Deep Dive Into DownEx Espionage Operation in Central Asia
Common Information
Type                                 Value
UUID                                 7aa82c08-d277-4163-841a-f2c7d29ab394
Fingerprint                          3442b84a7cf9e688
Analysis status                      DONE
Considered CTI value                 2
Text language
Published                            May 10, 2023, midnight
Added to db                          Oct. 24, 2023, 1:22 p.m.
Last updated                         Nov. 17, 2024, 6:54 p.m.
Headline                             Deep Dive Into DownEx Espionage Operation in Central Asia
Title                                Deep Dive Into DownEx Espionage Operation in Central Asia
Detected Hints/Tags/Attributes       79/2/25
Attributes
Type                            #Events   Value
Domain                          4         help.py
Domain                          1         net-certificate.services
File                            18        2022.exe
File                            6         2022.doc
File                            3         wnet.exe
File                            16        utility.exe
File                            4         help.py
File                            1         pytransform.py
File                            3         diagsvc.exe
File                            1         c:\\programdata\\temp\\driver.vbs
File                            1         hftqlbgtg.php
File                            3         slmgr.vb
File                            43        www.php
File                            1         driver.vbs
md5                             1         a45106470f946ea6798f7d42878cff51
md5                             1         3ac42f25df0b600d6fc9eac73f011261
md5                             1         ae5d4b9c1038f6840b563c868692f2aa
md5                             1         f3474c17d8c33055c28cb45a04ab484f
IPv4                            1         84.32.188.123
IPv4                            1         206.166.251.216
Pdb                             1         c:\projects\down\release\down.pdb
Threat Actor Identifier - APT   783       APT28
Url                             1         https://net-certificate.services:443
Url                             1         http://84.32.188.123/hftqlbgtg.php
Url                             1         http://206.166.251.216/www.php