#IOC #OptiData #VR #rurat #RemoteUtilitiesLLC #EXE #UPX
https://pastebin.com/7ndYBz5Q
previous_contact:
09/08/21 https://pastebin.com/rh0bNZpN
22/03/21 https://pastebin.com/Dn4w1h8K
09/03/21 https://pastebin.com/70CvpLRE
03/03/21 https://pastebin.com/vBf6Wyr5
03/03/21 https://pastebin.com/br4Cayaz
FAQ:
https://www.remoteutilities.com/download/#
https://cert.gov.ua/article/18163
attack_vector
--------------
email > URL > .rar #1 > .rar #2 (passwd) > pdf.exe > msi > install > service > 101.99.93.49
email_headers
--------------
Subject: Судовий запит: 472343451 от: 28.01.2022
Received: from mailgw1.court.gov.ua ([212.90.190.159])
From: "СЛОВ’ЯНСЬКИЙ МІСЬКРАЙОННИЙ СУД ДОНЕЦЬКОЇ ОБЛАСТІ" <inbox@trm.lv.court.gov.ua>
Date: 28.01.2022 07:30:10
previous contact:
**************
Subject: до судового запиту № 61099 от: 08.08.2021
Received: from mail.iogu.gov.ua ([176.37.254.156])
From: Гладнєва Олена Михайлівна <mail@iogu.gov.ua>
x-sender="postmaster@mail.iogu.gov.ua"
Date: Mon, 9 Aug 2021 00:34:03 +0300
#
Return-Path: <ab-court@sv.od.court.gov.ua>
Received: from mailgw1.court.gov.ua (mailgw1.court.gov.ua. [212.90.190.159])
by mx.google.com with ESMTPS id z7si9162796lfh.121.2021.03.21.16.38.11
Received-SPF: pass (google.com: best guess record for domain of ab-court@sv.od.court.gov.ua designates 212.90.190.159 as permitted sender) client-ip=212.90.190.159;
Message-Id: <202103212338.12LNc9Qk006331-12LNc9Ql006331@mailgw1.court.gov.ua>
From: Бузовський Віталій Володимирович <ab-court@sv.od.court.gov.ua>
Subject: Судовий запит № 765251150
Reply-To: Бузовський Віталій Володимирович <parom@sv.od.court.gov.ua>
Date: Mon, 22 Mar 2021 01:37:39 +0200
#
Received: from mail.mepr.gov.ua (mail.menr.gov.ua [194.183.172.242])
Received: from gmail.com (31.13.19.242) by SERV-MAIL.menr.local (10.11.12.9)
with Microsoft SMTP Server id 14.3.498.0; Tue, 9 Mar 2021 03:45:16 +0200
From: Чорнуцький Сергій Петрович <zapros@court.gov.ua> [spoofed]
Subject: Судовий запит № 72137269
#
Received: from mail.mepr.gov.ua (mail.menr.gov.ua [194.183.172.242])
(envelope-from doc@kyiv.gp.gov.ua)
Received: from gmail.com (176.100.167.8) by SERV-MAIL.menr.local (10.11.12.9)
with Microsoft SMTP Server id 14.3.498.0; Wed, 3 Mar 2021 11:05:16 +0200
From: Кравець Олександр Олександрович <doc@kyiv.gp.gov.ua>
Subject: Електронний запит (довіданий) Терміново!
# # # # # # # #
files
# # # # # # # #
SHA-256 49e9fed1bd6c63823f713cc7d1e3cc398d7024cec191c7b46c864cfbd2d9c8b9
File name Судовий запит №9978364774635676778282.rar [ RAR archive data, v80 ]
File size 20.11 MB (21089280 bytes)
SHA-256 9f54fdfd1ee8dda9dd9a55519eab6f725b70dc3fd00ff3a10b9645c4529e66cf
File name Судовий запит №99783647746356767782828.pdf.rar [ RAR archive data, v5a, flags: Commented, Locked ]
File size 20.11 MB (21088910 bytes)
SHA-256 1abe583a7aae9f942dec8991efcea3a95296db197374aff625e591ba137d1754
File name Судовий запит №99783647746356767782828.pdf.exe [ PE32 executable for MS Windows (GUI) , UPX 2.90 [LZMA] ]
File size 20.59 MB (21592576 bytes)
installed
--------------
SHA-256 f30bbbe109b9a5965e7328eee1d246ac43dcc5b162c9efd81a29e7d5955b811b
File name rfusclient.exe [ PE32 executable for MS Windows (GUI) ]
File size 11.06 MB (11597560 bytes)
SHA-256 35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7
File name rutserv.exe [ PE32 executable for MS Windows (GUI) , BobSoft Mini Delphi -> BoB / BobSoft ]
File size 17.78 MB (18647800 bytes)
# # # # # # # #
activity
# # # # # # # #
PL_SCR https://dropmefiles.com/nIVc4
https://drive.google.com/file/d/1hXzj2nmtFLZRZCGujoriya9C7xjQ51V0/view?usp=sharing
C2 101.99.93.49 [Kuala Lumpur, piradius.net]
previous contact:
**************
77.83.173.247 domain: had.wf CN=bankcardshop.ru [NL]
45.82.71.172 domain: had.wf [NL]
145.239.23.207 WORLDBTCNEWS.COM [FR]
178.210.76.171 RU-CENTER-HOSTING [123308, Moscow, Russian Federation]
194.156.99.64 EXAMPLE.COM [Hong Kong]
195.24.68.15 NIC.RU [Moscow, Russian Federation]
139.28.38.254
195.24.68.15 [Moscow, Russian Federation]
194.156.99.64 [Republic of Moldova, Chisinau]
netwrk
--------------
tcp.port == 8080 || tcp.port == 5651 || tcp.port == 4899
101.99.93.49 49827 → 4899 [SYN]
101.99.93.49 49828 → 5651 [SYN]
101.99.93.49 49831 → 8080 [SYN]
comp
--------------
rutserv.exe 2600 TCP 101.99.93.49 4899 ESTABLISHED
rutserv.exe 2600 TCP 101.99.93.49 5651 ESTABLISHED
rutserv.exe 2600 TCP 101.99.93.49 8080 ESTABLISHED
proc
--------------
C:\Users\operator\Desktop\sample.exe
C:\Users\operator\Desktop\sample.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\support\AppData\Local\Temp\RUT_{ED71D686-C8C8-47BC-870D-C89BEE53D739}\host7.0.0.3_unsigned.msi" /qn
{another context}
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe -Embedding D0298E6E34CF24B749A8DE99F842D554
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\support\AppData\Local\Temp\RUT_{ED71D686-C8C8-47BC-870D-C89BEE53D739}\host7.0.0.3_unsigned.msi"
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
{another context}
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
persist
--------------
by service
RManService Allows Remote Utilities users to connect to this machine.
Remote Utilities LLC Version 7.0.0.3
c:\program files (x86)\remote utilities - host\rutserv.exe 26.03.2021 21:24
drop
--------------
C:\Windows\Installer\MSI30AB.tmp
C:\Windows\Installer\3771dde.msi
C:\Config.Msi\3771de1.rbs
C:\Users\support\AppData\Local\Temp\RUT_{ED71D686-C8C8-47BC-870D-C89BEE53D739}\host7.0.0.3_unsigned.msi
C:\Users\support\AppData\Local\Temp\RUT_{ED71D686-C8C8-47BC-870D-C89BEE53D739}\host7.0.0.3_unsigned.msi
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
C:\Program Files (x86)\Remote Utilities - Host\*
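The netwrk, comp, proc and drop sections above give three kinds of indicator a defender can match on: the C2 address and its ports, the file hashes, and the command lines of the silent MSI install (msiexec /qn of an unsigned Remote Utilities host package from a RUT_{GUID} folder under %TEMP%, then rutserv.exe /silentinstall and /firewall). The following script is an added example and is not part of the original paste; it turns those indicators into a small matcher and runs it over a constructed mix of netstat-style, command-line and hash lines (the benign lines and the all-zero hash are made up for contrast; the IOC values themselves come from the sections above).

```python
"""Match the Remote Utilities IOCs from this report against log lines.

Added example. IOC values (C2 address, ports, SHA-256 hashes, command-line
patterns) are taken from the paste; the sample log lines are constructed.
"""
import re

# Indicators from the activity / netwrk / comp sections
C2_IP = "101.99.93.49"
C2_PORTS = {4899, 5651, 8080}

# Hashes from the files / installed sections
HASHES = {
    "49e9fed1bd6c63823f713cc7d1e3cc398d7024cec191c7b46c864cfbd2d9c8b9": "outer .rar",
    "9f54fdfd1ee8dda9dd9a55519eab6f725b70dc3fd00ff3a10b9645c4529e66cf": "password-protected .pdf.rar",
    "1abe583a7aae9f942dec8991efcea3a95296db197374aff625e591ba137d1754": "pdf.exe (UPX)",
    "f30bbbe109b9a5965e7328eee1d246ac43dcc5b162c9efd81a29e7d5955b811b": "rfusclient.exe",
    "35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7": "rutserv.exe",
}

# Command-line patterns from the proc section (case-insensitive).
# The msiexec pattern requires the /i ... /qn pair and the RUT_{GUID} temp
# folder plus the _unsigned.msi name, so a normal interactive install
# of the product does not trip it.
CMDLINE_PATTERNS = [
    (re.compile(r'msiexec\.exe"?\s+/i\s+"?[^"]*\\Temp\\RUT_\{[0-9A-F-]+\}\\[^"]*_unsigned\.msi"?\s+/qn', re.I),
     "silent (/qn) install of unsigned Remote Utilities host MSI from %TEMP%\\RUT_{GUID}"),
    (re.compile(r'rutserv\.exe"?\s+/silentinstall', re.I), "rutserv.exe /silentinstall"),
    (re.compile(r'rutserv\.exe"?\s+/firewall', re.I), "rutserv.exe /firewall (adds its own firewall rule)"),
    (re.compile(r'rfusclient\.exe"?\s+-msi_copy', re.I), "rfusclient.exe -msi_copy"),
]

# netstat-style line as shown in the comp section: proc pid TCP ip port STATE
NETSTAT_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+TCP\s+(?P<ip>[\d.]+)\s+(?P<port>\d+)\s+(?P<state>\w+)$"
)


def match_network(line):
    """Flag any connection to the C2 address; note whether the port is a known one."""
    m = NETSTAT_RE.match(line.strip())
    if not m or m["ip"] != C2_IP:
        return None
    port = int(m["port"])
    known = "known C2 port" if port in C2_PORTS else "port not in IOC list"
    return f"{m['proc']} pid {m['pid']} -> {m['ip']}:{port} {m['state']} ({known})"


def match_cmdline(line):
    """Return a description if the command line matches one of the install patterns."""
    for pattern, description in CMDLINE_PATTERNS:
        if pattern.search(line):
            return description
    return None


def match_hash(line):
    """Return the IOC label for a bare SHA-256 value, if it is one of the listed hashes."""
    return HASHES.get(line.strip().lower())


def scan(lines):
    """Run all three matchers over the lines; first matcher that fires wins."""
    hits = []
    for line in lines:
        for kind, matcher in (("network", match_network),
                              ("process", match_cmdline),
                              ("hash", match_hash)):
            result = matcher(line)
            if result:
                hits.append((kind, result))
                break
    return hits


# Constructed sample input: a mix of lines taken from the paste and made-up
# benign lines that must not match.
SAMPLE_LOG = [
    "svchost.exe 812 TCP 10.0.0.5 443 ESTABLISHED",              # constructed, benign
    "rutserv.exe 2600 TCP 101.99.93.49 4899 ESTABLISHED",        # from comp section
    "rutserv.exe 2600 TCP 101.99.93.49 5651 ESTABLISHED",        # from comp section
    "rutserv.exe 2600 TCP 101.99.93.49 443 ESTABLISHED",         # constructed: C2 IP, unlisted port
    r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\support\AppData\Local\Temp\RUT_{ED71D686-C8C8-47BC-870D-C89BEE53D739}\host7.0.0.3_unsigned.msi" /qn',
    r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall',
    r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start',  # no install switch, not matched
    "1abe583a7aae9f942dec8991efcea3a95296db197374aff625e591ba137d1754",     # pdf.exe hash
    "0" * 64,                                                    # constructed, unknown hash
]

if __name__ == "__main__":
    for kind, description in scan(SAMPLE_LOG):
        print(f"[{kind}] {description}")
```

The network matcher keys on the address rather than only on the three ports of the Wireshark filter, so a connection to the C2 host on an unlisted port is still reported (with a note that the port is outside the list); hash matching is exact, so a repacked sample would need the process or network rules to catch it, which is why the example keeps all three.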
# # # # # # # #
additional info
# # # # # # # #
none
# # # # # # # #
VT & Intezer
# # # # # # # #
Dropped files
**************
https://www.virustotal.com/gui/file/49e9fed1bd6c63823f713cc7d1e3cc398d7024cec191c7b46c864cfbd2d9c8b9/details
https://www.virustotal.com/gui/file/9f54fdfd1ee8dda9dd9a55519eab6f725b70dc3fd00ff3a10b9645c4529e66cf/details
https://www.virustotal.com/gui/file/1abe583a7aae9f942dec8991efcea3a95296db197374aff625e591ba137d1754/details
installed
**************
https://www.virustotal.com/gui/file/f30bbbe109b9a5965e7328eee1d246ac43dcc5b162c9efd81a29e7d5955b811b/details
https://www.virustotal.com/gui/file/35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7/details
IP
**************
https://www.virustotal.com/gui/ip-address/101.99.93.49/relations
VR