// MALWARE INTELLIGENCE

Investigation of suspicious samples on VirusTotal revealed multiple malicious files communicating with infrastructure linked to SigmaWare Stealer, a commercial information stealer distributed within underground communities.

Static and behavioral analysis confirms credential theft, screen capture, and surveillance capabilities matching SigmaWare’s advertised features.

VirusTotal Sample Evidence

Basic sample information observed in VirusTotal:

Behavioral execution showing stealer activities:

Advertised Capabilities

The malware dashboard advertises capabilities including:

• Live screen capture
• Remote screenshots
• File theft
• Network credential stealing
• Anti-VM and sandbox bypass

Operator Attribution

The operation appears linked to underground actor hasar0001, active on cybercrime forums and marketplaces.

Telegram infrastructure used for communication:

Panel Country Lock Feature

User of Sigmaware can restrict panel login to selected countries.

Indicators of Compromise

Conclusion

SigmaWare operates as a commercial stealer platform providing credential theft and surveillance functionality. Observed telemetry and OSINT correlations indicate active underground distribution.