VRad

#rurat_220124

Jan 22nd, 2024 (edited)
#IOC #OptiData #VR #rurat #RemoteUtilitiesLLC #EXE #bitbucket

https://pastebin.com/KdtLzhQF

previous_contact:
11/01/24 https://pastebin.com/j8h6XpV7
28/01/22 https://pastebin.com/7ndYBz5Q
09/08/21 https://pastebin.com/rh0bNZpN
22/03/21 https://pastebin.com/Dn4w1h8K
09/03/21 https://pastebin.com/70CvpLRE
03/03/21 https://pastebin.com/vBf6Wyr5
03/03/21 https://pastebin.com/br4Cayaz

FAQ:
https://www.remoteutilities.com/download/

attack_vector
--------------
email body URL > bitbucket _org > GET .zip or .rar > .exe > UAC > install > rutserv.exe > 185 _70 _104 _90 : 5655

# # # # # # # #
email_headers
# # # # # # # #
_1
Date: Mon, 22 Jan 2024 02:26:19 +0300
Subject: Державна служба України з надзвичайних ситуацій
From: Петрівська Ярослава Русланівна <aryo.frandika@remala _id>
Received: from smtp _client _5d0 _tachyon _net _id ([101 _255 _0 _45])
Received: from mtan1 _remala _id (mtan1 _remala _id [202 _182 _48 _61])
Received: from WIN _PDDC81NCU8C (unknown [77 _105 _147 _100])
Reply-To: "public@cip _gov _ua" <public@cip.gov.ua>
Message-Id: <20240121232619 _48C025C07CC@mtan1 _remala _id>
----------------------------------------------------------------

_2
Date: Mon, 22 Jan 2024 02:47:46 +0300
Subject: Інформація від Держспецзв'язку України
From: Шкабар Щастислав Захарович <woranittha@alyssawedding _com>
Received: from camel _birch _relay _mailchannels _net ([23 _83 _209 _29])
Received: from nl-srv-smtpout1 _hostinger _io (nl-srv-smtpout1 _hostinger _io [145 _14 _150 _87])
Reply-To: "public@cip _gov _ua" <public@cip.gov.ua>
Message-ID: <1705880868935 _57f9dab2589224e3@alyssawedding _com>

# # # # # # # #
files
# # # # # # # #
SHA-256 20ab498b278b14f3786f634778a04d219c74e9fd8517b98f4aca313c9934b7f2
File name plan _dsns _gov _ua.rar [ RAR archive data, v5 ]
File size 19.83 MB (20789108 bytes)

SHA-256 5158482849c818c270f302c1dfa06d770ed2b5056cf393d60fd56817636866da
File name Електронний план евакуації.exe [ PE32 , sfx: WinRAR ]
File size 20.11 MB (21082556 bytes)

SHA-256 44cb295694f3332b31500c7d8408e6f93bb34a56617ae6850a205ed16c2a42a8
File name CCleaner.zip [ Zip archive data, at least v2.0 to extract ]
File size 69.55 MB (72929920 bytes)

SHA-256 23eda7958cd22e11d5daa39d5a82e5740512c9435a138214b98d1925520bf8e8
File name CCleaner.exe [ PE32 , sfx: WinRAR ]
File size 69.81 MB (73199534 bytes)

SHA-256 0c89262a283c80121ba1176345b230d0ade61cfcf682b92e555a48206fb4074a
File name rfusclient.exe [ PE32 executable ]
File size 10.42 MB (10931000 bytes)

SHA-256 760e2fd3e57186b597d40b996811768e6c4a28ca54685e029104fcf82f68238d
File name rutserv.exe [ PE32 executable , BobSoft Mini Delphi ]
File size 20.17 MB (21148984 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR bitbucket _org / dsnsgovua / dsns / downloads / plan _dsns _gov _ua.rar
bitbucket _org / ccleaners / ccleaner / downloads / CCleaner.zip

C2 185 _70 _104 _90 : 5655

netwrk
--------------

----------------------------------------------------------------
2nd sample

comp
--------------

----------------------------------------------------------------
2nd sample

proc
--------------
C:\Users\operator\Desktop\Електронний план евакуації.exe
C:\Users\operator\Desktop\Електронний план евакуації.exe
"C:\Windows\System32\msiexec.exe" /i install.msi /qn [UAC]

[another context]

C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe -Embedding A000AD5915FC7D85A382DFFCDC63CEF4
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\support\AppData\Local\Temp\install.msi"
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -firewall
C:\Windows\system32\taskhost.exe
C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate
C:\Windows\system32\aitagent.EXE
C:\Windows\system32\defrag.exe -c
C:\Windows\system32\svchost.exe -k defragsvc
C:\Windows\system32\taskhost.exe
C:\Windows\System32\powercfg.exe -energy -auto
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskhost.exe $(Arg0)

----------------------------------------------------------------
2nd sample

C:\Users\operator\Desktop\CCleaner.exe
C:\Users\operator\Desktop\CCleaner.exe
C:\Windows\System32\msiexec.exe
C:\Users\support\AppData\Local\Temp\CCleaner64.exe

[another context]

C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe -Embedding 0E86A042BB96C18556F3D70EC1DFB647
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\support\AppData\Local\Temp\install.msi"
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe"
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -firewall

persist
--------------
RManService Allows Remote Utilities users to connect to this machine. Remote Utilities Pty (Cy) Ltd.
c:\program files (x86)\remote utilities - host\rutserv.exe 25.10.2023 14:51

drop
--------------
C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
C:\ProgramData\Remote Utilities\Logs\rut_log_2024-01.html
C:\Windows\Installer\MSI6E23.tmp
C:\Windows\Installer\472c27.msi
C:\Windows\Installer\472c2b.msi

----------------------------------------------------------------
2nd sample
%admin_temp%\CCleaner64.exe
%admin_temp%\CCleaner.exe
%admin_temp%\x64\CCleanerBugReport.exe
%admin_temp%\x86\CCleanerBugReport.exe

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
C:\ProgramData\Remote Utilities\Logs\rut_log_2024-01.html
C:\Windows\Installer\46b13a.msi
C:\Windows\Installer\46b13e.msi

# # # # # # # #
additional info
# # # # # # # #
C2 185 _70 _104 _90 : 5655 the same as #remcos_180124 https://pastebin.com/FL2fX362

# # # # # # # #
VT & Intezer
# # # # # # # #

VR