Trojan.Rugmi.FG

By CagedTech in Trojans

Table of Contents

Analysis Report

General information

Family Name:	Trojan.Rugmi.FG
Signature status:	Hash Mismatch

Known Samples

MD5: 1ca5b44e758dafe50eeb5825d62b6384

SHA1: 177ef92773d5da400922c02bfed2a1a15a044615

SHA256: 014E65CC2E8BC22BEFA55E494FA20BDE0534ED0289D6733E943D786DB9648369

File Size: 369.92 KB, 369920 bytes

MD5: a24e0aec1ef1675ab9f96abc29bcdc03

SHA1: 92c3d561676279b737d176cab7297a0fb7d5f45c

SHA256: 32F09955043984E7B5A65DEAF268D1962CEB41113174499B6AE4277AFDC54136

File Size: 508.75 KB, 508752 bytes

MD5: 1da97cb9a3aa35287e57f1b2ba76e5a7

SHA1: e7bc78fae8861158e0a949e0b6e7efc2cdf9a746

SHA256: 05A0C0D947EEE9B3F9A7607EC71C12022F33C63682B8EBEB8B583C1579922960

File Size: 127.49 KB, 127488 bytes

MD5: 9d5a6433ed626214a18aef90bef1c8a8

SHA1: 9131b20ce1def36dcf3643ac43b9e0be44ff4555

SHA256: 8774D3988B01DBE91ED175B56B1777B5A0F153D5DCD8AD83541589E57BC1FA5B

File Size: 399.93 KB, 399928 bytes

MD5: 6d382aeb76bb51c6178c5cd9a072f8c3

SHA1: cf463168cca28917e16100e0e126b3819fc0e12e

SHA256: D17CF6A044E19C475543A2FE57E101D82EFB383EE695EC2AEA0ED6992F8792DF

File Size: 598.39 KB, 598392 bytes

MD5: 883f50efc98f9c79f2fbe16aa1a048b8

SHA1: 7736370bd5b7f5c5fe3039eb1c2fac2d6f684a28

SHA256: 13E81581D8FC2C31BD41A88327F30FA3A84FA5E2D15799A10078631BA4B850CD

File Size: 470.02 KB, 470016 bytes

MD5: ee8fea5ee764bce8151f07340ad183c6

SHA1: 3e46da926c761c4c384dc5385b3292f26766ff74

SHA256: F17FF97AAA3CC2F7565BAB99376D29BD896E0BCAF66041A5D750CA281AC399BE

File Size: 104.89 KB, 104888 bytes

MD5: 87b1f2cc8c5eee83390604afebbf957d

SHA1: f1444694ba3cbdaaa4a077cc32f5a22f7633819f

SHA256: AB15439EC29D9A13F098F57AB0E05B674A0ED42D30C7664367D43A52748AE192

File Size: 1.12 MB, 1115256 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have security information
File has exports table
File has TLS information
File is 32-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed

IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name	Value
Comments	MusicCenter Custom Module
Company Name	Microsoft Corporation Sony Corporation The curl library, https://curl.se/ The Qt Company Ltd.
File Description	C++ Application Development Framework libcurl Shared Library NLETrans 动态链接库 SsCustom(V) Test Authoring and Execution Framework: TE.Loaders [v10.88]
File Version	10.88.2411.08001 8.4.0-DEV 5.14.2.0 5.0.04.01100 1, 0, 0, 1
Internal Name	libcurl NLETrans SsCustom TE.Loaders
Legal Copyright	Copyright (C) 2010 Copyright (C) 2020 The Qt Company Ltd. Copyright (C) Daniel Stenberg, <daniel@haxx.se>. ©2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024 Sony Corporation ©Microsoft Corporation. All rights reserved.
License	https://curl.se/docs/copyright.html
Original Filename	libcurl.dll NLETrans.dll Qt5Network.dll SsCustom.dll TE.Loaders.dll
Product Name	NLETrans 动态链接库 Qt5 SsCustom Test Authoring and Execution Framework The curl library
Product Version	10.88.2411.08001 8.4.0-DEV 5.14.2.0 5.0.04.01100 1, 0, 0, 1

Digital Signatures

Signer	Root	Status
CHENGDU YIWO Tech Development Co., Ltd.	DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1	Hash Mismatch
Plex, Inc.	DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1	Hash Mismatch
Sony Corporation	DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1	Hash Mismatch
Apowersoft Ltd	DigiCert Trusted Root G4	Hash Mismatch
Sony Corporation	DigiCert Trusted Root G4	Hash Mismatch

Microsoft Corporation	Microsoft Code Signing PCA 2011	Hash Mismatch
The Qt Company Oy	thawte SHA256 Code Signing CA	Hash Mismatch

File Traits

dll
HighEntropy
x86

Block Information

Total Blocks:	3,381
Potentially Malicious Blocks:	9
Whitelisted Blocks:	3,372
Unknown Blocks:	0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

... Data truncated

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

PSW.Agent.Z
Rugmi.FC
Rugmi.FE
Rugmi.FG
Rugmi.FH

Rugmi.HB
Rugmi.ODA
Rugmi.PG
Rugmi.TD
Trojan.Agent.Gen.ANT
Trojan.Downloader.Gen.BA
Trojan.Downloader.Gen.BU
Trojan.Downloader.Gen.JY
Trojan.Downloader.Gen.LV

Files Modified

File	Attributes
c:\users\user\downloads\aliyunconfig.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtClose ntdll.dll!NtCreateFile ntdll.dll!NtCreateSection ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenProcessToken ntdll.dll!NtProtectVirtualMemory Show More ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtReadFile ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory win32u.dll!NtUserGetKeyboardLayout win32u.dll!NtUserGetThreadState
Process Shell Execute	CreateProcess
Anti Debug	NtQuerySystemInformation
Process Manipulation Evasion	NtUnmapViewOfSection

Shell Command Execution


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\177ef92773d5da400922c02bfed2a1a15a044615_0000369920.,LiQMAxHB


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\92c3d561676279b737d176cab7297a0fb7d5f45c_0000508752.,LiQMAxHB


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\e7bc78fae8861158e0a949e0b6e7efc2cdf9a746_0000127488.,LiQMAxHB


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\9131b20ce1def36dcf3643ac43b9e0be44ff4555_0000399928.,LiQMAxHB


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\cf463168cca28917e16100e0e126b3819fc0e12e_0000598392.,LiQMAxHB


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\7736370bd5b7f5c5fe3039eb1c2fac2d6f684a28_0000470016.,LiQMAxHB


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\3e46da926c761c4c384dc5385b3292f26766ff74_0000104888.,LiQMAxHB


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\f1444694ba3cbdaaa4a077cc32f5a22f7633819f_0001115256.,LiQMAxHB

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.Rugmi.FG

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

Windows PE Version Information

Windows PE Version Information

Digital Signatures

Digital Signatures

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Trojan.Injector.KSB

Forestrievic.com

Pencetbnb.xyz

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Pornktube.porn

Discord Shows Black Screen when Sharing Screen