- #IOC #OptiData #VR #rurat #RemoteUtilitiesLLC #EXE #UPX
- https://pastebin.com/br4Cayaz
- previous_contact: n/a
- FAQ:
- https://www.remoteutilities.com/download/#
- attack_vector
- --------------
- email (lure impersonating the Kyiv City Prosecutor's Office, sent through the authenticated but unrelated mailbox administracija@gargzduspc.lt) > attached .zip > nested .rar > .exe1 (UPX-packed) > .exe2 (unpacked Delphi dropper) > drops host.msi under %TEMP%\RUT_{GUID} > msiexec /i host.msi /qn (silent install) > rutserv.exe /silentinstall > registered and started as service RManService
- email_headers
- --------------
- Return-Path: <administracija@gargzduspc.lt>
- Received: from mail3.kompro.lt (mail3.kompro.lt [88.119.178.11])
- Received: from mail3.kompro.lt (localhost [127.0.0.1])
- by mail3.kompro.lt (Postfix) with ESMTPS id 2C62720FD4
- Received: from gmail.com (unknown [176.100.167.8])
- (Authenticated sender: administracija@gargzduspc.lt)
- by mail3.kompro.lt (Postfix) with ESMTPA id 7235320FE9
- From: Київська міська прокуратура <administracija@gargzduspc.lt> (display name: "Kyiv City Prosecutor's Office")
- Subject: Київська міська прокуратура ("Kyiv City Prosecutor's Office")
- Reply-To: <zapros@kyiv.gp.gov.ua>
- Date: Wed, 3 Mar 2021 08:08:21 +0200
- Message-Id: <20210303060914.2C62720FD4@mail3.kompro.lt>
- Old-X-EsetId: 23BAF433C7B978693CBCF464C4ED3E33
- X-EsetId: 23BAF433C7B978693CBCF464C4ED3E33
- X-EsetScannerBuild: 48633
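The headers above carry the three tells of this lure: Reply-To goes to a domain the sender does not control, the message was submitted with the mailbox's own credentials (Authenticated sender) from an unrelated host that claims a gmail.com HELO but has no reverse DNS, and the Cyrillic display name does not fit the Lithuanian sending domain. The following script is an added example, not part of the paste or of any vendor tool; it re-parses a copy of the headers (re-indented so the stdlib parser folds the Received lines) and reports those findings. The webmail list and the TLD check are assumptions to be tuned per environment.

```python
from __future__ import annotations
import re
from email import message_from_string
from email.utils import parseaddr

# Header block reconstructed from the paste (constructed sample input, not a live message).
# Continuation lines are re-indented so that the stdlib parser folds them.
HEADERS = """\
Return-Path: <administracija@gargzduspc.lt>
Received: from mail3.kompro.lt (mail3.kompro.lt [88.119.178.11])
Received: from mail3.kompro.lt (localhost [127.0.0.1])
    by mail3.kompro.lt (Postfix) with ESMTPS id 2C62720FD4
Received: from gmail.com (unknown [176.100.167.8])
    (Authenticated sender: administracija@gargzduspc.lt)
    by mail3.kompro.lt (Postfix) with ESMTPA id 7235320FE9
From: Київська міська прокуратура <administracija@gargzduspc.lt>
Subject: Київська міська прокуратура
Reply-To: <zapros@kyiv.gp.gov.ua>
Date: Wed, 3 Mar 2021 08:08:21 +0200
Message-Id: <20210303060914.2C62720FD4@mail3.kompro.lt>
"""

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)")
AUTH_RE = re.compile(r"Authenticated sender:\s*(?P<acct>[^\s)]+)")
CYRILLIC_RE = re.compile(r"[\u0400-\u04FF]")
WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}   # assumption: tune per environment


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(raw_headers: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings for a raw header block."""
    msg = message_from_string(raw_headers)
    findings: list[tuple[str, str]] = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom = _domain(from_addr)

    # 1. Replies are redirected to a domain the sender does not control.
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(("REPLY_TO_MISMATCH", f"From {from_dom} but Reply-To {_domain(reply_to)}"))

    # 2. Submission hop: the account's own credentials were used (so this is a
    #    compromised or attacker-owned mailbox, not a forged From), from a host
    #    with a webmail HELO and/or no reverse DNS.
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())          # unfold continuation lines
        auth = AUTH_RE.search(hop)
        path = RECEIVED_RE.search(hop)
        if not (auth and path):
            continue
        helo, rdns, ip = path.group("helo", "rdns", "ip")
        if rdns == "unknown" or helo.lower() in WEBMAIL:
            acct = auth.group("acct")
            who = "sending account itself" if acct.lower() == return_path.lower() else acct
            findings.append(("AUTH_SUBMIT_ANOMALY",
                             f"{who} authenticated from {ip} (HELO {helo}, rDNS {rdns})"))

    # 3. Lure text in a script that does not fit the sending domain's TLD
    #    (assumption: Cyrillic lures from non-Cyrillic-country TLDs are suspicious).
    lure = f'{msg.get("From", "")} {msg.get("Subject", "")}'
    if CYRILLIC_RE.search(lure) and not from_dom.endswith((".ua", ".ru", ".by", ".kz")):
        findings.append(("LURE_LANGUAGE_MISMATCH", f"Cyrillic display name/subject from {from_dom}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(HEADERS):
        print(f"{code:24} {detail}")
```

Run it against the headers of a suspect message (paste the raw header block in place of HEADERS); the AUTH_SUBMIT_ANOMALY finding is the one that decides the response, because it means the sending mailbox's password is in the attacker's hands and the domain owner, not the spoofed agency, has to be notified.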
- files
- --------------
- SHA-256 dcbd90e2d64b3ec37fc548598d9a4c8c34e25fa520a8f64143df1f128f7cdaca
- File name Електронний запит документів.zip ("Electronic document request.zip") [Zip archive data, at least v1.0 to extract]
- File size 19.92 MB (20890277 bytes)
- SHA-256 c3f8a7c0927ff421d195d22c2a136b2067fb66d67a005ea7225cd31d68e552d6
- File name Електронний запит документів.rar ("Electronic document request.rar") [RAR archive data, v8a,]
- File size 19.92 MB (20889695 bytes)
- SHA-256 7a986db7a9d76e881ade9ffa143ba36a84808c7e29dfc3ead49241b00a61637e
- File name Електронний запит документів.exe ("Electronic document request.exe") [PE32 executable, UPX 2.90 [LZMA]]
- File size 20.41 MB (21399664 bytes)
- SHA-256 8c8d24125a330aa8e7510bacf2d7c7d644d0f0caf0d56878d529d0628b067639
- File name unpacked.exe [PE32 executable, BobSoft Mini Delphi]
- File size 22.80 MB (23911024 bytes)
- original_utility (signed, not modified)
- --------------
- SHA-256 d4d3ef9196b5dac53d1e06d738eb3e529578752bf9e8cfd2900a600d5f10a7e5
- File name host7.0.0.1.exe [PE32 executable, UPX 2.90 [LZMA]]
- File size 20.41 MB (21397752 bytes)
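The malicious .exe and the vendor's own host7.0.0.1.exe are both UPX 2.90 builds of almost the same size, which is why a hash match alone is the reliable indicator and why the analyst unpacked the sample (unpacked.exe shows the Delphi layout underneath). The script below is an added example, not part of the paste or of Remote Utilities: it looks files up against the SHA-256 list above and, independently of any signature database, reads the PE section table by hand to spot UPX's UPX0/UPX1 sections. The fake PE builder is constructed test input; the section names it uses for the Delphi case (CODE, DATA, BSS) are the usual Borland layout and an assumption for illustration only.

```python
from __future__ import annotations
import hashlib
import struct
from typing import Optional

# SHA-256 values from the paste, keyed to the file each one identifies.
IOC_SHA256 = {
    "dcbd90e2d64b3ec37fc548598d9a4c8c34e25fa520a8f64143df1f128f7cdaca": "Електронний запит документів.zip",
    "c3f8a7c0927ff421d195d22c2a136b2067fb66d67a005ea7225cd31d68e552d6": "Електронний запит документів.rar",
    "7a986db7a9d76e881ade9ffa143ba36a84808c7e29dfc3ead49241b00a61637e": "Електронний запит документів.exe (UPX)",
    "8c8d24125a330aa8e7510bacf2d7c7d644d0f0caf0d56878d529d0628b067639": "unpacked.exe (Delphi)",
    "d4d3ef9196b5dac53d1e06d738eb3e529578752bf9e8cfd2900a600d5f10a7e5": "host7.0.0.1.exe (legitimate, signed)",
}


def lookup_ioc(sha256_hex: str) -> Optional[str]:
    return IOC_SHA256.get(sha256_hex.lower())


def pe_section_names(data: bytes) -> list[str]:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table, return section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)    # COFF.NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)       # COFF.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                   # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + i * 40                                           # sizeof(IMAGE_SECTION_HEADER)
        if off + 8 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    # UPX names its sections UPX0/UPX1 (plus UPX2 or .rsrc for resources); a renamed
    # stub would evade this, so treat it as a triage hint, not proof.
    return any(n.startswith("UPX") for n in pe_section_names(data))


def classify(data: bytes) -> dict:
    digest = hashlib.sha256(data).hexdigest()
    return {"sha256": digest, "ioc": lookup_ioc(digest),
            "sections": pe_section_names(data), "upx": looks_upx_packed(data)}


def build_fake_pe(section_names: list[str]) -> bytes:
    """Constructed minimal PE (headers only, not loadable) to exercise the parser offline."""
    e_lfanew = 0x40
    mz = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader=0, Characteristics=0
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return mz + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    samples = {
        "upx-packed": build_fake_pe(["UPX0", "UPX1", ".rsrc"]),
        "delphi-unpacked": build_fake_pe(["CODE", "DATA", "BSS", ".idata", ".rsrc"]),
    }
    for label, blob in samples.items():
        print(label, classify(blob))
```

On a real sample, feed `classify(open(path, "rb").read())` the file; a hash hit in IOC_SHA256 is conclusive, a UPX hint with no hash hit means the attacker may have rebuilt the installer and the file should be unpacked (`upx -d`) and compared against the signed vendor build.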
- activity
- **************
- PL_SCR attached exe
- C2 139.28.38.254 (the installed host connects straight to this address on TCP 80, 8080 and 5651 rather than to the vendor's relay; see netwrk and comp below)
- netwrk
- --------------
- tcp.port == 80 || tcp.port == 8080 || tcp.port == 5651
- 139.28.38.254 51143 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
- 139.28.38.254 51141 → 8080 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
- 139.28.38.254 51141 → 8080 [ACK] Seq=1 Ack=1 Win=64240 Len=0
- comp
- --------------
- rutserv.exe 520 TCP 139.28.38.254 8080 FIN_WAIT
- rutserv.exe 520 TCP 139.28.38.254 5651 FIN_WAIT
- rutserv.exe 520 TCP 139.28.38.254 80 FIN_WAIT
- proc
- --------------
- C:\Users\operator\Desktop\Електронний запит документів.exe [upx]
- C:\Users\operator\Desktop\Електронний запит документів.exe [unpack]
- "C:\Windows\System32\msiexec.exe" /i "C:\Users\support\AppData\Local\Temp\RUT_{7D2750A6-5C02-4E78-9C14-6CBF5FDD3D50}\host.msi" /qn
- [another context]
- C:\Windows\system32\msiexec.exe /V
- C:\Windows\syswow64\MsiExec.exe -Embedding F1C1DC81815FA852DC12DB1CCFB6DBAA
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\support\AppData\Local\Temp\RUT_{7D2750A6-5C02-4E78-9C14-6CBF5FDD3D50}\host.msi"
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe"
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -firewall
- persist
- --------------
- HKLM\System\CurrentControlSet\Services 03.03.2021 11:37
- RManService Allows Remote Utilities users to connect to this machine. Remote Utilities LLC
- c:\program files (x86)\remote utilities - host\rutserv.exe 28.02.2021 14:25
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
- drop
- --------------
- C:\Program Files (x86)\Remote Utilities - Host\*
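The proc, persist and netwrk sections together give a detection chain for this abuse of a legitimate RAT: msiexec installing host.msi silently (/qn) out of a %TEMP%\RUT_{GUID} folder, rutserv.exe run with its /silentinstall and firewall-rule flags, the RManService service being registered, and rutserv.exe talking to a non-approved server on 80/8080/5651. The code below is an added example, not part of the paste and not a Remote Utilities or Sysmon component; it runs those rules over constructed Sysmon-style events copied from the lines above. ALLOWED_RU_SERVERS is an assumed allowlist an organisation that legitimately runs its own RU Server would fill in.

```python
from __future__ import annotations
import re

RU_HOST = r"C:\Program Files (x86)\Remote Utilities - Host"

# Sysmon-style events reconstructed from the paste (constructed sample input).
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\support\AppData\Local\Temp\RUT_{7D2750A6-5C02-4E78-9C14-6CBF5FDD3D50}\host.msi" /qn'},
    {"type": "process", "image": r"C:\Windows\system32\msiexec.exe", "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"type": "process", "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding F1C1DC81815FA852DC12DB1CCFB6DBAA"},
    {"type": "process", "image": RU_HOST + r"\rutserv.exe", "cmdline": f'"{RU_HOST}\\rutserv.exe" /silentinstall'},
    {"type": "process", "image": RU_HOST + r"\rutserv.exe", "cmdline": f'"{RU_HOST}\\rutserv.exe" /firewall'},
    {"type": "process", "image": RU_HOST + r"\rutserv.exe", "cmdline": f'"{RU_HOST}\\rutserv.exe" /start'},
    {"type": "process", "image": RU_HOST + r"\rutserv.exe", "cmdline": f'"{RU_HOST}\\rutserv.exe" -service'},
    {"type": "process", "image": RU_HOST + r"\rfusclient.exe", "cmdline": f'"{RU_HOST}\\rfusclient.exe" /tray'},
    {"type": "process", "image": RU_HOST + r"\rutserv.exe", "cmdline": f'"{RU_HOST}\\rutserv.exe" -firewall'},
    {"type": "service_install", "name": "RManService", "image_path": f'"{RU_HOST}\\rutserv.exe" -service'},
    {"type": "network", "image": RU_HOST + r"\rutserv.exe", "dst_ip": "139.28.38.254", "dst_port": 8080},
    {"type": "network", "image": RU_HOST + r"\rutserv.exe", "dst_ip": "139.28.38.254", "dst_port": 5651},
    {"type": "network", "image": RU_HOST + r"\rutserv.exe", "dst_ip": "139.28.38.254", "dst_port": 80},
]

# host.msi dropped into a RUT_{GUID} folder under Temp, exactly as in the proc section.
RU_MSI_RE = re.compile(r"\\Temp\\RUT_\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\host\.msi", re.I)
RUTSERV_INSTALL_FLAGS = {"/silentinstall", "/firewall", "-firewall"}   # install-time flags from the proc section
RU_PORTS = {80, 8080, 5651}                                           # ports seen in the capture
ALLOWED_RU_SERVERS: set[str] = set()   # assumption: IPs of an organisation's own RU Server go here


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, evidence) alerts for the Remote Utilities install chain."""
    alerts: list[tuple[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            image = ev["image"].lower()
            tokens = [t.lower() for t in ev["cmdline"].split()]
            if image.endswith("\\msiexec.exe") and RU_MSI_RE.search(ev["cmdline"]) and "/qn" in tokens:
                alerts.append(("RU_SILENT_MSI_INSTALL", ev["cmdline"]))
            elif image.endswith("\\rutserv.exe") and RUTSERV_INSTALL_FLAGS & set(tokens):
                alerts.append(("RU_HOST_INSTALL_FLAG", ev["cmdline"]))
        elif kind == "service_install":
            if ev["name"].lower() == "rmanservice" or "rutserv.exe" in ev["image_path"].lower():
                alerts.append(("RU_SERVICE_PERSISTENCE", f'{ev["name"]} = {ev["image_path"]}'))
        elif kind == "network":
            if (ev["image"].lower().endswith("\\rutserv.exe")
                    and ev["dst_port"] in RU_PORTS
                    and ev["dst_ip"] not in ALLOWED_RU_SERVERS):
                alerts.append(("RU_DIRECT_C2", f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(f"{rule:24} {evidence}")
```

The ordinary msiexec service activity (/V, -Embedding) and the rfusclient.exe tray process are deliberately left unflagged so the rules stay quiet on a sanctioned Remote Utilities deployment; the MSI-from-Temp and non-allowlisted-server rules are the ones that separate this campaign from legitimate use.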
- # # #
- https://www.virustotal.com/gui/file/dcbd90e2d64b3ec37fc548598d9a4c8c34e25fa520a8f64143df1f128f7cdaca/details
- https://www.virustotal.com/gui/file/c3f8a7c0927ff421d195d22c2a136b2067fb66d67a005ea7225cd31d68e552d6/details
- https://www.virustotal.com/gui/file/7a986db7a9d76e881ade9ffa143ba36a84808c7e29dfc3ead49241b00a61637e/details
- https://www.virustotal.com/gui/file/8c8d24125a330aa8e7510bacf2d7c7d644d0f0caf0d56878d529d0628b067639/details
- original_utility
- https://www.virustotal.com/gui/file/d4d3ef9196b5dac53d1e06d738eb3e529578752bf9e8cfd2900a600d5f10a7e5/details
- VR