The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
Common Information
Type Value
UUID 2f1c4dae-26e6-4651-af2f-0d91fdf9ca06
Fingerprint e5639dda30b20447
Analysis status DONE
Considered CTI value 2
Text language
Published June 30, 2022, 8 a.m.
Added to db Sept. 11, 2022, 12:37 p.m.
Last updated Nov. 18, 2024, 1:38 a.m.
Headline The SessionManager IIS backdoor
Title The SessionManager IIS backdoor: a possibly overlooked GELSEMIUM artefact
Detected Hints/Tags/Attributes 114/2/43
Attributes
Type  #Events  Value
File  1  readfile-afile.txt
File  1  afile.txt
File  1  cool.rar
File  2  dll2.dll
File  1  c:\windows\temp\win32.dll
File  3  ssp.exe
File  1  c:\windows\temp\win32.exe
File  1  c:\windows\temp\vmmsi.exe
File  2127  cmd.exe
File  1  winchecksec.exe
File  478  lsass.exe
File  1  seclog.dmp
File  1  %programfiles%\microsoft\exchange server\v15\clientaccess\owa\auth\sessionmanagermodule.dll
File  1  %programfiles%\microsoft\exchange server\v15\frontend\httpproxy\bin\sessionmanagermodule.dll
File  1  %windir%\system32\inetsrv\sessionmanagermodule.dll
File  1  %windir%\system32\inetsrv\sessionmanager.dll
File  1  c:\windows\temp\exchangesetup\exch.ps1
File  1  c:\windows\temp\exch.exe
File  1  c:\windows\temp\safenet.exe
File  1  c:\windows\temp\upgrade.exe
File  1  c:\windows\temp\exupgrade.exe
File  1  c:\windows\temp\dvvm.exe
File  1  c:\windows\temp\vgauth.exe
IPv4  1  202.182.123.185
IPv4  1  207.148.109.111
Pdb  1  c:\users\godlike\desktop\t\t4\stripheaders-master\x64\release\sessionmanagermodule.pdb
Pdb  1  c:\users\godlike\desktop\t\t4\sessionmanagermodule\x64\release\sessionmanagermodule.pdb
Pdb  1  c:\users\godlike\desktop\t\t4\sessionmanagerv2module\x64\release\sessionmanagermodule.pdb
Pdb  1  c:\users\godlike\desktop\t\t4\sessionmanagerv3module\x64\release\sessionmanagermodule.pdb
Pdb  1  c:\users\godlike\desktop\t\t0\hook-passwordchangenotify-master\hookpasswordchange\x64\release\hookpasswordchange.pdb
Url  1  http://202.182.123.185/dll2.dll','c:\windows\temp\win32.dll
Url  1  http://202.182.123.185/ssp.exe','c:\windows\temp\win32.exe