General

  • Target

    6E537A7A10084948A7B7CE43195693E285425986

  • Size

    1.0MB

  • Sample

    241011-whxanszfpr

  • MD5

    1021d19d566516038226b11df94bd678

  • SHA1

    cd13a0d0593f39dda87b4f98f49811a28d076908

  • SHA256

    f25b0322ec826b79bb2c088a3c017e00f6d5afe724acba9807a5c3bd6bc4f694

  • SHA512

    ccf3c3a349acf6dfa544ae0dbc4176730d1e30a61080eea55aa183373ef50273f65d7d1b367c6fd6ebdccd1d9b18a7442c1f912daec4c252bad3286e2041a3e3

  • SSDEEP

    24576:RvfK9izZ2EpV4NKp/9St21TXZqJuT/t8NODg0QY/c+oPTQcRY:RnK0cEplStsZwX0DqYziy

Malware Config

Extracted

Family

legion

C2

dns-beast.com

Attributes
  • url_paths

    hittest.php

  • user_agent

    Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko

Targets

    • Target

      Setup.exe

    • Size

      1.4MB

    • MD5

      68f9b52895f4d34e74112f3129b3b00d

    • SHA1

      c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e

    • SHA256

      d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f

    • SHA512

      1cd875f9d0301b14645ea608fe61560a229ee395fa061f32675c3d84e41916998f887278d8497a5e875be22ba8fcbcfcbd878a5e2ed1746dc75430b7aed5fede

    • SSDEEP

      24576:fsmjNvgp+pxECAucO9iWFT0z7rLuUhFP3MGX:PFgpAiIiWdzUz35X

    • Legion, RobotDropper, Satacom

      Legion, also known as 'RobotDropper' or 'Satacom', is a malware downloader written in C++; the Legion stealer is written in C#.

    • Suspicious use of SetThreadContext

    • Target

      plugins/NetworkTools.dll

    • Size

      844KB

    • MD5

      9142efa8e5b6fa9c95229d8c217b9211

    • SHA1

      9ad24a90b73d274731b44724816d461c9f36a202

    • SHA256

      6f0a1df27838aaedfd8ceb6eb670b01a3a8ca398960fad661451bf605a23f5a7

    • SHA512

      6936f09fff7e2c89c46d7561f6acc6de0a3781e18c2b98313b0eb82b777ceeb12123ad2b7e54a9a40ab4149d6f5011b172e8046d61f69a416acd33482710f3b0

    • SSDEEP

      12288:nWGTBYmTAvj6JJ9vuCGgDiBLIG78Kkz82azvCtyAvsEUE5XVNPvOZFn6T8XTWJ/Y:WGTB1TrjD/SeGVqqClScz

    • Legion, RobotDropper, Satacom

      Legion, also known as 'RobotDropper' or 'Satacom', is a malware downloader written in C++; the Legion stealer is written in C#.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks