Malware Analysis Report

2025-08-05 23:33

Sample ID 250119-x96tvsslhv
Target project ligma and stigma builder.bat
SHA256 8a4bffce8c62437df3f629c3f460cbf3022bd7e99b62b1ca850b94c220fbe3c7
Tags spyware stealer
Score 8/10

Analysis Overview

Score 8/10
SHA256 8a4bffce8c62437df3f629c3f460cbf3022bd7e99b62b1ca850b94c220fbe3c7

Threat Level: Likely malicious

The file project ligma and stigma builder.bat was found to be: Likely malicious.

Malicious Activity Summary

spyware stealer

Blocklisted process makes network request

Reads user/profile data of web browsers

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-01-19 19:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-01-19 19:34
Reported 2025-01-19 19:37
Platform win11-20241007-en
Max time kernel 150s
Max time network 154s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\project ligma and stigma builder.bat"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\mshta.exe | N/A
N/A | N/A | C:\Windows\system32\mshta.exe | N/A
N/A | N/A | C:\Windows\system32\mshta.exe | N/A
N/A | N/A | C:\Windows\system32\mshta.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 872 wrote to memory of 5520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 872 wrote to memory of 5520 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 872 wrote to memory of 3212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 872 wrote to memory of 3212 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 5644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mshta.exe
PID 3212 wrote to memory of 5644 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mshta.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\project ligma and stigma builder.bat"

C:\Windows\system32\mode.com

mode con:cols=50 lines=2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mshta.exe "C:\Users\Admin\AppData\Local\Temp\project ligma and stigma builder.bat"

C:\Windows\system32\mshta.exe

mshta.exe "C:\Users\Admin\AppData\Local\Temp\project ligma and stigma builder.bat"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | i.imgur.com | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 199.232.196.193:443 | i.imgur.com | tcp
US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp

Files

N/A