legion

General

Sample

191216-jdlb4kw3n6

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://legion17.top/legion17/welcome

Extracted

Credentials

Protocol: ftp
Host:
45.81.235.3
Port:
21
Username:
unser_server.118273
Password:
PHST6112002002

Targets

Score

10^/10

downloader legion spyware persistence discovery stealer vidar
- Legion
  Legion is a malware downloader written in C++.
  downloader legion
- Legion downloader
  Detected Legion downloader HTTP request code and PowerShell execution.
  downloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- JavaScript code in executable
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Modifies service
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
task1