- #IOC #OptiData #VR #rurat #RemoteUtilitiesLLC #EXE #UPX
- https://pastebin.com/rh0bNZpN
- previous_contact:
- 22/03/21 https://pastebin.com/Dn4w1h8K
- 09/03/21 https://pastebin.com/70CvpLRE
- 03/03/21 https://pastebin.com/vBf6Wyr5
- 03/03/21 https://pastebin.com/br4Cayaz
- FAQ:
- https://www.remoteutilities.com/download/#
- attack_vector
- --------------
- email > attach .RAR > 1.rar + 2.rar > .exe > msi > install > service > 77.83.173.247 + 45.82.71.172
- email_headers
- --------------
- Subject: до судового запиту № 61099 от: 08.08.2021
- Received: from mail.iogu.gov.ua ([176.37.254.156])
- From: Гладнєва Олена Михайлівна <mail@iogu.gov.ua>
- x-sender="postmaster@mail.iogu.gov.ua"
- Date: Mon, 9 Aug 2021 00:34:03 +0300
- previous contact:
- **************
- Return-Path: <ab-court@sv.od.court.gov.ua>
- Received: from mailgw1.court.gov.ua (mailgw1.court.gov.ua. [212.90.190.159])
- by mx.google.com with ESMTPS id z7si9162796lfh.121.2021.03.21.16.38.11
- Received-SPF: pass (google.com: best guess record for domain of ab-court@sv.od.court.gov.ua designates 212.90.190.159 as permitted sender) client-ip=212.90.190.159;
- Message-Id: <202103212338.12LNc9Qk006331-12LNc9Ql006331@mailgw1.court.gov.ua>
- From: Бузовський Віталій Володимирович <ab-court@sv.od.court.gov.ua>
- Subject: Судовий запит № 765251150
- Reply-To: Бузовський Віталій Володимирович <parom@sv.od.court.gov.ua>
- Date: Mon, 22 Mar 2021 01:37:39 +0200
- Received: from mail.mepr.gov.ua (mail.menr.gov.ua [194.183.172.242])
- Received: from gmail.com (31.13.19.242) by SERV-MAIL.menr.local (10.11.12.9)
- with Microsoft SMTP Server id 14.3.498.0; Tue, 9 Mar 2021 03:45:16 +0200
- From: Чорнуцький Сергій Петрович <zapros@court.gov.ua> [spoofed]
- Subject: Судовий запит № 72137269
- Received: from mail.mepr.gov.ua (mail.menr.gov.ua [194.183.172.242])
- (envelope-from doc@kyiv.gp.gov.ua)
- Received: from gmail.com (176.100.167.8) by SERV-MAIL.menr.local (10.11.12.9)
- with Microsoft SMTP Server id 14.3.498.0; Wed, 3 Mar 2021 11:05:16 +0200
- From: Кравець Олександр Олександрович <doc@kyiv.gp.gov.ua>
- Subject: Електронний запит (довіданий) Терміново!
- files
- --------------
- SHA-256 71a305af6348521f0a51449169e83afaf8981afb319a170b3181386c186bdafe
- File name до судового запиту.rar [ RAR archive data, v86, flags: Locked, Solid, Authenticated, ]
- File size 20.32 MB (21303020 bytes)
- SHA-256 b94a14c10df71ca5e2afd8a116975c766d11ccd9263fc9c531e72eeecea6073e
- File name до судового запиту.docx.part1.rar [ RAR archive data, v8a, flags: Archive volume, Commented, Locked, ]
- File size 13.00 MB (13631488 bytes)
- SHA-256 1977305bb7fade9cdb0607a8a6f24d67938b7d1123083e0afa80dbd21ff8ccad
- File name до судового запиту.docx.part2.rar [ RAR archive data, va3, flags: Commented, Solid, Authenticated, ]
- File size 7.32 MB (7670894 bytes)
- SHA-256 e780d9132b814b9ee7514918da9badd98afc454a01bb5233e13e0db8f192e888
- File name до судового запиту.docx.exe [ PE32 executable for MS Windows ]
- File size 20.56 MB (21555898 bytes)
- SHA-256 1f8c7b8dfcbb46bfdf4d102320951a3f3ecbdcef1a57a05e491c319387edc8cf
- File name 2.exe [ UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser ]
- File size 20.59 MB (21592064 bytes)
- installed
- --------------
- SHA-256 35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7
- File name rutserv.exe [ BobSoft Mini Delphi -> BoB / BobSoft ]
- File size 17.78 MB (18647800 bytes)
- SHA-256 f30bbbe109b9a5965e7328eee1d246ac43dcc5b162c9efd81a29e7d5955b811b
- File name rfusclient.exe [ PE32 executable for MS Windows ]
- File size 11.06 MB (11597560 bytes)
- activity
- **************
- PL_SCR attached exe
- C2 77.83.173.247 domain: had.wf CN=bankcardshop.ru [NL]
- 45.82.71.172 domain: had.wf [NL]
- previous contact:
- **************
- 145.239.23.207 WORLDBTCNEWS.COM [FR]
- 178.210.76.171 RU-CENTER-HOSTING [123308, Moscow, Russian Federation]
- 194.156.99.64 EXAMPLE.COM [Hong Kong]
- 195.24.68.15 NIC.RU [Moscow, Russian Federation]
- 139.28.38.254
- 195.24.68.15 [Moscow, Russian Federation]
- 194.156.99.64 [Republic of Moldova, Chisinau]
- netwrk
- --------------
- tcp.port == 80 || tcp.port == 465 || tcp.port == 8080 || tcp.port == 5651 || tcp.port == 8888
- 77.83.173.247 51536 → 8080 [SYN]
- 77.83.173.247 51538 → 5651 [SYN]
- 45.82.71.172 51537 → 8888 [SYN]
- 45.82.71.172 51535 → 5651 [SYN]
- !previous contact:
- **************
- 145.239.23.207 51264 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
- 194.156.99.64 51266 → 8080 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
- 178.210.76.171 51262 → 8080 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
- 195.24.68.15 51261 → 8080 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
- comp
- --------------
- rutserv.exe 2516 TCP 77.83.173.247 8080 ESTABLISHED
- rutserv.exe 2516 TCP 77.83.173.247 5651 ESTABLISHED
- rutserv.exe 2516 TCP 45.82.71.172 8888 ESTABLISHED
- rutserv.exe 2516 TCP 45.82.71.172 5651 ESTABLISHED
- proc
- --------------
- C:\Users\operator\Desktop\до судового запиту.docx.exe
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- C:\tmp\2.exe
- C:\Windows\SysWOW64\msiexec.exe /i "C:\Users\support\AppData\Local\Temp\RUT_{C335111F-2F20-499D-95C8-0E4BA85E409A}\host7.0.0.3_unsigned.msi" /qn
- {another}
- C:\Windows\system32\msiexec.exe /V
- C:\Windows\syswow64\MsiExec.exe -Embedding 7163F3A85638474281713315BBA7A1F5
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" -msi_copy "C:\Users\support\AppData\Local\Temp\RUT_{C335111F-2F20-499D-95C8-0E4BA85E409A}\host7.0.0.3_unsigned.msi"
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /silentinstall
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /firewall
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" /start
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
- C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
- "C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe" /tray
- "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -firewall
- persist
- --------------
- RManService Allows Remote Utilities users to connect to this machine. Remote Utilities LLC c:\program files (x86)\remote utilities - host\rutserv.exe 26.03.2021 22:24
- drop
- --------------
- %user_temp%\2.exe
- %user_temp%\1.docx
- UAC
- %admin_temp%\RUT_{C335111F-2F20-499D-95C8-0E4BA85E409A}\host7.0.0.3_unsigned.msi
- C:\Windows\Installer\3067a7e.msi
- C:\Windows\Installer\{74041CF2-BE4F-411B-87D8-1C0FAA76D1F1}
- C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe
- C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe
- # # #
- VT details
- Dropped files
- **************
- https://www.virustotal.com/gui/file/71a305af6348521f0a51449169e83afaf8981afb319a170b3181386c186bdafe/details
- https://www.virustotal.com/gui/file/b94a14c10df71ca5e2afd8a116975c766d11ccd9263fc9c531e72eeecea6073e/details
- https://www.virustotal.com/gui/file/1977305bb7fade9cdb0607a8a6f24d67938b7d1123083e0afa80dbd21ff8ccad/details
- https://www.virustotal.com/gui/file/e780d9132b814b9ee7514918da9badd98afc454a01bb5233e13e0db8f192e888/details
- https://www.virustotal.com/gui/file/1f8c7b8dfcbb46bfdf4d102320951a3f3ecbdcef1a57a05e491c319387edc8cf/details
- installed
- **************
- https://www.virustotal.com/gui/file/35ffc1263005fd0a954deed20a7fb0cd53dbab6bb17ff8bd34559a5a124686c7/details
- https://www.virustotal.com/gui/file/f30bbbe109b9a5965e7328eee1d246ac43dcc5b162c9efd81a29e7d5955b811b/details
- IP
- **************
- https://www.virustotal.com/gui/ip-address/77.83.173.247/details
- https://www.virustotal.com/gui/ip-address/45.82.71.172/details
- VR