VRad

#rurat_090321

Mar 9th, 2021 (edited)
#IOC #OptiData #VR #rurat #RemoteUtilitiesLLC #EXE #UPX

https://pastebin.com/70CvpLRE

previous_contact:

03/03/21 https://pastebin.com/vBf6Wyr5
03/03/21 https://pastebin.com/br4Cayaz

FAQ:
https://www.remoteutilities.com/download/#

attack_vector
--------------
email > attach .zip > .rar > .exe1 (UPX) > exe2 > install > service > 195.24.68.15 / 194.156.99.64

email_headers
--------------
Received: from mail.mepr.gov.ua (mail.menr.gov.ua [194.183.172.242])
Received: from gmail.com (31.13.19.242) by SERV-MAIL.menr.local (10.11.12.9)
with Microsoft SMTP Server id 14.3.498.0; Tue, 9 Mar 2021 03:45:16 +0200
From: Чорнуцький Сергій Петрович <[email protected]> [spoofed]
Subject: Судовий запит № 72137269

previous contact:
**************
Received: from mail.mepr.gov.ua (mail.menr.gov.ua [194.183.172.242])
(envelope-from [email protected])
Received: from gmail.com (176.100.167.8) by SERV-MAIL.menr.local (10.11.12.9)
with Microsoft SMTP Server id 14.3.498.0; Wed, 3 Mar 2021 11:05:16 +0200
From: Кравець Олександр Олександрович <[email protected]>
Subject: Електронний запит (довіданий) Терміново!

files
--------------
SHA-256 d9ae788efeaf1a9d8d9a4208e6f8f61585f9e1cd1585a4c31bd86f026b11e5e1
File name Електронний запит.zip [Zip archive data, at least v1.0 to extract]
File size 19.92 MB (20891981 bytes)

SHA-256 c1481929963b670912aa4c1ac3fa03a9f90a7d2f45605344c5f31a5bb2c020e6
File name Електронний запит.rar [RAR archive data, v9a, flags: Locked, Solid,]
File size 19.92 MB (20891525 bytes)

SHA-256 e7c63f751c086428cef790142154b1c2bfffecac4d9e8ad00f1fe70dd8aaf069
File name Електронний запит.exe [PE32 executable, UPX 2.90 [LZMA]] ! Signed file, valid signature
File size 20.41 MB (21401712 bytes)

SHA-256 2d4ef054f2ff2d64271b34f057943cf2b0f2c21ceb32df23e86f964cc1bb1a4b
File name unpack.exe [PE32 executable, BobSoft Mini Delphi]
File size 22.81 MB (23913072 bytes)

installed [same as the previous sample, only the C2 configuration differs]
--------------
SHA-256 3ac6a07500a732e7c61ebb0f67a1ac6552201d3b6a94c8b28ebfbc86119fb279
File name host.msi [Microsoft Windows Installer] ! Signed file, valid signature
File size 20.50 MB (21492224 bytes)

SHA-256 85b67377703bb2b9509d2fb895bb96d2afd42fe2e69f3d6c265f3a5e5c239598
File name rutserv.exe [PE32 executable, BobSoft Mini Delphi] ! Signed file, valid signature
File size 17.39 MB (18236152 bytes)

SHA-256 1f54cb5415178dcb7d43c158898aed122e443a2edd15c85f525fce9cad01ae41
File name rfusclient.exe [PE32 executable] ! Signed file, valid signature
File size 10.71 MB (11235064 bytes)

original_utility (signed, not modified)
--------------
SHA-256 d4d3ef9196b5dac53d1e06d738eb3e529578752bf9e8cfd2900a600d5f10a7e5
File name host7.0.0.1.exe [PE32 executable, UPX 2.90 [LZMA]]
File size 20.41 MB (21397752 bytes)

activity
**************
PL_SCR attached exe

C2 195.24.68.15 [Moscow, Russian Federation]
194.156.99.64 [Republic of Moldova, Chisinau]

previous contact:
**************
139.28.38.254

netwrk
--------------
tcp.port == 80 || tcp.port == 8080 || tcp.port == 5651

194.156.99.64 51208 → 8080 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
195.24.68.15 51213 → 8080 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

!previous contact:
**************
tcp.port == 80 || tcp.port == 8080 || tcp.port == 5651
tcp.port == 82 || tcp.port == 5652 || tcp.port == 465

comp
--------------
rutserv.exe 3768 TCP 195.24.68.15 80 ESTABLISHED
rutserv.exe 3768 TCP 195.24.68.15 8080 ESTABLISHED
rutserv.exe 3768 TCP 195.24.68.15 5651 ESTABLISHED

rutserv.exe 3768 TCP 194.156.99.64 80 ESTABLISHED
rutserv.exe 3768 TCP 194.156.99.64 8080 ESTABLISHED
rutserv.exe 3768 TCP 194.156.99.64 5651 ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\Електронний запит.exe
C:\Users\operator\Desktop\Електронний запит.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\support\AppData\Local\Temp\RUT_{49DBFD43-8B37-4CA0-8BA1-72BE6F901143}\host.msi" /qn

{another context}

C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe -Embedding 20D9D0B218A5A1E1FE855C1C00173276
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\support\AppData\Local\Temp\RUT_{49DBFD43-8B37-4CA0-8BA1-72BE6F901143}\host.msi"
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start

"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe"
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -firewall

persist
--------------
HKLM\System\CurrentControlSet\Services 09.03.2021 17:07
RManService Allows Remote Utilities users to connect to this machine. Remote Utilities LLC
c:\program files (x86)\remote utilities - host\rutserv.exe 28.02.2021 14:25
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service

drop
--------------
C:\ProgramData\Remote Utilities\msi\70001_{CE1C66C6-55D6-4DAE-98B7-B8C7FE87342D}\host.msi
C:\Users\support\AppData\Local\Temp\RUT_{49DBFD43-8B37-4CA0-8BA1-72BE6F901143}\host.msi
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
C:\Program Files (x86)\Remote Utilities - Host\*

# # #
https://www.virustotal.com/gui/file/d9ae788efeaf1a9d8d9a4208e6f8f61585f9e1cd1585a4c31bd86f026b11e5e1/details
https://www.virustotal.com/gui/file/c1481929963b670912aa4c1ac3fa03a9f90a7d2f45605344c5f31a5bb2c020e6/details
https://www.virustotal.com/gui/file/e7c63f751c086428cef790142154b1c2bfffecac4d9e8ad00f1fe70dd8aaf069/details
https://www.virustotal.com/gui/file/2d4ef054f2ff2d64271b34f057943cf2b0f2c21ceb32df23e86f964cc1bb1a4b/details

IP
**************
https://www.virustotal.com/gui/ip-address/195.24.68.15/details
https://www.virustotal.com/gui/ip-address/194.156.99.64/details

installed
**************
https://www.virustotal.com/gui/file/3ac6a07500a732e7c61ebb0f67a1ac6552201d3b6a94c8b28ebfbc86119fb279/details
https://www.virustotal.com/gui/file/85b67377703bb2b9509d2fb895bb96d2afd42fe2e69f3d6c265f3a5e5c239598/details
https://www.virustotal.com/gui/file/1f54cb5415178dcb7d43c158898aed122e443a2edd15c85f525fce9cad01ae41/details

original_utility
**************
https://www.virustotal.com/gui/file/d4d3ef9196b5dac53d1e06d738eb3e529578752bf9e8cfd2900a600d5f10a7e5/details

VR