- #IOC #OptiData #VR #rurat #RemoteUtilitiesLLC #EXE #bitbucket
- https://pastebin.com/KdtLzhQF
- previous _contact:
- 11/01/24 https://pastebin.com/j8h6XpV7
- 28/01/22 https://pastebin.com/7ndYBz5Q
- 09/08/21 https://pastebin.com/rh0bNZpN
- 22/03/21 https://pastebin.com/Dn4w1h8K
- 09/03/21 https://pastebin.com/70CvpLRE
- 03/03/21 https://pastebin.com/vBf6Wyr5
- 03/03/21 https://pastebin.com/br4Cayaz
- FAQ:
- https://www.remoteutilities.com/download/
- attack _vector
- --------------
- email body URL > bitbucket _org > GET .zip or .rar > .exe > UAC > install > rutserv.exe > 185 _70 _104 _90 : 5655
- # # # # # # # #
- email _headers
- # # # # # # # #
- _1
- Date: Mon, 22 Jan 2024 02:26:19 +0300
- Subject: Державна служба України з надзвичайних ситуацій
- From: Петрівська Ярослава Русланівна <aryo.frandika@remala _id>
- Received: from smtp _client _5d0 _tachyon _net _id ([101 _255 _0 _45])
- Received: from mtan1 _remala _id (mtan1 _remala _id [202 _182 _48 _61])
- Received: from WIN _PDDC81NCU8C (unknown [77 _105 _147 _100])
- Reply-To: "public@cip _gov _ua" <public@cip.gov.ua>
- Message-Id: <20240121232619 _48C025C07CC@mtan1 _remala _id>
- ----------------------------------------------------------------
- _2
- Date: Mon, 22 Jan 2024 02:47:46 +0300
- Subject: Інформація від Держспецзв'язку України
- From: Шкабар Щастислав Захарович <woranittha@alyssawedding _com>
- Received: from camel _birch _relay _mailchannels _net ([23 _83 _209 _29])
- Received: from nl-srv-smtpout1 _hostinger _io (nl-srv-smtpout1 _hostinger _io [145 _14 _150 _87])
- Reply-To: "public@cip _gov _ua" <public@cip.gov.ua>
- Message-ID: <1705880868935 _57f9dab2589224e3@alyssawedding _com>
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 20ab498b278b14f3786f634778a04d219c74e9fd8517b98f4aca313c9934b7f2
- File name plan _dsns _gov _ua.rar [ RAR archive data, v5 ]
- File size 19.83 MB (20789108 bytes)
- SHA-256 5158482849c818c270f302c1dfa06d770ed2b5056cf393d60fd56817636866da
- File name Електронний план евакуації.exe [ PE32 , sfx: WinRAR ]
- File size 20.11 MB (21082556 bytes)
- SHA-256 44cb295694f3332b31500c7d8408e6f93bb34a56617ae6850a205ed16c2a42a8
- File name CCleaner.zip [ Zip archive data, at least v2.0 to extract ]
- File size 69.55 MB (72929920 bytes)
- SHA-256 23eda7958cd22e11d5daa39d5a82e5740512c9435a138214b98d1925520bf8e8
- File name CCleaner.exe [ PE32 , sfx: WinRAR ]
- File size 69.81 MB (73199534 bytes)
- SHA-256 0c89262a283c80121ba1176345b230d0ade61cfcf682b92e555a48206fb4074a
- File name rfusclient.exe [ PE32 executable ]
- File size 10.42 MB (10931000 bytes)
- SHA-256 760e2fd3e57186b597d40b996811768e6c4a28ca54685e029104fcf82f68238d
- File name rutserv.exe [ PE32 executable , BobSoft Mini Delphi ]
- File size 20.17 MB (21148984 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL _SCR bitbucket _org / dsnsgovua / dsns / downloads / plan _dsns _gov _ua.rar
- bitbucket _org / ccleaners / ccleaner/ downloads / CCleaner.zip
- C2 185 _70 _104 _90 : 5655
- netwrk
- --------------
- 185 _70 _104 _90 5655 TCP 49257 → 5655 [SYN]
- 109 _107 _182 _205 5651 TCP 49274 → 5651 [SYN]
- 109 _107 _182 _207 5651 TCP 49275 → 5651 [SYN]
- 77 _105 _132 _124 5651 TCP 49277 → 5651 [SYN]
- 109 _107 _182 _232 5651 TCP 49276 → 5651 [SYN]
- 185 _70 _104 _90 5651 TCP 49281 → 5651 [SYN]
- 109 _107 _182 _200 5651 TCP 49278 → 5651 [SYN]
- 185 _70 _104 _99 5651 TCP 49280 → 5651 [SYN]
- 185 _70 _104 _112 5651 TCP 49284 → 5651 [SYN]
- 185 _70 _104 _90 8080 TCP 49288 → 8080 [SYN]
- 77 _105 _132 _70 5651 TCP 49285 → 5651 [SYN]
- 109 _107 _182 _212 5651 TCP 49289 → 5651 [SYN]
- 5 _42 _92 _37 5651 TCP 49279 → 5651 [SYN]
- 5 _42 _92 _37 5651 TCP 49279 → 5651 [SYN]
- 5 _42 _92 _44 5651 TCP 49286 → 5651 [SYN]
- 5 _42 _92 _32 5651 TCP 49287 → 5651 [SYN]
- 5 _42 _92 _31 5651 TCP 49290 → 5651 [SYN]
- ----------------------------------------------------------------
- 2nd sample
- 95 _100 _146 _48 ncc _avast _com 80 HTTP GET /ncc.txt HTTP/1.1 Avast Antivirus
- 34 _117 _223 _223 analytics _avcdn _net 443 TLSv1.1 Client Hello
- 2 _19 _217 _211 443 TCP 49245 → 443 [SYN]
- 34 _111 _24 _1 ipm _provider _ff _avast _com 443 TLSv1.2 Client Hello
- 2 _19 _217 _211 www _ccleaner _com 443 TLSv1.2 Client Hello
- 2 _19 _217 _211 license _api _ccleaner _com 443 TLSv1.2 Client Hello
- 34 _111 _24 _1 ipm-provider _ff _avast _com 443 TLSv1.2 Client Hello
- 34 _117 _223 _223 analytics _ff _avast _com 443 TLSv1.1 Client Hello
- 185 _70 _104 _90 5655 TCP 49257 → 5655 [SYN]
- 109 _107 _182 _205 5651 TCP 49274 → 5651 [SYN]
- 109 _107 _182 _207 5651 TCP 49275 → 5651 [SYN]
- 77 _105 _132 _124 5651 TCP 49277 → 5651 [SYN]
- 109 _107 _182 _232 5651 TCP 49276 → 5651 [SYN]
- 185 _70 _104 _90 5651 TCP 49281 → 5651 [SYN]
- 109 _107 _182 _200 5651 TCP 49278 → 5651 [SYN]
- 185 _70 _104 _99 5651 TCP 49280 → 5651 [SYN]
- 185 _70 _104 _112 5651 TCP 49284 → 5651 [SYN]
- 185 _70 _104 _90 8080 TCP 49288 → 8080 [SYN]
- 77 _105 _132 _70 5651 TCP 49285 → 5651 [SYN]
- 109 _107 _182 _212 5651 TCP 49289 → 5651 [SYN]
- 5 _42 _92 _37 5651 TCP 49279 → 5651 [SYN]
- 5 _42 _92 _37 5651 TCP 49279 → 5651 [SYN]
- 5 _42 _92 _44 5651 TCP 49286 → 5651 [SYN]
- 5 _42 _92 _32 5651 TCP 49287 → 5651 [SYN]
- 5 _42 _92 _31 5651 TCP 49290 → 5651 [SYN]
- comp
- --------------
- rutserv.exe 3596 TCP 185 _70 _104 _90 5655 ESTABLISHED
- rutserv.exe 3596 TCP 185 _70 _104 _90 5655 ESTABLISHED
- rutserv.exe 3596 TCP 109 _107 _182 _205 5651 ESTABLISHED
- rutserv.exe 3596 TCP 109 _107 _182 _232 5651 ESTABLISHED
- rutserv.exe 3596 TCP 77 _105 _132 _124 5651 ESTABLISHED
- rutserv.exe 3596 TCP 109 _107 _182 _200 5651 ESTABLISHED
- rutserv.exe 3596 TCP 5 _42 _92 _37 5651 ESTABLISHED
- rutserv.exe 3596 TCP 185 _70 _104 _99 5651 ESTABLISHED
- rutserv.exe 3596 TCP 185 _70 _104 _90 5651 ESTABLISHED
- rutserv.exe 3596 TCP 188 _114 _96 _9 5651 ESTABLISHED
- rutserv.exe 3596 TCP 185 _70 _104 _112 5651 ESTABLISHED
- rutserv.exe 3596 TCP 5 _42 _92 _44 5651 ESTABLISHED
- rutserv.exe 3596 TCP 5 _42 _92 _32 5651 ESTABLISHED
- rutserv.exe 3596 TCP 185 _70 _104 _90 8080 ESTABLISHED
- rutserv.exe 3596 TCP 5 _42 _92 _31 5651 ESTABLISHED
- ----------------------------------------------------------------
- 2nd sample
- CCleaner64.exe 2856 TCP 95 _100 _146 _48 80 ESTABLISHED
- CCleaner64.exe 2856 TCP 34 _117 _223 _223 443 ESTABLISHED
- CCleaner64.exe 2856 TCP 34 _111 _24 _1 443 ESTABLISHED
- CCleaner64.exe 2856 TCP 2 _19 _217 _211 443 ESTABLISHED
- rutserv.exe 2180 TCP 5 _42 _92 _32 5651 ESTABLISHED
- rutserv.exe 2180 TCP 109 _107 _182 _232 5651 ESTABLISHED
- rutserv.exe 2180 TCP 109 _107 _182 _205 5651 ESTABLISHED
- rutserv.exe 2180 TCP 5 _42 _92 _31 5651 ESTABLISHED
- rutserv.exe 2180 TCP 5 _42 _92 _44 5651 ESTABLISHED
- rutserv.exe 2180 TCP 185 _70 _104 _90 8080 ESTABLISHED
- rutserv.exe 2180 TCP 185 _70 _104 _112 5651 ESTABLISHED
- rutserv.exe 2180 TCP 185 _70 _104 _90 5651 ESTABLISHED
- rutserv.exe 2180 TCP 109 _107 _182 _200 5651 ESTABLISHED
- rutserv.exe 2180 TCP 77 _105 _132 _124 5651 ESTABLISHED
- rutserv.exe 2180 TCP 185 _70 _104 _99 5651 ESTABLISHED
- rutserv.exe 2180 TCP 5 _42 _92 _37 5651 ESTABLISHED
- rutserv.exe 2180 TCP 188 _114 _96 _9 5651 ESTABLISHED
- rutserv.exe 2180 TCP 185 _70 _104 _90 5655 ESTABLISHED
- proc
- --------------
- C:\Users\operator\Desktop\Електронний план евакуації.exe
- C:\Users\operator\Desktop\Електронний план евакуації.exe
- "C:\Windows\System32\msiexec.exe" /i install.msi /qn [UAC]
- [another context]
- C:\Windows\system32\msiexec.exe /V
- C:\Windows\syswow64\MsiExec.exe -Embedding A000AD5915FC7D85A382DFFCDC63CEF4
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi _copy "C:\Users\support\AppData\Local\Temp\install.msi"
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
- C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -firewall
- C:\Windows\system32\taskhost.exe
- C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate
- C:\Windows\system32\aitagent.EXE
- C:\Windows\system32\defrag.exe -c
- C:\Windows\system32\svchost.exe -k defragsvc
- C:\Windows\system32\taskhost.exe
- C:\Windows\System32\powercfg.exe -energy -auto
- C:\Windows\system32\taskhost.exe
- C:\Windows\system32\taskhost.exe $(Arg0)
- ----------------------------------------------------------------
- 2nd sample
- C:\Users\operator\Desktop\CCleaner.exe
- C:\Users\operator\Desktop\CCleaner.exe
- C:\Windows\System32\msiexec.exe
- C:\Users\support\AppData\Local\Temp\CCleaner64.exe
- [another context]
- C:\Windows\system32\msiexec.exe /V
- C:\Windows\syswow64\MsiExec.exe -Embedding 0E86A042BB96C18556F3D70EC1DFB647
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi _copy "C:\Users\support\AppData\Local\Temp\install.msi"
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe"
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -firewall
- persist
- --------------
- RManService Allows Remote Utilities users to connect to this machine. Remote Utilities Pty (Cy) Ltd.
- c:\program files (x86)\remote utilities - host\rutserv.exe 25.10.2023 14:51
- drop
- --------------
- C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
- C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
- C:\ProgramData\Remote Utilities\Logs\rut _log _2024-01.html
- C:\Windows\Installer\MSI6E23.tmp
- C:\Windows\Installer\472c27.msi
- C:\Windows\Installer\472c2b.msi
- ----------------------------------------------------------------
- 2nd sample
- %admin _temp%\CCleaner64.exe
- %admin _temp%\CCleaner.exe
- %admin _temp%\x64\CCleanerBugReport.exe
- %admin _temp%\x86\CCleanerBugReport.exe
- C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
- C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
- C:\ProgramData\Remote Utilities\Logs\rut _log _2024-01.html
- C:\Windows\Installer\46b13a.msi
- C:\Windows\Installer\46b13e.msi
- # # # # # # # #
- additional info
- # # # # # # # #
- C2 185 _70 _104 _90 : 5655 the same was #remcos _180124 https://pastebin.com/FL2fX362
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/url/1205cd4f82d574de28c538d72c0791b6d5a84bf56ef7581e2d42bd2baf32856b/details
- https://www.virustotal.com/gui/file/20ab498b278b14f3786f634778a04d219c74e9fd8517b98f4aca313c9934b7f2/details
- https://www.virustotal.com/gui/file/5158482849c818c270f302c1dfa06d770ed2b5056cf393d60fd56817636866da/details
- https://www.virustotal.com/gui/url/0f8a9a8e4832700467095ee4f0b86f8a37248404b93631599eecc9856f8d1e34/details
- https://www.virustotal.com/gui/file/44cb295694f3332b31500c7d8408e6f93bb34a56617ae6850a205ed16c2a42a8/details
- https://www.virustotal.com/gui/file/23eda7958cd22e11d5daa39d5a82e5740512c9435a138214b98d1925520bf8e8/details
- https://www.virustotal.com/gui/file/0c89262a283c80121ba1176345b230d0ade61cfcf682b92e555a48206fb4074a/details
- https://www.virustotal.com/gui/file/760e2fd3e57186b597d40b996811768e6c4a28ca54685e029104fcf82f68238d/details
- VR