- IOC #OptiData #VR #rurat #RemoteUtilitiesLLC #EXE #UPX
- https://pastebin.com/j8h6XpV7
- previous_contact:
- 28/01/22 https://pastebin.com/7ndYBz5Q
- 09/08/21 https://pastebin.com/rh0bNZpN
- 22/03/21 https://pastebin.com/Dn4w1h8K
- 09/03/21 https://pastebin.com/70CvpLRE
- 03/03/21 https://pastebin.com/vBf6Wyr5
- 03/03/21 https://pastebin.com/br4Cayaz
- FAQ:
- https://cert.gov.ua/article/18163
- https://www.remoteutilities.com/download/
- attack_vector
- --------------
- email attachment: outer .rar > password-protected multi-part .rar (inner) > .exe > UAC prompt > msi > install > service > C2
- # # # # # # # #
- email_headers
- # # # # # # # #
- Date: Thu, 11 Jan 2024 08:23:35 +0300
- Subject: Запит від компанії Медок
- From: Субботин Ираклий Васильевич <transport@edytrans.ro>
- Received: from mail.edytrans.ro ([193.33.25.31])
- Received: from pathetic-fuel.aeza.network (unknown [176.124.198.222])
- by mail.itfusion.ro (Postfix) with ESMTPA id E915230C07B0
- Reply-To: Сирко Чеслав Валериевич <secretariat@moldexpo.md>
- Message-Id: <20240111052334.E915230C07B0@mail.itfusion.ro>
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 5a03f51625adb3bc44429dffd6d4808ef4c57d79efd50032eb4cb2c4c6333364
- File name Запит.rar [RAR archive data, v5]
- File size 16.90 MB (17723321 bytes)
- SHA-256 c2ace97deed180300407035e9c6cfc9536df5d660be9ff46c26a9ca86f5c47b2
- File name Запит документів.part1.rar [RAR archive data, v5] Multi, PWD
- File size 5.00 MB (5242880 bytes)
- SHA-256 48b65d2d67eb92eeb330ad37e0b29eaaad5c81549807c6c7dccb5f6e2f90a647
- File name Запит документів.part2.rar [RAR archive data, v5] Multi, PWD
- File size 5.00 MB (5242880 bytes)
- SHA-256 42a7eb275e343f838095582afd641629fafea581c27624707c4f0d9aa04d61be
- File name Запит документів.part3.rar [RAR archive data, v5] Multi, PWD
- File size 5.00 MB (5242880 bytes)
- SHA-256 4cd6fa9df98b6b0246dd40ec64d0088a7f589e13038dc76dd71abc077bd91596
- File name Запит документів.part4.rar [RAR archive data, v5] Multi, PWD
- File size 1.90 MB (1993646 bytes)
- SHA-256 5f983f2d494f11050a85dcf38b74da937eb67ea13d0d445e8a89ef4753824499
- File name reportservlet.pdf [PDF document, version 1.7, 1 pages] CLEAN
- File size 36.44 KB (37311 bytes)
- SHA-256 1c0b5baceb177598bafee74d48d91567428e3033521caec287021164db19b96e
- File name Електронний запит Medoc.exe [PE32, UPX 2.90 [LZMA]] Installer
- File size 17.33 MB (18167808 bytes)
- SHA-256 322ef7eee9de6bcda974e9e1509b1f1e96e3538078ab4874a106dbe34064b52c
- File name rutserv.exe [PE32, BobSoft Mini Delphi] Server
- File size 12.56 MB (13174240 bytes)
- SHA-256 d1ec641ce4e2883c19a21863c3b21bf45bbf08040f19c4af99be640b43f99d80
- File name rfusclient.exe [PE32] Client
- File size 6.33 MB (6636512 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR email_attach
- C2 77_105_132_124 : 465
- 77_105_132_124 : 5651
- 77_105_132_70 : 465
- 77_105_132_70 : 5651
- netwrk
- --------------
- 64_20_61_146 5655 TCP
- 77_105_132_124 465 TCP
- 77_105_132_124 5651 TCP
- 77_105_132_70 465 TCP
- 77_105_132_70 5651 TCP
- comp
- --------------
- rutserv.exe 3128 TCP 64_20_61_146 5655 ESTABLISHED
- rutserv.exe 3128 TCP 188_127_224_64 5651 ESTABLISHED
- proc
- --------------
- C:\Users\operator\Desktop\4_Електронний запит Medoc.exe [user]
- C:\Users\operator\Desktop\4_Електронний запит Medoc.exe [UAC_admin]
- C:\Windows\SysWOW64\msiexec.exe /i "C:\Users\support\AppData\Local\Temp\RUT_{C2D52927-DA4D-4AA8-9C60-79FA2FDACCBF}\STAB_unsigned.msi" /qn
- [another context]
- C:\Windows\system32\msiexec.exe /V
- C:\Windows\syswow64\MsiExec.exe -Embedding DDE9BB63CF51031705D7E971FC89DC24
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\support\AppData\Local\Temp\RUT_{C2D52927-DA4D-4AA8-9C60-79FA2FDACCBF}\STAB_unsigned.m
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
- [another context]
- C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
- C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -firewall
- persist
- --------------
- RManService Allows Remote Utilities users to connect to this machine.
- Remote Utilities LLC
- c:\program files (x86)\remote utilities - host\rutserv.exe
- 02.07.2019 15:44
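- Detection logic for the process chain in the proc section and the RManService persistence in the persist section, as an added example that is not part of the original paste. The command lines are constructed from the proc entries above; the allowlist of hosts where Remote Utilities is sanctioned is an assumption, since the product itself is legitimate software.

```python
import re

# Constructed process command lines modelled on the "proc" section above (not
# real telemetry); the last one is benign noise the rules must leave alone.
SAMPLE_CMDLINES = [
    r'"C:\Users\operator\Desktop\4_Електронний запит Medoc.exe"',
    r'C:\Windows\SysWOW64\msiexec.exe /i "C:\Users\support\AppData\Local\Temp'
    r'\RUT_{C2D52927-DA4D-4AA8-9C60-79FA2FDACCBF}\STAB_unsigned.msi" /qn',
    r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall',
    r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall',
    r'"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray',
    r'C:\Windows\System32\notepad.exe report.txt',
]

# (rule name, regex over the command line): a quiet msiexec install from a
# Temp\RUT_{GUID} folder, rutserv.exe driven with unattended switches, and the
# tray client launched from the Host install directory.
RULES = [
    ("rut_msi_quiet_install",
     re.compile(r"msiexec\.exe.*\\RUT_\{[0-9A-F-]+\}\\[^\"]*\.msi\"?\s+/qn", re.I)),
    ("rutserv_unattended_switch",
     re.compile(r"\\rutserv\.exe\"?\s+[/-](silentinstall|firewall|start)\b", re.I)),
    ("rfusclient_spawned",
     re.compile(r"\\Remote Utilities - Host\\rfusclient\.exe\"?\s+[/-]", re.I)),
]

def scan_cmdlines(cmdlines):
    """Return (event_index, rule_name) pairs for every rule hit."""
    return [(i, name) for i, line in enumerate(cmdlines)
            for name, rx in RULES if rx.search(line)]

def rut_install_chain(cmdlines):
    """True only when the quiet MSI install and an unattended rutserv switch both
    occur, i.e. the chain on the 'attack_vector' line rather than a lone event."""
    names = {name for _, name in scan_cmdlines(cmdlines)}
    return {"rut_msi_quiet_install", "rutserv_unattended_switch"} <= names

def is_rut_host_service(name, image_path, host="", approved_hosts=frozenset()):
    """Flag the RManService persistence from the 'persist' section. Remote
    Utilities is legitimate software, so an allowlist of hosts where it is
    sanctioned (assumed to exist) separates approved installs from this one."""
    looks_like_rut = (name.lower() == "rmanservice"
                      or image_path.lower().endswith(r"\rutserv.exe"))
    return looks_like_rut and host.lower() not in approved_hosts
```

Feed real process-creation and service-install telemetry into the same functions; the chain check keeps a single legitimate Remote Utilities event from paging anyone on its own.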
- drop
- --------------
- C:\Windows\Installer\40021b.msi
- C:\Windows\Installer\MSI438A.tmp
- C:\Windows\Installer\40021b.msi
- C:\Windows\Installer\40021f.msi
- C:\Windows\Installer\{E5803A4B-5A4B-44F6-A759-882FB6AD7982}\*.exe
- C:\Program Files (x86)\Remote Utilities - Host\*
- # # # # # # # #
- additional info
- # # # # # # # #
- n/a
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- VR