legion | 119f71276feb0064a7382ae036cc9a7ef9a2cdef69f8b4ca65a0e0ce4643245a | Triage

Sharing

General

Target

winmm.dll
Size

841KB
Sample

241011-wb3twazcrp
MD5

d6a8c7fd490cd1149c0b51d961eab9f3
SHA1

73bb1220ead897fcc36df8d8622104ae82a9ad12
SHA256

119f71276feb0064a7382ae036cc9a7ef9a2cdef69f8b4ca65a0e0ce4643245a
SHA512

0273f74c072f48a3aaac1c6e808fcdcab465513651c5a7815fc75e767af85cd1654073f776a5f41ad2d9606264302333d4524cbe838dacfeae1e1d7ff413befc
SSDEEP

6144:oUCLuxLYxYooT5WjKkwxPQm9msflBOkV4ELEko/q+EIZtCn6Kyn3KzhJTTcAcYGR:TCv/o9rk8597u/PHvLKkAS84RQ8MoJ

Score

10^/10

legion discovery downloader loader stealer

Malware Config

Extracted

Family

legion

C2

dns-beast.com

Attributes

url_paths
hittest.php
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko

Targets

- Target
  
  winmm.dll
- Size
  
  841KB
- MD5
  
  d6a8c7fd490cd1149c0b51d961eab9f3
- SHA1
  
  73bb1220ead897fcc36df8d8622104ae82a9ad12
- SHA256
  
  119f71276feb0064a7382ae036cc9a7ef9a2cdef69f8b4ca65a0e0ce4643245a
- SHA512
  
  0273f74c072f48a3aaac1c6e808fcdcab465513651c5a7815fc75e767af85cd1654073f776a5f41ad2d9606264302333d4524cbe838dacfeae1e1d7ff413befc
- SSDEEP
  
  6144:oUCLuxLYxYooT5WjKkwxPQm9msflBOkV4ELEko/q+EIZtCn6Kyn3KzhJTTcAcYGR:TCv/o9rk8597u/PHvLKkAS84RQ8MoJ
Score

10^/10

legion discovery downloader loader stealer
- Legion, RobotDropper, Satacom
  Legion aka 'RobotDropper' or 'Satacom' is a malware downloader written in C++ and Legion stealer is written C#.
  downloader stealer legion
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

legiondiscoverydownloaderloaderstealer

behavioral2

legiondiscoverydownloaderloaderstealer