Trojan.Rugmi.ODA
Analysis Report
General information
| Family Name: | Trojan.Rugmi.ODA |
|---|---|
| Signature status: | Hash Mismatch |
Known Samples
This section lists other file samples believed to be associated with this family.
| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 0a5c807cb24af810ad53dfb8881b12f7 | 6b4b72036d0a49014982235182c7efa36d62814c | 95A3F8CB32109AD65CCA12CBC23E3419B30D1272D3A73D109DEBB0C9BE8EB908 | 396192 bytes (396.19 KB) |
| ad076d3573488b34bcba52617790dae2 | 50e30d72aaff814a8c8ff4b606fd592cb25f6788 | 96DF0047DE8DA60B95E4FC0C5A947866AE75FB43BB2560FB3D9A0E76212E695B | 396192 bytes (396.19 KB) |
| 64a5a928ae8db5fe64a64e0f8661ef01 | 4e58a72fc08057bfcb063e810257f858548d749b | D911F5BD424AEE33D4D78394ECD3EFE68D01F523A8869A37154522BC923293F4 | 756640 bytes (756.64 KB) |
| 90d0f4892530936439ce3dfd80a5bfad | 96d8c3ec0890d194296a0eb575baf9892c4a1e30 | 1733D1CFCDA0EF9D56C157FAC9E48DAB8CBB03C9C90AB3BAA08E6A3560B1B08F | 396192 bytes (396.19 KB) |
| fb90d6b81ceaae07d277a22f9abc4b04 | f186ca4c0c8bde6cd4116ccbed7b587467746281 | CC460BE6447EB189DC679BFC2F13134554F4FD1655AEC6D3D62D432F8473DEF0 | 396192 bytes (396.19 KB) |
| bec74631f62c566aeb68384bb6b04225 | 91e42cce4bb8462c647278fe607c7525a417ab97 | 7252E4279CAEE4C9DB221D9B07EF4CC4C4662477A1A7445F31DEE7C7D121D1D6 | 396192 bytes (396.19 KB) |
| 37c279beb3aaee5a25baa4132a6ec8d7 | dc48d316c38b570d927012d1cee93816ae7c8fcc | F9A3E94B66CEA8BFEAAAA5C9F6D295B7B3A06348E5EFCFF27019451A3CBF1F10 | 396192 bytes (396.19 KB) |
| 88cc097881671afeb22f3bd75e0291be | 0de412d6a286479c78e98d2c24c3f7ad03d03c10 | EC7BDAD83B292D61AAEF18A170B8526E9866888F0340D2F9FACC71ECD4B5FE95 | 396192 bytes (396.19 KB) |
| 6df157185eb4cb6ea329589123812b79 | 4f27dcf0c61c6e7a51100588af8674a5ecb69dc4 | 5CD1C369FA048FF6FF1868D2E34F80F8D14B8AF1ED44525ECA40D68B4E1E03C2 | 396192 bytes (396.19 KB) |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File has exports table
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software. All fields are blank for the samples in this family.
| Name | Value |
|---|---|
| Comments | |
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When verifying a signature, confirm that its root authority is a well-known, trustworthy entity and that the signature status is good. Malware is often signed with untrustworthy “Self Signed” certificates, which an author can create with no verification. Malware may also carry legitimate signatures with an invalid status, or signatures chained to questionable root authorities under fake or misleading “Signer” names. A status of Hash Mismatch means the digest embedded in the signature does not match the file's Authenticode hash: the signature is present but does not cover this file, which is what a signature lifted from a legitimately signed binary and grafted onto another file looks like. That is the case here: the signer name and root below belong to a legitimate chain, yet the status is Hash Mismatch.
| Signer | Root | Status |
|---|---|---|
| Intel(R) Software Products | Equifax Secure Certificate Authority | Hash Mismatch |
File Traits
- 2+ executable sections
- dll
- HighEntropy
- x86
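The attributes listed above (no Rich header, no debug directory, an exports table, PE32, GUI subsystem, IMAGE_FILE_DLL clear) are all readable from the PE headers, and the Hash Mismatch status in the signature table is a statement about the Authenticode hash of the file, not about the certificate chain. The following script is an added example and not EnigmaSoft's code: it builds two minimal PE32 images in memory (constructed stand-ins, not the samples on this page), evaluates those header attributes, and shows how a signature taken from one file yields Hash Mismatch on another. The export and debug directory sizes, the stand-in signature blob and the simplified Rich block are assumptions made for the demonstration, and the Authenticode hash routine is simplified to contiguous, file-ordered sections.

```python
"""Added example, not EnigmaSoft's code: PE header triage for the attributes
listed above, plus the Authenticode hash behind a "Hash Mismatch" status.
Both PE images are built in memory as stand-ins for the listed samples."""
import hashlib
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
PE32_MAGIC = 0x10B


def build_pe32(characteristics, subsystem, export_size=0, debug_size=0, rich=False,
               code=b"\x90" * 16):
    """Assemble a minimal, well-formed PE32: DOS header, optional simplified
    Rich block, COFF header, 224-byte optional header, one .text section."""
    stub = b""
    if rich:  # real Rich blocks XOR their entries with the key; presence checks
        stub = b"DanS" + b"\0" * 12 + b"Rich" + b"\x11\x22\x33\x44"  # look for the marker
    e_lfanew = 64 + len(stub)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew) + stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, characteristics)
    opt = struct.pack("<HBBIIIIII", PE32_MAGIC, 14, 0, len(code), 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIII", 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, 0x2000, 0x200, 0)             # ..., SizeOfHeaders, CheckSum=0
    opt += struct.pack("<HHIIIIII", subsystem, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[0] = (0x1000, export_size)                    # IMAGE_DIRECTORY_ENTRY_EXPORT
    dirs[6] = (0x1000, debug_size)                     # IMAGE_DIRECTORY_ENTRY_DEBUG
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers.ljust(0x200, b"\0") + code.ljust(0x200, b"\0")


def pe_layout(data):
    """Return (optional-header offset, data-directory offset, is_pe32)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24
    is_pe32 = struct.unpack_from("<H", data, opt)[0] == PE32_MAGIC
    return opt, opt + (96 if is_pe32 else 112), is_pe32   # PE32+ directories start at 112


def triage(data):
    """Evaluate the header attributes this report lists for the family."""
    opt, dirs, is_pe32 = pe_layout(data)
    characteristics = struct.unpack_from("<H", data, opt - 2)[0]   # last COFF header field
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]        # same offset in PE32/PE32+
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    size_of = lambda i: struct.unpack_from("<I", data, dirs + 8 * i + 4)[0] if i < ndirs else 0
    return {
        "rich_header": b"Rich" in data[0x40:opt - 24],
        "debug_info": size_of(6) != 0,
        "exports_table": size_of(0) != 0,
        "is_32bit": is_pe32,
        "gui_subsystem": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "dll_flag": bool(characteristics & IMAGE_FILE_DLL),
        "executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "has_signature": size_of(4) != 0,
    }


def authenticode_hash(data, algo="sha256"):
    """Authenticode PE hash: the file minus the CheckSum field, the Certificate
    Table directory entry and the certificate table itself.  Simplified to
    contiguous, file-ordered sections, which is what build_pe32 produces."""
    opt, dirs, _ = pe_layout(data)
    checksum, cert_entry = opt + 64, dirs + 8 * 4
    cert_off, cert_size = struct.unpack_from("<II", data, cert_entry)   # file offset, not RVA
    h = hashlib.new(algo)
    h.update(data[:checksum])
    h.update(data[checksum + 4:cert_entry])
    h.update(data[cert_entry + 8:cert_off if cert_size else len(data)])
    return h.hexdigest()


def attach_certificate_table(data, blob):
    """Append a WIN_CERTIFICATE wrapper around blob and point directory 4 at it:
    grafting a signature taken from another binary looks exactly like this."""
    _, dirs, _ = pe_layout(data)
    table = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob   # rev 2.0, PKCS#7
    table += b"\0" * (-len(table) % 8)
    out = bytearray(data)
    struct.pack_into("<II", out, dirs + 8 * 4, len(data), len(table))
    return bytes(out) + table


def signature_status(signed_file, digest_in_signature):
    """The verifier's verdict: the digest the signer committed to must equal
    the file's current Authenticode hash, otherwise "Hash Mismatch"."""
    return "Good" if authenticode_hash(signed_file) == digest_in_signature else "Hash Mismatch"


if __name__ == "__main__":
    flags = IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100          # 32-bit machine, IMAGE_FILE_DLL clear
    legit = build_pe32(flags, IMAGE_SUBSYSTEM_WINDOWS_GUI, export_size=0x40)
    digest = authenticode_hash(legit)                    # what the original signer committed to
    sig = b"stand-in for the PKCS#7 SignedData blob"      # constructed, not a real signature
    print(signature_status(attach_certificate_table(legit, sig), digest))   # Good
    rogue = build_pe32(flags, IMAGE_SUBSYSTEM_WINDOWS_GUI, export_size=0x40, code=b"\xcc" * 16)
    print(signature_status(attach_certificate_table(rogue, sig), digest))   # Hash Mismatch
    print(triage(rogue))
```

Two points worth noting from the run: changing the CheckSum field does not change the Authenticode hash, so a grafted signature cannot be "repaired" by fixing the checksum, and `triage` reports IMAGE_FILE_DLL exactly as stored in the header, which is why the attribute list above says the flag is clear even though the File Traits and the rundll32 launches further down treat the samples as DLLs.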
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 233 |
|---|---|
| Potentially Malicious Blocks: | 8 |
| Whitelisted Blocks: | 205 |
| Unknown Blocks: | 20 |
Visual Map
Block map in report order, one symbol per block (233 entries, reconstructed from the page's figure and shown in groups of ten). The first 45 entries use the legend below and account for the 8 potentially malicious and 20 unknown blocks counted above; the legend does not define the digits 1, 2 and 3 that appear in the remaining 188 entries, which are reproduced as printed.
xx000???0? ??????000? 00?00x?0x? 00???x?00x ??x0x
2000000000 1000011000 0000000000 0100000000 0000000000
0000000000 2300010010 0000000000 0000000000 1000000001
0000000220 0010100000 0000000000 0000000000 0110000000
0000000000 0000000000 0011001001 00010021
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation. The page lists the categories below without naming individual APIs.
| Category | API |
|---|---|
| Syscall Use | |
| Process Shell Execute | |
| Anti Debug | |
| Process Manipulation Evasion | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
All nine launches follow one pattern. Each entry shows two rundll32 paths: the SysWOW64 copy that actually ran, followed by a command line whose argv[0] names the System32 copy, consistent with the 64-bit rundll32 handing a 32-bit module to its WOW64 counterpart. The module is the sample itself in the sandbox's Downloads folder, named from its SHA1 and size with no file extension, and the same export, LiQMAxHB, is invoked every time.
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6b4b72036d0a49014982235182c7efa36d62814c_0000396192.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\50e30d72aaff814a8c8ff4b606fd592cb25f6788_0000396192.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\4e58a72fc08057bfcb063e810257f858548d749b_0000756640.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\96d8c3ec0890d194296a0eb575baf9892c4a1e30_0000396192.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\f186ca4c0c8bde6cd4116ccbed7b587467746281_0000396192.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\91e42cce4bb8462c647278fe607c7525a417ab97_0000396192.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\dc48d316c38b570d927012d1cee93816ae7c8fcc_0000396192.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0de412d6a286479c78e98d2c24c3f7ad03d03c10_0000396192.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\4f27dcf0c61c6e7a51100588af8674a5ecb69dc4_0000396192.,LiQMAxHB
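As an added example that is not EnigmaSoft's code or part of this report, the following Python scores rundll32 process-creation records for the launch pattern listed above: a module under a user-writable path, a module name without a DLL extension, the SysWOW64 image paired with a System32 argv[0], and an export name that is not on an allowlist. The telemetry is constructed for the example: record 0 reproduces the first command line in this section, the other records are benign look-alikes invented here, and the allowlist of rundll32 entry points and the list of user-writable directories are assumptions an analyst would tune.

```python
"""Added example, not EnigmaSoft's code: detection logic for the rundll32
launches listed in this report, run over constructed Sysmon-style
process-creation records (Image + CommandLine).  Only record 0 below is
copied from the report; the rest are made up for the example."""
import ntpath
import re
from dataclasses import dataclass

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
MODULE_EXTENSIONS = {".dll", ".cpl", ".ocx"}
# Analyst-maintained allowlist of exports commonly launched via rundll32 (assumption).
KNOWN_ENTRYPOINTS = {"Control_RunDLL", "PrintUIEntry", "ShellExec_RunDLL", "InstallHinfSection"}
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class Event:
    image: str          # Sysmon 'Image': the executable that actually started
    command_line: str   # Sysmon 'CommandLine': argv as the parent passed it


@dataclass
class Finding:
    module: str
    entry: str
    reasons: list


def split_cmdline(command_line):
    """Windows-style argv split: quoted tokens keep their spaces."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(command_line)]


def parse_rundll32(command_line):
    """Return (module, entrypoint) from 'rundll32.exe <module>,<entry> [args]',
    or None when the command line is not a rundll32 launch."""
    args = split_cmdline(command_line)
    if len(args) < 2 or ntpath.basename(args[0]).lower() != "rundll32.exe":
        return None
    module, _, entry = args[1].partition(",")
    if not entry and len(args) > 2:   # '"quoted module",entry' or 'module, entry'
        entry = args[2].lstrip(",")
    return module, (entry.split() or [""])[0]


def assess(event):
    """Score one process-creation record; returns None if it is not rundll32."""
    parsed = parse_rundll32(event.command_line)
    if parsed is None:
        return None
    module, entry = parsed
    low = module.lower()
    reasons = []
    if ntpath.isabs(low) and any(d in low for d in USER_WRITABLE):
        reasons.append("module loaded from a user-writable directory")
    ext = ntpath.splitext(low)[1]
    if ext not in MODULE_EXTENSIONS:
        reasons.append(f"module extension {ext!r} is not a DLL extension")
    argv0 = split_cmdline(event.command_line)[0].lower()
    if "\\syswow64\\" in event.image.lower() and "\\system32\\" in argv0:
        reasons.append("WOW64 rundll32 with a System32 argv[0]: 64-bit host handed off a 32-bit module")
    if entry not in KNOWN_ENTRYPOINTS:
        reasons.append(f"entry point {entry!r} is not an allowlisted export")
    return Finding(module, entry, reasons)


def hunt(events, min_reasons=2):
    """Keep records with at least min_reasons signals; a single signal is noisy
    (a vendor DLL with an unfamiliar export is normal)."""
    findings = (assess(e) for e in events)
    return [f for f in findings if f is not None and len(f.reasons) >= min_reasons]


# Constructed telemetry.  Record 0 reproduces the first entry of this report's
# Shell Command Execution list; the others are benign look-alikes made up here.
EVENTS = [
    Event(r"C:\WINDOWS\SysWOW64\rundll32.exe",
          r"C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6b4b72036d0a49014982235182c7efa36d62814c_0000396192.,LiQMAxHB"),
    Event(r"C:\Windows\System32\rundll32.exe",
          r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL "C:\Windows\System32\appwiz.cpl"'),
    Event(r"C:\Windows\System32\rundll32.exe",
          r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Vendor\helper.dll",Start'),
    Event(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\user\notes.txt"),
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f.module, f.entry, *("  - " + r for r in f.reasons), sep="\n")
```

Run as is, only record 0 is reported, with all four signals; the vendor DLL in record 2 trips just the allowlist check and stays below the threshold. In production the SHA1-and-size file name is a sandbox artifact and should not be used as an indicator; the extension, location and WOW64 hand-off signals are the parts that transfer.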