VRad

#rurat_280122

Jan 28th, 2022 (edited)
#IOC #OptiData #VR #rurat #RemoteUtilitiesLLC #EXE #UPX

https://pastebin.com/7ndYBz5Q

previous_contact:

09/08/21 https://pastebin.com/rh0bNZpN
22/03/21 https://pastebin.com/Dn4w1h8K
09/03/21 https://pastebin.com/70CvpLRE
03/03/21 https://pastebin.com/vBf6Wyr5
03/03/21 https://pastebin.com/br4Cayaz

FAQ:
https://www.remoteutilities.com/download/#
https://cert.gov.ua/article/18163


attack_vector
--------------
email > URL (dropmefiles.com / Google Drive) > .rar #1 > .rar #2 (password-protected) > .pdf.exe (double extension, UPX-packed dropper that extracts host7.0.0.3_unsigned.msi) > msiexec /qn (silent install) > RManService > 101.99.93.49 (tcp/4899, 5651, 8080)

email_headers
--------------
Subject: Судовий запит: 472343451 от: 28.01.2022   [Court request: 472343451 from: 28.01.2022; note that "от" is Russian, the Ukrainian word would be "від"]
Received: from mailgw1.court.gov.ua ([212.90.190.159])
From: "СЛОВ’ЯНСЬКИЙ МІСЬКРАЙОННИЙ СУД ДОНЕЦЬКОЇ ОБЛАСТІ" <inbox@trm.lv.court.gov.ua>   [Sloviansk City-District Court of Donetsk Oblast]
Date: 28.01.2022 07:30:10


previous contact:
**************

Subject: до судового запиту № 61099 от: 08.08.2021   [re: court request No. 61099 from: 08.08.2021]
Received: from mail.iogu.gov.ua ([176.37.254.156])
From: Гладнєва Олена Михайлівна <mail@iogu.gov.ua>
x-sender="postmaster@mail.iogu.gov.ua"
Date: Mon, 9 Aug 2021 00:34:03 +0300

#

Return-Path: <ab-court@sv.od.court.gov.ua>
Received: from mailgw1.court.gov.ua (mailgw1.court.gov.ua. [212.90.190.159])
by mx.google.com with ESMTPS id z7si9162796lfh.121.2021.03.21.16.38.11
Received-SPF: pass (google.com: best guess record for domain of ab-court@sv.od.court.gov.ua designates 212.90.190.159 as permitted sender) client-ip=212.90.190.159;
Message-Id: <202103212338.12LNc9Qk006331-12LNc9Ql006331@mailgw1.court.gov.ua>
From: Бузовський Віталій Володимирович <ab-court@sv.od.court.gov.ua>
Subject: Судовий запит № 765251150   [Court request No. 765251150]
Reply-To: Бузовський Віталій Володимирович <parom@sv.od.court.gov.ua>
Date: Mon, 22 Mar 2021 01:37:39 +0200

#

Received: from mail.mepr.gov.ua (mail.menr.gov.ua [194.183.172.242])
Received: from gmail.com (31.13.19.242) by SERV-MAIL.menr.local (10.11.12.9)
with Microsoft SMTP Server id 14.3.498.0; Tue, 9 Mar 2021 03:45:16 +0200
From: Чорнуцький Сергій Петрович <zapros@court.gov.ua> [spoofed]
Subject: Судовий запит № 72137269   [Court request No. 72137269]

#

Received: from mail.mepr.gov.ua (mail.menr.gov.ua [194.183.172.242])
(envelope-from doc@kyiv.gp.gov.ua)
Received: from gmail.com (176.100.167.8) by SERV-MAIL.menr.local (10.11.12.9)
with Microsoft SMTP Server id 14.3.498.0; Wed, 3 Mar 2021 11:05:16 +0200
From: Кравець Олександр Олександрович <doc@kyiv.gp.gov.ua>
Subject: Електронний запит (довіданий) Терміново!   [Electronic request (certified) Urgent!]

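The header blocks above show two different delivery patterns: the March 2021 waves enter the relay chain from gmail.com while claiming a .gov.ua sender, whereas the 2022 wave (and the 22.03.2021 one) really transits mailgw1.court.gov.ua, with Google's SPF "best guess" wording showing the domain publishes no SPF record. The following script is an added example, not part of the original paste or of the OptiData/VR tooling: it reconstructs the four header sets from this section (display names and the non-RFC Date lines dropped, subjects shortened) and runs the checks a mail-gateway analyst would apply. The registrable-domain reduction in org_domain() is a deliberately small stand-in for a public-suffix list, an assumption of this example.

```python
"""Header triage for the court-themed lures in the email_headers section.

Added example (not part of the original paste). The header blocks are
constructed from that section so the script runs offline; org_domain() is a
tiny stand-in for a public-suffix list (assumption of this example).
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed from the paste. In 2022 the mail really transits the court gateway;
# in the March 2021 waves the bottom Received hop is gmail.com.
SAMPLE_2022 = """\
Received: from mailgw1.court.gov.ua ([212.90.190.159])
From: <inbox@trm.lv.court.gov.ua>
Subject: court request 472343451
"""
SAMPLE_2021_03_22 = """\
Return-Path: <ab-court@sv.od.court.gov.ua>
Received: from mailgw1.court.gov.ua (mailgw1.court.gov.ua. [212.90.190.159])
        by mx.google.com with ESMTPS id z7si9162796lfh.121.2021.03.21.16.38.11
Received-SPF: pass (google.com: best guess record for domain of ab-court@sv.od.court.gov.ua designates 212.90.190.159 as permitted sender) client-ip=212.90.190.159;
From: <ab-court@sv.od.court.gov.ua>
Reply-To: <parom@sv.od.court.gov.ua>
Subject: court request 765251150
"""
SAMPLE_2021_03_09 = """\
Received: from mail.mepr.gov.ua (mail.menr.gov.ua [194.183.172.242])
Received: from gmail.com (31.13.19.242) by SERV-MAIL.menr.local (10.11.12.9)
        with Microsoft SMTP Server id 14.3.498.0; Tue, 9 Mar 2021 03:45:16 +0200
From: <zapros@court.gov.ua>
Subject: court request 72137269
"""
SAMPLE_2021_03_03 = """\
Received: from mail.mepr.gov.ua (mail.menr.gov.ua [194.183.172.242])
        (envelope-from doc@kyiv.gp.gov.ua)
Received: from gmail.com (176.100.167.8) by SERV-MAIL.menr.local (10.11.12.9)
        with Microsoft SMTP Server id 14.3.498.0; Wed, 3 Mar 2021 11:05:16 +0200
From: <doc@kyiv.gp.gov.ua>
Subject: electronic request, urgent
"""

# Assumption: under these second-level suffixes the registrable domain is three labels long.
THREE_LABEL_SUFFIXES = {"gov.ua", "com.ua", "org.ua", "co.uk"}


def org_domain(host):
    """mailgw1.court.gov.ua -> court.gov.ua; trm.lv.court.gov.ua -> court.gov.ua."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in THREE_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def addr_of(header_value):
    """Bare, lower-cased address out of a From/Reply-To/Return-Path value."""
    return parseaddr(str(header_value))[1].lower()


def origin_hop(msg):
    """Host named in the bottom-most Received header: where the mail entered the relay chain."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.match(r"\s*from\s+(\S+)", str(received[-1]))
    return m.group(1).lower() if m else None


def analyze(raw_headers):
    """Return the sender, the origin hop and a list of flags for one header block."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    sender = addr_of(msg["From"])
    sender_org = org_domain(sender.rpartition("@")[2])
    flags = []
    if msg["Reply-To"] and addr_of(msg["Reply-To"]) != sender:
        flags.append("reply_to_differs")            # replies are steered to another mailbox
    if msg["Return-Path"] and org_domain(addr_of(msg["Return-Path"]).rpartition("@")[2]) != sender_org:
        flags.append("return_path_org_mismatch")     # bounce address outside the claimed org
    hop = origin_hop(msg)
    if hop and org_domain(hop) != sender_org:
        flags.append(f"origin_hop:{hop}")             # injected from outside the claimed org
    if "best guess" in str(msg["Received-SPF"] or ""):
        flags.append("spf_best_guess")               # Google wording: domain publishes no SPF record
    return {"from": sender, "origin_hop": hop, "flags": flags}


if __name__ == "__main__":
    for name, raw in [("2022-01-28", SAMPLE_2022), ("2021-03-22", SAMPLE_2021_03_22),
                      ("2021-03-09", SAMPLE_2021_03_09), ("2021-03-03", SAMPLE_2021_03_03)]:
        print(name, analyze(raw))
```

The 2022 block comes back with no flags: the lure genuinely left through the court's own gateway, so header checks alone do not clear it, and the decision has to fall back on the attachment (password-protected inner RAR, .pdf.exe) rather than on sender authenticity.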
# # # # # # # #
files
# # # # # # # #

SHA-256 49e9fed1bd6c63823f713cc7d1e3cc398d7024cec191c7b46c864cfbd2d9c8b9
File name Судовий запит №9978364774635676778282.rar [ RAR archive data, v80 ]   (translation: Court request No. 9978364774635676778282.rar; outer archive)
File size 20.11 MB (21089280 bytes)

SHA-256 9f54fdfd1ee8dda9dd9a55519eab6f725b70dc3fd00ff3a10b9645c4529e66cf
File name Судовий запит №99783647746356767782828.pdf.rar [ RAR archive data, v5a, flags: Commented, Locked ]   (translation: Court request No. 99783647746356767782828.pdf.rar; inner, password-protected archive)
File size 20.11 MB (21088910 bytes)

SHA-256 1abe583a7aae9f942dec8991efcea3a95296db197374aff625e591ba137d1754
File name Судовий запит №99783647746356767782828.pdf.exe [ PE32 executable for MS Windows (GUI) , UPX 2.90 [LZMA] ]   (translation: Court request No. 99783647746356767782828.pdf.exe; double extension, the actual dropper)
File size 20.59 MB (21592576 bytes)


installed
--------------
SHA-256 f30bbbe109b9a5965e7328eee1d246ac43dcc5b162c9efd81a29e7d5955b811b
File name rfusclient.exe [ PE32 executable for MS Windows (GUI) ]
File size 11.06 MB (11597560 bytes)

SHA-256 35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7
File name rutserv.exe [ PE32 executable for MS Windows (GUI) , BobSoft Mini Delphi -> BoB / BobSoft ]
File size 17.78 MB (18647800 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR https://dropmefiles.com/nIVc4
https://drive.google.com/file/d/1hXzj2nmtFLZRZCGujoriya9C7xjQ51V0/view?usp=sharing


C2 101.99.93.49 [Kuala Lumpur, piradius.net]

previous contact:
**************
77.83.173.247 domain: had.wf CN=bankcardshop.ru [NL]
45.82.71.172 domain: had.wf [NL]

145.239.23.207 WORLDBTCNEWS.COM [FR]
178.210.76.171 RU-CENTER-HOSTING [123308, Moscow, Russian Federation]
194.156.99.64 EXAMPLE.COM [Hong Kong]
195.24.68.15 NIC.RU [Moscow, Russian Federation]


139.28.38.254
195.24.68.15 [Moscow, Russian Federation]
194.156.99.64 [Republic of Moldova, Chisinau]

netwrk
--------------
tcp.port == 8080 || tcp.port == 5651 || tcp.port == 4899

101.99.93.49 49827 → 4899 [SYN]
101.99.93.49 49828 → 5651 [SYN]
101.99.93.49 49831 → 8080 [SYN]


comp
--------------
rutserv.exe 2600 TCP 101.99.93.49 4899 ESTABLISHED
rutserv.exe 2600 TCP 101.99.93.49 5651 ESTABLISHED
rutserv.exe 2600 TCP 101.99.93.49 8080 ESTABLISHED


proc
--------------
C:\Users\operator\Desktop\sample.exe
C:\Users\operator\Desktop\sample.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\support\AppData\Local\Temp\RUT_{ED71D686-C8C8-47BC-870D-C89BEE53D739}\host7.0.0.3_unsigned.msi" /qn

{another context}

C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe -Embedding D0298E6E34CF24B749A8DE99F842D554
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\support\AppData\Local\Temp\RUT_{ED71D686-C8C8-47BC-870D-C89BEE53D739}\host7.0.0.3_unsigned.msi"
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start

{another context}

"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray


persist
--------------
by service

RManService Allows Remote Utilities users to connect to this machine.
Remote Utilities LLC Version 7.0.0.3
c:\program files (x86)\remote utilities - host\rutserv.exe 26.03.2021 21:24


drop
--------------
C:\Windows\Installer\MSI30AB.tmp
C:\Windows\Installer\3771dde.msi
C:\Config.Msi\3771de1.rbs
C:\Users\support\AppData\Local\Temp\RUT_{ED71D686-C8C8-47BC-870D-C89BEE53D739}\host7.0.0.3_unsigned.msi
C:\Users\support\AppData\Local\Temp\RUT_{ED71D686-C8C8-47BC-870D-C89BEE53D739}\host7.0.0.3_unsigned.msi
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
C:\Program Files (x86)\Remote Utilities - Host\*

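The proc, netwrk, comp and persist sections together describe one chain: a double-extension dropper, a silent msiexec install of host7.0.0.3_unsigned.msi out of a RUT_{GUID} temp folder, rutserv.exe run with /silentinstall, /firewall and /start, the RManService service, and rutserv.exe holding connections to 101.99.93.49 on 4899, 5651 and 8080. The script below is an added example, not part of the original paste or of the OptiData/VR tooling, that turns those observations into detection logic and runs it over a hand-built batch of events. Field names follow Sysmon (EventID 1 process create, EventID 3 network connect) and the Windows System log (EventID 7045 service installed), but every record is constructed here from the paste; the .pdf.exe path in the first event is an assumption about what the sample was called before the analyst renamed it to sample.exe.

```python
"""Detection logic for the Remote Utilities install chain (proc / netwrk / comp / persist).

Added example, not part of the original paste. Events are constructed to mirror
those sections; nothing here reads a real event log.
"""
import re

C2_IPS = {"101.99.93.49"}
C2_PORTS = {4899, 5651, 8080}               # ports from the netwrk / comp sections
RU_HOST_BINARIES = {"rutserv.exe", "rfusclient.exe"}
KNOWN_HASHES = {                            # SHA-256 values from the files / installed sections
    "1abe583a7aae9f942dec8991efcea3a95296db197374aff625e591ba137d1754": "Судовий запит №99783647746356767782828.pdf.exe",
    "35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7": "rutserv.exe",
    "f30bbbe109b9a5965e7328eee1d246ac43dcc5b162c9efd81a29e7d5955b811b": "rfusclient.exe",
}

# Command-line shapes taken from the proc section.
SILENT_RUT_MSI = re.compile(
    r"msiexec\.exe.*\\RUT_\{[0-9A-F-]{36}\}\\host[\d.]+_unsigned\.msi.*?/qn", re.I)
RUTSERV_SWITCH = re.compile(
    r'rutserv\.exe"?\s+(/silentinstall|/firewall|/start|-service)\b', re.I)
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?)\.(exe|scr|com)$", re.I)

# Constructed events. The first path is an assumption (the paste renamed the
# dropper to sample.exe); all other values are copied from the paste.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\support\Downloads\Судовий запит №99783647746356767782828.pdf.exe",
     "CommandLine": r"C:\Users\support\Downloads\Судовий запит №99783647746356767782828.pdf.exe",
     "Hashes": "SHA256=1ABE583A7AAE9F942DEC8991EFCEA3A95296DB197374AFF625E591BA137D1754"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\support\AppData\Local\Temp\RUT_{ED71D686-C8C8-47BC-870D-C89BEE53D739}\host7.0.0.3_unsigned.msi" /qn'},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe",
     "CommandLine": r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall',
     "Hashes": "SHA256=35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7"},
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe",
     "Protocol": "tcp", "DestinationIp": "101.99.93.49", "DestinationPort": 4899},
    {"EventID": 7045, "ServiceName": "RManService",
     "ImagePath": r"c:\program files (x86)\remote utilities - host\rutserv.exe"},
    # benign control: a browser talking to an unrelated host on 8080 must not fire
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Protocol": "tcp", "DestinationIp": "203.0.113.10", "DestinationPort": 8080},
]


def sha256_of(event):
    """Sysmon stores hashes as 'MD5=..,SHA256=..'; return the SHA-256 lower-cased, or None."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def classify(event):
    """Return the indicator names one event matches (empty list = nothing of interest)."""
    hits = []
    image = event.get("Image", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    digest = sha256_of(event)
    if digest in KNOWN_HASHES:
        hits.append("known_hash:" + KNOWN_HASHES[digest])
    eid = event.get("EventID")
    if eid == 1:
        cmd = event.get("CommandLine", "")
        if DOUBLE_EXTENSION.search(image):
            hits.append("double_extension")
        if SILENT_RUT_MSI.search(cmd):
            hits.append("silent_rut_msi")
        m = RUTSERV_SWITCH.search(cmd)
        if m:
            hits.append("rutserv_switch:" + m.group(1).lower())
    elif eid == 3:
        if event.get("DestinationIp") in C2_IPS:
            hits.append("c2_ip")
        if exe in RU_HOST_BINARIES and int(event.get("DestinationPort", 0)) in C2_PORTS:
            hits.append("ru_host_port")
    elif eid == 7045:
        if event.get("ServiceName") == "RManService" or "rutserv.exe" in event.get("ImagePath", "").lower():
            hits.append("rmanservice_install")
    return hits


def scan(events):
    """Per-event hits plus the set of chain stages observed across the batch."""
    findings = [(i, classify(e)) for i, e in enumerate(events)]
    stages = {h.split(":")[0] for _, hits in findings for h in hits}
    return {"findings": [(i, h) for i, h in findings if h], "stages": stages}


def wireshark_filter():
    """Display filter equivalent to the netwrk section, narrowed to the C2 address."""
    hosts = " || ".join(f"ip.addr == {ip}" for ip in sorted(C2_IPS))
    ports = " || ".join(f"tcp.port == {p}" for p in sorted(C2_PORTS))
    return f"({hosts}) && ({ports})"


if __name__ == "__main__":
    print(wireshark_filter())
    for idx, hits in scan(SAMPLE_EVENTS)["findings"]:
        print(idx, SAMPLE_EVENTS[idx]["EventID"], hits)
```

Two caveats when turning this into a production rule. Remote Utilities is a commercial RMM product, so the rutserv.exe and rfusclient.exe hashes will also match any sanctioned 7.0.0.3 host install; the hash hits are corroboration, while the decisive signals are the context (an unsigned MSI installed with /qn out of a RUT_{GUID} temp folder by a user process, and RManService appearing on a machine where the product is not approved) and the outbound connections to 101.99.93.49. Second, the C2 address and ports are specific to this wave; keep C2_IPS and C2_PORTS as data fed from the IOC list rather than constants baked into the rule.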
# # # # # # # #
additional info
# # # # # # # #
none

# # # # # # # #
VT & Intezer
# # # # # # # #

Dropped files
**************
https://www.virustotal.com/gui/file/49e9fed1bd6c63823f713cc7d1e3cc398d7024cec191c7b46c864cfbd2d9c8b9/details
https://www.virustotal.com/gui/file/9f54fdfd1ee8dda9dd9a55519eab6f725b70dc3fd00ff3a10b9645c4529e66cf/details
https://www.virustotal.com/gui/file/1abe583a7aae9f942dec8991efcea3a95296db197374aff625e591ba137d1754/details

installed
**************
https://www.virustotal.com/gui/file/f30bbbe109b9a5965e7328eee1d246ac43dcc5b162c9efd81a29e7d5955b811b/details
https://www.virustotal.com/gui/file/35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7/details

IP
**************
https://www.virustotal.com/gui/ip-address/101.99.93.49/relations

VR
