legion | 483e4420eafdf7c0e234ef5e9dbee200417ca08c031f1eb897c7f5ee56f34836 | Triage

Sharing

General

Target

$REJOPP1.dll
Size

443KB
Sample

241011-rvb32sxcjf
MD5

ec004dc03be6ebc78f5c1d7f22609155
SHA1

54fa9d62fbe8e562b3657907b7b69c95420f95c5
SHA256

483e4420eafdf7c0e234ef5e9dbee200417ca08c031f1eb897c7f5ee56f34836
SHA512

a411ba656dbbbe04a97c8341fede3e525df432c5603ad16ddec40e75c7fdbc261af4d8baf8d5c6e05ca04bd9a73bf961d2491b6368b4ee55cbf3fb2e7249cea2
SSDEEP

6144:u22607OpiESnemEcwc2Tn1Tlkdjgxz2rN9c9k+eb2hY9lSeB47ELAOH:f2607OpijjkkdgxqrQu+mrSe6+

Score

10^/10

legion discovery downloader loader stealer

Malware Config

Extracted

Family

legion

C2

dns-beast.com

Attributes

url_paths
hittest.php
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko

Targets

- Target
  
  $REJOPP1.dll
- Size
  
  443KB
- MD5
  
  ec004dc03be6ebc78f5c1d7f22609155
- SHA1
  
  54fa9d62fbe8e562b3657907b7b69c95420f95c5
- SHA256
  
  483e4420eafdf7c0e234ef5e9dbee200417ca08c031f1eb897c7f5ee56f34836
- SHA512
  
  a411ba656dbbbe04a97c8341fede3e525df432c5603ad16ddec40e75c7fdbc261af4d8baf8d5c6e05ca04bd9a73bf961d2491b6368b4ee55cbf3fb2e7249cea2
- SSDEEP
  
  6144:u22607OpiESnemEcwc2Tn1Tlkdjgxz2rN9c9k+eb2hY9lSeB47ELAOH:f2607OpijjkkdgxqrQu+mrSe6+
Score

10^/10

legion discovery downloader loader stealer
- Legion, RobotDropper, Satacom
  Legion aka 'RobotDropper' or 'Satacom' is a malware downloader written in C++ and Legion stealer is written C#.
  downloader stealer legion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

legiondiscoverydownloaderloaderstealer

behavioral2

legiondiscoverydownloaderloaderstealer