosting information:
http://whois.domaintools.com/82.146.51.22
