VRad

#rurat_090821

Aug 9th, 2021 (edited)
#IOC #OptiData #VR #rurat #RemoteUtilitiesLLC #EXE #UPX

https://pastebin.com/rh0bNZpN

previous_contact:

22/03/21 https://pastebin.com/Dn4w1h8K
09/03/21 https://pastebin.com/70CvpLRE
03/03/21 https://pastebin.com/vBf6Wyr5
03/03/21 https://pastebin.com/br4Cayaz

FAQ:
https://www.remoteutilities.com/download/#

attack_vector
--------------
email > attach .RAR > 1.rar + 2.rar > .exe > msi > install > service > 77.83.173.247 + 45.82.71.172

email_headers
--------------
Subject: до судового запиту № 61099 от: 08.08.2021
Received: from mail.iogu.gov.ua ([176.37.254.156])
From: Гладнєва Олена Михайлівна <mail@iogu.gov.ua>
x-sender="postmaster@mail.iogu.gov.ua"
Date: Mon, 9 Aug 2021 00:34:03 +0300


previous contact:
**************

Return-Path: <ab-court@sv.od.court.gov.ua>
Received: from mailgw1.court.gov.ua (mailgw1.court.gov.ua. [212.90.190.159])
by mx.google.com with ESMTPS id z7si9162796lfh.121.2021.03.21.16.38.11
Received-SPF: pass (google.com: best guess record for domain of ab-court@sv.od.court.gov.ua designates 212.90.190.159 as permitted sender) client-ip=212.90.190.159;
Message-Id: <202103212338.12LNc9Qk006331-12LNc9Ql006331@mailgw1.court.gov.ua>
From: Бузовський Віталій Володимирович <ab-court@sv.od.court.gov.ua>
Subject: Судовий запит № 765251150
Reply-To: Бузовський Віталій Володимирович <parom@sv.od.court.gov.ua>
Date: Mon, 22 Mar 2021 01:37:39 +0200


Received: from mail.mepr.gov.ua (mail.menr.gov.ua [194.183.172.242])
Received: from gmail.com (31.13.19.242) by SERV-MAIL.menr.local (10.11.12.9)
with Microsoft SMTP Server id 14.3.498.0; Tue, 9 Mar 2021 03:45:16 +0200
From: Чорнуцький Сергій Петрович <zapros@court.gov.ua> [spoofed]
Subject: Судовий запит № 72137269


Received: from mail.mepr.gov.ua (mail.menr.gov.ua [194.183.172.242])
(envelope-from doc@kyiv.gp.gov.ua)
Received: from gmail.com (176.100.167.8) by SERV-MAIL.menr.local (10.11.12.9)
with Microsoft SMTP Server id 14.3.498.0; Wed, 3 Mar 2021 11:05:16 +0200
From: Кравець Олександр Олександрович <doc@kyiv.gp.gov.ua>
Subject: Електронний запит (довіданий) Терміново!


files
--------------
SHA-256 71a305af6348521f0a51449169e83afaf8981afb319a170b3181386c186bdafe
File name до судового запиту.rar [ RAR archive data, v86, flags: Locked, Solid, Authenticated, ]
File size 20.32 MB (21303020 bytes)

SHA-256 b94a14c10df71ca5e2afd8a116975c766d11ccd9263fc9c531e72eeecea6073e
File name до судового запиту.docx.part1.rar [ RAR archive data, v8a, flags: Archive volume, Commented, Locked, ]
File size 13.00 MB (13631488 bytes)

SHA-256 1977305bb7fade9cdb0607a8a6f24d67938b7d1123083e0afa80dbd21ff8ccad
File name до судового запиту.docx.part2.rar [ RAR archive data, va3, flags: Commented, Solid, Authenticated, ]
File size 7.32 MB (7670894 bytes)

SHA-256 e780d9132b814b9ee7514918da9badd98afc454a01bb5233e13e0db8f192e888
File name до судового запиту.docx.exe [ PE32 executable for MS Windows ]
File size 20.56 MB (21555898 bytes)


SHA-256 1f8c7b8dfcbb46bfdf4d102320951a3f3ecbdcef1a57a05e491c319387edc8cf
File name 2.exe [ UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser ]
File size 20.59 MB (21592064 bytes)

installed
--------------
SHA-256 35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7
File name rutserv.exe [ BobSoft Mini Delphi -> BoB / BobSoft ]
File size 17.78 MB (18647800 bytes)

SHA-256 f30bbbe109b9a5965e7328eee1d246ac43dcc5b162c9efd81a29e7d5955b811b
File name rfusclient.exe [ PE32 executable for MS Windows ]
File size 11.06 MB (11597560 bytes)


activity
**************
PL_SCR attached exe

C2 77.83.173.247 domain: had.wf CN=bankcardshop.ru [NL]
45.82.71.172 domain: had.wf [NL]

previous contact:
**************
145.239.23.207 WORLDBTCNEWS.COM [FR]
178.210.76.171 RU-CENTER-HOSTING [123308, Moscow, Russian Federation]
194.156.99.64 EXAMPLE.COM [Hong Kong]
195.24.68.15 NIC.RU [Moscow, Russian Federation]


139.28.38.254
195.24.68.15 [Moscow, Russian Federation]
194.156.99.64 [Republic of Moldova, Chisinau]


netwrk
--------------
tcp.port == 80 || tcp.port == 465 || tcp.port == 8080 || tcp.port == 5651 || tcp.port == 8888

77.83.173.247 51536 → 8080 [SYN]
77.83.173.247 51538 → 5651 [SYN]
45.82.71.172 51537 → 8888 [SYN]
45.82.71.172 51535 → 5651 [SYN]


!previous contact:
**************
145.239.23.207 51264 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
194.156.99.64 51266 → 8080 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
178.210.76.171 51262 → 8080 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
195.24.68.15 51261 → 8080 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1


comp
--------------
rutserv.exe 2516 TCP 77.83.173.247 8080 ESTABLISHED
rutserv.exe 2516 TCP 77.83.173.247 5651 ESTABLISHED
rutserv.exe 2516 TCP 45.82.71.172 8888 ESTABLISHED
rutserv.exe 2516 TCP 45.82.71.172 5651 ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\до судового запиту.docx.exe
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\tmp\2.exe
C:\Windows\SysWOW64\msiexec.exe /i "C:\Users\support\AppData\Local\Temp\RUT_{C335111F-2F20-499D-95C8-0E4BA85E409A}\host7.0.0.3_unsigned.msi" /qn

{another}

C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe -Embedding 7163F3A85638474281713315BBA7A1F5
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\support\AppData\Local\Temp\RUT_{C335111F-2F20-499D-95C8-0E4BA85E409A}\host7.0.0.3_unsigned.msi"
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start

"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -firewall


persist
--------------
RManService Allows Remote Utilities users to connect to this machine. Remote Utilities LLC c:\program files (x86)\remote utilities - host\rutserv.exe 26.03.2021 22:24


drop
--------------
%user_temp%\2.exe
%user_temp%\1.docx

UAC
%admin_temp%\RUT_{C335111F-2F20-499D-95C8-0E4BA85E409A}\host7.0.0.3_unsigned.msi
C:\Windows\Installer\3067a7e.msi
C:\Windows\Installer\{74041CF2-BE4F-411B-87D8-1C0FAA76D1F1}

C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe

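As an added example (not part of the paste, and not Remote Utilities' own code), the indicators in the files, comp, proc and activity sections above can be turned into a small triage check. The script below assumes a constructed, hypothetical `KIND|...` event line format (PROC with a command line, NET with process, remote IP and port, FILE with a SHA-256) and flags the silent msiexec run of the host MSI out of a RUT_{GUID} temp folder, the rutserv.exe install and service switches, rfusclient.exe -msi_copy, the document-looking .docx.exe lure name, connections to the two C2 IPs or from rutserv.exe on ports 5651/8080/8888, and the paste's file hashes. The sample lines embedded in it are constructed from this paste plus two benign lines (notepad, a browser connection to an RFC 5737 documentation address).

```python
import re
from typing import Dict, List, Optional

# Network indicators copied from the "activity", "netwrk" and "comp" sections of this paste.
C2_IPS = {"77.83.173.247", "45.82.71.172"}
RU_PORTS = {5651, 8080, 8888}

# SHA-256 hashes copied from the "files" and "installed" sections (lower-case hex).
IOC_SHA256: Dict[str, str] = {
    "71a305af6348521f0a51449169e83afaf8981afb319a170b3181386c186bdafe": "до судового запиту.rar",
    "b94a14c10df71ca5e2afd8a116975c766d11ccd9263fc9c531e72eeecea6073e": "до судового запиту.docx.part1.rar",
    "1977305bb7fade9cdb0607a8a6f24d67938b7d1123083e0afa80dbd21ff8ccad": "до судового запиту.docx.part2.rar",
    "e780d9132b814b9ee7514918da9badd98afc454a01bb5233e13e0db8f192e888": "до судового запиту.docx.exe",
    "1f8c7b8dfcbb46bfdf4d102320951a3f3ecbdcef1a57a05e491c319387edc8cf": "2.exe",
    "35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7": "rutserv.exe",
    "f30bbbe109b9a5965e7328eee1d246ac43dcc5b162c9efd81a29e7d5955b811b": "rfusclient.exe",
}

# Command-line patterns taken from the "proc" section: a silent (/qn) msiexec run of the Remote
# Utilities host MSI out of a RUT_{GUID} temp folder, the rutserv.exe install/service switches,
# rfusclient.exe -msi_copy, and the double-extension ".docx.exe" lure file name.
RUT_MSI_RE = re.compile(r"msiexec\.exe.*\\RUT_\{[0-9A-F-]{36}\}\\.*\.msi.*\s/qn", re.I)
RUTSERV_RE = re.compile(r'rutserv\.exe"?\s+(/silentinstall|/firewall|/start|-service|-firewall)\b', re.I)
RFUS_RE = re.compile(r'rfusclient\.exe"?\s+-msi_copy\b', re.I)
DOUBLE_EXT_RE = re.compile(r"\.(docx?|xlsx?|pdf)\.exe\b", re.I)


def check_process(cmdline: str) -> List[str]:
    """Return the names of the install/persistence patterns a process command line matches."""
    hits = []
    if RUT_MSI_RE.search(cmdline):
        hits.append("silent_rut_msi_install")
    m = RUTSERV_RE.search(cmdline)
    if m:
        hits.append("rutserv_" + m.group(1).lstrip("/-"))
    if RFUS_RE.search(cmdline):
        hits.append("rfusclient_msi_copy")
    if DOUBLE_EXT_RE.search(cmdline):
        hits.append("document_double_extension")
    return hits


def check_connection(process: str, remote_ip: str, remote_port: int) -> List[str]:
    """Flag a connection to a listed C2 address, or rutserv.exe talking on the ports seen in the paste."""
    hits = []
    if remote_ip in C2_IPS:
        hits.append("known_c2_ip")
    if process.lower() == "rutserv.exe" and remote_port in RU_PORTS:
        hits.append("rutserv_outbound_port")
    return hits


def check_hash(sha256: str) -> Optional[str]:
    """Return the paste's file name for a known SHA-256, or None."""
    return IOC_SHA256.get(sha256.lower())


# Constructed sample feed (hypothetical KIND|... format): lines from this paste plus two benign ones.
SAMPLE_LOG = r"""
PROC|C:\Users\operator\Desktop\до судового запиту.docx.exe
PROC|C:\Windows\SysWOW64\msiexec.exe /i "C:\Users\support\AppData\Local\Temp\RUT_{C335111F-2F20-499D-95C8-0E4BA85E409A}\host7.0.0.3_unsigned.msi" /qn
PROC|"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
PROC|"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
PROC|C:\Windows\system32\notepad.exe
NET|rutserv.exe|77.83.173.247|8080
NET|rutserv.exe|45.82.71.172|5651
NET|chrome.exe|203.0.113.10|443
FILE|35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7
FILE|0000000000000000000000000000000000000000000000000000000000000000
"""


def scan(log_text: str) -> List[dict]:
    """Run every feed line through the matching check and collect the alerts in feed order."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        kind, _, rest = raw.partition("|")
        if kind == "PROC":
            hits = check_process(rest)
        elif kind == "NET":
            proc, ip, port = rest.split("|")
            hits = check_connection(proc, ip, int(port))
        elif kind == "FILE":
            name = check_hash(rest)
            hits = [f"known_sample:{name}"] if name else []
        else:
            hits = []
        if hits:
            alerts.append({"line": raw, "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(", ".join(alert["hits"]), "<-", alert["line"])
```

Remote Utilities is a legitimate product, so a rutserv.exe process or a connection on 5651 alone is only a signal; the combination the paste records (silent host install from a temp RUT_{GUID} folder, then rutserv.exe -service, then outbound sessions to the listed addresses) is what merits escalation. Adapt the line parsing to whatever EDR or Sysmon export you actually have.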
# # #
VT details

Dropped files
**************
https://www.virustotal.com/gui/file/71a305af6348521f0a51449169e83afaf8981afb319a170b3181386c186bdafe/details
https://www.virustotal.com/gui/file/b94a14c10df71ca5e2afd8a116975c766d11ccd9263fc9c531e72eeecea6073e/details
https://www.virustotal.com/gui/file/1977305bb7fade9cdb0607a8a6f24d67938b7d1123083e0afa80dbd21ff8ccad/details
https://www.virustotal.com/gui/file/e780d9132b814b9ee7514918da9badd98afc454a01bb5233e13e0db8f192e888/details
https://www.virustotal.com/gui/file/1f8c7b8dfcbb46bfdf4d102320951a3f3ecbdcef1a57a05e491c319387edc8cf/details

installed
**************
https://www.virustotal.com/gui/file/35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7/details
https://www.virustotal.com/gui/file/f30bbbe109b9a5965e7328eee1d246ac43dcc5b162c9efd81a29e7d5955b811b/details

IP
**************
https://www.virustotal.com/gui/ip-address/77.83.173.247/details
https://www.virustotal.com/gui/ip-address/45.82.71.172/details

VR