Pulse Detail — Threat Intelligence

PULSE NAME

Gelsemium new campaign indicators

WHITE Gelsemium AlienVault 2021-06-10 Modified: 2021-07-10

IOCs

HIGH VOLUME

In mid-2020, multiple campaigns attributed to the Gelsemium group were observed targeting organizations in East Asia and Middle East, including governments, religious organizations, electronics manufacturers and universities. Gelsemium is implanted after multiple stages, involving different malware files, and its configuration can change dynamically.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1104 T1564 T1027 T1041 T1055.001 T1036 T1589

MALWARE FAMILIES

Chrommme OwlProxy Gelsemine Gelsemium

Indicators of Compromise (81)

All FileHash-MD5 FileHash-SHA256 FileHash-SHA1 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	1b6868f8c412e1e6efc4d7149173c5a9	MD5 of 055f1e13e0fea44dc42e8cd8c9219ed588360304	2021-06-10
FileHash-MD5	97d46525797ffa7530851481eb96dd47	MD5 of 0cedfb1789ef139b6040cf8d84ba130360c4eb7d MD5 of 0cedfb1789ef139b6040cf8d84ba130360c4eb7d	2021-06-10
FileHash-MD5	3230cb323663710d52dfe18b9f0cb369	MD5 of 4a932622a1a5259e9c97ebfa8dc11fa84dffe039	2021-06-10
FileHash-MD5	bc4d2f84a6ce49f06a6be32ccfaa1630	MD5 of 6f43fe80806a3fe5c866c0b63cc5b105a85d0e75	2021-06-10
FileHash-MD5	c857b9f9b8bd330e160cc3a3c274b068	MD5 of 8ab3acc8a3f89e5b8e7a1929149d273eddadae64 MD5 of 8ab3acc8a3f89e5b8e7a1929149d273eddadae64	2021-06-10
FileHash-MD5	5480f12015b0520b7e33519725bec6ef	MD5 of a20c5bf7a30f597524a74d78dfe7ef6f15edad52 MD5 of a20c5bf7a30f597524a74d78dfe7ef6f15edad52	2021-06-10
FileHash-MD5	35e941f5df1560f0c2191c23e5189ada	MD5 of a80c7010fea9915a0a82108139aec3aa2363f0df MD5 of a80c7010fea9915a0a82108139aec3aa2363f0df	2021-06-10
FileHash-MD5	87eb0975758ecef44e8368914cffe151	MD5 of bca97bf7e93309e49311701b22569395b2baecc7	2021-06-10
FileHash-MD5	4b51d56955a4438481f8452120a36aa0	MD5 of cf4210f762798486cc9d4911d2d9f0f6b2bdf687	2021-06-10
FileHash-MD5	0ff2f7ef56717a032d970ff8b78c85e4	MD5 of f04feb22efaa8f401470fa5808adab9b35e87c4c	2021-06-10
FileHash-SHA256	29e78ca3cb49dd2985a29e74cafb1a0a15515670da0f4881f6095fb2926bfefd	SHA256 of 055f1e13e0fea44dc42e8cd8c9219ed588360304	2021-06-10
FileHash-SHA256	552388d74478a84b8e64e3ee2316331740a0d060f322e92b5c608ea745adba90	SHA256 of 0cedfb1789ef139b6040cf8d84ba130360c4eb7d SHA256 of 0cedfb1789ef139b6040cf8d84ba130360c4eb7d	2021-06-10
FileHash-SHA256	1b6bb9e9612982f9cb55a1c88ae988d362d03fd57748d10b8cbe7acd724055c9	SHA256 of 4a932622a1a5259e9c97ebfa8dc11fa84dffe039	2021-06-10
FileHash-SHA256	00b701e3ef29912c1fcd8c2154c4ae372cfe542cfa54ffcce9fb449883097cec	SHA256 of 6f43fe80806a3fe5c866c0b63cc5b105a85d0e75	2021-06-10
FileHash-SHA256	6005ecce702b84de6d46838839b2271df631ab42325b70e27324e6cabda76e7f	SHA256 of 8ab3acc8a3f89e5b8e7a1929149d273eddadae64 SHA256 of 8ab3acc8a3f89e5b8e7a1929149d273eddadae64	2021-06-10
FileHash-SHA256	5d12c085b600ea2ea42d09e2104ac40d8ba2b6d005db06e12c16016200a92bd8	SHA256 of a20c5bf7a30f597524a74d78dfe7ef6f15edad52 SHA256 of a20c5bf7a30f597524a74d78dfe7ef6f15edad52	2021-06-10
FileHash-SHA256	5299fe79a66b407555cdab68806564ae988b745be589767b004f7bccd7f7ac3b	SHA256 of a80c7010fea9915a0a82108139aec3aa2363f0df SHA256 of a80c7010fea9915a0a82108139aec3aa2363f0df	2021-06-10
FileHash-SHA256	109d4b8878b8c8f3b7015f6b3ae573a6799296becce0f32ca3bd216bee0ab473	SHA256 of bca97bf7e93309e49311701b22569395b2baecc7	2021-06-10
FileHash-SHA256	ec491de0e2247f64b753c4ef0c7227ea3548c2f222b547528dae0cf138eca53a	SHA256 of cf4210f762798486cc9d4911d2d9f0f6b2bdf687	2021-06-10
FileHash-SHA256	93c29bf19e09ea3b1e4ac5d31f47024a544738671488ff7ab2cd8f9a9c302262	SHA256 of f04feb22efaa8f401470fa5808adab9b35e87c4c	2021-06-10
FileHash-SHA1	029407c923c279803c6d7cbc7673936bca2e580c	—	2021-06-10
FileHash-SHA1	0471e1a214f458d4c478677ec9896b0f31207377	—	2021-06-10
FileHash-SHA1	055f1e13e0fea44dc42e8cd8c9219ed588360304	—	2021-06-10
FileHash-SHA1	0cedfb1789ef139b6040cf8d84ba130360c4eb7d	—	2021-06-10
FileHash-SHA1	1042c798d7ff69eb52cbeae684c74fc0ee84aacd	—	2021-06-10
FileHash-SHA1	1dd4e8119efb34beaec6af55b66222d3dc5036eb	—	2021-06-10
FileHash-SHA1	21c9b87a8cf75deba6cff8cf66aa015d6fb46be2	—	2021-06-10
FileHash-SHA1	225fa75d48c7699c3961db1904993e39ae051940	—	2021-06-10
FileHash-SHA1	239db66faa803772f2a8905b1e77377a5bf78351	—	2021-06-10
FileHash-SHA1	2668050fcad373fcd548792d9793375e4d704bef	—	2021-06-10
FileHash-SHA1	2b03ffe35090ce5f9341e046464c9eed8a64441d	—	2021-06-10
FileHash-SHA1	2d6ceaf73ea7f70135d9a82a397625c89c408f05	—	2021-06-10
FileHash-SHA1	2f795d69641312b6653b59c2653d7bf368a4405f	—	2021-06-10
FileHash-SHA1	366a9e646a167fcd2381bc15905f7d7a5e76a100	—	2021-06-10
FileHash-SHA1	36e46ad4a9f31634d32b26bdba618df5ecdca188	—	2021-06-10
FileHash-SHA1	374c38e11c50f5eddd8f3708c557529a62446a4e	—	2021-06-10
FileHash-SHA1	39d7bbf6b95fa8bf37fe434dc6efe380bbf9ab23	—	2021-06-10
FileHash-SHA1	43d27a9c57d252999259aafee9760bda00d1207d	—	2021-06-10
FileHash-SHA1	43eec66f6d68f286357004dc62d6da01991a2eb8	—	2021-06-10
FileHash-SHA1	47e0bc09b9b092bf5de415e663bd848917ea8303	—	2021-06-10
FileHash-SHA1	4a932622a1a5259e9c97ebfa8dc11fa84dffe039	—	2021-06-10
FileHash-SHA1	544717ef96a59135cd0a93886c273e3ffe702c1a	—	2021-06-10
FileHash-SHA1	5eacce21513d29a6f318b338d3ee39cc2752f72b	—	2021-06-10
FileHash-SHA1	625e0d33966e4060d57c1daca5eb6d1a51bba3c3	—	2021-06-10
FileHash-SHA1	6ae33a9df4e7d5d19c67edc1d1b73c1674ff5fc1	—	2021-06-10
FileHash-SHA1	6edbf71680f11681eea34be293f5c580de2e16e0	—	2021-06-10
FileHash-SHA1	6f22c761898a3db9a3788967d90a77331dfa66b3	—	2021-06-10
FileHash-SHA1	6f23354186659cd2a02a5521b39f6246199d83af	—	2021-06-10
FileHash-SHA1	6f43fe80806a3fe5c866c0b63cc5b105a85d0e75	—	2021-06-10
FileHash-SHA1	762f73329ff2ebe2b8f55205f886cb5f1de99483	—	2021-06-10
FileHash-SHA1	78102e569c4f40d011d941bdd8fcaab508edacd6	—	2021-06-10
FileHash-SHA1	796ebb4074dde56fc1edefed0628db68b0857e8a	—	2021-06-10
FileHash-SHA1	7b79c0c0e6d9d1760005416a463beea4518b822c	—	2021-06-10
FileHash-SHA1	7e5bf24946c77a96532da6fd09eaa1ec4e6f1a91	—	2021-06-10
FileHash-SHA1	8090d015d6770e6826f3a9266dd3b0998d30ddc3	—	2021-06-10
FileHash-SHA1	88e4679e9a47a51bd82dc22460b5a69fd7d12acc	—	2021-06-10
FileHash-SHA1	8ab3acc8a3f89e5b8e7a1929149d273eddadae64	—	2021-06-10
FileHash-SHA1	8bf0cab4a700bed3e5d7d38c8868d4f388df9a54	—	2021-06-10
FileHash-SHA1	988a70df8a39034ce817d6b968e48103d824a426	—	2021-06-10
FileHash-SHA1	9a2daf6cf400408f1714ef9ba659f7491bdab612	—	2021-06-10
FileHash-SHA1	9c99eb944db0797682d54a57e2782956223e9bd8	—	2021-06-10
FileHash-SHA1	a20c5bf7a30f597524a74d78dfe7ef6f15edad52	—	2021-06-10
FileHash-SHA1	a80c7010fea9915a0a82108139aec3aa2363f0df	—	2021-06-10
FileHash-SHA1	b663c7381f53c2fa6d4619a5fe7d63d3fd7a3455	—	2021-06-10
FileHash-SHA1	bca97bf7e93309e49311701b22569395b2baecc7	—	2021-06-10
FileHash-SHA1	c64435ccd604e142c6498417d66b4950c7c6b670	—	2021-06-10
FileHash-SHA1	ca25fb923f8a8f0293e52893979b7e429e913d7b	—	2021-06-10
FileHash-SHA1	cf4210f762798486cc9d4911d2d9f0f6b2bdf687	—	2021-06-10
FileHash-SHA1	dcb4d0a47ea40fe4420b14552082e03e0e5fda9d	—	2021-06-10
FileHash-SHA1	eca6363825c079099f3729097c06808ac32d4547	—	2021-06-10
FileHash-SHA1	f04feb22efaa8f401470fa5808adab9b35e87c4c	—	2021-06-10
domain	4vw37z.cn	—	2021-06-10
hostname	acro.ns1.name	—	2021-06-10
hostname	domain.dns04.com	—	2021-06-10
hostname	info.96html.com	—	2021-06-10
hostname	microsoftservice.dns1.us	—	2021-06-10
hostname	pctftp.otzo.com	—	2021-06-10
hostname	sitesafecdn.hopto.org	—	2021-06-10
hostname	traveltime.hopto.org	—	2021-06-10
hostname	www.sitesafecdn.dynamic-dns.net	—	2021-06-10
hostname	www.travel.dns04.com	—	2021-06-10

References (2)

↗ https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/ ↗ https://github.com/eset/malware-ioc/tree/master/gelsemium