Trojan.Rugmi.DB
Analysis Report
General information
| Family Name: | Trojan.Rugmi.DB |
|---|---|
| Signature status: | Self Signed |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File has exports table
- File has TLS information
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Company Name | TODO: <Company name> |
| File Description | TODO: <File description> |
| File Version | 2, 1, 0, 21-d-5e94740 |
| Internal Name | TSLogSDK.dll |
| Legal Copyright | Copyright (C) 2020 |
| Original Filename | TSLogSDK.dll |
| Product Name | TSLogSDK |
| Product Version | 2, 1, 0, 21-d-5e94740 |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.

| Signer | Root | Status |
|---|---|---|
| Tenorshare Co., Ltd. | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| Tenorshare Co., Ltd. | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Self Signed |
| Tenorshare Co., Ltd. | DigiCert Trusted Root G4 | Root Not Trusted |
| Tenorshare Co., Ltd. | DigiCert Trusted Root G4 | Hash Mismatch |
File Traits
- Default Version Info
- dll
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 2,824 |
|---|---|
| Potentially Malicious Blocks: | 0 |
| Whitelisted Blocks: | 2,824 |
| Unknown Blocks: | 0 |
Visual Map
[Visual block map not reproduced: the original page renders one symbol per block, and the extracted data was truncated.]

Legend:
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- Rugmi.DB
- Rugmi.DBA
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | |