Trojan.Rugmi.HB
Analysis Report
General information
| Family Name: | Trojan.Rugmi.HB |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| f142ceceb8fa5d51b167d09a27d199be | 04c077dc1d95c316ce820d1b0b624aa36257e1e4 | E2899AC504201322EE8F57B87A04C8A5CA737BAAD20C1F11A81C4515964D3218 | 2.74 MB, 2744320 bytes |
| d3281d6700d0cdd0212fa62003c82df2 | 173359fc023e0c7a3e2e0b36bd46368a2d2533cf | 23B4F0EEFA8EF061EF3448E5C75A8CB23619BAAE670F71B093A7AFB8B5050BED | 115.63 KB, 115632 bytes |
| 87810c9316fa37154f5a75ea06ac4742 | e5e68a054c564d8cf4e69c2f91b4409eb484cd8d | BEEF9D676FC6CC9C7DD229D27264C8A3057FB0446DDEB87AF33D05F44B3357D6 | 1.49 MB, 1492232 bytes |
| e854f222bed785a57657012e18b2c86f | 494e58f297e6b07b811b3c0e2b29373e778990e1 | 8586A05D92D934451233323AE2A26EA6EC3945E2E2847438D563FB2247934B80 | 2.74 MB, 2744320 bytes |
| e7c4234b1150939df5ec3f1893099f42 | 502f4fc18bd6186c45d4574123a814f9f17c06d3 | 0750DB848790636BEDEACBC968E4FB8A3B796944875ED6E8C3D545E7A351D8C7 | 1.18 MB, 1184256 bytes |
| 2edc6494a6315e9fe5912bd8019d3bd7 | 74cb9f4a0b88d7d4810b354d9e758de345c3373b | 77840452C2EC8D158E6E5374D913561CA540B40568CC761D08BF44C58B97FFD7 | 2.74 MB, 2744320 bytes |
| ae4a60edf2bc72e829f9b2cc45854ae0 | 7a113bbc0069cb0425a75e8a51bd934c78edafd6 | 76777B07F22C3805FDBA0C03CD76568918DBA0B6C21D03D4C2D3D25EA21AF82B | 361.47 KB, 361472 bytes |
| 20ebae0e02f279336b3e7ff4fcf74572 | a81240887c53323c0afe7d1150d4780eccb1a8ab | 2F493A47E6C6CD6270B443CDF6529552F9314628FFA22F0FC01EF04DA803751A | 1.67 MB, 1668848 bytes |
| 5e7ad30ee06454cafbac1d817063aab9 | 18eb46c47af0cf794c8cbf7315c4bd46e999d0e3 | 1132B7F88E0278A10A3FD9481AE88FDF6A2E9A548F89B7266AB824F778B23EE5 | 171.01 KB, 171008 bytes |
| b90e0615d8037e0bfe2d8a75b19684ad | 8fed55866e3c0a1cec4abd500d9ca0f2d2f5390f | 4253952B2FEEA6C646242F406A17559834FCAD3811D0017E776A549574DDA283 | 470.02 KB, 470016 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Company Name | |
| Company Short Name | Microsoft |
| File Description | |
| File Version | |
| Internal Name | |
| Last Change | 70d3bcefea71de913f3be6ae4409066cb83e1911 |
| Legal Copyright | |
| License | http://curl.haxx.se/docs/copyright.html |
| Official Build | 1 |
| Original Filename | |
| Product Name | |
| Product Short Name | Microsoft Edge Embedded Browser WebView Loader |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.
| Signer | Root | Status |
|---|---|---|
| ORANGE VIEW LIMITED | DigiCert High Assurance EV Root CA | Hash Mismatch |
| HITPAW CO., LIMITED | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| HITPAW CO., LIMITED | DigiCert Trusted Root G4 | Hash Mismatch |
| Microsoft Corporation | Microsoft Code Signing PCA 2011 | Hash Mismatch |
| AOMEI International Network Limited | Sectigo Public Code Signing Root R46 | Hash Mismatch |
File Traits
- dll
- HighEntropy
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 1,155 |
|---|---|
| Potentially Malicious Blocks: | 131 |
| Whitelisted Blocks: | 1,021 |
| Unknown Blocks: | 3 |
Visual Map
(Block-classification map image not reproduced here; legend follows.)
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Agent.TJZ
- Gamehack.JUA
- Rugmi.HB
- Rugmi.PG
- Rugmi.TB
- Trojan.Downloader.Gen.CX
- Trojan.Downloader.Gen.DM
- Trojan.Downloader.Gen.JO
- Trojan.Downloader.Gen.QD
- Trojan.Kryptik.Gen.DGK
- Trojan.ShellcodeRunner.Gen.LN
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Syscall Use | |
| Process Manipulation Evasion | |
| Process Shell Execute | |
| Anti Debug | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\04c077dc1d95c316ce820d1b0b624aa36257e1e4_0002744320.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\173359fc023e0c7a3e2e0b36bd46368a2d2533cf_0000115632.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\e5e68a054c564d8cf4e69c2f91b4409eb484cd8d_0001492232.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\494e58f297e6b07b811b3c0e2b29373e778990e1_0002744320.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\502f4fc18bd6186c45d4574123a814f9f17c06d3_0001184256.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\74cb9f4a0b88d7d4810b354d9e758de345c3373b_0002744320.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\7a113bbc0069cb0425a75e8a51bd934c78edafd6_0000361472.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\a81240887c53323c0afe7d1150d4780eccb1a8ab_0001668848.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\18eb46c47af0cf794c8cbf7315c4bd46e999d0e3_0000171008.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\8fed55866e3c0a1cec4abd500d9ca0f2d2f5390f_0000470016.,LiQMAxHB