
Trojan.Rugmi.LDA

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Rugmi.LDA
Signature status: No Signature

Known Samples

MD5: 3a0b7004c0e7e62fb506b848d6f6651d
SHA1: b5516d227208181bf95080a77b79378c7a92aa45
SHA256: 613F423C04AB3CC254CF77ABE197EC32FA0BD328709F9E25B5B21509DEF33774
File Size: 224.26 KB, 224256 bytes

MD5: bcbcb46c2b724586410e152c8fd623f7
SHA1: 8c6100c7b2adf9433e9918bfcb100d290a651ef7
SHA256: 61741F791B5BC3308F57363B415350F5AA1D4B5912C9CCF132F3BF8FD1228096
File Size: 805.41 KB, 805408 bytes

MD5: e5fdf583b73f5b864b22f9a38b410a37
SHA1: b5857de5710befcba1d6c550ec6c829113b3f30d
SHA256: 61C07D0DC96F30436A479E09F15615AB96014D3C3159861995F19846E05F284B
File Size: 537.76 KB, 537760 bytes

MD5: b2bd618ecd93b3d079e925b40996a6ec
SHA1: 8bca8685c317d23a520ae0cd9f79cf08d2651e26
SHA256: 919BC08A36F97C1DE97E36BDE2A421A529F9EA7B3C4D5B3EF20CAAC888521F3D
File Size: 536.14 KB, 536136 bytes

MD5: 84b5f8acd199601b67970b0ed01c9c0a
SHA1: d2228b3abee64989c225634dea8a07b0d14bc298
SHA256: 2B7E4A2B198FD0B4B516726CD200102FF61C686380495B7EA62E329F376E7AC0
File Size: 171.01 KB, 171008 bytes

MD5: cc97aec4d65c6dc7b265d51ba59b659c
SHA1: 78219cd9dfd535dd2f58b4c86017d83ba7604634
SHA256: 9DBD4B1C99ABF50933CBCC6289A2273283FFE80AEE59AF74280BFB32EDDCAD2A
File Size: 1.07 MB, 1065984 bytes

Windows Portable Executable Attributes

These flags are the union over the samples listed above, which is why mutually exclusive entries sit side by side: console and GUI subsystem, "doesn't have security information" next to the signed (but mismatched) blobs in the Digital Signatures section, and IMAGE_FILE_DLL reported as not set although the file traits, the *.dll original filenames and the rundll32 loading below all describe DLLs. Check each sample's header individually before relying on any single entry.

  • File doesn't have "Rich" header
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

The version resource strings below are the union across the listed samples. Each sample carries the resource data of a different legitimate product (a Microsoft spelling component, an Azure DevOps Server module, Cryptlex LexActivator, CDWizard, WS_Log, NLEResou), so no single field identifies the family; read them as metadata copied from other binaries, consistent with the mismatched signatures in the next section.

Comments: af83a40e
Company Name:
  • Cryptlex, LLC.
  • Microsoft Corporation
  • RapidSolution Software AG
Division Name: Natural Language Group
File Description:
  • CDWizard Library Module
  • LexActivator
  • Microsoft.WITDataStore32.dll
  • Natural Language Spelling Service
  • NLEResou Dynamic Link Library (Chinese resource string)
  • WS_Log Dynamic Link Library
File Version:
  • 16.200.35917.1 built by: releases/dev17.11vs (4d27e5749f)
  • 15.0.4420.1017
  • 4, 2, 5, 7
  • 3.19.1
  • 1.2.3306.0
  • 1, 3, 1, 5
Internal Name:
  • CDWizard
  • LexActivator.dll
  • Microsoft.WITDataStore32.dll
  • msspell7
  • NLEResou
  • WS_Log
Legal Copyright:
  • Copyright (C) 2008
  • Copyright (C) 2010
  • Copyright (C) 2020 Cryptlex, LLC.
  • Copyright 2006,2007
  • © Microsoft Corporation. All rights reserved.
Legal Trademarks 1: Microsoft® is a registered trademark of Microsoft Corporation.
Legal Trademarks 2: Windows® is a registered trademark of Microsoft Corporation.
Original Filename:
  • CDWizard.dll
  • LexActivator.dll
  • Microsoft.WITDataStore32.dll
  • msspell7.dll
  • NLEResou.dll
  • WS_Log.dll
Product Name:
  • CDWizard Library Module
  • LexActivator
  • Microsoft® Azure® DevOps Server®
  • Natural Language Components
  • NLEResou Dynamic Link Library (Chinese resource string)
  • WS_Log Dynamic Link Library
Product Version:
  • 16.200.35917.1
  • 15.0.4420.1017
  • 4, 2, 5, 7
  • 3.19.1
  • 1.2.3306.0
  • 1, 3, 1, 5

Digital Signatures

Signer                  Root (as reported)                                          Status
Audials AG              DigiCert Trusted G4 Code Signing RSA4096 SHA256 2021 CA1    Hash Mismatch
Microsoft Corporation   Microsoft Code Signing PCA                                  Hash Mismatch
Microsoft Corporation   Microsoft Code Signing PCA 2011                             Hash Mismatch

Hash Mismatch means the file digest embedded in the signature does not match the digest computed over the file. These signature blocks were issued for the legitimate Audials and Microsoft binaries whose version resources appear above and have been carried over into the samples, so none of the samples is validly signed. Any control that only checks for the presence of a signer name or a trusted chain, rather than running full Authenticode verification, will accept them; on Windows, Get-AuthenticodeSignature reports such files with the status HashMismatch.
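The attribute list and the signature table above come from reading a handful of PE header fields and recomputing the Authenticode digest. The Python below is an added example, not the page's or CagedTech's code: it parses those fields from a minimal PE32 image constructed inline (no Rugmi sample is embedded), computes the Authenticode hash scope, and shows why a certificate table copied from a signed binary produces Hash Mismatch on any other file. The names build_pe, parse, attributes, authenticode_hash and transplant_demo are this example's own.

```python
"""Added example, not code from the page: the header checks behind the PE attribute list
and the Authenticode hash scope behind a "Hash Mismatch" verdict. The PE image is constructed."""
import hashlib
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
SUBSYSTEMS = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
DIR_EXPORT, DIR_SECURITY, DIR_TLS, DIR_CLR = 0, 4, 9, 14  # data directory indices


def build_pe(dll=True, subsystem=2, exports=True, tls=True, cert=b""):
    """Constructed minimal PE32: DOS header, COFF/optional headers, one 0x200-byte .text
    section at file offset 0x400, and an optional certificate table appended at the end."""
    hdr_size, sec_off, sec_size = 0x400, 0x400, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)  # e_lfanew = 0x80, no Rich header
    dos += b"\0" * (0x80 - len(dos))
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100 | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)     # ImageBase, alignments
    struct.pack_into("<I", opt, 60, hdr_size)                        # SizeOfHeaders
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    dirs = {}
    if exports:
        dirs[DIR_EXPORT] = (0x1000, 0x40)
    if tls:
        dirs[DIR_TLS] = (0x1100, 0x18)
    if cert:
        dirs[DIR_SECURITY] = (sec_off + sec_size, len(cert))         # file offset, not an RVA
    for i, (va, size) in dirs.items():
        struct.pack_into("<II", opt, 96 + 8 * i, va, size)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", sec_size, 0x1000, sec_size, sec_off, 0, 0, 0, 0, 0x60000020)
    data = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + section)
    data += b"\0" * (hdr_size - len(data)) + b"\xCC" * sec_size      # pad headers, int3 filler
    return bytes(data) + cert


def parse(data):
    """Header fields needed by both the attribute list and the Authenticode hash."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B
    dir_off = opt + (96 if pe32 else 112)
    sec_hdr = opt + opt_size
    sections = []
    for i in range(nsec):  # SizeOfRawData at +16, PointerToRawData at +20 of each 40-byte header
        size, ptr = struct.unpack_from("<II", data, sec_hdr + 40 * i + 16)
        sections.append((ptr, size))
    return {
        "e_lfanew": e_lfanew, "machine": machine, "chars": chars, "pe32": pe32,
        "subsystem": struct.unpack_from("<H", data, opt + 68)[0],
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "checksum_off": opt + 64, "secdir_off": dir_off + 8 * DIR_SECURITY,
        "dirs": [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(16)],
        "sections": sections,
    }


def attributes(data):
    """The checks behind the 'Windows Portable Executable Attributes' list above."""
    h = parse(data)
    return {
        "32-bit": h["pe32"] and h["machine"] == 0x14C,
        "dll": bool(h["chars"] & IMAGE_FILE_DLL),
        "executable_image": bool(h["chars"] & IMAGE_FILE_EXECUTABLE_IMAGE),
        "subsystem": SUBSYSTEMS.get(h["subsystem"], hex(h["subsystem"])),
        "has_exports": h["dirs"][DIR_EXPORT][1] != 0,
        "has_security": h["dirs"][DIR_SECURITY][1] != 0,  # an Authenticode blob is present
        "has_tls": h["dirs"][DIR_TLS][1] != 0,
        "dotnet": h["dirs"][DIR_CLR][1] != 0,
        "has_rich": b"Rich" in data[0x40:h["e_lfanew"]],
    }


def authenticode_hash(data, algo="sha256"):
    """Digest as Authenticode scopes it: the whole file except the CheckSum field,
    the security data-directory entry, and the certificate table itself."""
    h = parse(data)
    md = hashlib.new(algo)
    md.update(data[:h["checksum_off"]])
    md.update(data[h["checksum_off"] + 4:h["secdir_off"]])
    md.update(data[h["secdir_off"] + 8:h["size_of_headers"]])
    hashed = h["size_of_headers"]
    for ptr, size in sorted(h["sections"]):  # sections in file order
        md.update(data[ptr:ptr + size])
        hashed += size
    extra = len(data) - h["dirs"][DIR_SECURITY][1] - hashed  # trailing data minus cert table
    if extra > 0:
        md.update(data[hashed:hashed + extra])
    return md.hexdigest()


def transplant_demo():
    """Why a copied signature ends in Hash Mismatch: carrying a certificate table over leaves
    the digest unchanged, so a changed byte anywhere else is what the verifier catches."""
    unsigned = build_pe()
    carrying_sig = build_pe(cert=b"\0" * 0x100)  # placeholder WIN_CERTIFICATE blob
    patched = bytearray(carrying_sig)
    patched[0x400] = 0x90                        # one byte of .text altered
    return (authenticode_hash(unsigned) == authenticode_hash(carrying_sig),
            authenticode_hash(unsigned) != authenticode_hash(bytes(patched)))
```

Comparing the computed digest against the one the signer embedded additionally requires parsing the PKCS#7 blob in the certificate table (the pefile and signify packages do this); the scope rules above are what make a transplanted signature detectable, since the blob travels with the file but the digest it carries describes the original.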

File Traits

  • dll
  • HighEntropy
  • x86

HighEntropy alongside "File is not packed" in the attribute list suggests compressed or encrypted data carried inside the image rather than a recognised packer stub.

Block Information

Total Blocks: 2,145
Potentially Malicious Blocks: 419
Whitelisted Blocks: 1,725
Unknown Blocks: 1

Visual Map

0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x x 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 x ? 0 0 x x x x x x x x x x x x 0 x x x x x x x x x x x x x x x x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 x 0 x 0 x 0 x 0 0 0 x 0 x 0 0 x 0 x 0 x 0 1 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x x x x x x x x x x x x x x 0 x x x x x x x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 x x x x 0 0 x x x 0 x x x x x x x 0 0 0 0 0 0 x x 0 x 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 x x x x x 0 x x x x 0 0 0 0 0 0 0 0 x x x x x x x x x x x 0 x x x 0 x 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x x x 0 x x x x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x x x 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 x x x 0 x x x x x x x x x x x x x x x x x x x x x x x x x x x x x 0 x x x x x x x x 0 x x 0 x 0 0 x x x x x x x x x x x x x x x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 x x 0 0 x x 0 x 0 0 0 x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 1 1 0 0 0 0 0 
0 0 0 0 x 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 x x 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x x 0 x x x x x 0 0 0 x x 0 0 x 0 x 0 0 0 0 0 0 x x 0 0 0 0 x x 0 x 0 x x 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 x 0 1 x x x 0 0 0 0 x x 0 0 x 0 0 x 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 x 0 0 x x 0 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 x 0 0 0 x x 0 x 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 1 0 x 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 x 0 x 0 x 0 0 x 0 x 0 x x x x x x x 0 0 0 0 x 0 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x x 0 0 x x 0 x x x 0 x x 0 x x x 0 x x 0 0 0 x x x x x x x x x x x x x x x x x x 0 x 0 x x x x x 0 x x x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 x 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 3 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Kryptik.YB
  • Rugmi.FC
  • Rugmi.LDB

Windows API Usage

Category: Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Category: Process Shell Execute
  • CreateProcess
Category: Anti Debug
  • NtQuerySystemInformation
Category: Process Manipulation Evasion
  • NtUnmapViewOfSection

Taken together, CreateProcess with NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtWriteVirtualMemory and NtProtectVirtualMemory is the call set used to place code into a second process, whether by mapping a section into it or by unmapping and replacing its image; NtQueryInformationProcess, NtQueryDebugFilterState and NtQuerySystemInformation are the usual debugger-presence probes. The list records which APIs were observed, not their order or arguments, so treat it as consistent with process injection rather than as proof of it.

Shell Command Execution

Each record reads as the executing image (the 32-bit rundll32.exe under SysWOW64) followed by the command line. Every sample is loaded through rundll32 by path and called at the export LiQMAxHB; the module paths are the sandbox's <sha1>_<size> file names with no extension, which rundll32 loads regardless. The shared export name is the most stable pivot across the six samples.

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\b5516d227208181bf95080a77b79378c7a92aa45_0000224256.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\8c6100c7b2adf9433e9918bfcb100d290a651ef7_0000805408.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\b5857de5710befcba1d6c550ec6c829113b3f30d_0000537760.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\8bca8685c317d23a520ae0cd9f79cf08d2651e26_0000536136.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\d2228b3abee64989c225634dea8a07b0d14bc298_0000171008.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\78219cd9dfd535dd2f58b4c86017d83ba7604634_0001065984.,LiQMAxHB
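The rundll32 records above are the kind of process-creation telemetry (Sysmon event 1, EDR process events) a hunt runs over. The Python below is an added example, not part of the page: it parses an "image followed by command line" record into module path and entry point and scores the traits visible in the page's samples (32-bit rundll32 host, extensionless module in a user-writable path, the LiQMAxHB export). The records are constructed from the page's own lines plus benign Windows usage, and the scoring threshold and the USER_WRITABLE list are assumptions of this example.

```python
"""Added example, not from the page: triage rundll32 process-creation records. The sample
records are constructed (two copied from the page, the rest benign); scoring is this example's own."""
import ntpath
import shlex

# Entry point recorded for every Trojan.Rugmi.LDA sample on this page.
KNOWN_ENTRY_POINTS = {"LiQMAxHB"}
# Assumed list of user-writable locations a system DLL would not normally be loaded from.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")


def parse_rundll32(record):
    """Split '<image> <command line>' into the rundll32 image, module path and entry point.
    Returns None when the image is not rundll32 or no 'module,entry' argument is present."""
    tokens = [t.strip('"') for t in shlex.split(record, posix=False)]
    if not tokens or ntpath.basename(tokens[0]).lower() != "rundll32.exe":
        return None
    # tokens[1] is argv[0] (rundll32 itself); the first later token with a comma is 'module,entry'.
    arg = next((t for t in tokens[2:] if "," in t), None)
    if arg is None:
        return None
    module, _, entry = arg.partition(",")
    return {"image": tokens[0], "module": module, "entry": entry}


def triage(record):
    """Return the parsed fields plus the findings and a verdict for one record."""
    parsed = parse_rundll32(record)
    if parsed is None:
        return {"verdict": "not_applicable", "findings": []}
    findings = []
    image, module, entry = parsed["image"].lower(), parsed["module"].lower(), parsed["entry"]
    if "\\syswow64\\" in image:
        findings.append("32-bit rundll32 host (SysWOW64), matches the x86 samples")
    if ntpath.splitext(module)[1] in ("", "."):
        findings.append("module path has no file extension (rundll32 loads it anyway)")
    if any(d in module for d in USER_WRITABLE):
        findings.append("module loaded from a user-writable directory")
    if entry in KNOWN_ENTRY_POINTS:
        findings.append(f"entry point {entry} is the Trojan.Rugmi.LDA export")
    elif entry.startswith("#"):
        findings.append("export called by ordinal")
    # Assumed threshold: a known export alone, or any two weaker traits, is worth an alert.
    verdict = "suspicious" if entry in KNOWN_ENTRY_POINTS or len(findings) >= 2 else "benign"
    return {**parsed, "findings": findings, "verdict": verdict}


# Constructed records: the first two are the page's sandbox invocations, the rest are benign.
SAMPLE_RECORDS = [
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\b5516d227208181bf95080a77b79378c7a92aa45_0000224256.,LiQMAxHB",
    r"C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\78219cd9dfd535dd2f58b4c86017d83ba7604634_0001065984.,LiQMAxHB",
    r'C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\shell32.dll,Control_RunDLL',
    r"C:\WINDOWS\system32\notepad.exe notepad.exe readme.txt",
]


def run_triage(records=SAMPLE_RECORDS):
    """Triage every record; returns one result dict per record in input order."""
    return [triage(r) for r in records]


if __name__ == "__main__":
    for result in run_triage():
        print(result["verdict"], result.get("entry"), result["findings"])
```

The export-name match is the high-confidence rule; the weaker traits are there so that renamed exports in the related Rugmi.FC and Rugmi.LDB samples still surface when they are loaded the same way.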
