ioc[.]one - OSINT Cyber Threat Intelligence Database

Detecting New Threats: The Heuristic Approach with DFI - InQuest

Tags

attack-pattern:

Model Models Exploits - T1587.004 Exploits - T1588.005 Javascript - T1059.007 Malware - T1587.001 Malware - T1588.001 Powershell - T1059.001 Software - T1592.002 Vulnerabilities - T1588.006 Powershell - T1086

Show in Graph

Common Information

Type	Value
UUID	df520341-a4ea-4f64-9cdc-e1eaa2f4e89e
Fingerprint	b04198f709bceaeb
Analysis status	DONE
Considered CTI value	2
Text language
Published	May 31, 2024, 5:33 p.m.
Added to db	Aug. 31, 2024, 12:24 a.m.
Last updated	Nov. 17, 2024, 6:54 p.m.
Headline	Detecting New Threats: The Heuristic Approach with DFI
Title	Detecting New Threats: The Heuristic Approach with DFI - InQuest
Detected Hints/Tags/Attributes	30/1/23

Source URLs

	Redirection	Url
Details	Source	https://inquest.net/blog/detecting-new-threats-the-heuristic-approach-with-dfi/

URL Provider

Details	Provider	Source level domain
Details	inquest.net	inquest.net

RSS Feed

Details	Id	Enabled	Feed title	Url	Added to db
Details	137	✔	InQuest	https://inquest.net/blog/rss	2024-08-30 22:08

Attributes

Details	Type	#Events	Value
Details	Domain	372	wscript.shell
Details	Domain	13	oshell.run
Details	Domain	141	research.checkpoint.com
Details	File	2125	cmd.exe
Details	File	1	heaventool.bat
Details	File	2	'payload.exe
Details	File	1	msd89h2j389uh.bat
Details	File	55	payload.exe
Details	File	37	'cmd.exe
Details	File	1	encrypted.vbs
Details	sha256	1	61f28f87755265f1bacdefbaca8a86e4c5fa71c20206702f4816bc81358fac16
Details	sha256	1	d44f161b75cba92d61759ef535596912e1ea8b6a5a2067a2832f953808ca8609
Details	sha256	1	9c5883cf118f1d22795f7b5661573f8099554c5a3f78d592e8917917baa6d20f
Details	sha256	1	2aa9459160149ecefd1c9b63420eedc7fe3a21ae0ca3e080c93fd39fef32e9c0
Details	sha256	1	8155a6423d64f30d2994163425d3fbe14a52927d3616ffacea36ddc71a6af4b0
Details	sha256	1	c1436f65acbf7123d1a45b0898be69ba964f0c6d569aa350c9d8a5f187b3c0e7
Details	sha256	1	de8ecd738f1f24a94aba06f19d426399bc250cc5e7b848b2cbd92fc1d6906403
Details	sha256	1	d5483049dc32d1a57e759839930fe17fe31a5f513d24074710f98ec186f06777
Details	sha256	1	19a8201c6a3063b897d696330c1b60bd97914514d2ae6a6c3c1796bec236724a
Details	Url	1	https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation
Details	Yara rule	1	rule Generic_PDF_Contains_Batch_Script { strings: $pdf_anchor = "PDF Comment '%PDF" $bat_1 = /\\b[a-z0-9]+\\.bat/ nocase condition: $pdf_anchor at 0 and any of ($bat_*) }
Details	Yara rule	1	rule Generic_PDF_Contains_VBScript { strings: $pdf_anchor = "PDF Comment '%PDF" $vb_1 = /\\b[a-z0-9]+\\.vbs/ nocase condition: $pdf_anchor at 0 and any of ($vb_*) }
Details	Yara rule	1	rule Generic_PDF_Contains_PowerShell_Reference { strings: $pdf_anchor = "PDF Comment '%PDF" $ps_1 = "powershell" nocase condition: $pdf_anchor at 0 and any of ($ps_*) }