Pulse: Technical analysis of LegionLoader
TLP: WHITE | Author: cti-tehtris | Created: 2025-02-04 | Modified: 2025-02-04 | 134 IOCs (high volume)
LegionLoader, also known as Satacom, CurlyGate, and RobotDropper, is an active downloader that has operated quietly but has gained significant traction in recent months, amassing over 2,000 samples in a matter of weeks. VirusTotal (VT) retro-hunting and live-hunting allowed us to uncover an ongoing campaign using LegionLoader that appears to have started on December 19, 2024.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed in this pulse
Malware families: LegionLoader, Satacom, Trojan:Win32/Satacom
Indicators of Compromise (15 of 134 total shown)
IOC types present in the full pulse: URL, FileHash-MD5, FileHash-SHA1, FileHash-SHA256, YARA, domain. The excerpt below lists FileHash-SHA1 entries only; each description gives the SHA-256 of the same sample.
TYPE INDICATOR DESCRIPTION CREATED
FileHash-SHA1 14080e23ff278eae8e1c16ac0bdc54ec3db86e36 SHA1 of 17be6c8a4cf914056e5cb5d6a1d087069bd4c8d5a3ed104fefeace42c4fc6083 2025-02-04
FileHash-SHA1 1f473c1f0392ba1aa323a4fa6cc296c5ff1eceb1 SHA1 of 4c2c0de6474c17486e5abe2323da0abe4af395a89d0cc46994265ca7719e4ccc 2025-02-04
FileHash-SHA1 1f9c66553b079f34990d691a2d3c54ff1cc4decd SHA1 of 1a43da62d09a56f50e2797cffb77001027461a6b5ef0713c63d96c60bf8ecadd 2025-02-04
FileHash-SHA1 20437caaa4517ed1bbfe07b47aa72fd249d4caa9 SHA1 of 82eda9820fc42229b2f75d075ef34d11d1b4feb598983640226770c5e2cf8475 2025-02-04
FileHash-SHA1 40ea26cbe3313f8651b19e5bd97e332296ea22d7 SHA1 of e69a7a881daca7637220d0407454e678ef3a9cf373406b363179f002acd8144d 2025-02-04
FileHash-SHA1 67f930207515ef5ec6550e2d63fc9e4c98e81333 SHA1 of eaaec1cc3ee9a3d590d17c73ab7b174354c1c7be13d26026891424289d0c57fe 2025-02-04
FileHash-SHA1 77a5fbef515fcb2baae879a3dedd757fcc3412a8 SHA1 of 23f064df01ee9eedf9e1341185505b86148873ccc0a922c64bb085ceb5b091fc 2025-02-04
FileHash-SHA1 77ac7e4b25df732c8333b7332d5590b9a893f514 SHA1 of 66241b0c08194263eeb62bae9c4e8ef7e38bb447e671638c9c340d305e23af16 2025-02-04
FileHash-SHA1 8077203aa10604e5cbaf48f30e091ee52d9082ef SHA1 of 23d0db70ba7848789fa117d25f2e94936cf06e58a03fc36647defdd91bf6f1ca 2025-02-04
FileHash-SHA1 815c64177cb79c0fe9a2c48c5d2002275c97b19c SHA1 of a6b5759a273fd6df4dcb0f5c82935b4b60a6f28bfb4d69b6c7c503c8614c39d0 2025-02-04
FileHash-SHA1 8d2b4373e55eee815b0479004a304d7f54e2d8ae SHA1 of cd72eaba97bb94947529a1e652e2d1cc7197b6224e00bf39e55ad634b7e82047 2025-02-04
FileHash-SHA1 a31767b17b928b77075499a516a792c51b9b424f SHA1 of cd0a77c945f9eb2a8e0cc7b16f00b8426b737618da06df7e65c1913eefbcc18b 2025-02-04
FileHash-SHA1 ed6e109b22693158f77d0ec55f5c1345aaeb4e3b SHA1 of d43590b090ac1ece44ded29b03301323958e344394e94c439999f6a2d0648c53 2025-02-04
FileHash-SHA1 f74e6b2283d72771b2917981ea4537b4f244dda8 SHA1 of f1064a9546766a69b2df901a0d9df31d31b01c6507cf614ef3ab73f5869af524 2025-02-04
FileHash-SHA1 f82bd3fcaa544b51d41a4ab5f54f7229c09383e5 SHA1 of 038cbe87c4ddb39e7c7accc95d221950d96f2adb0649acaaea60258255c203a6 2025-02-04
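A practical way to consume this table is to parse the rows into a SHA-1 to SHA-256 map and sweep a directory, matching each file on both digests (the pulse supplies both, so a SHA-1 hit that does not carry the expected SHA-256 can be flagged rather than trusted). The script below is an added example, not code from the pulse or from cti-tehtris: the three embedded rows are copied verbatim from the table above, while the bait file, its hypothetical indicator and the directory layout are constructed for the offline self-test.

```python
import hashlib
import os
import re
import tempfile

# The three rows below are copied verbatim from the pulse's IOC table; the
# full excerpt (and the 134-IOC pulse export) uses the same row layout.
PULSE_ROWS = """\
FileHash-SHA1 14080e23ff278eae8e1c16ac0bdc54ec3db86e36 SHA1 of 17be6c8a4cf914056e5cb5d6a1d087069bd4c8d5a3ed104fefeace42c4fc6083 2025-02-04
FileHash-SHA1 1f473c1f0392ba1aa323a4fa6cc296c5ff1eceb1 SHA1 of 4c2c0de6474c17486e5abe2323da0abe4af395a89d0cc46994265ca7719e4ccc 2025-02-04
FileHash-SHA1 1f9c66553b079f34990d691a2d3c54ff1cc4decd SHA1 of 1a43da62d09a56f50e2797cffb77001027461a6b5ef0713c63d96c60bf8ecadd 2025-02-04
"""

# One row = type, SHA-1, "SHA1 of <SHA-256>", creation date.
ROW_RE = re.compile(
    r"^FileHash-SHA1\s+(?P<sha1>[0-9a-fA-F]{40})\s+SHA1 of\s+"
    r"(?P<sha256>[0-9a-fA-F]{64})\s+(?P<created>\d{4}-\d{2}-\d{2})\s*$"
)


def parse_pulse_rows(text):
    """Map SHA-1 -> SHA-256 for every well-formed row; anything else is skipped."""
    iocs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            iocs[m["sha1"].lower()] = m["sha256"].lower()
    return iocs


def hash_file(path, chunk=1 << 20):
    """Compute SHA-1 and SHA-256 of a file in a single read pass."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h1.update(block)
            h256.update(block)
    return h1.hexdigest(), h256.hexdigest()


def sweep(root, iocs):
    """Walk `root` and report files whose digests appear in `iocs`.

    A file is a confirmed hit only when its SHA-1 is listed AND its SHA-256
    equals the one the pulse pairs with that SHA-1; a SHA-1 match with a
    different SHA-256 is reported as 'sha1_only' so an analyst can look at it.
    """
    sha256_set = set(iocs.values())
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            sha1, sha256 = hash_file(path)
            if sha1 in iocs and iocs[sha1] == sha256:
                hits.append((path, "sha1+sha256"))
            elif sha1 in iocs:
                hits.append((path, "sha1_only"))
            elif sha256 in sha256_set:
                hits.append((path, "sha256_only"))
    return hits


def demo():
    """Constructed self-test: two harmless files in a temp directory; one is
    registered as a hypothetical indicator (not from the pulse) so the
    matching path is exercised without any real sample on disk."""
    iocs = parse_pulse_rows(PULSE_ROWS)
    with tempfile.TemporaryDirectory() as root:
        bait = os.path.join(root, "bait.bin")
        clean = os.path.join(root, "clean.txt")
        with open(bait, "wb") as f:
            f.write(b"constructed sample, not LegionLoader\n")
        with open(clean, "wb") as f:
            f.write(b"unrelated content\n")
        b_sha1, b_sha256 = hash_file(bait)
        test_iocs = dict(iocs)
        test_iocs[b_sha1] = b_sha256  # hypothetical indicator for the self-test
        hits = sweep(root, test_iocs)
        return len(iocs), [(os.path.basename(p), kind) for p, kind in hits]


if __name__ == "__main__":
    print(demo())
```

To run it against the full pulse, paste the exported FileHash-SHA1 rows into PULSE_ROWS (or read them from a file) and call sweep() on the directory of interest; URL, domain, MD5 and YARA entries need their own handling and are not covered here.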