legion | fcc5a956c6a26326d2ef51aa71f9996dc7e5003f332f24619464c5187b3008c2 | Triage

Sharing

General

Target

fcc5a956c6a26326d2ef51aa71f9996dc7e5003f332f24619464c5187b3008c2
Size

1.7MB
Sample

220731-fb1rhshgej
MD5

36ed6ebbde3ca54e4a71950518b5572e
SHA1

09cd4ff01620634229d346b94eadcd4fc5510426
SHA256

fcc5a956c6a26326d2ef51aa71f9996dc7e5003f332f24619464c5187b3008c2
SHA512

4dbb819ef9cc5dbd457ccb24842b50a6416f792c20439580dc1d2d8b69cac7ae53d1f0442db2f6b487e95b1a4bd8aef8ae54e2c87649d49d276af5d1ec9a10a6

Score

10^/10

legion downloader evasion

Malware Config

Targets

- Target
  
  fcc5a956c6a26326d2ef51aa71f9996dc7e5003f332f24619464c5187b3008c2
- Size
  
  1.7MB
- MD5
  
  36ed6ebbde3ca54e4a71950518b5572e
- SHA1
  
  09cd4ff01620634229d346b94eadcd4fc5510426
- SHA256
  
  fcc5a956c6a26326d2ef51aa71f9996dc7e5003f332f24619464c5187b3008c2
- SHA512
  
  4dbb819ef9cc5dbd457ccb24842b50a6416f792c20439580dc1d2d8b69cac7ae53d1f0442db2f6b487e95b1a4bd8aef8ae54e2c87649d49d276af5d1ec9a10a6
Score

9^/10

evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Looks for VMWare Tools registry key
  evasion
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

downloaderlegion

behavioral1

behavioral2