Win32[.]SugarGhost[.]Kz[.]7z | Triage

Sharing

Copy URL Twitter E-mail

General

Target

Win32.SugarGhost.Kz.7z
Size

149KB
MD5

8f420e5fc3daa98bb4911c20eb96423b
SHA1

2149a996e124064fbb391c0fdc8d9281679229a8
SHA256

2cdc918e3dccab72605b3312ab65d14e0aca4d64d2be33504a5d3a49a5c5ce82
SHA512

39b9237dea2af1f6dbcb131050f073278e6a0f732370da0349288979d16a02874ae6159d9a9ec484d989df01261f0f7cd4e41f4ca2dc634cf0a5df19b89c5965
SSDEEP

3072:923nKt93v0LHujZP9tZhIPS/KoSusUWffp4me33:w3Kt9ZP9tZhIS/xRsU8q33

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
static1/unpack001/Win32.SugarGhost.Kz/update.dll_DEDF98E7E085CED2D3266AFA9279E4C7	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Win32.SugarGhost.Kz/update.dll_DEDF98E7E085CED2D3266AFA9279E4C7

Files

Win32.SugarGhost.Kz.7z
.7z

Password: infected
Win32.SugarGhost.Kz/authz.lib_C2049C234BF2CA534668F8A10CE244D5
Win32.SugarGhost.Kz/update.dll_DEDF98E7E085CED2D3266AFA9279E4C7
.dll windows:4 windows x86 arch:x86

867530720f9de76faec48cca71f7cbf8

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CloseHandle
LoadLibraryA
VirtualProtect
GetModuleFileNameA
ExitProcess

ole32

CoTaskMemAlloc

user32

MessageBoxA

Sections

.text
Size: - Virtual size: 34KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: - Virtual size: 29KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_WRITE

.vmp2
Size: 84KB - Virtual size: 80KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 92B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Win32.SugarGhost.Kz/~tmp.vbs_56E231A9DB0F55E333C4F9EC99EEC086
.vbs