#rurat_020224

#IOC #OptiData #VR #rurat #RemoteUtilitiesLLC #EXE #bitbucket #GDrive

https://pastebin.com/GNKhyVNq

previous_contact:
22/01/24    https://pastebin.com/KdtLzhQF
11/01/24    https://pastebin.com/j8h6XpV7
28/01/22    https://pastebin.com/7ndYBz5Q

FAQ:
https://www.remoteutilities.com/download/

attack_vector
--------------
email body URL > bitbucket _org / Gdrive > GET .7z > .rar (PWD) > .exe > UAC > install > rutserv.exe > 185_70_104_90

# # # # # # # #
email_headers
# # # # # # # #
Date: Fri, 2 Feb 2024 06:00:33 +0300
Subject: вихідна вимога № 103793 /2024
From: Жирко Чеслава Азарівна <progetti@ internetdays_it>
Reply-To: Одеський апеляційний господарський суд <inbox @ oda_arbitr_gov_ua>
Received: from smtp.mmm.it ([213_140_4_220])
Received: from DESKTOP-TCRDU4C ([109_107_182_205]) by smtp_mmm_it id 202402020400331496

# # # # # # # #
files
# # # # # # # #
SHA-256		    4dfb87c005fac26c0b4c999c66d7760bc02774eacf82f7f5d37d1cb7656ef8a6
File name	    docs.pdf.7z                     [7-zip archive data, version 0.4]
File size	    19.76 MB (20721376 bytes)

SHA-256		    76e52326c3beab02d2ae15a1bd7083dc95006ad3368d5db5f78de3cc5b3957e5
File name	    Рахунок.rar                     [RAR archive data, v5]              !PWD
File size	    19.76 MB (20719710 bytes)

SHA-256		    92192af947017c20ad861faf4459fb705e63f7083b34c77c1727891b88091573
File name	    Рахунок.pdf.exe                 [PE32+ executable, RAR, msi]        !UAC
File size	    19.98 MB (20949417 bytes)

SHA-256		    e495d63914ad7f23cb14c9d09a7af8d94106d7eed7a6b7c8f5e9aa593d30db25
File name	    Рахунок.7z                      [7-zip archive data, version 0.4]
File size	    19.76 MB (20721612 bytes)

SHA-256		    906d5be9ac30eabcdfaa83dd22bc12ef5c3213617f3894c80d6ebbd50f7b6b5d
File name	    Рахунок-фактура Medoc.pdf.rar
File size	    19.76 MB (20719918 bytes)       [RAR archive data, v5]              !PWD

SHA-256		    5c8d64d3278816980498d063560f2ad04b4a823b577f7979f43c8e3bf33e5b3c
File name	    Рахунок-фактура Medoc.pdf.exe   [PE32+ executable, RAR, msi]        !UAC
File size	    19.98 MB (20949417 bytes)

SHA-256		    0c89262a283c80121ba1176345b230d0ade61cfcf682b92e555a48206fb4074a
File name	    rfusclient.exe                  [PE32 executable]                   !RuRAT
File size	    10.42 MB (10931000 bytes)

SHA-256		    760e2fd3e57186b597d40b996811768e6c4a28ca54685e029104fcf82f68238d
File name	    rutserv.exe                     [PE32 executable , BobSoft Mini]    !RuRAT
File size	    20.17 MB (21148984 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR          drive_google_com /file / d / 14AtQ3u1GbjbJx5jz_3yuujOdjPhR8l4J
                bitbucket_org / obmen-medoc / medoc / downloads / docs.pdf.7z       !downloaded more than 2938 times for ~9 hours

C2              185_70_104_90

netwrk
--------------
64_20_61_146			5655	TCP	49262 → 5655 [SYN]
77_105_132_70			5651	TCP	49275 → 5651 [SYN]
101_99_94_54			80	    TCP	49276 → 80   [SYN]
101_99_94_54			5651	TCP	49277 → 5651 [SYN]
77_105_132_70			80	    TCP	49278 → 80   [SYN]
185_70_104_90			5651	TCP	49280 → 5651 [SYN]

comp
--------------
rutserv.exe	3392	TCP	64_20_61_146	5655	ESTABLISHED
rutserv.exe	3392	TCP	101_99_94_54	80  	ESTABLISHED
rutserv.exe	3392	TCP	101_99_94_54	5651	ESTABLISHED
rutserv.exe	3392	TCP	101_99_94_54	465	    ESTABLISHED
rutserv.exe	3392	TCP	77_105_132_70	5651	ESTABLISHED
rutserv.exe	3392	TCP	185_70_104_90	5651	ESTABLISHED
rutserv.exe	3392	TCP	77_105_132_70	80	    ESTABLISHED
rutserv.exe	3392	TCP	101_99_94_54	5651	ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\files0202\1_docs_pdf\3_Рахунок.pdf.exe		[user]
	C:\Users\operator\Desktop\files0202\1_docs_pdf\3_Рахунок.pdf.exe	[admin]
		C:\Windows\System32\msiexec.exe /i Exel.msi /qn

[another_context_admin_SYSTEM]

C:\Windows\system32\msiexec.exe /V
	C:\Windows\syswow64\MsiExec.exe -Embedding A071272EA45F17245E5A31A8AAD07DB6
	"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\support\AppData\Local\Temp\Exel.msi"
	"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
	"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
	"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
	C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
		"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
	"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray

persist
--------------
RManService	Allows Remote Utilities users to connect to this machine.
Remote Utilities Pty (Cy) Ltd.	c:\program files (x86)\remote utilities - host\rutserv.exe	25.10.2023 14:51


drop
--------------
C:\Users\%admin%\AppData\Local\Temp\Exel.msi
C:\Program Files (x86)\Remote Utilities - Host\*
C:\ProgramData\Remote Utilities\*

# # # # # # # #
additional info
# # # # # # # #
n/a

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/4dfb87c005fac26c0b4c999c66d7760bc02774eacf82f7f5d37d1cb7656ef8a6/details
https://www.virustotal.com/gui/file/76e52326c3beab02d2ae15a1bd7083dc95006ad3368d5db5f78de3cc5b3957e5/details
https://www.virustotal.com/gui/file/92192af947017c20ad861faf4459fb705e63f7083b34c77c1727891b88091573/details
https://www.virustotal.com/gui/file/e495d63914ad7f23cb14c9d09a7af8d94106d7eed7a6b7c8f5e9aa593d30db25/details
https://www.virustotal.com/gui/file/906d5be9ac30eabcdfaa83dd22bc12ef5c3213617f3894c80d6ebbd50f7b6b5d/details
https://www.virustotal.com/gui/file/5c8d64d3278816980498d063560f2ad04b4a823b577f7979f43c8e3bf33e5b3c/details
https://www.virustotal.com/gui/file/0c89262a283c80121ba1176345b230d0ade61cfcf682b92e555a48206fb4074a/details
https://www.virustotal.com/gui/file/760e2fd3e57186b597d40b996811768e6c4a28ca54685e029104fcf82f68238d/details

VR