Trojan.Rugmi.UA

By CagedTech in Trojans

Table of Contents

Analysis Report

General information

Family Name:	Trojan.Rugmi.UA
Signature status:	Hash Mismatch

Known Samples

MD5: 5f425224f211c66655e2817da974068e

SHA1: a1c85de40b084d434fff61aef39bf7fea5c13e8e

SHA256: 98E3B60E39856405C20794D67707793A97DD145829D92CEAF064EFFADAB343C2

File Size: 4.01 MB, 4009935 bytes

MD5: 21e5b3b29a0614157bcdd274377fb6f5

SHA1: 5a39b5a5f7353f14612c18e5294d1e801931ccb2

SHA256: 94B3764811F8A870EDB37730B8A392AF3064AC53AD3940334F0662716CBB9DEC

File Size: 2.76 MB, 2764302 bytes

MD5: a180a32a12330d90aa4fba01c2dc48f7

SHA1: 6805814f9c61c77fd4b44a3bad526beeb99e5a0c

SHA256: 9B4987C19AC28A39BE371BD1F9885E9D0DFBEAFC67C0DC7AD8E938FB9C778367

File Size: 139.30 KB, 139296 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File has exports table
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)

File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Company Name	Microsoft Corporation Oleg N. Scherbakov
File Description	7z Setup SFX (x86) Gpu Capture Analyzer
File Version	17.0.36015.10 (WinBuild.160101.0800) 1.4.0.1795
Internal Name	7ZSfxMod GpuCaptureAnalyzer
Legal Copyright	Copyright © 2005-2010 Oleg N. Scherbakov © Microsoft Corporation. All rights reserved.
Original Filename	7ZSfxMod_x86.exe GpuCaptureAnalyzer
Private Build	June 27, 2010
Product Name	7-Zip SFX Microsoft® Windows® Operating System
Product Version	17.0.36015.10 1.4.0.1795

Digital Signatures

Signer	Root	Status
Microsoft Corporation	Microsoft Code Signing PCA 2011	Hash Mismatch

File Traits

Block Information

Total Blocks:	660
Potentially Malicious Blocks:	5
Whitelisted Blocks:	655
Unknown Blocks:	0

Visual Map

0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 2 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 2 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 2 2 0 3 1 1 1 1 1 2 0 0 1 0 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

Rugmi.UA

Files Modified

File	Attributes
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\cdwizard.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\cdwizard.dll	Generic Write,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\cdwizard.dll	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\cdwizard.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\cdwizard.ini	Generic Write,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\cdwizard.ini	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\cdwizard.log	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\cdwizard.log	Generic Write,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\cdwizard.log	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\control_v.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\control_v.exe	Generic Write,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\control_v.exe	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\freesclugpliend.lqle	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\freesclugpliend.lqle	Generic Write,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\freesclugpliend.lqle	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\gpucaptureanalyzer.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\gpucaptureanalyzer.dll	Generic Write,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\gpucaptureanalyzer.dll	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\msvcp140.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\msvcp140.dll	Generic Write,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\msvcp140.dll	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\vcruntime140.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\vcruntime140.dll	Generic Write,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\vcruntime140.dll	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\zond.pj	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\zond.pj	Generic Write,Read Attributes,Delete,LEFT 262144
c:\programdata\base_config_analyzer_win6c:\users\user\appdata\roaming\zond.pj	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\programdata\repository\cdwizard.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\repository\cdwizard.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\repository\cdwizard.log	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\repository\control_v.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\repository\freesclugpliend.lqle	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\repository\gpucaptureanalyzer.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\repository\msvcp140.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\repository\vcruntime140.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\repository\zond.pj	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\289acb6.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\8fdded6.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\cdwizard.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\cdwizard.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\cdwizard.ini	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\cdwizard.ini	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\cdwizard.log	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\cdwizard.log	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\control_v.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\control_v.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\freesclugpliend.lqle	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\freesclugpliend.lqle	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\gpucaptureanalyzer.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\gpucaptureanalyzer.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\msvcp140.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\msvcp140.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\vcruntime140.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\vcruntime140.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\zond.pj	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\zond.pj	Synchronize,Write Attributes
c:\users\user\appdata\roaming\base_config_analyzer_win6c:\users\user\appdata\roaming\chime.exe	Read Attributes,Synchronize,Write Data
c:\users\user\appdata\roaming\repository\chime.exe	Read Attributes,Synchronize,Write Data

Registry Modifications

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey

Windows API Usage

Category	API
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	CreateProcess ShellExecuteEx
Syscall Use	ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtClose ntdll.dll!NtCreateFile ntdll.dll!NtCreateSection ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenProcessToken ntdll.dll!NtQueryAttributesFile Show More ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationToken ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtReadFile ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWriteFile
Anti Debug	NtQuerySystemInformation

Shell Command Execution


							(NULL) C:\Users\Cvlruubx\AppData\Local\Temp\Control_V.exe


							(NULL) C:\Users\Huknaqtn\AppData\Local\Temp\Control_V.exe


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6805814f9c61c77fd4b44a3bad526beeb99e5a0c_0000139296.,LiQMAxHB

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.Rugmi.UA

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

Digital Signatures

Digital Signatures

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Affinity

Trojan.Lamer.BK

Trojan.Agent.anbs

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Discord Is Stuck on Gray Screen

Discord Shows Black Screen when Sharing Screen