VRad

#rurat_030321

Mar 3rd, 2021 (edited)
#IOC #OptiData #VR #rurat #RemoteUtilitiesLLC #EXE #UPX

https://pastebin.com/br4Cayaz

previous_contact: n/a

FAQ:
https://www.remoteutilities.com/download/#

attack_vector
--------------
email > attach .zip > .rar > .exe1 (UPX) > exe2 > MSI > install > run as service

email_headers
--------------
Return-Path: <administracija@gargzduspc.lt>
Received: from mail3.kompro.lt (mail3.kompro.lt [88.119.178.11])
Received: from mail3.kompro.lt (localhost [127.0.0.1])
by mail3.kompro.lt (Postfix) with ESMTPS id 2C62720FD4
Received: from gmail.com (unknown [176.100.167.8])
(Authenticated sender: administracija@gargzduspc.lt)
by mail3.kompro.lt (Postfix) with ESMTPA id 7235320FE9
From: Київська міська прокуратура <administracija@gargzduspc.lt>
Subject: Київська міська прокуратура
Reply-To: <zapros@kyiv.gp.gov.ua>
Date: Wed, 3 Mar 2021 08:08:21 +0200
Message-Id: <20210303060914.2C62720FD4@mail3.kompro.lt>
Old-X-EsetId: 23BAF433C7B978693CBCF464C4ED3E33
X-EsetId: 23BAF433C7B978693CBCF464C4ED3E33
X-EsetScannerBuild: 48633

files
--------------
SHA-256 dcbd90e2d64b3ec37fc548598d9a4c8c34e25fa520a8f64143df1f128f7cdaca
File name Електронний запит документів.zip [Zip archive data, at least v1.0 to extract]
File size 19.92 MB (20890277 bytes)

SHA-256 c3f8a7c0927ff421d195d22c2a136b2067fb66d67a005ea7225cd31d68e552d6
File name Електронний запит документів.rar [RAR archive data, v8a,]
File size 19.92 MB (20889695 bytes)

SHA-256 7a986db7a9d76e881ade9ffa143ba36a84808c7e29dfc3ead49241b00a61637e
File name Електронний запит документів.exe [PE32 executable, UPX 2.90 [LZMA]]
File size 20.41 MB (21399664 bytes)

SHA-256 8c8d24125a330aa8e7510bacf2d7c7d644d0f0caf0d56878d529d0628b067639
File name unpacked.exe [PE32 executable, BobSoft Mini Delphi]
File size 22.80 MB (23911024 bytes)

original_utility (signed, not modified)
--------------
SHA-256 d4d3ef9196b5dac53d1e06d738eb3e529578752bf9e8cfd2900a600d5f10a7e5
File name host7.0.0.1.exe [PE32 executable, UPX 2.90 [LZMA]]
File size 20.41 MB (21397752 bytes)

activity
**************
PL_SCR attached exe

C2 139.28.38.254

netwrk
--------------
tcp.port == 80 || tcp.port == 8080 || tcp.port == 5651

139.28.38.254 51143 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
139.28.38.254 51141 → 8080 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
139.28.38.254 51141 → 8080 [ACK] Seq=1 Ack=1 Win=64240 Len=0

comp
--------------
rutserv.exe 520 TCP 139.28.38.254 8080 FIN_WAIT
rutserv.exe 520 TCP 139.28.38.254 5651 FIN_WAIT
rutserv.exe 520 TCP 139.28.38.254 80 FIN_WAIT

proc
--------------
C:\Users\operator\Desktop\Електронний запит документів.exe [upx]
C:\Users\operator\Desktop\Електронний запит документів.exe [unpack]
"C:\Windows\System32\msiexec.exe" /i "C:\Users\support\AppData\Local\Temp\RUT_{7D2750A6-5C02-4E78-9C14-6CBF5FDD3D50}\host.msi" /qn

[another context]

C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe -Embedding F1C1DC81815FA852DC12DB1CCFB6DBAA
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\support\AppData\Local\Temp\RUT_{7D2750A6-5C02-4E78-9C14-6CBF5FDD3D50}\host.msi"
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start

"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe"
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -firewall

persist
--------------
HKLM\System\CurrentControlSet\Services 03.03.2021 11:37
RManService Allows Remote Utilities users to connect to this machine. Remote Utilities LLC
c:\program files (x86)\remote utilities - host\rutserv.exe 28.02.2021 14:25
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service

drop
--------------
C:\Program Files (x86)\Remote Utilities - Host\*

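Added detection example (not part of VRad's paste): the install chain above, a legitimately signed Remote Utilities host dropped as host.msi into a RUT_{GUID} Temp folder, installed silently by msiexec from a user-launched exe, registered as RManService and then calling out to 139.28.38.254 on 80/8080/5651, is what a hunt rule should key on, since the binaries themselves are clean. The tagging functions below encode exactly those observations; the event records, the field names, and the combination logic are constructed here for illustration and are not from any EDR product.

```python
import re
from dataclasses import dataclass

# Indicators lifted from the paste. A benign Remote Utilities deployment by an
# admin will match the rutserv/RManService tags too; what separates this case
# is the MSI staged in a RUT_{GUID} Temp folder, the /qn silent install spawned
# from a user-directory exe, and the known C2 address.
RUT_MSI_RE = re.compile(r"RUT_\{[0-9A-Fa-f-]{36}\}\\host\.msi", re.IGNORECASE)
MSIEXEC_RE = re.compile(r'msiexec\.exe"?\s+/i\s', re.IGNORECASE)
RUTSERV_RE = re.compile(r'rutserv\.exe"?\s+[/-](silentinstall|firewall|start|service)\b', re.IGNORECASE)
C2_IP = "139.28.38.254"          # from the activity / netwrk sections
C2_PORTS = {80, 8080, 5651}      # ports rutserv.exe was seen connecting to
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files")


@dataclass
class ProcEvent:
    """Constructed process-creation record: image, full command line, parent image."""
    image: str
    cmdline: str
    parent: str = ""


def tag_process(ev: ProcEvent) -> list:
    """Tag one process event with the Remote Utilities install-chain indicators it matches."""
    tags = []
    cmd = ev.cmdline
    if MSIEXEC_RE.search(cmd) and RUT_MSI_RE.search(cmd):
        tags.append("msiexec_rut_host_msi")
        if re.search(r"\s/qn\b", cmd, re.IGNORECASE):
            tags.append("silent_install")
        # msiexec launched by something outside Windows/Program Files (the Desktop exe here)
        if ev.parent and not ev.parent.lower().startswith(TRUSTED_PARENT_PREFIXES):
            tags.append("msiexec_parent_in_user_dir")
    m = RUTSERV_RE.search(cmd)
    if m:
        tags.append("rutserv_" + m.group(1).lower())
    return tags


def tag_service(name: str, image_path: str) -> list:
    """Tag a service registration that matches the RManService persistence entry."""
    tags = []
    if name.lower() == "rmanservice" or "remote utilities - host\\rutserv.exe" in image_path.lower():
        tags.append("rmanservice_persistence")
    return tags


def tag_connection(process: str, remote_ip: str, remote_port: int) -> list:
    """Tag an outbound connection against the C2 address and the observed ports."""
    tags = []
    if remote_ip == C2_IP:
        tags.append("known_c2_ip")
    if process.lower() == "rutserv.exe" and remote_port in C2_PORTS:
        tags.append("rutserv_c2_port")
    return tags


def analyse(procs, services, conns) -> dict:
    """Combine per-event tags into a host-level verdict (combination logic is ours)."""
    tags = set()
    for ev in procs:
        tags.update(tag_process(ev))
    for name, path in services:
        tags.update(tag_service(name, path))
    for proc, ip, port in conns:
        tags.update(tag_connection(proc, ip, port))
    if {"msiexec_rut_host_msi", "silent_install", "rmanservice_persistence"} <= tags:
        verdict = "rurat_silent_deploy_with_c2" if "known_c2_ip" in tags else "remote_utilities_silent_deploy"
    elif tags:
        verdict = "review"
    else:
        verdict = "clean"
    return {"tags": sorted(tags), "verdict": verdict}


# Constructed sample telemetry reproducing the proc / persist / comp sections of the paste.
SAMPLE_PROCS = [
    ProcEvent("msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\support\AppData\Local\Temp\RUT_{7D2750A6-5C02-4E78-9C14-6CBF5FDD3D50}\host.msi" /qn',
              parent=r"C:\Users\operator\Desktop\Електронний запит документів.exe"),
    ProcEvent("rutserv.exe", r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall'),
    ProcEvent("rutserv.exe", r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service'),
]
SAMPLE_SERVICES = [("RManService", r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service')]
SAMPLE_CONNS = [("rutserv.exe", "139.28.38.254", 8080), ("rutserv.exe", "139.28.38.254", 5651)]

if __name__ == "__main__":
    print(analyse(SAMPLE_PROCS, SAMPLE_SERVICES, SAMPLE_CONNS))
```

A plain `msiexec /i something.msi /qn` from Downloads does not trigger the MSI tag, so the rule stays specific to the RUT_ staging path; if you want broader coverage of silent MSI installs spawned from user directories, drop the `RUT_MSI_RE` condition and accept the extra review load.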
# # #
https://www.virustotal.com/gui/file/dcbd90e2d64b3ec37fc548598d9a4c8c34e25fa520a8f64143df1f128f7cdaca/details
https://www.virustotal.com/gui/file/c3f8a7c0927ff421d195d22c2a136b2067fb66d67a005ea7225cd31d68e552d6/details
https://www.virustotal.com/gui/file/7a986db7a9d76e881ade9ffa143ba36a84808c7e29dfc3ead49241b00a61637e/details
https://www.virustotal.com/gui/file/8c8d24125a330aa8e7510bacf2d7c7d644d0f0caf0d56878d529d0628b067639/details

original_utility
https://www.virustotal.com/gui/file/d4d3ef9196b5dac53d1e06d738eb3e529578752bf9e8cfd2900a600d5f10a7e5/details

VR