VRad

#rurat_220321

Mar 22nd, 2021 (edited)
#IOC #OptiData #VR #rurat #RemoteUtilitiesLLC #EXE #UPX

https://pastebin.com/Dn4w1h8K

previous_contact:

09/03/21 https://pastebin.com/70CvpLRE
03/03/21 https://pastebin.com/vBf6Wyr5
03/03/21 https://pastebin.com/br4Cayaz

FAQ:
https://www.remoteutilities.com/download/#

attack_vector
--------------
email > attached .zip > .rar > exe1 (.docx.exe, UPX-packed, validly signed) > exe2 (unpacked Remote Utilities host installer) > silent host.msi install > RManService > 145.239.23.207, 178.210.76.171, 195.24.68.15, 194.156.99.64
  17.  
email_headers
--------------
Return-Path: <[email protected]>
Received: from mailgw1.court.gov.ua (mailgw1.court.gov.ua. [212.90.190.159])
by mx.google.com with ESMTPS id z7si9162796lfh.121.2021.03.21.16.38.11
Received-SPF: pass (google.com: best guess record for domain of [email protected] designates 212.90.190.159 as permitted sender) client-ip=212.90.190.159; [best guess = the domain publishes no SPF record; the pass is Google's fallback heuristic, not an authorisation check]
Message-Id: <[email protected]>
From: Бузовський Віталій Володимирович <[email protected]>
Subject: Судовий запит № 765251150 [Court request No. 765251150]
Reply-To: Бузовський Віталій Володимирович <[email protected]>
Date: Mon, 22 Mar 2021 01:37:39 +0200


previous contact:
**************

Received: from mail.mepr.gov.ua (mail.menr.gov.ua [194.183.172.242])
Received: from gmail.com (31.13.19.242) by SERV-MAIL.menr.local (10.11.12.9)
with Microsoft SMTP Server id 14.3.498.0; Tue, 9 Mar 2021 03:45:16 +0200
From: Чорнуцький Сергій Петрович <[email protected]> [spoofed]
Subject: Судовий запит № 72137269 [Court request No. 72137269]


Received: from mail.mepr.gov.ua (mail.menr.gov.ua [194.183.172.242])
(envelope-from [email protected])
Received: from gmail.com (176.100.167.8) by SERV-MAIL.menr.local (10.11.12.9)
with Microsoft SMTP Server id 14.3.498.0; Wed, 3 Mar 2021 11:05:16 +0200
From: Кравець Олександр Олександрович <[email protected]>
Subject: Електронний запит (довіданий) Терміново! [Electronic request (reference), urgent!]

  48.  
files
--------------
SHA-256 f65b5ba993f70b092df734bd504a63090cc621343e614c25f1e78643e46741e4
File name Електронний судовий запит.zip [Zip archive data, at least v1.0 to extract] (name = "Electronic court request")
File size 19.94 MB (20907569 bytes)

SHA-256 d88aeb0e0d5b88735950db9eb679414d5eb2d365d4d4238469c5ffd92497ceba
File name Електронний судовий запит № 0990092883737373.rar [RAR archive data, v1d, flags: Solid, os: Win32]
File size 19.94 MB (20904797 bytes)

SHA-256 89bbc2f17098224b315c84003ee828959cd1e2155b3415cff861dd0c8a43d875
File name Електронний судовий запит № 0990092883737373.docx.exe [PE32 executable, UPX 2.90 [LZMA]] ! Signed file, valid signature (double extension .docx.exe)
File size 20.41 MB (21402224 bytes) Date signed 08:35 PM 03/21/2021

SHA-256 f5967507c1d320ff9388859419bebbc4caa3a07a298c4f666d3def053cded561
File name unpack.exe [PE32 executable, BobSoft Mini Delphi]
File size 22.81 MB (23913072 bytes) Creation Time 2021-02-28 12:26:30


installed
--------------
SHA-256 24b9025944524d14721a9d4ac4fcc40285410a1753c973cd96c526adfa679bab
File name host.msi [Microsoft Windows Installer] ! Signed file, valid signature
File size 20.50 MB (21494784 bytes) Date signed 08:35 PM 03/21/2021

SHA-256 85b67377703bb2b9509d2fb895bb96d2afd42fe2e69f3d6c265f3a5e5c239598
File name rutserv.exe [PE32 executable, BobSoft Mini Delphi] ! Signed file, valid signature
File size 17.39 MB (18236152 bytes) Date signed 12:28 PM 02/28/2021

SHA-256 1f54cb5415178dcb7d43c158898aed122e443a2edd15c85f525fce9cad01ae41
File name rfusclient.exe [ PE32 executable ] ! Signed file, valid signature
File size 10.71 MB (11235064 bytes) Date signed 12:28 PM 02/28/2021


original_utility (signed, not modified)
--------------
SHA-256 d4d3ef9196b5dac53d1e06d738eb3e529578752bf9e8cfd2900a600d5f10a7e5
File name host7.0.0.1.exe [PE32 executable, UPX 2.90 [LZMA]]
File size 20.41 MB (21397752 bytes)

Same packer and size class as the attached .docx.exe, which is 4472 bytes larger and also carries a valid signature: a signature or vendor check alone does not separate the attacker's build from the vendor download, only the hash and the C2 configuration do.
  88.  
  89.  
activity
**************
PL_SCR attached exe

C2 145.239.23.207 WORLDBTCNEWS.COM [FR]
178.210.76.171 RU-CENTER-HOSTING [123308, Moscow, Russian Federation]
194.156.99.64 EXAMPLE.COM [Hong Kong]
195.24.68.15 NIC.RU [Moscow, Russian Federation]

previous contact:
**************
139.28.38.254
195.24.68.15 [Moscow, Russian Federation]
194.156.99.64 [Republic of Moldova, Chisinau]
  104.  
  105.  
netwrk
--------------
Wireshark display filter:
tcp.port == 80 || tcp.port == 465 || tcp.port == 8080 || tcp.port == 5651

145.239.23.207 51264 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
194.156.99.64 51266 → 8080 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
178.210.76.171 51262 → 8080 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
195.24.68.15 51261 → 8080 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1


previous contact (one filter per earlier sample):
**************
tcp.port == 80 || tcp.port == 8080 || tcp.port == 5651
tcp.port == 80 || tcp.port == 8080 || tcp.port == 5651
tcp.port == 82 || tcp.port == 5652 || tcp.port == 465
  121.  
  122.  
comp
--------------
process pid proto remote_ip remote_port state
rutserv.exe 2848 TCP 195.24.68.15 8080 SYN_SENT
rutserv.exe 2848 TCP 178.210.76.171 8080 SYN_SENT
rutserv.exe 2848 TCP 145.239.23.207 8080 ESTABLISHED
rutserv.exe 2848 TCP 145.239.23.207 80 ESTABLISHED
rutserv.exe 2848 TCP 145.239.23.207 5651 ESTABLISHED
rutserv.exe 2848 TCP 194.156.99.64 8080 ESTABLISHED
rutserv.exe 2848 TCP 194.156.99.64 465 SYN_SENT
rutserv.exe 2848 TCP 195.24.68.15 5651 SYN_SENT
rutserv.exe 2848 TCP 145.239.23.207 465 SYN_SENT
rutserv.exe 2848 TCP 194.156.99.64 5651 ESTABLISHED
[System] 0 TCP 178.210.76.171 8080 TIME_WAIT
[System] 0 TCP 178.210.76.171 8080 TIME_WAIT
  137.  
  138.  
proc
--------------
C:\Users\operator\Desktop\Електронний судовий запит № 0990092883737373.docx.exe
C:\Users\operator\Desktop\Електронний судовий запит № 0990092883737373.docx.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\support\AppData\Local\Temp\RUT_{AAA8EB55-ADCE-43C6-95B0-CECF340AB2AD}\host.msi" /qn

{another}

C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe -Embedding C2D03485DC43F359294299D1A1278EF5
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\support\AppData\Local\Temp\RUT_{AAA8EB55-ADCE-43C6-95B0-CECF340AB2AD}\host.msi"
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
  157.  
  158.  
persist
--------------
HKLM\System\CurrentControlSet\Services 22.03.2021 11:40
RManService Allows Remote Utilities users to connect to this machine. Remote Utilities LLC
c:\program files (x86)\remote utilities - host\rutserv.exe 28.02.2021 14:25
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
  165.  
  166.  
drop
--------------
C:\ProgramData\Remote Utilities\msi\70001_{CE1C66C6-55D6-4DAE-98B7-B8C7FE87342D}\host.msi
C:\Users\support\AppData\Local\Temp\RUT_{AAA8EB55-ADCE-43C6-95B0-CECF340AB2AD}\host.msi
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
C:\Program Files (x86)\Remote Utilities - Host\*.*
  174.  
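Host triage over the comp, proc and persist observations above, as an added example (not the author's tooling and not Remote Utilities code). The connection rows and command lines are constructed from the page's own listings; the chrome.exe and git.exe entries are benign controls added for contrast, and the `sanctioned` flag stands in for an organisation's approved-remote-access-tools list (assumption). The rules are deliberately not signature-based: every binary, path and service name here is the vendor's legitimate one, so the detections hinge on the C2 addresses, the Remote Utilities host ports, the silent msiexec/rutserv install sequence out of a Temp staging directory, and whether the tool is approved at all.

```python
"""Host triage against the indicators above. Added example, not the analyst's
tooling and not Remote Utilities code. Inputs are constructed from the page's
comp / proc / persist sections; chrome.exe and git.exe are benign controls,
and `sanctioned` is a placeholder for an approved-tools list (assumption)."""
import re

C2_IPS = {"145.239.23.207", "178.210.76.171", "194.156.99.64",
          "195.24.68.15", "139.28.38.254"}            # this and previous contacts
RU_HOST_PORTS = {5651, 5652}                           # Remote Utilities host ports in the captures
RU_BINARIES = {"rutserv.exe", "rfusclient.exe"}
# host.msi staged under %TEMP%\RUT_{GUID}, as in the proc and drop sections
STAGING_RE = re.compile(r"\\temp\\rut_\{[0-9a-f-]+\}\\host\.msi", re.I)

# "process pid proto remote_ip remote_port state", as printed in the comp section
NETSTAT = """\
rutserv.exe 2848 TCP 195.24.68.15 8080 SYN_SENT
rutserv.exe 2848 TCP 145.239.23.207 80 ESTABLISHED
rutserv.exe 2848 TCP 145.239.23.207 5651 ESTABLISHED
rutserv.exe 2848 TCP 194.156.99.64 465 SYN_SENT
[System] 0 TCP 178.210.76.171 8080 TIME_WAIT
chrome.exe 4120 TCP 142.250.74.78 443 ESTABLISHED
"""


def parse_connections(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        proc, pid, proto, ip, port, state = parts
        rows.append({"proc": proc, "pid": int(pid), "proto": proto,
                     "ip": ip, "port": int(port), "state": state})
    return rows


def match_connections(rows):
    """(row, reasons) for each connection touching a C2 IP, a Remote Utilities
    binary or a Remote Utilities host port. TIME_WAIT sockets are owned by
    [System] once the process has closed them, so the IP match must not be
    gated on the process name."""
    hits = []
    for r in rows:
        reasons = []
        if r["ip"] in C2_IPS:
            reasons.append("destination is a listed C2 IP")
        if r["proc"].lower() in RU_BINARIES:
            reasons.append("Remote Utilities binary")
        if r["port"] in RU_HOST_PORTS:
            reasons.append("Remote Utilities host port")
        if reasons:
            hits.append((r, reasons))
    return hits


# command lines from the proc section, plus one benign control
PROCS = [
    r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\support\AppData\Local\Temp\RUT_{AAA8EB55-ADCE-43C6-95B0-CECF340AB2AD}\host.msi" /qn',
    r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall',
    r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall',
    r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service',
    r'"C:\Program Files\Git\bin\git.exe" status',
]


def classify_cmdline(cmd):
    """Label the unattended-install steps; None for anything else."""
    c = cmd.lower()
    if "msiexec" in c and "/qn" in c and STAGING_RE.search(cmd):
        return "silent msiexec install of host.msi from a Temp RUT_{GUID} staging dir"
    if "rutserv.exe" in c and "/silentinstall" in c:
        return "rutserv.exe unattended host install"
    if "rutserv.exe" in c and "/firewall" in c:
        return "rutserv.exe opening its own firewall exception"
    return None


# the service entry from the persist section
SERVICE = {"name": "RManService",
           "image_path": r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service',
           "vendor": "Remote Utilities LLC"}


def service_finding(svc, sanctioned=False):
    """Name, path and vendor are all genuine, so a vendor/signature allowlist
    passes it; the only decision is whether the tool is approved on this host."""
    if svc["name"].lower() == "rmanservice" and not sanctioned:
        return (f"{svc['name']} ({svc['vendor']}) registered at {svc['image_path']} "
                f"but Remote Utilities is not an approved remote-access tool")
    return None


def triage(sanctioned=False):
    return {"network": match_connections(parse_connections(NETSTAT)),
            "process": [(p, classify_cmdline(p)) for p in PROCS if classify_cmdline(p)],
            "service": service_finding(SERVICE, sanctioned)}


if __name__ == "__main__":
    for section, items in triage().items():
        print(section, items)
```

On a live host the three inputs come from `netstat -ano` joined to `tasklist`, the process-creation log (Sysmon event 1 or 4688 with command-line auditing), and the Services key or `sc qc RManService`; the rules above are the part that has to be written, the collection is stock.
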
# # #
VT details

Dropped files
**************
https://www.virustotal.com/gui/file/f65b5ba993f70b092df734bd504a63090cc621343e614c25f1e78643e46741e4/details
https://www.virustotal.com/gui/file/d88aeb0e0d5b88735950db9eb679414d5eb2d365d4d4238469c5ffd92497ceba/details
https://www.virustotal.com/gui/file/89bbc2f17098224b315c84003ee828959cd1e2155b3415cff861dd0c8a43d875/details
https://www.virustotal.com/gui/file/f5967507c1d320ff9388859419bebbc4caa3a07a298c4f666d3def053cded561/details

installed
**************
https://www.virustotal.com/gui/file/24b9025944524d14721a9d4ac4fcc40285410a1753c973cd96c526adfa679bab/details
https://www.virustotal.com/gui/file/85b67377703bb2b9509d2fb895bb96d2afd42fe2e69f3d6c265f3a5e5c239598/details
https://www.virustotal.com/gui/file/1f54cb5415178dcb7d43c158898aed122e443a2edd15c85f525fce9cad01ae41/details

original_utility
**************
https://www.virustotal.com/gui/file/d4d3ef9196b5dac53d1e06d738eb3e529578752bf9e8cfd2900a600d5f10a7e5/details

IP
**************
https://www.virustotal.com/gui/ip-address/145.239.23.207/details
https://www.virustotal.com/gui/ip-address/178.210.76.171/details
https://www.virustotal.com/gui/ip-address/194.156.99.64/details
https://www.virustotal.com/gui/ip-address/195.24.68.15/details


VR