PULSE NAME
Technical analysis of LegionLoader
WHITE cti-tehtris 2025-02-04 Modified: 2025-02-04
134 IOCs (HIGH VOLUME)
LegionLoader, also known as Satacom, CurlyGate, and RobotDropper, is an active downloader that has been operating in the shadows and has gained significant traction in recent months, quietly amassing over 2,000 samples in just a matter of weeks. VirusTotal (VT) retro-hunting and live-hunting have allowed us to uncover an ongoing campaign using LegionLoader that appears to have kicked off on December 19, 2024.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
LegionLoader Satacom Trojan:Win32/Satacom
Indicators of Compromise (21 / 134 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 0137c0f33db7427db32f4f24827a8016 MD5 of 4c2c0de6474c17486e5abe2323da0abe4af395a89d0cc46994265ca7719e4ccc 2025-02-04
FileHash-MD5 0b5d9b80c9bbee71482202720d1bbc3a 2025-02-04
FileHash-MD5 269f7cb81ed6d7e9c1794414d6ebc4e7 MD5 of 82eda9820fc42229b2f75d075ef34d11d1b4feb598983640226770c5e2cf8475 2025-02-04
FileHash-MD5 3f86649d211a7faea0cf75296e3ed3c8 2025-02-04
FileHash-MD5 4756fa2af7d98078f29911d5ffc90ec7 2025-02-04
FileHash-MD5 4f865cc0fc61a8ae23cc59848a1bbda7 MD5 of 038cbe87c4ddb39e7c7accc95d221950d96f2adb0649acaaea60258255c203a6 2025-02-04
FileHash-MD5 503c7360ab382c2c6d3e990bb67b389d MD5 of e69a7a881daca7637220d0407454e678ef3a9cf373406b363179f002acd8144d 2025-02-04
FileHash-MD5 63ae890faf14d8a5c2e43654584c9664 MD5 of 1a43da62d09a56f50e2797cffb77001027461a6b5ef0713c63d96c60bf8ecadd 2025-02-04
FileHash-MD5 70a9a5c89b0bb7b8a61515131e3d49f0 2025-02-04
FileHash-MD5 76dff166148ec7f9d05a1592a9484c01 MD5 of eaaec1cc3ee9a3d590d17c73ab7b174354c1c7be13d26026891424289d0c57fe 2025-02-04
FileHash-MD5 87d5c7bc89c56cbbf79afbd195e1666a MD5 of 23d0db70ba7848789fa117d25f2e94936cf06e58a03fc36647defdd91bf6f1ca 2025-02-04
FileHash-MD5 908431381d588caea53a651679dacee8 2025-02-04
FileHash-MD5 91f3ac3f3849c6b7d97ab5b7562a5627 MD5 of d43590b090ac1ece44ded29b03301323958e344394e94c439999f6a2d0648c53 2025-02-04
FileHash-MD5 964ac63249ff18cb510de0f5fcb19255 MD5 of f1064a9546766a69b2df901a0d9df31d31b01c6507cf614ef3ab73f5869af524 2025-02-04
FileHash-MD5 97a42de72ada85aaa4198559779b58b0 2025-02-04
FileHash-MD5 a7a7c8193e0756a85269c58c8b7fbf2e MD5 of a6b5759a273fd6df4dcb0f5c82935b4b60a6f28bfb4d69b6c7c503c8614c39d0 2025-02-04
FileHash-MD5 be06ce0c5e2e80bbca434c894e3da133 MD5 of cd0a77c945f9eb2a8e0cc7b16f00b8426b737618da06df7e65c1913eefbcc18b 2025-02-04
FileHash-MD5 cc041f6ca77fbb37f083e557ed051055 MD5 of cd72eaba97bb94947529a1e652e2d1cc7197b6224e00bf39e55ad634b7e82047 2025-02-04
FileHash-MD5 e7099e87e04daeb27ea4421c34c49b60 MD5 of 66241b0c08194263eeb62bae9c4e8ef7e38bb447e671638c9c340d305e23af16 2025-02-04
FileHash-MD5 f5d3ec64ca35214424673823c1e535e5 MD5 of 17be6c8a4cf914056e5cb5d6a1d087069bd4c8d5a3ed104fefeace42c4fc6083 2025-02-04
FileHash-MD5 f7e61f06fc606f68b1f8a6270752b832 MD5 of 23f064df01ee9eedf9e1341185505b86148873ccc0a922c64bb085ceb5b091fc 2025-02-04